Edit tour

Windows Analysis Report
KsJBQmWmRc.exe

Overview

General Information

Sample name:	KsJBQmWmRc.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
Analysis ID:	1360781
MD5:	d9ec6f3a3b2ac7cd5eef07bd86e3efbc
SHA1:	e1908caab6f938404af85a7df0f80f877a4d9ee6
SHA256:	472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	true
Confidence:	100%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Creates or modifies windows services

Detected potential crypto function

Found evaded block containing many API calls

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

KsJBQmWmRc.exe (PID: 7684 cmdline: C:\Users\user\Desktop\KsJBQmWmRc.exe MD5: D9EC6F3A3B2AC7CD5EEF07BD86E3EFBC)

conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 7892 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://nssm.cc/ MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 8104 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1984,i,3565637498364066981,7971420518312829886,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: http://nssm.cc/

HTTP Parser: No favicon

Source: KsJBQmWmRc.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.206.229.209:443 -> 192.168.2.9:49722 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.9:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.9:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.9:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.9:49726 version: TLS 1.2

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown

HTTPS traffic detected: 23.206.229.209:443 -> 192.168.2.9:49722 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.134&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-117.0.5938.134Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3bOwNRptUzKeezn&MD=UWZXDZnY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3bOwNRptUzKeezn&MD=UWZXDZnY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=00000000000000000000000000000000000000009A8E8335BA HTTP/1.1Host: clients1.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: nssm.ccConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /style.css HTTP/1.1Host: nssm.ccConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/css,/;q=0.1Referer: http://nssm.cc/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/logo.jpg HTTP/1.1Host: nssm.ccConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://nssm.cc/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/logo.jpg HTTP/1.1Host: nssm.ccConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://nssm.cc/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/logo.jpg HTTP/1.1Host: nssm.ccConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://nssm.cc/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/sidebar.jpg HTTP/1.1Host: nssm.ccConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://nssm.cc/style.cssAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/logo.jpg HTTP/1.1Host: nssm.ccConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: nssm.ccConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://nssm.cc/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: nssm.ccConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: nssm.ccConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: nssm.ccConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: unknown

DNS traffic detected: queries for: nssm.cc

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=k9tT3q7Yfh1nx_FSl06F5UE_vdaFQreiGKe1aDN83MeveD7PL1RZXva4s-nFc9waQi9LtKavuTIba8MUkoGu58E8E81gwB_TWJ4Ng-LfCvzhem7rNrhZQ2aGvJZ9g2TYhqx2W2O4E7uHQzPk3vuLvMLxFXZsqE6NdAViQDECGpo

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Dec 2023 20:50:38 GMTServer: Apache/2.4.25 (Fedora) OpenSSL/1.0.2o-fips mod_auth_kerb/5.4 PHP/5.6.31Content-Length: 216Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6d 61 67 65 73 2f 73 69 64 65 62 61 72 2e 6a 70 67 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /images/sidebar.jpg was not found on this server.</p></body></html>

Source: chromecache_64.6.dr	String found in binary or memory: http://git.nssm.cc/nssm/nssm
Source: chromecache_64.6.dr	String found in binary or memory: http://iain.cx/
Source: KsJBQmWmRc.exe	String found in binary or memory: http://nssm.cc/h

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.9:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.9:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.9:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.9:49726 version: TLS 1.2

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Code function: 0_2_0040FA10 GetModuleFileNameW,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,

0_2_0040FA10

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_7892_513623362

Jump to behavior

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Code function: 0_2_00419522

0_2_00419522

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe	Code function: String function: 00416A78 appears 31 times
Source: C:\Users\user\Desktop\KsJBQmWmRc.exe	Code function: String function: 0041257C appears 37 times

Source: KsJBQmWmRc.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean10.winEXE@16/13@12/7

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Code function: GetModuleFileNameW,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,

0_2_0040FA10

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Code function: 0_2_0040A1E0 CreateToolhelp32Snapshot,GetLastError,Thread32First,GetLastError,CloseHandle,PostThreadMessageW,PostThreadMessageW,Thread32Next,PostThreadMessageW,Thread32Next,GetLastError,GetLastError,GetLastError,CloseHandle,

0_2_0040A1E0

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Code function: 0_2_00405600 GetUserDefaultLangID,FindResourceExW,FindResourceExW,GetLastError,FindResourceExW,LoadResource,CreateDialogIndirectParamW,

0_2_00405600

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Code function: 0_2_00409B70 __fileno,__setmode,__fileno,__setmode,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError,

0_2_00409B70

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Code function: 0_2_00409B70 __fileno,__setmode,__fileno,__setmode,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError,

0_2_00409B70

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03

Source: KsJBQmWmRc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\KsJBQmWmRc.exe C:\Users\user\Desktop\KsJBQmWmRc.exe
Source: C:\Users\user\Desktop\KsJBQmWmRc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://nssm.cc/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1984,i,3565637498364066981,7971420518312829886,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1984,i,3565637498364066981,7971420518312829886,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Code function: 0_2_0041BB09 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_0041BB09

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Code function: 0_2_00416ABD push ecx; ret

0_2_00416AD0

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\NSSM

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Code function: 0_2_00409B70 __fileno,__setmode,__fileno,__setmode,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError,

0_2_00409B70

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Code function: HeapAlloc,OpenServiceW,GetServiceDisplayNameW,GetServiceKeyNameW,GetLastError,GetLastError,GetLastError,EnumServicesStatusW,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusW,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetLastError,__snwprintf_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_0040CAB0

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Evaded block: after key decision

graph_0-10102

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-10013

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

API coverage: 2.0 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Code function: 0_2_00412CDC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00412CDC

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

0_2_0041BB09

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Code function: 0_2_00405370 GetUserDefaultLangID,FormatMessageW,FormatMessageW,FormatMessageW,GetProcessHeap,HeapAlloc,__snwprintf_s,

0_2_00405370

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe	Code function: 0_2_00412CDC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00412CDC
Source: C:\Users\user\Desktop\KsJBQmWmRc.exe	Code function: 0_2_0041BD69 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041BD69
Source: C:\Users\user\Desktop\KsJBQmWmRc.exe	Code function: 0_2_00415360 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00415360
Source: C:\Users\user\Desktop\KsJBQmWmRc.exe	Code function: 0_2_004187C4 SetUnhandledExceptionFilter,	0_2_004187C4

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Code function: 0_2_00409920 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00409920

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Code function: GetLocaleInfoA,

0_2_0041C465

Source: C:\Users\user\Desktop\KsJBQmWmRc.exe

Code function: 0_2_004088E0 GetSystemTime,PathFindExtensionW,__snwprintf_s,__snwprintf_s,

0_2_004088E0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	12 Service Execution	23 Windows Service	23 Windows Service	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	3 Native API	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	5 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Service Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://iain.cx/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
accounts.google.com	172.217.3.77	true	false	high
www.google.com	142.251.35.228	true	false	high
clients.l.google.com	172.217.2.206	true	false	high
nssm.cc	104.156.51.181	true	false	high
clients1.google.com	unknown	unknown	false	high
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
http://nssm.cc/images/sidebar.jpg	false	high
http://nssm.cc/style.css	false	high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.134&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1	false	high
http://nssm.cc/images/logo.jpg	false	high
http://nssm.cc/favicon.ico	false	high
http://nssm.cc/	false	high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false	high
https://clients1.google.com/tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=00000000000000000000000000000000000000009A8E8335BA	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://iain.cx/	chromecache_64.6.dr	false	Avira URL Cloud: safe	unknown
http://nssm.cc/h	KsJBQmWmRc.exe	false		high
http://git.nssm.cc/nssm/nssm	chromecache_64.6.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.217.174	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.251.35.228	www.google.com	United States	15169	GOOGLEUS	false
172.217.2.206	clients.l.google.com	United States	15169	GOOGLEUS	false
172.217.3.77	accounts.google.com	United States	15169	GOOGLEUS	false
104.156.51.181	nssm.cc	United States	29802	HVC-ASUS	false

Private

IP
192.168.2.9

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1360781
Start date and time:	2023-12-12 21:49:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KsJBQmWmRc.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
Detection:	CLEAN
Classification:	clean10.winEXE@16/13@12/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 9 Number of non-executed functions: 90

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 72.21.81.240, 142.250.64.195, 34.104.35.123, 192.229.211.108, 142.250.189.131
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, edgedl.me.gvt1.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, update.googleapis.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: KsJBQmWmRc.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
239.255.255.250	9b7eb368-a906-4e0e-97c2-310fd3b9f90a.eml	Get hash	malicious	HTMLPhisher	Browse
	Polynomial-Examples.xlsb	Get hash	malicious	Unknown	Browse
	index.html	Get hash	malicious	Unknown	Browse
	py_Polynomial.xlsb	Get hash	malicious	Unknown	Browse
	Polynomial-Examples.xlsb	Get hash	malicious	Unknown	Browse
	Polynomial.xlsb	Get hash	malicious	Unknown	Browse
	py_Polynomial.xlsb	Get hash	malicious	Unknown	Browse
	Polynomial-Examples.xlsb	Get hash	malicious	Unknown	Browse
	https://docs.supportstream.cc/e/AORMTFX	Get hash	malicious	Unknown	Browse
	py_Polynomial.xlsb	Get hash	malicious	Unknown	Browse
	https://brownfieldagnews.com/	Get hash	malicious	Unknown	Browse
	https://sommelier.peppertreecanyon.com/IRzyTFo+kSVFPsh+Fy7eblJolzwDJtAgQHKWJU97rSpIcJduDT6Abhs+nC1Ge5UnQmSKLkN0kTkDYQ==	Get hash	malicious	Unknown	Browse
	ed.html	Get hash	malicious	Phisher	Browse
	http://788119849.gopeerclick.com/15H5va?country=%7Bcountry%7D&site=%7Bsite%7D&site_id=%7Bsite_id%7D&external_id=%7Bs2s_token%7D	Get hash	malicious	Unknown	Browse
	ATT00001.htm	Get hash	malicious	Unknown	Browse
	https://811b1c726ed82759.krtra.com/t/D2j6M4xAqnlF	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse
	https://811b1c726ed82759.krtra.com/t/9A3wS1hQoMrK	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse
	Product_images_1d2d9f3zz07d94f0749a.bat	Get hash	malicious	Unknown	Browse
	https://lookerstudio.google.com/s/k80ogyQ4R9o	Get hash	malicious	HTMLPhisher	Browse
	https://trk.klclick3.com/ls/click?upn=IwYH47Dp8WUMsbua4sOTh3e-2FaKNUk7RtA-2FqR4SJOG30xvYTafSmyCPUGrz8fZlQnp3csu6eWWzeSrE0tvTxaEpAmhg8VRqgbHwYD-2FKuzOgEU83vgeG02CgbG0Z5exKzFKBkZ_MMEqZLjJl-2Fqp-2FvyxaNrqv9Bx8RkLcOdYw-2FJWOTXYvPqkTYVLBE7IeRG8qJhrqW3n-2B1hYQLej5iH3TBWY-2BF7T5VrlFAt1MwWNvBbDDn-2FLOciOQpm199mkgT0G7ttebqP4JjBNPQ-2FW-2BUj2YP-2FYLAq7AE4Zf-2FUQ9lQ1n3n7iWJEec-2FG5LE-2FTbzL65NNApIs5PT9VT7JSIOx8-2BgdWlTtAigLAnLimQMR1X7wK9z2bp917YU7utxU0KuBpMZYDtxgiokT39B5TyEETX08JAk6pY-2BpHq2AVUvL6no7m8TyOly3Iqk89rZjv-2BNgALzaHfU0vHMC	Get hash	malicious	Unknown	Browse
104.156.51.181	GatewayService.exe	Get hash	malicious	Unknown	Browse	nssm.cc/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nssm.cc	GatewayService.exe	Get hash	malicious	Unknown	Browse	104.156.51.181

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HVC-ASUS	NEW_ORDER.xls	Get hash	malicious	Lokibot, zgRAT	Browse	23.227.196.27
	https://nethialrerd.blob.core.windows.net/nethialrerd/url.html#cl/2580_md/12/586/1962/400/239918	Get hash	malicious	Phisher, TechSupportScam	Browse	91.208.16.164
	Contract.htm	Get hash	malicious	HTMLPhisher	Browse	23.227.196.216
	shipping_document.xls	Get hash	malicious	Lokibot	Browse	23.227.196.204
	Konstantin.exe	Get hash	malicious	Poverty Stealer	Browse	69.46.15.167
	Konst.exe	Get hash	malicious	Poverty Stealer	Browse	69.46.15.167
	Konstantin.exe	Get hash	malicious	Poverty Stealer	Browse	69.46.15.167
	SOA_OCT-NOV_2023.exe	Get hash	malicious	AgentTesla	Browse	66.232.107.34
	QcC1Ld8qqF.exe	Get hash	malicious	Djvu, RedLine, SmokeLoader	Browse	66.206.0.138
	payment_swift.xls	Get hash	malicious	Unknown	Browse	23.227.196.95
	payment_swift.xls	Get hash	malicious	Unknown	Browse	23.227.196.95
	New_Order.xls	Get hash	malicious	Lokibot	Browse	23.227.196.204
	https://dhammaparami.lk/homesign/net/login.php	Get hash	malicious	Unknown	Browse	107.155.77.34
	OCCT.exe	Get hash	malicious	BazaLoader, PrivateLoader	Browse	23.111.189.202
	klWGq3yDcQ.exe	Get hash	malicious	Unknown	Browse	66.206.0.82
	aaaaa.doc	Get hash	malicious	FormBook	Browse	23.227.194.145
	E-dekont.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.111.145.146
	http://www.asercol.com/	Get hash	malicious	Unknown	Browse	198.178.125.8
	Official copy 5660905 17 November, 2023.html	Get hash	malicious	HTMLPhisher	Browse	37.72.168.214
	New_RFQ_-_CO213538PDF.exe	Get hash	malicious	AgentTesla	Browse	107.155.77.34

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	index.html	Get hash	malicious	Unknown	Browse	23.206.229.209
	Polynomial-Examples.xlsb	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://sommelier.peppertreecanyon.com/IRzyTFo+kSVFPsh+Fy7eblJolzwDJtAgQHKWJU97rSpIcJduDT6Abhs+nC1Ge5UnQmSKLkN0kTkDYQ==	Get hash	malicious	Unknown	Browse	23.206.229.209
	http://788119849.gopeerclick.com/15H5va?country=%7Bcountry%7D&site=%7Bsite%7D&site_id=%7Bsite_id%7D&external_id=%7Bs2s_token%7D	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://811b1c726ed82759.krtra.com/t/D2j6M4xAqnlF	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse	23.206.229.209
	https://811b1c726ed82759.krtra.com/t/9A3wS1hQoMrK	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse	23.206.229.209
	Product_images_1d2d9f3zz07d94f0749a.bat	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://lwebi-zgpm.maillist-manage.com/click/110c53dc704cf20a3/110c53dc704917d6c	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://811b1c726ed82759.krtra.com/t/5C0i7IFZ32Xc	Get hash	malicious	HTMLPhisher	Browse	23.206.229.209
	https://811b1c726ed82759.krtra.com/t/5C0i7IFZ32Xc	Get hash	malicious	HTMLPhisher	Browse	23.206.229.209
	https://trk.klclick3.com/ls/click?upn=IwYH47Dp8WUMsbua4sOTh3e-2FaKNUk7RtA-2FqR4SJOG30xvYTafSmyCPUGrz8fZlQnp3csu6eWWzeSrE0tvTxaEpAmhg8VRqgbHwYD-2FKuzOgEU83vgeG02CgbG0Z5exKzFKBkZ_MMEqZLjJl-2Fqp-2FvyxaNrqv9Bx8RkLcOdYw-2FJWOTXYvPqkTYVLBE7IeRG8qJhrqW3n-2B1hYQLej5iH3TBWY-2BF7T5VrlFAt1MwWNvBbDDn-2FLOciOQpm199mkgT0G7ttebqP4JjBNPQ-2FW-2BUj2YP-2FYLAq7AE4Zf-2FUQ9lQ1n3n7iWJEec-2FG5LE-2FTbzL65NNApIs5PT9VT7JSIOx8-2BgdWlTtAigLAnLimQMR1X7wK9z2bp917YU7utxU0KuBpMZYDtxgiokT39B5TyEETX08JAk6pY-2BpHq2AVUvL6no7m8TyOly3Iqk89rZjv-2BNgALzaHfU0vHMC	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://q742t.metdo2.com/597h/bToyMDgzL2Nwc2Vzczk2NzU2NTIyMDIvZnJvbnRlbmQvanVwaXRlci9maW06MjA4My9jcHNlc3M5Njc1NjUyMjAyL2Zyb250ZW5kL2p1cGl0ZXIvZmk	Get hash	malicious	HTMLPhisher	Browse	23.206.229.209
	https://customer76920g.musvc5.net/e/tr?q=0%3dCb7fCd%26m%3dX%26z%3dX%26p%3dXE%26P%3diQ6Kt_OcxQ_ZM_MRzb_WG_OcxQ_YRNf07MfA18vPuBo-OqQjB9.Kx_OcxQ_YR%269%3dnR5Qdb.z0u%26F5%3dY%26uP%3dDe3ZCWAcCV8m6bAbCd%26i%3d8EV5fI98cFb6bI0e8GA4aodbYmd6fDZ69C8cgqceAr0baIXABG69cIbfApcbeKa9&mupckp=mupAtu4m8OiX0wt	Get hash	malicious	Unknown	Browse	23.206.229.209
	Claim.index.html	Get hash	malicious	Unknown	Browse	23.206.229.209
	AlertCheque_No._000000005815.exe	Get hash	malicious	Remcos, zgRAT	Browse	23.206.229.209
	http://trackinghub.info	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://www.thornapplecu.com/rates/	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://fluix.link/u66-HBtMog	Get hash	malicious	HTMLPhisher	Browse	23.206.229.209
	Agreement_SM2023120465.htm	Get hash	malicious	Unknown	Browse	23.206.229.209
	http://www.annamessi.it/wp-content/uploads/2016/03/MODULISTICA-2016.pdf	Get hash	malicious	Unknown	Browse	23.206.229.209
28a2c9bd18a11de089ef85a160da29e4	index.html	Get hash	malicious	Unknown	Browse	52.165.165.26 23.204.76.112
	Polynomial-Examples.xlsb	Get hash	malicious	Unknown	Browse	52.165.165.26 23.204.76.112
	py_Polynomial.xlsb	Get hash	malicious	Unknown	Browse	52.165.165.26 23.204.76.112
	https://docs.supportstream.cc/e/AORMTFX	Get hash	malicious	Unknown	Browse	52.165.165.26 23.204.76.112
	https://sommelier.peppertreecanyon.com/IRzyTFo+kSVFPsh+Fy7eblJolzwDJtAgQHKWJU97rSpIcJduDT6Abhs+nC1Ge5UnQmSKLkN0kTkDYQ==	Get hash	malicious	Unknown	Browse	52.165.165.26 23.204.76.112
	ed.html	Get hash	malicious	Phisher	Browse	52.165.165.26 23.204.76.112
	http://788119849.gopeerclick.com/15H5va?country=%7Bcountry%7D&site=%7Bsite%7D&site_id=%7Bsite_id%7D&external_id=%7Bs2s_token%7D	Get hash	malicious	Unknown	Browse	52.165.165.26 23.204.76.112
	ATT00001.htm	Get hash	malicious	Unknown	Browse	52.165.165.26 23.204.76.112
	https://811b1c726ed82759.krtra.com/t/D2j6M4xAqnlF	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse	52.165.165.26 23.204.76.112
	https://811b1c726ed82759.krtra.com/t/9A3wS1hQoMrK	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse	52.165.165.26 23.204.76.112
	Product_images_1d2d9f3zz07d94f0749a.bat	Get hash	malicious	Unknown	Browse	52.165.165.26 23.204.76.112
	https://trk.klclick3.com/ls/click?upn=IwYH47Dp8WUMsbua4sOTh3e-2FaKNUk7RtA-2FqR4SJOG30xvYTafSmyCPUGrz8fZlQnp3csu6eWWzeSrE0tvTxaEpAmhg8VRqgbHwYD-2FKuzOgEU83vgeG02CgbG0Z5exKzFKBkZ_MMEqZLjJl-2Fqp-2FvyxaNrqv9Bx8RkLcOdYw-2FJWOTXYvPqkTYVLBE7IeRG8qJhrqW3n-2B1hYQLej5iH3TBWY-2BF7T5VrlFAt1MwWNvBbDDn-2FLOciOQpm199mkgT0G7ttebqP4JjBNPQ-2FW-2BUj2YP-2FYLAq7AE4Zf-2FUQ9lQ1n3n7iWJEec-2FG5LE-2FTbzL65NNApIs5PT9VT7JSIOx8-2BgdWlTtAigLAnLimQMR1X7wK9z2bp917YU7utxU0KuBpMZYDtxgiokT39B5TyEETX08JAk6pY-2BpHq2AVUvL6no7m8TyOly3Iqk89rZjv-2BNgALzaHfU0vHMC	Get hash	malicious	Unknown	Browse	52.165.165.26 23.204.76.112
	https://www.marion-brossier.fr/#bWljaGVsbGUubG9uZ2NyaWVyQGhtbWF1c2EuY29t	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	52.165.165.26 23.204.76.112
	https://lwebi-zgpm.maillist-manage.com/click/110c53dc704cf20a3/110c53dc704917d6c	Get hash	malicious	Unknown	Browse	52.165.165.26 23.204.76.112
	https://811b1c726ed82759.krtra.com/t/5C0i7IFZ32Xc	Get hash	malicious	HTMLPhisher	Browse	52.165.165.26 23.204.76.112
	http://le55.ca	Get hash	malicious	Unknown	Browse	52.165.165.26 23.204.76.112
	https://t.co/OY69C9RQl3	Get hash	malicious	HTMLPhisher	Browse	52.165.165.26 23.204.76.112
	https://811b1c726ed82759.krtra.com/t/5C0i7IFZ32Xc	Get hash	malicious	HTMLPhisher	Browse	52.165.165.26 23.204.76.112
	https://trk.klclick3.com/ls/click?upn=IwYH47Dp8WUMsbua4sOTh3e-2FaKNUk7RtA-2FqR4SJOG30xvYTafSmyCPUGrz8fZlQnp3csu6eWWzeSrE0tvTxaEpAmhg8VRqgbHwYD-2FKuzOgEU83vgeG02CgbG0Z5exKzFKBkZ_MMEqZLjJl-2Fqp-2FvyxaNrqv9Bx8RkLcOdYw-2FJWOTXYvPqkTYVLBE7IeRG8qJhrqW3n-2B1hYQLej5iH3TBWY-2BF7T5VrlFAt1MwWNvBbDDn-2FLOciOQpm199mkgT0G7ttebqP4JjBNPQ-2FW-2BUj2YP-2FYLAq7AE4Zf-2FUQ9lQ1n3n7iWJEec-2FG5LE-2FTbzL65NNApIs5PT9VT7JSIOx8-2BgdWlTtAigLAnLimQMR1X7wK9z2bp917YU7utxU0KuBpMZYDtxgiokT39B5TyEETX08JAk6pY-2BpHq2AVUvL6no7m8TyOly3Iqk89rZjv-2BNgALzaHfU0vHMC	Get hash	malicious	Unknown	Browse	52.165.165.26 23.204.76.112
	https://q742t.metdo2.com/597h/bToyMDgzL2Nwc2Vzczk2NzU2NTIyMDIvZnJvbnRlbmQvanVwaXRlci9maW06MjA4My9jcHNlc3M5Njc1NjUyMjAyL2Zyb250ZW5kL2p1cGl0ZXIvZmk	Get hash	malicious	HTMLPhisher	Browse	52.165.165.26 23.204.76.112

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 12 19:50:09 2023, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.969885952267805
Encrypted:	false
SSDEEP:	48:85dnTcSHridAKZdA1P4ehwiZUklqehky+3:8b4OOjy
MD5:	27BBD151CD7FBAC28F9DC3E743DF080E
SHA1:	65E2F519A669D5F11EAC0932AF0074CFD9656A21
SHA-256:	08311F2E9A97D9A8C4E9F78336AE351D27DD751835B5B7B9E0CB3FB355094F93
SHA-512:	01BC26446BEE689414430712B4E0111B43F69A7AFE4B52A5A051ED1A67BC156B91A36E4E37BE5A4EA54B25A9E070203EA990769E597C8B5D94CB5CBB7E324328
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....@+C.<-....v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.I.WC.....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.WC.....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.V.WC.....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.V.WC..............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.WE............................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........5........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 12 19:50:09 2023, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.9880464193668432
Encrypted:	false
SSDEEP:	48:8NdnTcSHridAKZdA1+4eh/iZUkAQkqehTy+2:8n4PF9Q6y
MD5:	81909584305C00239A44F78B6FB40EAB
SHA1:	6A600EC34761DBCFE388E90F3D6A901DD097CEFD
SHA-256:	C2CB748E0BB29B85CBD33F26D3C331BFCC5F8A3E5A9FD035090BC21DF565042C
SHA-512:	932003B58E53F361B2706F9D32827296A2C5AE7B65ABD8D27AFB1B48AA38532A9E902D1251E444C57C3EC9FD408CEF0A6FCF9F8370ABBFCE16E5DD882A515C1E
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......8.<-....v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.I.WC.....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.WC.....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.V.WC.....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.V.WC..............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.WE............................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........5........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 5 07:56:51 2023, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	3.996724323885426
Encrypted:	false
SSDEEP:	48:8FdnTcVHridAKZdA1404eh7sFiZUkmgqeh7sZy+BX:8f4zInvy
MD5:	0A6C481F3BACFAE25BBB0169ABF33202
SHA1:	1350E89FCD2F119A9377B2809401BA73EA44C2D3
SHA-256:	3DF4415E6284DE94F6A734DBE80F9EBF6414C455D78EBE9F352E92FDD2D9D277
SHA-512:	632141B8C5ED072A632B1DB0B8AD16951AED678AA72F05952E4F61DEFFEF2398D21A435CF5783B473908E64DB027DF61CD6067666A2BCCECD258F9F0F23A82F2
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....<}.i.....v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.I.WC.....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.WC.....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.V.WC.....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.V.WC..............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.VEW.F...........................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........5........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 12 19:50:09 2023, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9861366779364626
Encrypted:	false
SSDEEP:	48:8/tdnTcSHridAKZdA1p4ehDiZUkwqehXy+R:8v445hy
MD5:	42468E1CF8674734FA482EBC722FC384
SHA1:	544F10450550E2CE09CF206129B5D9E2FD9DED74
SHA-256:	8187F0827E2A56A1DB7DFB65F6666326EDB3702BC9F00484B3B1729B175C1D35
SHA-512:	BE5C2F52693C0EE97B627E4F0AA0255DD2EA9E2DB5A0C84DE1E5309CE2F97F85377AC08E18508D158422210D58E381A0C7798D63F7D5325E47F435F6D0854FDF
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......-.<-....v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.I.WC.....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.WC.....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.V.WC.....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.V.WC..............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.WE............................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........5........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 12 19:50:09 2023, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9750757596501956
Encrypted:	false
SSDEEP:	48:8PdnTcSHridAKZdA1X4ehBiZUk1W1qehVy+C:814Wb91y
MD5:	F4FB327FCD9820411AFA5B4022718A95
SHA1:	52D14EBD9F71E5738699694F51919CD4454C7C1B
SHA-256:	111487F10E3FE3D6312E884122B1C798DB19E336085B6BF85B6CE3FCD8881DE8
SHA-512:	9F6630D2B8252B77A854F5DA1A6141A3373B267F290AFEDD090DD45683B671712B1D3095CD21CEB15C7ECCE2CC51E62A3AA57F43E992783F1BC6DABC881219D7
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....R=.<-....v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.I.WC.....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.WC.....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.V.WC.....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.V.WC..............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.WE............................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........5........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 12 19:50:09 2023, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9843256430096403
Encrypted:	false
SSDEEP:	48:8EdnTcSHridAKZdA1duTc4ehOuTbbiZUk5OjqehOuTbvy+yT+:8s4LTcJTbxWOvTbvy7T
MD5:	C3502062A8B1E34E4A2670B8E8518E6D
SHA1:	7DBB3100933058DAB22E762CEC0B3BC78983A67E
SHA-256:	980C1DA465AA1A555F2682BCCD472EBB9FF3C6F6A83ECF73D348355CAE3486D7
SHA-512:	A292A794CACA8123A95080ABFCCB8B11F2C0A93C20D33C43A2B5D84066464B223F7F6EB5DA6124B22CA504C024E8885FE68FA6F489C90EA648CF33DE163BB8EB
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....^e$.<-....v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.I.WC.....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.WC.....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.V.WC.....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.V.WC..............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.WE............................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........5........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 58

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 100x100, components 3
Category:	dropped
Size (bytes):	7837
Entropy (8bit):	7.939178431094295
Encrypted:	false
SSDEEP:	192:Z6PlMKjn6MosEtOrShhiHCYCOh/GCgvPvE3HSeD+/4OT:Z6PxjnqtOyhiHCYCOhuCuvE3HSeDPOT
MD5:	4A596563F96E2E47151C17F589CAC1AD
SHA1:	DBBAE4D2FFE69C58614D7F35673F866C357F00C7
SHA-256:	BC9288A2FBD9FD6F690B644420B3D30D9D5AE80FD9AB7DFD54B0605CB1506552
SHA-512:	86A5076362D2774B28D4290B6E7B5578C8A8AB25524A9D0B4DA6BCE830FC1889BDD0B4331219D4702A530B6C8077B7444FE61AB6F8BD59E252C2121F4A374B17
Malicious:	false
Reputation:	low
Preview:	......JFIF.....d.d......Ducky.......U......Adobe.d.................................................................................................................................................d.d...............................................................................................!....1"..Aa2#Q.q.bu.9.Brs$.4D.7W..(x.J........................!..1Aq.Qa...2....".Br3..R.#4..bc$%Es'G............?...I .^q...m.m&.Z.......m.t"j..)."{.Yl.%`(..WL5.V.G...v}sA.[.l...y...$x....m$9...T..M.Uo.LxT.-.......T..qy!X......4..k.Dw_k.V.sQ6O...A......a$.m...p;...p.n.R..~.oVj6..M...mF]2J.<.>RVP.EM.!]5'".G.......D..N../.......=+..;.&.N.PvS`...Z.]."...-ylQi....'Mqz.+BrN@.#<....].l2..y..j.xw......F..!..o.......T.8.. w...#..!m.p.....eki..%..1.....M]X.`"OR...'....e..y..8/'L.%.2.aX...-..Z.@.G+s..Qa.....oK9g.(.....k5.o.....4.D..s&.......\3.7.9.c\{..z....gY..GTf.N..4.....qL..M.)iIW...%..".B...gP.2p..#..^.....L$..I\|..%....(..Ni.`.i...(q.Zt.-.I ..........A..-<..=.j.w.s6.

Chrome Cache Entry: 59

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 3 icons, 16x16, 32 bits/pixel, 48x48, 32 bits/pixel
Category:	downloaded
Size (bytes):	78446
Entropy (8bit):	1.8613615146926084
Encrypted:	false
SSDEEP:	384:Klg3s5KEZCWSDmxbjZOLEY8F7FLk+JKWT1IDc+Cput2tttxWH:Kp55CWSDmxbjmSFLk+B1IDc+Cpntt2
MD5:	85EE34CFB95AB45F2F0E664F8C3D753D
SHA1:	0E08DF440D57150CBB73F8D8397CA086F3EF3EC9
SHA-256:	1742250D10600A52EE5E2A23BAE1F86BE83D83F85F36B537FA97AA69718ABF5B
SHA-512:	E905937E8DF7F91D9E191736E179C42FC33416E4A827293B8E7BC49DCA4F579FC062794326E85A07D63CB3C641564F14DCA964D20FFA77D6FB0A1C08C4268A6E
Malicious:	false
URL:	http://nssm.cc/favicon.ico
Preview:	............ .h...6...00.... ..%............ .(...F..(....... ..... ............................................%......."...................................................$...X...s...P.......................1...B...................F..q.......Y...._...................9..9....n...(...........................]..................."..K...j....~...)...........................V...+......................t....v...)......................a....S...)......................q....b...)......................_....S...).......]...........x..g....U...)......................_....S.../...6..`............$..`....S...)......................_....U...E..<.........../......_....S...)......................`....d..........\....@..........^....U...)......................j................i..............`....Z..........................................!...........<..a....u...B...................O..............................[.......s...N..............&...x.......M.......................w.......[....1..............

Chrome Cache Entry: 60

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 100x100, components 3
Category:	downloaded
Size (bytes):	7837
Entropy (8bit):	7.939178431094295
Encrypted:	false
SSDEEP:	192:Z6PlMKjn6MosEtOrShhiHCYCOh/GCgvPvE3HSeD+/4OT:Z6PxjnqtOyhiHCYCOhuCuvE3HSeDPOT
MD5:	4A596563F96E2E47151C17F589CAC1AD
SHA1:	DBBAE4D2FFE69C58614D7F35673F866C357F00C7
SHA-256:	BC9288A2FBD9FD6F690B644420B3D30D9D5AE80FD9AB7DFD54B0605CB1506552
SHA-512:	86A5076362D2774B28D4290B6E7B5578C8A8AB25524A9D0B4DA6BCE830FC1889BDD0B4331219D4702A530B6C8077B7444FE61AB6F8BD59E252C2121F4A374B17
Malicious:	false
URL:	http://nssm.cc/images/logo.jpg
Preview:	......JFIF.....d.d......Ducky.......U......Adobe.d.................................................................................................................................................d.d...............................................................................................!....1"..Aa2#Q.q.bu.9.Brs$.4D.7W..(x.J........................!..1Aq.Qa...2....".Br3..R.#4..bc$%Es'G............?...I .^q...m.m&.Z.......m.t"j..)."{.Yl.%`(..WL5.V.G...v}sA.[.l...y...$x....m$9...T..M.Uo.LxT.-.......T..qy!X......4..k.Dw_k.V.sQ6O...A......a$.m...p;...p.n.R..~.oVj6..M...mF]2J.<.>RVP.EM.!]5'".G.......D..N../.......=+..;.&.N.PvS`...Z.]."...-ylQi....'Mqz.+BrN@.#<....].l2..y..j.xw......F..!..o.......T.8.. w...#..!m.p.....eki..%..1.....M]X.`"OR...'....e..y..8/'L.%.2.aX...-..Z.@.G+s..Qa.....oK9g.(.....k5.o.....4.D..s&.......\3.7.9.c\{..z....gY..GTf.N..4.....qL..M.)iIW...%..".B...gP.2p..#..^.....L$..I\|..%....(..Ni.`.i...(q.Zt.-.I ..........A..-<..=.j.w.s6.

Chrome Cache Entry: 61

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	216
Entropy (8bit):	5.159182531677209
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3eKabCezocKqD:J0+oxBeRmR9etdzRxLez1T
MD5:	A3098923B5E12D5A37829EFAF9A9A475
SHA1:	FAB97D8B98E101750323E0129B318CBC88C37AA5
SHA-256:	BED2C23E979983B532477E2B29EE95F98C5A867D17B00B1FB760C90A0588DE41
SHA-512:	4876F7C7767AF2EF1BBE7CF16508F54EAE3EABC9CEB0F53A0BF0357796F8B859EFAD8776E095F957A1AC3F036CA68C86B126852DD9BDB87BC7A6FC982C7FCC6C
Malicious:	false
URL:	http://nssm.cc/images/sidebar.jpg
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /images/sidebar.jpg was not found on this server.</p>.</body></html>.

Chrome Cache Entry: 62

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	1395
Entropy (8bit):	4.9148331258756475
Encrypted:	false
SSDEEP:	24:wOaNDhklovAqIe6L7fQrJDA5k2ftFq8+AvvtAvvCOAvvgOAvvuAvvV8hPAvvLHiF:wOYDhk+vX96L7fIJDA5ketcFAvvtAvvO
MD5:	6F3596C011538F55DC590C5EF250C5FF
SHA1:	A358294A4529995016CB8148C6746AF451D46BBA
SHA-256:	E33DBAC6E396B275D2FE963AB2E6B2CF1429F2000A0A348ECB0819178CA3A4A6
SHA-512:	933A73F909A3395C7ADBD0A250D9B154B6B839A7637240FA872D834E4FD7403AA0AE5DCC9798B37DC55FD781E1FB7CEFE4A3C8B67CC8BFA0CC8D9F44FD4556AA
Malicious:	false
URL:	http://nssm.cc/style.css
Preview:	@media print {.. #menu { display: none; }.. #main { }..}....@media screen {.. #menu {.. background: url(/images/sidebar.jpg) white no-repeat;.. position: absolute;.. left: 0px; width: 128px;.. top: 0px; height: 480px.. }.... #main {.. position: absolute;.. left: 144px;.. top: 8px.. }..}....body {...color: black;.. font-family: "Caslon 540", Helvetica, Arial;.. background-color: white;..}....p {...text-indent: 1em;..}....h1,h2,h3,h4,h5,h6 {...font-family: "Univers 55", Univers, Verdana;..}....a {...color: darkred;.. text-decoration: none;..}....a:hover {...color: red;..}.....noindent {...text-indent: 0px;..}.....noIndent {...text-indent: 0px;..}.....menuindent {...margin-left: 8px;.. text-indent: 0px;..}.....cvindent {...margin-left: 8px;.. text-indent: 0px;..}.....bigIndent {...margin-left: 2em;.. text-indent: 0px;..}.....code {...margin-left: 2em;.. color: darkblue;.. text-indent: 0px;..}.....bigred {.. color: red;..}.....white {.. color: white;..}

Chrome Cache Entry: 63

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 3 icons, 16x16, 32 bits/pixel, 48x48, 32 bits/pixel
Category:	dropped
Size (bytes):	78446
Entropy (8bit):	1.8613615146926084
Encrypted:	false
SSDEEP:	384:Klg3s5KEZCWSDmxbjZOLEY8F7FLk+JKWT1IDc+Cput2tttxWH:Kp55CWSDmxbjmSFLk+B1IDc+Cpntt2
MD5:	85EE34CFB95AB45F2F0E664F8C3D753D
SHA1:	0E08DF440D57150CBB73F8D8397CA086F3EF3EC9
SHA-256:	1742250D10600A52EE5E2A23BAE1F86BE83D83F85F36B537FA97AA69718ABF5B
SHA-512:	E905937E8DF7F91D9E191736E179C42FC33416E4A827293B8E7BC49DCA4F579FC062794326E85A07D63CB3C641564F14DCA964D20FFA77D6FB0A1C08C4268A6E
Malicious:	false
Preview:	............ .h...6...00.... ..%............ .(...F..(....... ..... ............................................%......."...................................................$...X...s...P.......................1...B...................F..q.......Y...._...................9..9....n...(...........................]..................."..K...j....~...)...........................V...+......................t....v...)......................a....S...)......................q....b...)......................_....S...).......]...........x..g....U...)......................_....S.../...6..`............$..`....S...)......................_....U...E..<.........../......_....S...)......................`....d..........\....@..........^....U...)......................j................i..............`....Z..........................................!...........<..a....u...B...................O..............................[.......s...N..............&...x.......M.......................w.......[....1..............

Chrome Cache Entry: 64

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	2074
Entropy (8bit):	4.947443458632238
Encrypted:	false
SSDEEP:	48:Jp3KkDkdKvmHjQLOY/79KMIRM+3nvO3z1hGQ7M3:xodKyyOu5y6yujk
MD5:	7C80579E91FCEB576181144C98EDD626
SHA1:	8D091F740CCC5C884FADA52D91290D91BC6D6513
SHA-256:	8CECEA5175AE550282C1D25644AE5D6E69D7A7AF39D8C864BB8D4806781E44DD
SHA-512:	9EC83649CA78511202DFBF3682E3D803EBA5BA9D32B6230A9B8287FB5F36787C11D633F3447F137B46063F9EF1B040DBC1944A9EF7899F3AEB92DEDEA3B67052
Malicious:	false
URL:	http://nssm.cc/
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">.<html>.<head>.<meta http-equiv="Content-type" content="text/html; charset=utf-8">.<meta http-equiv="Content-language" content="en">.<title>NSSM - the Non-Sucking Service Manager</title>.<link rel="stylesheet" href="/style.css" type="text/css">.</head>..<body>.<div id="menu">.<a href="/"><img src="/images/logo.jpg" alt="nssm.cc" border=0></a>.<br>.<p class="menuindent"><a href="/description">Stable version<br></a>.<a href="/download">Download<br></a>.<a href="/builds">All builds<br></a>.<a href="/usage">Usage<br></a>.<a href="/commands">Command line<br></a>.<a href="/scenarios">Use cases<br></a>.<a href="/bugs">Bugs<br></a>.<a href="/changelog">Changelog<br></a>.<a href="/credits">Credits<br></a>.<a href="http://git.nssm.cc/nssm/nssm">Gitweb<br></a>.<a href="/building">Building<br></a>.<a href="/l10n">Localisation<br></a>.<a href="/v3">Planned features<br></a>.<a href="/not">... is not

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	5.548858855357459
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	KsJBQmWmRc.exe
File size:	294'912 bytes
MD5:	d9ec6f3a3b2ac7cd5eef07bd86e3efbc
SHA1:	e1908caab6f938404af85a7df0f80f877a4d9ee6
SHA256:	472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
SHA512:	1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4
SSDEEP:	6144:4BULviqYnI3QA7JTXRnZSHL2GZbkG/TZgLgst2rDkXNBD:wqBlG/TZgUsxXNBD
TLSH:	6954605263ED8A61F5F73F71683946210F36BCA19E3CC14E5390992E2CB1AA4DC747A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6.Y.W...W...W....1..W....'..W.......W...W..<W.... ..W....0..W....5..W..Rich.W..................PE..L....@.T...................

File Icon


Icon Hash:	f575ea6a75343932

Static PE Info

General

Entrypoint:	0x413e53
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x54034094 [Sun Aug 31 15:34:44 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	18e3eac3e047c2416ca9a716d742272f

Entrypoint Preview

Instruction
call 00007F82C0E74529h
jmp 00007F82C0E6F6EAh
push 00000054h
push 00420310h
call 00007F82C0E72454h
xor edi, edi
mov dword ptr [ebp-04h], edi
lea eax, dword ptr [ebp-64h]
push eax
call dword ptr [0041D27Ch]
mov dword ptr [ebp-04h], FFFFFFFEh
push 00000040h
push 00000020h
pop esi
push esi
call 00007F82C0E6FAB1h
pop ecx
pop ecx
cmp eax, edi
je 00007F82C0E6FA5Ah
mov dword ptr [00423FA0h], eax
mov dword ptr [00423F98h], esi
lea ecx, dword ptr [eax+00000800h]
jmp 00007F82C0E6F872h
mov byte ptr [eax+04h], 00000000h
or dword ptr [eax], FFFFFFFFh
mov byte ptr [eax+05h], 0000000Ah
mov dword ptr [eax+08h], edi
mov byte ptr [eax+24h], 00000000h
mov byte ptr [eax+25h], 0000000Ah
mov byte ptr [eax+26h], 0000000Ah
mov dword ptr [eax+38h], edi
mov byte ptr [eax+34h], 00000000h
add eax, 40h
mov ecx, dword ptr [00423FA0h]
add ecx, 00000800h
cmp eax, ecx
jc 00007F82C0E6F80Eh
cmp word ptr [ebp-32h], di
je 00007F82C0E6F950h
mov eax, dword ptr [ebp-30h]
cmp eax, edi
je 00007F82C0E6F945h
mov edi, dword ptr [eax]
lea ebx, dword ptr [eax+04h]
lea eax, dword ptr [ebx+edi]
mov dword ptr [ebp-1Ch], eax
mov esi, 00000800h
cmp edi, esi
jl 00007F82C0E6F844h
mov edi, esi
mov dword ptr [ebp-20h], 00000001h
jmp 00007F82C0E6F89Dh
push 00000040h
push 00000020h
call 00007F82C0E6FA23h
pop ecx
pop ecx

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20664	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x25f1c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x201e8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1d000	0x348	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1bc13	0x1be00	False	0.49595361547085204	data	6.45383075565656	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1d000	0x49d2	0x4a00	False	0.3324535472972973	data	5.000804282504563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x22000	0x30c4	0x1400	False	0.2283203125	data	2.4567709393695543	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x26000	0x25f1c	0x26000	False	0.28105725740131576	data	4.313688247655514	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x26790	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.41134751773049644
RT_ICON	0x26bf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.11679174484052533
RT_ICON	0x27ca0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.2225103734439834
RT_ICON	0x2a248	0x422a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9853583658046995
RT_DIALOG	0x2e474	0x14a	data	English	United States	0.603030303030303
RT_DIALOG	0x2e5c0	0x16c	data	French	France	0.5906593406593407
RT_DIALOG	0x2e72c	0x160	data	Italian	Italy	0.5795454545454546
RT_DIALOG	0x2e88c	0xe6	data	English	United States	0.6521739130434783
RT_DIALOG	0x2e974	0x106	data	French	France	0.648854961832061
RT_DIALOG	0x2ea7c	0xf6	data	Italian	Italy	0.6300813008130082
RT_DIALOG	0x2eb74	0x13e	data	English	United States	0.6163522012578616
RT_DIALOG	0x2ecb4	0x158	data	French	France	0.6162790697674418
RT_DIALOG	0x2ee0c	0x158	data	Italian	Italy	0.5959302325581395
RT_DIALOG	0x2ef64	0x18e	data	English	United States	0.542713567839196
RT_DIALOG	0x2f0f4	0x192	data	French	France	0.5597014925373134
RT_DIALOG	0x2f288	0x192	data	Italian	Italy	0.5597014925373134
RT_DIALOG	0x2f41c	0x14e	data	English	United States	0.5838323353293413
RT_DIALOG	0x2f56c	0x15a	data	French	France	0.5751445086705202
RT_DIALOG	0x2f6c8	0x162	data	Italian	Italy	0.5621468926553672
RT_DIALOG	0x2f82c	0x1ee	data	English	United States	0.5465587044534413
RT_DIALOG	0x2fa1c	0x216	data	French	France	0.5411985018726592
RT_DIALOG	0x2fc34	0x1ea	data	Italian	Italy	0.5224489795918368
RT_DIALOG	0x2fe20	0x1d0	data			0.47844827586206895
RT_DIALOG	0x2fff0	0x208	data	French	France	0.4634615384615385
RT_DIALOG	0x301f8	0x1d4	data	Italian	Italy	0.4807692307692308
RT_DIALOG	0x303cc	0x2b8	data			0.4482758620689655
RT_DIALOG	0x30684	0x34a	data	French	France	0.41330166270783847
RT_DIALOG	0x309d0	0x2cc	data	Italian	Italy	0.4581005586592179
RT_DIALOG	0x30c9c	0x2ae	data			0.48833819241982507
RT_DIALOG	0x30f4c	0x2fe	data	French	France	0.47127937336814624
RT_DIALOG	0x3124c	0x2be	data	Italian	Italy	0.45014245014245013
RT_DIALOG	0x3150c	0x2ac	data			0.4473684210526316
RT_DIALOG	0x317b8	0x2dc	data	French	France	0.4344262295081967
RT_DIALOG	0x31a94	0x2ba	data	Italian	Italy	0.4484240687679083
RT_DIALOG	0x31d50	0x110	data			0.6544117647058824
RT_DIALOG	0x31e60	0x13a	data	French	France	0.6242038216560509
RT_DIALOG	0x31f9c	0x126	data	Italian	Italy	0.6394557823129252
RT_DIALOG	0x320c4	0xaa	data	English	United States	0.7588235294117647
RT_DIALOG	0x32170	0xa2	data	French	France	0.7530864197530864
RT_DIALOG	0x32214	0xba	data	Italian	Italy	0.7150537634408602
RT_DIALOG	0x322d0	0x182	data	English	United States	0.5673575129533679
RT_DIALOG	0x32454	0x196	data	French	France	0.5615763546798029
RT_DIALOG	0x325ec	0x196	data	Italian	Italy	0.5517241379310345
RT_DIALOG	0x32784	0xda	data	English	United States	0.7018348623853211
RT_DIALOG	0x32860	0xce	data	French	France	0.7135922330097088
RT_DIALOG	0x32930	0xe2	data	Italian	Italy	0.6769911504424779
RT_MESSAGETABLE	0x32a14	0x7840	data	English	United States	0.1979274948024948
RT_MESSAGETABLE	0x3a254	0x9138	data	French	France	0.1919786959328599
RT_MESSAGETABLE	0x4338c	0x8758	data	Italian	Italy	0.18953474948048948
RT_GROUP_ICON	0x4bae4	0x3e	data	English	United States	0.7903225806451613
RT_VERSION	0x4bb24	0x29c	data	English	United States	0.5404191616766467
RT_MANIFEST	0x4bdc0	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

Imports

DLL	Import
SHLWAPI.dll	PathUnquoteSpacesW, PathFindExtensionW
KERNEL32.dll	CreateThread, SetHandleInformation, CreatePipe, DuplicateHandle, GetCommandLineW, TlsAlloc, GetProcessTimes, OpenProcess, Thread32Next, Thread32First, CreateToolhelp32Snapshot, GenerateConsoleCtrlEvent, SetConsoleCtrlHandler, GetExitCodeProcess, Process32NextW, Process32FirstW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetWindowsDirectoryW, DeleteCriticalSection, UnregisterWait, WaitForSingleObject, LeaveCriticalSection, SetWaitableTimer, EnterCriticalSection, ResumeThread, SetProcessAffinityMask, RegisterWaitForSingleObject, GetSystemTimeAsFileTime, CreateWaitableTimerW, InitializeCriticalSection, ReadFile, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, HeapSize, RtlUnwind, GetLocaleInfoA, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, FlushFileBuffers, GetConsoleMode, GetConsoleCP, WideCharToMultiByte, VirtualAlloc, HeapReAlloc, GetTickCount, QueryPerformanceCounter, VirtualFree, SetLastError, HeapCreate, SetStdHandle, InitializeCriticalSectionAndSpinCount, LoadLibraryA, GetFileInformationByHandle, Sleep, SystemTimeToFileTime, CloseHandle, CompareFileTime, FileTimeToSystemTime, MoveFileW, GetSystemTime, CreateFileW, SetFilePointer, SetEndOfFile, WriteFile, FreeLibrary, GetProcAddress, LoadLibraryW, GetCurrentProcess, GetProcessAffinityMask, FindResourceExW, LoadResource, GetModuleHandleW, LocalFree, TlsGetValue, LocalAlloc, TlsSetValue, GetUserDefaultLangID, FormatMessageW, GetModuleFileNameW, CreateProcessW, TerminateProcess, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, AllocConsole, SetConsoleTitleW, GetStdHandle, FillConsoleOutputAttribute, FillConsoleOutputCharacterW, GetConsoleWindow, GetCurrentProcessId, FreeConsole, GetProcessHeap, HeapAlloc, GetComputerNameW, HeapFree, GetLastError, GetCurrentThreadId, TlsFree, IsValidCodePage, MultiByteToWideChar, ExitProcess, SetHandleCount, GetFileType, GetStartupInfoA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, GetModuleFileNameA
USER32.dll	EnumWindows, PostThreadMessageW, PostMessageW, LoadImageW, SetWindowLongW, GetMessageW, IsDialogMessageW, TranslateMessage, DispatchMessageW, DestroyWindow, PostQuitMessage, ShowWindow, SetFocus, GetWindowLongW, CheckRadioButton, SetWindowPos, SetDlgItemInt, SetDlgItemTextW, SendMessageW, GetDlgItemTextW, GetDlgItem, EnableWindow, GetDlgItemInt, SendDlgItemMessageW, GetWindowRect, GetDesktopWindow, MoveWindow, CreateDialogIndirectParamW, MessageBoxW, MessageBoxIndirectW, GetSystemMenu, EnableMenuItem, GetWindowThreadProcessId, GetSystemMetrics
COMDLG32.dll	GetOpenFileNameW
ADVAPI32.dll	CreateServiceW, StartServiceW, ControlService, SetServiceStatus, DeleteService, QueryServiceConfig2W, ChangeServiceConfig2W, ChangeServiceConfigW, QueryServiceConfigW, OpenServiceW, GetServiceKeyNameW, EnumServicesStatusW, OpenSCManagerW, QueryServiceStatus, RegDeleteKeyW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, StartServiceCtrlDispatcherW, AllocateAndInitializeSid, CheckTokenMembership, RegDeleteValueW, IsTextUnicode, RegisterEventSourceW, ReportEventW, DeregisterEventSource, GetServiceDisplayNameW, CloseServiceHandle, LsaEnumerateAccountRights, LsaAddAccountRights, FreeSid, LsaLookupSids, LsaClose, LsaLookupNames, LsaFreeMemory, IsValidSid, GetSidSubAuthorityCount, GetSidLengthRequired, GetSidIdentifierAuthority, InitializeSid, GetSidSubAuthority, LsaOpenPolicy, LsaNtStatusToWinError, RegisterServiceCtrlHandlerExW
SHELL32.dll	ShellExecuteExW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
French	France
Italian	Italy

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2023 21:50:00.771200895 CET	49677	443	192.168.2.9	20.189.173.11
Dec 12, 2023 21:50:01.075570107 CET	49677	443	192.168.2.9	20.189.173.11
Dec 12, 2023 21:50:01.685040951 CET	49677	443	192.168.2.9	20.189.173.11
Dec 12, 2023 21:50:01.700542927 CET	49673	443	192.168.2.9	204.79.197.203
Dec 12, 2023 21:50:02.818162918 CET	49676	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:02.818240881 CET	49675	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:02.888020039 CET	49677	443	192.168.2.9	20.189.173.11
Dec 12, 2023 21:50:03.028640032 CET	49674	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:05.294239044 CET	49677	443	192.168.2.9	20.189.173.11
Dec 12, 2023 21:50:07.774302959 CET	49707	443	192.168.2.9	172.217.2.206
Dec 12, 2023 21:50:07.774348021 CET	443	49707	172.217.2.206	192.168.2.9
Dec 12, 2023 21:50:07.774626017 CET	49708	443	192.168.2.9	172.217.3.77
Dec 12, 2023 21:50:07.774666071 CET	443	49708	172.217.3.77	192.168.2.9
Dec 12, 2023 21:50:07.774728060 CET	49708	443	192.168.2.9	172.217.3.77
Dec 12, 2023 21:50:07.775015116 CET	49708	443	192.168.2.9	172.217.3.77
Dec 12, 2023 21:50:07.775026083 CET	443	49708	172.217.3.77	192.168.2.9
Dec 12, 2023 21:50:07.775209904 CET	49707	443	192.168.2.9	172.217.2.206
Dec 12, 2023 21:50:07.775209904 CET	49707	443	192.168.2.9	172.217.2.206
Dec 12, 2023 21:50:07.775243998 CET	443	49707	172.217.2.206	192.168.2.9
Dec 12, 2023 21:50:07.782418013 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:07.783035040 CET	49710	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:07.878987074 CET	49711	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:07.913578033 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:07.913805008 CET	80	49710	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:07.913866043 CET	49710	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:07.916565895 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:07.916565895 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:08.010241985 CET	80	49711	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:08.010348082 CET	49711	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:08.062242031 CET	443	49707	172.217.2.206	192.168.2.9
Dec 12, 2023 21:50:08.062447071 CET	49707	443	192.168.2.9	172.217.2.206
Dec 12, 2023 21:50:08.062479019 CET	443	49707	172.217.2.206	192.168.2.9
Dec 12, 2023 21:50:08.062875986 CET	443	49707	172.217.2.206	192.168.2.9
Dec 12, 2023 21:50:08.062942028 CET	49707	443	192.168.2.9	172.217.2.206
Dec 12, 2023 21:50:08.063920021 CET	443	49707	172.217.2.206	192.168.2.9
Dec 12, 2023 21:50:08.063977957 CET	49707	443	192.168.2.9	172.217.2.206
Dec 12, 2023 21:50:08.064812899 CET	49707	443	192.168.2.9	172.217.2.206
Dec 12, 2023 21:50:08.064877987 CET	443	49707	172.217.2.206	192.168.2.9
Dec 12, 2023 21:50:08.065011024 CET	49707	443	192.168.2.9	172.217.2.206
Dec 12, 2023 21:50:08.065017939 CET	443	49707	172.217.2.206	192.168.2.9
Dec 12, 2023 21:50:08.087867022 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:08.095909119 CET	443	49708	172.217.3.77	192.168.2.9
Dec 12, 2023 21:50:08.096204996 CET	49708	443	192.168.2.9	172.217.3.77
Dec 12, 2023 21:50:08.096229076 CET	443	49708	172.217.3.77	192.168.2.9
Dec 12, 2023 21:50:08.097270966 CET	443	49708	172.217.3.77	192.168.2.9
Dec 12, 2023 21:50:08.097361088 CET	49708	443	192.168.2.9	172.217.3.77
Dec 12, 2023 21:50:08.098337889 CET	49708	443	192.168.2.9	172.217.3.77
Dec 12, 2023 21:50:08.098387003 CET	443	49708	172.217.3.77	192.168.2.9
Dec 12, 2023 21:50:08.098670959 CET	49708	443	192.168.2.9	172.217.3.77
Dec 12, 2023 21:50:08.098679066 CET	443	49708	172.217.3.77	192.168.2.9
Dec 12, 2023 21:50:08.117156029 CET	49707	443	192.168.2.9	172.217.2.206
Dec 12, 2023 21:50:08.148051023 CET	49708	443	192.168.2.9	172.217.3.77
Dec 12, 2023 21:50:08.330662966 CET	443	49707	172.217.2.206	192.168.2.9
Dec 12, 2023 21:50:08.330811024 CET	443	49707	172.217.2.206	192.168.2.9
Dec 12, 2023 21:50:08.330893040 CET	49707	443	192.168.2.9	172.217.2.206
Dec 12, 2023 21:50:08.331377029 CET	49707	443	192.168.2.9	172.217.2.206
Dec 12, 2023 21:50:08.331394911 CET	443	49707	172.217.2.206	192.168.2.9
Dec 12, 2023 21:50:08.370479107 CET	443	49708	172.217.3.77	192.168.2.9
Dec 12, 2023 21:50:08.370729923 CET	443	49708	172.217.3.77	192.168.2.9
Dec 12, 2023 21:50:08.370804071 CET	49708	443	192.168.2.9	172.217.3.77
Dec 12, 2023 21:50:08.377787113 CET	49708	443	192.168.2.9	172.217.3.77
Dec 12, 2023 21:50:08.377820015 CET	443	49708	172.217.3.77	192.168.2.9
Dec 12, 2023 21:50:10.108717918 CET	49677	443	192.168.2.9	20.189.173.11
Dec 12, 2023 21:50:11.314672947 CET	49673	443	192.168.2.9	204.79.197.203
Dec 12, 2023 21:50:12.097417116 CET	49716	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:50:12.097460985 CET	443	49716	142.251.35.228	192.168.2.9
Dec 12, 2023 21:50:12.097521067 CET	49716	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:50:12.098021030 CET	49716	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:50:12.098031998 CET	443	49716	142.251.35.228	192.168.2.9
Dec 12, 2023 21:50:12.311042070 CET	49717	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:12.311077118 CET	443	49717	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:12.311150074 CET	49717	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:12.313836098 CET	49717	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:12.313859940 CET	443	49717	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:12.378634930 CET	443	49716	142.251.35.228	192.168.2.9
Dec 12, 2023 21:50:12.378985882 CET	49716	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:50:12.379010916 CET	443	49716	142.251.35.228	192.168.2.9
Dec 12, 2023 21:50:12.380043030 CET	443	49716	142.251.35.228	192.168.2.9
Dec 12, 2023 21:50:12.380115986 CET	49716	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:50:12.381028891 CET	49716	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:50:12.381087065 CET	443	49716	142.251.35.228	192.168.2.9
Dec 12, 2023 21:50:12.424000025 CET	49676	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:12.424021959 CET	49675	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:12.424032927 CET	49716	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:50:12.424043894 CET	443	49716	142.251.35.228	192.168.2.9
Dec 12, 2023 21:50:12.469844103 CET	49716	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:50:12.573606014 CET	443	49717	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:12.573764086 CET	49717	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:12.578326941 CET	49717	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:12.578353882 CET	443	49717	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:12.578655005 CET	443	49717	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:12.622927904 CET	49717	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:12.634510994 CET	49717	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:12.640552044 CET	49674	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:12.680737019 CET	443	49717	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:12.816459894 CET	443	49717	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:12.816648960 CET	443	49717	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:12.816735029 CET	49717	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:12.820024014 CET	49717	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:12.820049047 CET	443	49717	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:12.820081949 CET	49717	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:12.820087910 CET	443	49717	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:12.870357037 CET	49718	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:12.870387077 CET	443	49718	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:12.870471954 CET	49718	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:12.870795965 CET	49718	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:12.870804071 CET	443	49718	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:13.126388073 CET	443	49718	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:13.126496077 CET	49718	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:13.129266977 CET	49718	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:13.129273891 CET	443	49718	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:13.129512072 CET	443	49718	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:13.130604029 CET	49718	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:13.172739983 CET	443	49718	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:13.382761002 CET	443	49718	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:13.382874012 CET	443	49718	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:13.383045912 CET	49718	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:13.384202003 CET	49718	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:13.384212971 CET	443	49718	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:13.384226084 CET	49718	443	192.168.2.9	23.204.76.112
Dec 12, 2023 21:50:13.384231091 CET	443	49718	23.204.76.112	192.168.2.9
Dec 12, 2023 21:50:14.089973927 CET	443	49704	23.206.229.209	192.168.2.9
Dec 12, 2023 21:50:14.090082884 CET	49704	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:18.046740055 CET	80	49710	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:18.046888113 CET	49710	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:18.065191031 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:18.065232038 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:18.065313101 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:18.083044052 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:18.083493948 CET	49710	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:18.083564997 CET	49710	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:18.083770990 CET	49711	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:18.142133951 CET	80	49711	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:18.142235041 CET	49711	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:18.142338037 CET	49711	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:18.149631977 CET	49719	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:18.214319944 CET	80	49710	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:18.214337111 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:18.214406013 CET	80	49710	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:18.214901924 CET	80	49711	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:18.273415089 CET	80	49711	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:18.273438931 CET	80	49711	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:18.280303001 CET	80	49719	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:18.280399084 CET	49719	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:18.280581951 CET	49719	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:18.452821016 CET	80	49719	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:19.710309029 CET	49677	443	192.168.2.9	20.189.173.11
Dec 12, 2023 21:50:22.368880987 CET	443	49716	142.251.35.228	192.168.2.9
Dec 12, 2023 21:50:22.368954897 CET	443	49716	142.251.35.228	192.168.2.9
Dec 12, 2023 21:50:22.369008064 CET	49716	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:50:23.163314104 CET	49720	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:50:23.163348913 CET	443	49720	52.165.165.26	192.168.2.9
Dec 12, 2023 21:50:23.163424969 CET	49720	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:50:23.165570021 CET	49720	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:50:23.165587902 CET	443	49720	52.165.165.26	192.168.2.9
Dec 12, 2023 21:50:23.693723917 CET	443	49720	52.165.165.26	192.168.2.9
Dec 12, 2023 21:50:23.693898916 CET	49720	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:50:23.695784092 CET	49720	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:50:23.695816040 CET	443	49720	52.165.165.26	192.168.2.9
Dec 12, 2023 21:50:23.696151018 CET	443	49720	52.165.165.26	192.168.2.9
Dec 12, 2023 21:50:23.736093044 CET	49720	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:50:23.822550058 CET	49720	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:50:23.861232042 CET	49716	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:50:23.861254930 CET	443	49716	142.251.35.228	192.168.2.9
Dec 12, 2023 21:50:23.868755102 CET	443	49720	52.165.165.26	192.168.2.9
Dec 12, 2023 21:50:24.089056969 CET	49704	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:24.089145899 CET	49704	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:24.089545965 CET	49722	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:24.089582920 CET	443	49722	23.206.229.209	192.168.2.9
Dec 12, 2023 21:50:24.089664936 CET	49722	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:24.090389013 CET	49722	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:24.090400934 CET	443	49722	23.206.229.209	192.168.2.9
Dec 12, 2023 21:50:24.194725990 CET	443	49720	52.165.165.26	192.168.2.9
Dec 12, 2023 21:50:24.194750071 CET	443	49720	52.165.165.26	192.168.2.9
Dec 12, 2023 21:50:24.194757938 CET	443	49720	52.165.165.26	192.168.2.9
Dec 12, 2023 21:50:24.194767952 CET	443	49720	52.165.165.26	192.168.2.9
Dec 12, 2023 21:50:24.194797993 CET	443	49720	52.165.165.26	192.168.2.9
Dec 12, 2023 21:50:24.194849014 CET	49720	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:50:24.194865942 CET	443	49720	52.165.165.26	192.168.2.9
Dec 12, 2023 21:50:24.194876909 CET	443	49720	52.165.165.26	192.168.2.9
Dec 12, 2023 21:50:24.194905043 CET	443	49720	52.165.165.26	192.168.2.9
Dec 12, 2023 21:50:24.194926977 CET	49720	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:50:24.194927931 CET	49720	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:50:24.194983959 CET	49720	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:50:24.214310884 CET	49720	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:50:24.214334965 CET	443	49720	52.165.165.26	192.168.2.9
Dec 12, 2023 21:50:24.214370012 CET	49720	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:50:24.214378119 CET	443	49720	52.165.165.26	192.168.2.9
Dec 12, 2023 21:50:24.276897907 CET	443	49704	23.206.229.209	192.168.2.9
Dec 12, 2023 21:50:24.276920080 CET	443	49704	23.206.229.209	192.168.2.9
Dec 12, 2023 21:50:24.477550030 CET	443	49722	23.206.229.209	192.168.2.9
Dec 12, 2023 21:50:24.477649927 CET	49722	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:24.496567011 CET	49722	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:24.496586084 CET	443	49722	23.206.229.209	192.168.2.9
Dec 12, 2023 21:50:24.496985912 CET	443	49722	23.206.229.209	192.168.2.9
Dec 12, 2023 21:50:24.497090101 CET	49722	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:24.497575998 CET	49722	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:24.497605085 CET	443	49722	23.206.229.209	192.168.2.9
Dec 12, 2023 21:50:24.497757912 CET	49722	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:24.540733099 CET	443	49722	23.206.229.209	192.168.2.9
Dec 12, 2023 21:50:24.946218967 CET	443	49722	23.206.229.209	192.168.2.9
Dec 12, 2023 21:50:24.946316957 CET	49722	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:24.946332932 CET	443	49722	23.206.229.209	192.168.2.9
Dec 12, 2023 21:50:24.946388006 CET	49722	443	192.168.2.9	23.206.229.209
Dec 12, 2023 21:50:28.219902039 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.219923019 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.220004082 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:28.223505974 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:28.355050087 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.415509939 CET	80	49719	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.415556908 CET	80	49719	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.415597916 CET	80	49719	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.415635109 CET	49719	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:28.415636063 CET	80	49719	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.415677071 CET	80	49719	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.415687084 CET	49719	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:28.415715933 CET	80	49719	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.415752888 CET	80	49719	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.415764093 CET	49719	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:28.468976021 CET	49719	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:28.590064049 CET	49723	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:28.689136028 CET	49724	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:28.721263885 CET	80	49723	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.721355915 CET	49723	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:28.721520901 CET	49723	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:28.819952965 CET	80	49724	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.820053101 CET	49724	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:28.855480909 CET	80	49723	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.855530024 CET	80	49723	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.855567932 CET	80	49723	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.855586052 CET	49723	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:28.855606079 CET	80	49723	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.855658054 CET	49723	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:28.855669022 CET	80	49723	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.855706930 CET	80	49723	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.855798960 CET	80	49723	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:28.855813026 CET	49723	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:28.896639109 CET	49723	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:38.357728958 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:38.370182037 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:38.502286911 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:38.951471090 CET	80	49724	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:38.951534986 CET	49724	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.417012930 CET	80	49719	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.417083979 CET	49719	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.506268024 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.506328106 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.506386995 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.506423950 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.506460905 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.506516933 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.506545067 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.506624937 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.506639004 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.506676912 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.506714106 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.506752014 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.506789923 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.506879091 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.637788057 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.637841940 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.637855053 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.637881041 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.637908936 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.637964010 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.637989044 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.638061047 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.638107061 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.638138056 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.638174057 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.638211012 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.638214111 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.638236046 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.638274908 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.638290882 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.638303995 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.638317108 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.638329029 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.638336897 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.638365984 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.638367891 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.638377905 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.638390064 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.638401985 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.638452053 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.638457060 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.638469934 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.638536930 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.769428015 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.769478083 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.769516945 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.769548893 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.769690990 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.769742012 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.769750118 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.769824028 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.769865036 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.769937038 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.770231962 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.770276070 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.770307064 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.770518064 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.770562887 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.770576954 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.770647049 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.770690918 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.770740032 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.771064043 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.771151066 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.771162033 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.771507978 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.771555901 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.771636963 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.771734953 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.771780014 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.771817923 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.771909952 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.771955013 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.772147894 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.772248983 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.772291899 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.772324085 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.772505045 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.772547007 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.772675037 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.772780895 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.772824049 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.772999048 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.773184061 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.773232937 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.773330927 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.773370028 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.773405075 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.773468018 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.773513079 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.773561954 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.777970076 CET	49719	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.778109074 CET	49723	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.856352091 CET	80	49723	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.856532097 CET	49723	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.856693029 CET	49723	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.856992960 CET	49724	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.857045889 CET	49724	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.857527018 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.908606052 CET	80	49719	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.909090996 CET	80	49723	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.987752914 CET	80	49723	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.987792015 CET	80	49723	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.988111019 CET	80	49724	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.988183022 CET	80	49724	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.989073992 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:48.989166975 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:48.989331961 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.124691963 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.124716043 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.124737978 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.124789000 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.124857903 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.124872923 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.124885082 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.124897003 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.124905109 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.124910116 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.124923944 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.124923944 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.124939919 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.124953032 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.124979019 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.255556107 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.255599976 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.255641937 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.255671978 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.255681038 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.255721092 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.255731106 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.255760908 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.255816936 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.255868912 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.255907059 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.255945921 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.255955935 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.255985022 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.256026030 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.256031990 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.256068945 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.256107092 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.256112099 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.256145000 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.256182909 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.256185055 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.256221056 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.256257057 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.256266117 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.256297112 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.256335974 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.256346941 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.256376028 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.256414890 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.387360096 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.387406111 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.387458086 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.387494087 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.387522936 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.387558937 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.387651920 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.387706041 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.387746096 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.387754917 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.387785912 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.387824059 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.387831926 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.387866974 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.387914896 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.387917042 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.387957096 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.387994051 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388005018 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.388031960 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388070107 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388079882 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.388108015 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388149023 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388156891 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.388185978 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388223886 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388232946 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.388263941 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388300896 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388309002 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.388341904 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388379097 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388389111 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.388417959 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388454914 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388459921 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.388494968 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388533115 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388540983 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.388570070 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388624907 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388632059 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.388662100 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388699055 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388712883 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:50:49.388755083 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:50:49.388799906 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:51:00.646866083 CET	49726	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:51:00.646908998 CET	443	49726	52.165.165.26	192.168.2.9
Dec 12, 2023 21:51:00.646991968 CET	49726	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:51:00.647702932 CET	49726	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:51:00.647720098 CET	443	49726	52.165.165.26	192.168.2.9
Dec 12, 2023 21:51:01.188986063 CET	443	49726	52.165.165.26	192.168.2.9
Dec 12, 2023 21:51:01.189140081 CET	49726	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:51:01.191267014 CET	49726	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:51:01.191282034 CET	443	49726	52.165.165.26	192.168.2.9
Dec 12, 2023 21:51:01.191773891 CET	443	49726	52.165.165.26	192.168.2.9
Dec 12, 2023 21:51:01.193113089 CET	49726	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:51:01.240741968 CET	443	49726	52.165.165.26	192.168.2.9
Dec 12, 2023 21:51:01.688467979 CET	443	49726	52.165.165.26	192.168.2.9
Dec 12, 2023 21:51:01.688503027 CET	443	49726	52.165.165.26	192.168.2.9
Dec 12, 2023 21:51:01.688522100 CET	443	49726	52.165.165.26	192.168.2.9
Dec 12, 2023 21:51:01.688595057 CET	49726	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:51:01.688615084 CET	443	49726	52.165.165.26	192.168.2.9
Dec 12, 2023 21:51:01.688662052 CET	49726	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:51:01.688853025 CET	443	49726	52.165.165.26	192.168.2.9
Dec 12, 2023 21:51:01.688895941 CET	443	49726	52.165.165.26	192.168.2.9
Dec 12, 2023 21:51:01.688916922 CET	49726	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:51:01.688927889 CET	443	49726	52.165.165.26	192.168.2.9
Dec 12, 2023 21:51:01.688956976 CET	443	49726	52.165.165.26	192.168.2.9
Dec 12, 2023 21:51:01.688962936 CET	49726	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:51:01.688997984 CET	49726	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:51:01.692615986 CET	49726	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:51:01.692634106 CET	443	49726	52.165.165.26	192.168.2.9
Dec 12, 2023 21:51:01.692651033 CET	49726	443	192.168.2.9	52.165.165.26
Dec 12, 2023 21:51:01.692657948 CET	443	49726	52.165.165.26	192.168.2.9
Dec 12, 2023 21:51:08.770472050 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:51:08.770710945 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:51:09.389178038 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:51:09.389349937 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:51:09.862941980 CET	49725	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:51:09.863038063 CET	49709	80	192.168.2.9	104.156.51.181
Dec 12, 2023 21:51:09.993869066 CET	80	49725	104.156.51.181	192.168.2.9
Dec 12, 2023 21:51:09.994195938 CET	80	49709	104.156.51.181	192.168.2.9
Dec 12, 2023 21:51:12.031456947 CET	49728	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:51:12.031482935 CET	443	49728	142.251.35.228	192.168.2.9
Dec 12, 2023 21:51:12.031574011 CET	49728	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:51:12.031786919 CET	49728	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:51:12.031796932 CET	443	49728	142.251.35.228	192.168.2.9
Dec 12, 2023 21:51:12.318422079 CET	443	49728	142.251.35.228	192.168.2.9
Dec 12, 2023 21:51:12.318805933 CET	49728	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:51:12.318871975 CET	443	49728	142.251.35.228	192.168.2.9
Dec 12, 2023 21:51:12.319264889 CET	443	49728	142.251.35.228	192.168.2.9
Dec 12, 2023 21:51:12.319597960 CET	49728	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:51:12.319684029 CET	443	49728	142.251.35.228	192.168.2.9
Dec 12, 2023 21:51:12.374129057 CET	49728	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:51:22.323431969 CET	443	49728	142.251.35.228	192.168.2.9
Dec 12, 2023 21:51:22.323509932 CET	443	49728	142.251.35.228	192.168.2.9
Dec 12, 2023 21:51:22.323776960 CET	49728	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:51:23.859791040 CET	49728	443	192.168.2.9	142.251.35.228
Dec 12, 2023 21:51:23.859846115 CET	443	49728	142.251.35.228	192.168.2.9
Dec 12, 2023 21:51:37.117139101 CET	49729	443	192.168.2.9	142.250.217.174
Dec 12, 2023 21:51:37.117172956 CET	443	49729	142.250.217.174	192.168.2.9
Dec 12, 2023 21:51:37.117234945 CET	49729	443	192.168.2.9	142.250.217.174
Dec 12, 2023 21:51:37.117712975 CET	49729	443	192.168.2.9	142.250.217.174
Dec 12, 2023 21:51:37.117726088 CET	443	49729	142.250.217.174	192.168.2.9
Dec 12, 2023 21:51:37.396923065 CET	443	49729	142.250.217.174	192.168.2.9
Dec 12, 2023 21:51:37.397236109 CET	49729	443	192.168.2.9	142.250.217.174
Dec 12, 2023 21:51:37.397257090 CET	443	49729	142.250.217.174	192.168.2.9
Dec 12, 2023 21:51:37.397659063 CET	443	49729	142.250.217.174	192.168.2.9
Dec 12, 2023 21:51:37.397739887 CET	49729	443	192.168.2.9	142.250.217.174
Dec 12, 2023 21:51:37.398396969 CET	443	49729	142.250.217.174	192.168.2.9
Dec 12, 2023 21:51:37.398453951 CET	49729	443	192.168.2.9	142.250.217.174
Dec 12, 2023 21:51:37.399558067 CET	49729	443	192.168.2.9	142.250.217.174
Dec 12, 2023 21:51:37.399625063 CET	443	49729	142.250.217.174	192.168.2.9
Dec 12, 2023 21:51:37.399715900 CET	49729	443	192.168.2.9	142.250.217.174
Dec 12, 2023 21:51:37.399723053 CET	443	49729	142.250.217.174	192.168.2.9
Dec 12, 2023 21:51:37.452630997 CET	49729	443	192.168.2.9	142.250.217.174
Dec 12, 2023 21:51:37.663573980 CET	443	49729	142.250.217.174	192.168.2.9
Dec 12, 2023 21:51:37.663707018 CET	443	49729	142.250.217.174	192.168.2.9
Dec 12, 2023 21:51:37.663892031 CET	49729	443	192.168.2.9	142.250.217.174
Dec 12, 2023 21:51:37.664566994 CET	49729	443	192.168.2.9	142.250.217.174
Dec 12, 2023 21:51:37.664582014 CET	443	49729	142.250.217.174	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2023 21:50:07.621325970 CET	62438	53	192.168.2.9	1.1.1.1
Dec 12, 2023 21:50:07.621495008 CET	60709	53	192.168.2.9	1.1.1.1
Dec 12, 2023 21:50:07.637573004 CET	57459	53	192.168.2.9	1.1.1.1
Dec 12, 2023 21:50:07.637741089 CET	52952	53	192.168.2.9	1.1.1.1
Dec 12, 2023 21:50:07.638087034 CET	57218	53	192.168.2.9	1.1.1.1
Dec 12, 2023 21:50:07.638240099 CET	57874	53	192.168.2.9	1.1.1.1
Dec 12, 2023 21:50:07.746783972 CET	53	63879	1.1.1.1	192.168.2.9
Dec 12, 2023 21:50:07.755050898 CET	53	60709	1.1.1.1	192.168.2.9
Dec 12, 2023 21:50:07.766231060 CET	53	57874	1.1.1.1	192.168.2.9
Dec 12, 2023 21:50:07.766494989 CET	53	57218	1.1.1.1	192.168.2.9
Dec 12, 2023 21:50:07.766618967 CET	53	57459	1.1.1.1	192.168.2.9
Dec 12, 2023 21:50:07.767776012 CET	53	52952	1.1.1.1	192.168.2.9
Dec 12, 2023 21:50:07.781657934 CET	53	62438	1.1.1.1	192.168.2.9
Dec 12, 2023 21:50:08.520752907 CET	53	53382	1.1.1.1	192.168.2.9
Dec 12, 2023 21:50:11.970232010 CET	64365	53	192.168.2.9	1.1.1.1
Dec 12, 2023 21:50:11.970618010 CET	62183	53	192.168.2.9	1.1.1.1
Dec 12, 2023 21:50:12.095704079 CET	53	62183	1.1.1.1	192.168.2.9
Dec 12, 2023 21:50:12.095810890 CET	53	64365	1.1.1.1	192.168.2.9
Dec 12, 2023 21:50:25.424209118 CET	53	58936	1.1.1.1	192.168.2.9
Dec 12, 2023 21:50:28.426070929 CET	50941	53	192.168.2.9	1.1.1.1
Dec 12, 2023 21:50:28.426451921 CET	57182	53	192.168.2.9	1.1.1.1
Dec 12, 2023 21:50:28.561134100 CET	53	57182	1.1.1.1	192.168.2.9
Dec 12, 2023 21:50:28.586548090 CET	53	50941	1.1.1.1	192.168.2.9
Dec 12, 2023 21:50:44.487504959 CET	53	60118	1.1.1.1	192.168.2.9
Dec 12, 2023 21:51:00.193259001 CET	138	138	192.168.2.9	192.168.2.255
Dec 12, 2023 21:51:06.830130100 CET	53	59407	1.1.1.1	192.168.2.9
Dec 12, 2023 21:51:07.268498898 CET	53	62843	1.1.1.1	192.168.2.9
Dec 12, 2023 21:51:36.001269102 CET	53	59373	1.1.1.1	192.168.2.9
Dec 12, 2023 21:51:36.990071058 CET	57888	53	192.168.2.9	1.1.1.1
Dec 12, 2023 21:51:36.991229057 CET	59371	53	192.168.2.9	1.1.1.1
Dec 12, 2023 21:51:37.115798950 CET	53	57888	1.1.1.1	192.168.2.9
Dec 12, 2023 21:51:37.116547108 CET	53	59371	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 12, 2023 21:50:07.621325970 CET	192.168.2.9	1.1.1.1	0xe349	Standard query (0)	nssm.cc	A (IP address)	IN (0x0001)	false
Dec 12, 2023 21:50:07.621495008 CET	192.168.2.9	1.1.1.1	0x2ea	Standard query (0)	nssm.cc	65	IN (0x0001)	false
Dec 12, 2023 21:50:07.637573004 CET	192.168.2.9	1.1.1.1	0xe8f6	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Dec 12, 2023 21:50:07.637741089 CET	192.168.2.9	1.1.1.1	0x6179	Standard query (0)	clients2.google.com	65	IN (0x0001)	false
Dec 12, 2023 21:50:07.638087034 CET	192.168.2.9	1.1.1.1	0xb118	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Dec 12, 2023 21:50:07.638240099 CET	192.168.2.9	1.1.1.1	0x78a4	Standard query (0)	accounts.google.com	65	IN (0x0001)	false
Dec 12, 2023 21:50:11.970232010 CET	192.168.2.9	1.1.1.1	0x7cf6	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Dec 12, 2023 21:50:11.970618010 CET	192.168.2.9	1.1.1.1	0x4452	Standard query (0)	www.google.com	65	IN (0x0001)	false
Dec 12, 2023 21:50:28.426070929 CET	192.168.2.9	1.1.1.1	0x51b6	Standard query (0)	nssm.cc	A (IP address)	IN (0x0001)	false
Dec 12, 2023 21:50:28.426451921 CET	192.168.2.9	1.1.1.1	0x900d	Standard query (0)	nssm.cc	65	IN (0x0001)	false
Dec 12, 2023 21:51:36.990071058 CET	192.168.2.9	1.1.1.1	0xe3f3	Standard query (0)	clients1.google.com	A (IP address)	IN (0x0001)	false
Dec 12, 2023 21:51:36.991229057 CET	192.168.2.9	1.1.1.1	0xcb53	Standard query (0)	clients1.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 12, 2023 21:50:07.766494989 CET	1.1.1.1	192.168.2.9	0xb118	No error (0)	accounts.google.com		172.217.3.77	A (IP address)	IN (0x0001)	false
Dec 12, 2023 21:50:07.766618967 CET	1.1.1.1	192.168.2.9	0xe8f6	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2023 21:50:07.766618967 CET	1.1.1.1	192.168.2.9	0xe8f6	No error (0)	clients.l.google.com		172.217.2.206	A (IP address)	IN (0x0001)	false
Dec 12, 2023 21:50:07.767776012 CET	1.1.1.1	192.168.2.9	0x6179	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2023 21:50:07.781657934 CET	1.1.1.1	192.168.2.9	0xe349	No error (0)	nssm.cc		104.156.51.181	A (IP address)	IN (0x0001)	false
Dec 12, 2023 21:50:12.095704079 CET	1.1.1.1	192.168.2.9	0x4452	No error (0)	www.google.com			65	IN (0x0001)	false
Dec 12, 2023 21:50:12.095810890 CET	1.1.1.1	192.168.2.9	0x7cf6	No error (0)	www.google.com		142.251.35.228	A (IP address)	IN (0x0001)	false
Dec 12, 2023 21:50:28.586548090 CET	1.1.1.1	192.168.2.9	0x51b6	No error (0)	nssm.cc		104.156.51.181	A (IP address)	IN (0x0001)	false
Dec 12, 2023 21:51:37.115798950 CET	1.1.1.1	192.168.2.9	0xe3f3	No error (0)	clients1.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2023 21:51:37.115798950 CET	1.1.1.1	192.168.2.9	0xe3f3	No error (0)	clients.l.google.com		142.250.217.174	A (IP address)	IN (0x0001)	false
Dec 12, 2023 21:51:37.116547108 CET	1.1.1.1	192.168.2.9	0xcb53	No error (0)	clients1.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

clients2.google.com

accounts.google.com

fs.microsoft.com

slscr.update.microsoft.com

https:

www.bing.com

clients1.google.com

nssm.cc

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49709	104.156.51.181	80	8104	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2023 21:50:07.916565895 CET	422	OUT	GET / HTTP/1.1 Host: nssm.cc Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Dec 12, 2023 21:50:18.065191031 CET	1286	IN	HTTP/1.1 200 OK Date: Tue, 12 Dec 2023 20:50:17 GMT Server: Apache/2.4.25 (Fedora) OpenSSL/1.0.2o-fips mod_auth_kerb/5.4 PHP/5.6.31 X-Powered-By: PHP/5.6.31 Content-Length: 2074 Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 3e 0a 3c 74 69 74 6c 65 3e 4e 53 53 4d 20 2d 20 74 68 65 20 4e 6f 6e 2d 53 75 63 6b 69 6e 67 20 53 65 72 76 69 63 65 20 4d 61 6e 61 67 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 6d 65 6e 75 22 3e 0a 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 69 6d 61 67 65 73 2f 6c 6f 67 6f 2e 6a 70 67 22 20 61 6c 74 3d 22 6e 73 73 6d 2e 63 63 22 20 62 6f 72 64 65 72 3d 30 3e 3c 2f 61 3e 0a 3c 62 72 3e 0a 3c 70 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 6e 64 65 6e 74 22 3e 3c 61 20 68 72 65 66 3d 22 2f 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 53 74 61 62 6c 65 20 76 65 72 73 69 6f 6e 3c 62 72 3e 3c 2f 61 3e 0a 3c 61 20 68 72 65 66 3d 22 2f 64 6f 77 6e 6c 6f 61 64 22 3e 44 6f 77 6e 6c 6f 61 64 3c 62 72 3e 3c 2f 61 3e 0a 3c 61 20 68 72 65 66 3d 22 2f 62 75 69 6c 64 73 22 3e 41 6c 6c 20 62 75 69 6c 64 73 3c 62 72 3e 3c 2f 61 3e 0a 3c 61 20 68 72 65 66 3d 22 2f 75 73 61 67 65 22 3e 55 73 61 67 65 3c 62 72 3e 3c 2f 61 3e 0a 3c 61 20 68 72 65 66 3d 22 2f 63 6f 6d 6d 61 6e 64 73 22 3e 43 6f 6d 6d 61 6e 64 20 6c 69 6e 65 3c 62 72 3e 3c 2f 61 3e 0a 3c 61 20 68 72 65 66 3d 22 2f 73 63 65 6e 61 72 69 6f 73 22 3e 55 73 65 20 63 61 73 65 73 3c 62 72 3e 3c 2f 61 3e 0a 3c 61 20 68 72 65 66 3d 22 2f 62 75 67 73 22 3e 42 75 67 73 3c 62 72 3e 3c 2f 61 3e 0a 3c 61 20 68 72 65 66 3d 22 2f 63 68 61 6e 67 65 6c 6f 67 22 3e 43 68 61 6e 67 65 6c 6f 67 3c 62 72 3e 3c 2f 61 3e 0a 3c 61 20 68 72 65 66 3d 22 2f 63 72 65 64 69 74 73 22 3e 43 72 65 64 69 74 73 3c 62 72 3e 3c 2f 61 3e 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 69 74 2e 6e 73 73 6d 2e 63 63 2f 6e 73 73 6d 2f 6e 73 73 6d 22 3e 47 69 74 77 65 62 3c 62 72 3e 3c 2f 61 3e 0a 3c 61 20 68 72 65 66 3d 22 2f 62 75 69 6c 64 69 6e 67 22 3e 42 75 69 6c 64 69 6e 67 3c 62 72 3e 3c 2f 61 3e 0a 3c 61 20 68 72 65 66 3d 22 2f 6c 31 30 6e 22 3e 4c 6f 63 61 6c 69 73 61 74 69 6f 6e 3c 62 72 3e 3c 2f 61 3e 0a 3c 61 20 68 72 65 66 3d 22 2f 76 33 22 3e 50 6c 61 6e 6e 65 64 20 66 65 61 74 75 72 65 73 3c 62 72 3e 3c 2f 61 3e 0a 3c 61 20 68 72 65 66 3d 22 2f 6e 6f 74 22 3e 2e 2e 2e 20 69 73 20 6e 6f 74 3c 62 72 3e 3c 2f 61 3e 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 69 61 69 6e 2e 63 78 2f 22 3e 41 75 74 68 6f 72 3c 2f 61 3e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 64 69 Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-type" content="text/html; charset=utf-8"><meta http-equiv="Content-language" content="en"><title>NSSM - the Non-Sucking Service Manager</title><link rel="stylesheet" href="/style.css" type="text/css"></head><body><div id="menu"><a href="/"><img src="/images/logo.jpg" alt="nssm.cc" border=0></a><br><p class="menuindent"><a href="/description">Stable version<br></a><a href="/download">Download<br></a><a href="/builds">All builds<br></a><a href="/usage">Usage<br></a><a href="/commands">Command line<br></a><a href="/scenarios">Use cases<br></a><a href="/bugs">Bugs<br></a><a href="/changelog">Changelog<br></a><a href="/credits">Credits<br></a><a href="http://git.nssm.cc/nssm/nssm">Gitweb<br></a><a href="/building">Building<br></a><a href="/l10n">Localisation<br></a><a href="/v3">Planned features<br></a><a href="/not">... is not<br></a><a href="http://iain.cx/">Author</a></p></div><di
Dec 12, 2023 21:50:18.065232038 CET	1013	IN	Data Raw: 76 20 69 64 3d 22 6d 61 69 6e 22 3e 0a 3c 68 31 3e 4e 53 53 4d 20 2d 20 74 68 65 20 4e 6f 6e 2d 53 75 63 6b 69 6e 67 20 53 65 72 76 69 63 65 20 4d 61 6e 61 67 65 72 3c 2f 68 31 3e 0a 0a 3c 70 3e 3c 65 6d 3e 6e 73 73 6d 3c 2f 65 6d 3e 20 69 73 20 Data Ascii: v id="main"><h1>NSSM - the Non-Sucking Service Manager</h1><p><em>nssm</em> is a service helper which doesn't suck. <em>srvany</em> andother service helper programs suck because they don't handle failure of theapplication running as a se
Dec 12, 2023 21:50:18.083044052 CET	310	OUT	GET /style.css HTTP/1.1 Host: nssm.cc Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/css,/;q=0.1 Referer: http://nssm.cc/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Dec 12, 2023 21:50:28.219902039 CET	1286	IN	HTTP/1.1 200 OK Date: Tue, 12 Dec 2023 20:50:28 GMT Server: Apache/2.4.25 (Fedora) OpenSSL/1.0.2o-fips mod_auth_kerb/5.4 PHP/5.6.31 Last-Modified: Tue, 06 Sep 2016 16:02:00 GMT ETag: "573-53bd8eab93bf1" Accept-Ranges: bytes Content-Length: 1395 Content-Type: text/css Data Raw: 40 6d 65 64 69 61 20 70 72 69 6e 74 20 7b 0d 0a 20 20 23 6d 65 6e 75 20 7b 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 20 7d 0d 0a 20 20 23 6d 61 69 6e 20 7b 20 7d 0d 0a 7d 0d 0a 0d 0a 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 7b 0d 0a 20 20 23 6d 65 6e 75 20 7b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 2f 69 6d 61 67 65 73 2f 73 69 64 65 62 61 72 2e 6a 70 67 29 20 77 68 69 74 65 20 6e 6f 2d 72 65 70 65 61 74 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 30 70 78 3b 20 77 69 64 74 68 3a 20 31 32 38 70 78 3b 0d 0a 20 20 20 20 74 6f 70 3a 20 30 70 78 3b 20 68 65 69 67 68 74 3a 20 34 38 30 70 78 0d 0a 20 20 7d 0d 0a 0d 0a 20 20 23 6d 61 69 6e 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 34 34 70 78 3b 0d 0a 20 20 20 20 74 6f 70 3a 20 38 70 78 0d 0a 20 20 7d 0d 0a 7d 0d 0a 0d 0a 62 6f 64 79 20 7b 0d 0a 09 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 61 73 6c 6f 6e 20 35 34 30 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0d 0a 7d 0d 0a 0d 0a 70 20 7b 0d 0a 09 74 65 78 74 2d 69 6e 64 65 6e 74 3a 20 31 65 6d 3b 0d 0a 7d 0d 0a 0d 0a 68 31 2c 68 32 2c 68 33 2c 68 34 2c 68 35 2c 68 36 20 7b 0d 0a 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 55 6e 69 76 65 72 73 20 35 35 22 2c 20 55 6e 69 76 65 72 73 2c 20 56 65 72 64 61 6e 61 3b 0d 0a 7d 0d 0a 0d 0a 61 20 7b 0d 0a 09 63 6f 6c 6f 72 3a 20 64 61 72 6b 72 65 64 3b 0d 0a 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0d 0a 7d 0d 0a 0d 0a 61 3a 68 6f 76 65 72 20 7b 0d 0a 09 63 6f 6c 6f 72 3a 20 72 65 64 3b 0d 0a 7d 0d 0a 0d 0a 2e 6e 6f 69 6e 64 65 6e 74 20 7b 0d 0a 09 74 65 78 74 2d 69 6e 64 65 6e 74 3a 20 30 70 78 3b 0d 0a 7d 0d 0a 0d 0a 2e 6e 6f 49 6e 64 65 6e 74 20 7b 0d 0a 09 74 65 78 74 2d 69 6e 64 65 6e 74 3a 20 30 70 78 3b 0d 0a 7d 0d 0a 0d 0a 2e 6d 65 6e 75 69 6e 64 65 6e 74 20 7b 0d 0a 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 38 70 78 3b 0d 0a 20 20 74 65 78 74 2d 69 6e 64 65 6e 74 3a 20 30 70 78 3b 0d 0a 7d 0d 0a 0d 0a 2e 63 76 69 6e 64 65 6e 74 20 7b 0d 0a 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 38 70 78 3b 0d 0a 20 20 74 65 78 74 2d 69 6e 64 65 6e 74 3a 20 30 70 78 3b 0d 0a 7d 0d 0a 0d 0a 2e 62 69 67 49 6e 64 65 6e 74 20 7b 0d 0a 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 32 65 6d 3b 0d 0a 20 20 74 65 78 74 2d 69 6e 64 65 6e 74 3a 20 30 70 78 3b 0d 0a 7d 0d 0a 0d 0a 2e 63 6f 64 65 20 7b 0d 0a 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 32 65 6d 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 64 61 72 6b 62 6c 75 65 3b 0d 0a 20 20 74 65 78 74 2d 69 6e 64 65 6e 74 3a 20 30 70 78 3b 0d 0a 7d 0d 0a 0d 0a 2e 62 69 67 72 65 64 20 7b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 72 65 64 3b 0d 0a 7d 0d 0a 0d 0a 2e 77 68 69 74 65 20 7b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0d 0a 7d 0d 0a 0d 0a 2e 66 6c 65 Data Ascii: @media print { #menu { display: none; } #main { }}@media screen { #menu { background: url(/images/sidebar.jpg) white no-repeat; position: absolute; left: 0px; width: 128px; top: 0px; height: 480px } #main { position: absolute; left: 144px; top: 8px }}body {color: black; font-family: "Caslon 540", Helvetica, Arial; background-color: white;}p {text-indent: 1em;}h1,h2,h3,h4,h5,h6 {font-family: "Univers 55", Univers, Verdana;}a {color: darkred; text-decoration: none;}a:hover {color: red;}.noindent {text-indent: 0px;}.noIndent {text-indent: 0px;}.menuindent {margin-left: 8px; text-indent: 0px;}.cvindent {margin-left: 8px; text-indent: 0px;}.bigIndent {margin-left: 2em; text-indent: 0px;}.code {margin-left: 2em; color: darkblue; text-indent: 0px;}.bigred { color: red;}.white { color: white;}.fle
Dec 12, 2023 21:50:28.219923019 CET	387	IN	Data Raw: 78 20 7b 0d 0a 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0d 0a 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0d 0a 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0d 0a 20 20 6a 75 73 74 69 66 Data Ascii: x { display: flex; flex-direction: column; align-items: center; justify-content: center;}table { border-spacing: 0; background-color: rgb(220, 220, 220);}table td { padding: 0.25em;}table tr:first-child {
Dec 12, 2023 21:50:28.223505974 CET	374	OUT	GET /images/sidebar.jpg HTTP/1.1 Host: nssm.cc Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Referer: http://nssm.cc/style.css Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Dec 12, 2023 21:50:38.357728958 CET	426	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Dec 2023 20:50:38 GMT Server: Apache/2.4.25 (Fedora) OpenSSL/1.0.2o-fips mod_auth_kerb/5.4 PHP/5.6.31 Content-Length: 216 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6d 61 67 65 73 2f 73 69 64 65 62 61 72 2e 6a 70 67 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /images/sidebar.jpg was not found on this server.</p></body></html>
Dec 12, 2023 21:50:38.370182037 CET	358	OUT	GET /favicon.ico HTTP/1.1 Host: nssm.cc Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Referer: http://nssm.cc/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Dec 12, 2023 21:50:48.506268024 CET	1286	IN	HTTP/1.1 200 OK Date: Tue, 12 Dec 2023 20:50:48 GMT Server: Apache/2.4.25 (Fedora) OpenSSL/1.0.2o-fips mod_auth_kerb/5.4 PHP/5.6.31 Last-Modified: Sat, 15 Oct 2011 07:50:28 GMT ETag: "1326e-4af51a0925900" Accept-Ranges: bytes Content-Length: 78446 Content-Type: image/vnd.microsoft.icon Data Raw: 00 00 01 00 03 00 10 10 00 00 01 00 20 00 68 04 00 00 36 00 00 00 30 30 00 00 01 00 20 00 a8 25 00 00 9e 04 00 00 80 80 00 00 01 00 20 00 28 08 01 00 46 2a 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 11 00 00 00 25 00 00 00 2e 00 00 00 22 00 00 00 0d 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 0a 00 00 00 12 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 24 00 00 00 58 00 00 00 73 00 00 00 50 00 00 00 1b 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 00 31 00 00 00 42 00 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 46 00 00 71 ef 00 00 94 ff 00 00 59 ed 00 00 07 5f 00 00 00 0d 00 00 00 01 00 00 00 00 00 00 00 07 00 00 07 39 00 00 39 d7 00 00 00 6e 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 12 00 00 97 ff 00 00 00 5d 00 00 00 2e 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 22 00 00 4b d5 00 00 6a f1 00 00 00 7e 00 00 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 82 ff 00 00 00 56 00 00 00 2b 00 00 00 00 00 00 00 02 00 00 00 19 00 00 1f b0 00 00 b3 ff 00 00 74 f1 00 00 00 76 00 00 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 e2 00 00 00 53 00 00 00 29 00 00 00 01 00 00 00 10 00 00 16 8f 00 00 a8 ff 00 00 85 ef 00 00 71 ec 00 00 00 62 00 00 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5f e2 00 00 00 53 00 00 00 29 00 00 00 0a 00 00 0f 5d 00 00 8c f6 00 00 8d f7 00 00 0f 78 00 00 67 e6 00 00 00 55 00 00 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5f e2 00 00 00 53 00 00 00 2f 00 00 08 36 00 00 60 e1 00 00 a8 ff 00 00 14 a2 00 00 00 24 00 00 60 e3 00 00 00 53 00 00 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5f e2 00 00 00 55 00 00 00 45 00 00 3c c8 00 00 aa ff 00 00 2a c7 00 00 00 2f 00 00 00 07 00 00 5f e2 00 00 00 53 00 00 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 e3 00 00 00 64 00 00 15 b4 00 00 aa ff 00 00 5c e6 00 00 00 40 00 00 00 0d 00 00 00 01 00 00 5e e3 00 00 00 55 00 00 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 6a e3 00 00 0c 98 00 00 a5 ff 00 00 8c f7 00 00 09 69 00 00 00 16 00 00 00 01 00 00 00 05 00 00 60 e4 00 00 00 5a 00 00 00 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 1c 00 00 8b f4 00 00 86 f1 00 00 a8 ff 00 00 11 96 00 00 00 21 00 00 00 04 00 00 00 07 00 00 0e 3c 00 00 61 e8 00 00 00 75 00 00 00 42 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 0d 4f 00 00 b2 ff 00 00 b7 ff 00 00 1e b7 00 00 00 2a 00 00 00 07 00 00 00 00 00 00 00 0d 00 00 11 5b 00 00 84 f4 00 00 00 73 00 00 00 4e 00 00 00 18 00 00 00 00 00 00 00 00 00 00 26 9c 00 00 78 f0 00 00 9c ff 00 00 4d c6 00 00 00 1d 00 00 00 09 00 00 00 00 00 00 00 00 00 00 1c 8b 00 00 77 f0 00 00 94 ff 00 00 5b e3 00 00 06 31 00 00 00 Data Ascii: h600 % (F( %."$XsP1BFqY_99n(]."Kj~)V+tv)aS)qb)_S)]xgU)_S/6`$`S)_UE</_S)`d\@^U)ji`Z!<auBO[sN&xMw[1
Dec 12, 2023 21:50:48.506328106 CET	1286	IN	Data Raw: 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 7w(0`
Dec 12, 2023 21:50:48.506386995 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 07 00 00 00 1a 00 00 00 3f 00 00 00 62 00 00 00 6b 00 00 00 4f 00 00 00 25 00 00 00 09 00 00 00 00 00 00 00 Data Ascii: ?bkO%6MG%=aF 7
Dec 12, 2023 21:50:48.506423950 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 19 9d 00 00 42 ff 00 00 21 c5 00 00 00 67 00 00 00 52 00 00 00 29 00 00 00 0a 00 00 17 00 00 00 14 00 00 00 11 00 00 00 10 00 00 00 10 00 00 00 10 00 00 00 10 00 00 00 10 00 00 00 11 00 00 00 00 01 00 00 00 05 00 Data Ascii: B!gR)4bW)\|:gQ(
Dec 12, 2023 21:50:48.506460905 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 7c 00 00 31 ff 00 00 0e 7d 00 00 00 Data Ascii: \|1}_F "K/uI3_N)
Dec 12, 2023 21:50:48.506545067 CET	1286	IN	Data Raw: a0 00 00 00 24 00 00 00 0b 00 00 00 02 00 00 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 48 00 00 2f ff 00 00 14 9c 00 00 00 60 00 00 00 4f 00 00 00 29 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: $H/`O)\|0}_F!:{0+I0aO
Dec 12, 2023 21:50:48.506639004 CET	1286	IN	Data Raw: 00 12 87 00 00 00 84 00 00 0a a4 00 00 72 f9 00 00 ca ff 00 00 dd ff 00 00 d3 ff 00 00 b0 ff 00 00 5a f5 00 00 09 47 00 00 00 17 00 00 00 06 00 00 00 01 00 00 12 00 00 00 11 00 00 00 10 00 00 00 10 00 00 00 10 00 00 00 11 00 00 00 00 00 00 00 00 Data Ascii: rZG~Fu^.DLtv
Dec 12, 2023 21:50:48.506676912 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 79 00 00 11 7c 00 00 14 82 00 00 29 e1 00 00 43 ff 00 00 53 ff 00 00 5a ff 00 00 5c ff 00 00 5a ff 00 00 48 ff 00 00 1a a3 00 00 00 10 00 00 00 07 00 Data Ascii: y\|)CSZ\ZH4{~:MSI,(#&.4
Dec 12, 2023 21:50:48.506714106 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49710	104.156.51.181	80	8104	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2023 21:50:18.046740055 CET	212	IN	HTTP/1.0 408 Request Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 38 20 52 65 71 75 65 73 74 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 64 69 64 6e 27 74 20 73 65 6e 64 20 61 20 63 6f 6d 70 6c 65 74 65 20 72 65 71 75 65 73 74 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>408 Request Time-out</h1>Your browser didn't send a complete request in time.</body></html>
Dec 12, 2023 21:50:18.083493948 CET	362	OUT	GET /images/logo.jpg HTTP/1.1 Host: nssm.cc Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Referer: http://nssm.cc/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49711	104.156.51.181	80	8104	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2023 21:50:18.083770990 CET	362	OUT	GET /images/logo.jpg HTTP/1.1 Host: nssm.cc Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Referer: http://nssm.cc/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Dec 12, 2023 21:50:18.142133951 CET	212	IN	HTTP/1.0 408 Request Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 38 20 52 65 71 75 65 73 74 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 64 69 64 6e 27 74 20 73 65 6e 64 20 61 20 63 6f 6d 70 6c 65 74 65 20 72 65 71 75 65 73 74 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>408 Request Time-out</h1>Your browser didn't send a complete request in time.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49719	104.156.51.181	80	8104	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2023 21:50:18.280581951 CET	362	OUT	GET /images/logo.jpg HTTP/1.1 Host: nssm.cc Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Referer: http://nssm.cc/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Dec 12, 2023 21:50:28.415509939 CET	1286	IN	HTTP/1.1 200 OK Date: Tue, 12 Dec 2023 20:50:28 GMT Server: Apache/2.4.25 (Fedora) OpenSSL/1.0.2o-fips mod_auth_kerb/5.4 PHP/5.6.31 Last-Modified: Sun, 09 Oct 2011 13:16:07 GMT ETag: "1e9d-4aedd7a2393c0" Accept-Ranges: bytes Content-Length: 7837 Content-Type: image/jpeg Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 02 00 00 64 00 64 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 55 00 00 ff ee 00 0e 41 64 6f 62 65 00 64 c0 00 00 00 01 ff db 00 84 00 02 01 01 01 01 01 02 01 01 02 03 02 01 02 03 03 02 02 02 02 03 03 03 03 03 03 03 03 05 03 04 04 04 04 03 05 05 05 06 06 06 05 05 07 07 08 08 07 07 0a 0a 0a 0a 0a 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 01 02 02 02 04 03 04 07 05 05 07 0a 08 07 08 0a 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 00 64 00 64 03 01 11 00 02 11 01 03 11 01 ff c4 00 b7 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 08 09 00 07 0a 05 06 04 03 01 00 01 04 03 01 01 00 00 00 00 00 00 00 00 00 00 06 00 04 05 08 01 03 07 02 09 10 00 01 03 02 05 03 02 04 04 02 06 06 0b 00 00 00 01 02 03 04 05 06 00 11 12 07 08 21 13 09 14 0a 31 22 15 16 41 61 32 23 51 17 71 91 62 75 b6 39 81 42 72 73 24 c6 34 44 b4 37 57 87 18 28 78 19 4a 11 00 01 02 04 03 04 08 03 05 06 06 03 00 00 00 00 01 00 02 11 03 04 05 21 12 06 31 41 71 81 51 61 91 a1 b1 32 13 07 f0 c1 22 d1 42 72 33 14 e1 52 82 23 34 08 f1 62 63 24 25 45 73 27 47 ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 7f 98 49 20 d3 9b 5e 71 b8 a5 c0 6d da aa 6d 26 f8 5a b7 db f2 a9 08 82 e4 ab 82 81 6d 89 74 22 6a 11 91 29 a4 22 7b b2 59 6c ac 25 60 28 1c b2 57 4c 35 9d 56 d9 47 18 e0 a7 ad ba 76 7d 73 41 96 5b 17 6c 04 e3 d1 b1 79 0d 82 f7 24 78 da df ed d6 a1 6d 24 39 17 1d ad 54 b8 e4 b7 4d a6 55 6f 0a 4c 78 54 a3 2d ff 00 95 96 9e 95 1a 54 80 d7 71 79 21 2a 58 09 cc 8c c8 f8 e1 9c 8b dd 34 e7 e4 6b b1 44 77 5f 6b ef 56 fa 73 51 36 4f f2 c0 8c 41 8e 08 fa c4 b2 e7 ca 61 24 81 6d f0 f7 0b 70 3b 8d fb 99 70 ed 6e f6 52 af 9b 7e af 6f 56 6a 36 a9 a8 4d b4 a6 8a 6d 46 5d 32 4a e3 3c e5 3e 52 56 50 f3 45 4d 95 21 5d 35 27 22 06 47 0c a6 d7 cb 97 1c d1 10 44 b4 1a 4e ae b7 2f a3 95 c5 c0 18 03 8e 3d 2b b1 c5 bf 3b fc 26 e6 4e f3 50 76 53 60 a9 b7 9d 5a af 5d 93 22 9d f5 b7 2d 79 6c 51 69 ef c7 86 a9 da 27 4d 71 7a 1a 2b 42 72 4e 40 f5 23 3c b3 07 19 93 5d 2e 6c 32 c4 c5 79 b9 e9 6a bb 78 77 ae 1a d2 dd d1 c7 90 46 8e 1e 21 c4 0d 6f 17 9f de 1c da 1b a9 54 d8 9e 38 db 97 b7 20 77 92 8a b7 23 d5 a9 1b 21 6d bf 70 b5 0d d6 b5 05 87 65 6b 69 a5 a5 25 04 15 31 dd 00 f4 fc 0e 4d 5d 58 d0 60 22 4f 52 9f 91 a7 27 b9 81 f3 0b 65 b4 ef 79 87 c7 38 2f 27 4c f7 25 f1 32 cb bc 61 58 bc c3 db 2d d1 d8 5a bd 40 9f 47 2b 73 ac e9 51 61 b8 8c 81 d4 91 11 6f 4b 39 67 d7 28 e4 01 91 cf f8 6b 35 ec 6f 98 16 f1 09 cb 34 9d 44 ef c8 73 26 9e 86 98 9f b3 bd 16 5c 33 e7 37 1e 39 f3 63 5c 7b 99 c6 7a 9b d5 9b 02 db b8 67 59 12 2a af 47 54 66 a5 4e 81 16 34 c7 1d 8c 97 0f 71 4c a9 b9 4d 94 29 69 49 57 c4 0c b2 25 cc 99 cd 9a 22 dc 42 86 b8 db 67 50 bc 32 70 ca e2 23 0d e3 8f 5e 0a df c6 d4 c1 4c 24 94 c2 49 7c b5 aa 25 1a e4 a3 ca b7 ae 28 8c cf a0 4e 69 c8 93 60 cd 69 0f c7 90 c3 a9 28 71 b7 5a 74 14 2d 0a 49 20 85 02 08 c6 08 8a f4 d7 16 90 41 81 0b 2d 3c 80 e1 3d c3 6a d1 77 d7 73 36 fa 9d eb 78 e1 b5 Data Ascii: JFIFddDuckyUAdobeddd!1"Aa2#Qqbu9Brs$4D7W(xJ!1AqQa2"Br3R#4bc$%Es'G?I ^qmm&Zmt"j)"{Yl%`(WL5VGv}sA[ly$xm$9TMUoLxT-Tqy!X4kDw_kVsQ6OAa$mp;pnR~oVj6MmF]2J<>RVPEM!]5'"GDN/=+;&NPvS`Z]"-ylQi'Mqz+BrN@#<].l2yjxwF!oT8 w#!mpeki%1M]X`"OR'ey8/'L%2aX-Z@G+sQaoK9g(k5o4Ds&\379c\{zgYGTfN4qLM)iIW%"BgP2p#^L$I\|%(Ni`i(qZt-I A-<=jws6x
Dec 12, 2023 21:50:28.415556908 CET	1286	IN	Data Raw: 9b af 75 ec ed 41 28 0b 72 45 21 8a 7d 44 b3 4d 93 23 3d 44 b2 ea 56 19 2b 27 e5 58 48 27 35 8c 72 8b c5 8a 6c 99 8e 9f 2b ca 1c 79 2f a0 7e db fb af 41 70 a3 93 6a b8 43 d5 99 25 a4 13 08 38 ec 23 8e fe b1 1e 84 da fd be fe 5a 25 72 7e c5 6b 86 Data Ascii: uA(rE!}DM#=DV+'XH'5rl+y/~ApjC%8#Z%r~k!h+s\AYS]'q8u(8Ay]nY=j#M4sI3\.*/[Won]kTe)Rj:kx4PNiSznuf`{U7muZ
Dec 12, 2023 21:50:28.415597916 CET	1286	IN	Data Raw: 69 37 c5 a1 25 e2 50 f3 7a b5 0d 2e 04 12 85 75 53 0f a0 a4 e6 50 a4 9e 70 c7 4d b2 55 40 e2 c3 e0 ae 85 44 9a 1f 74 6c 79 db 06 d5 4b 1c c3 80 d9 c0 f7 84 ff 00 60 f2 7f 68 39 8f e3 ea e2 e4 36 c7 54 45 46 c2 af da 75 c7 9b 0b d2 99 30 e4 26 96 Data Ascii: i7%Pz.uSPpMU@DtlyK`h96TEFu0&dBJohq90JH'2{gKBVikwMR()ng"<yqZWRi!hPIROBA7krT7GmM=nKn'e>bmDR:7s2
Dec 12, 2023 21:50:28.415636063 CET	1286	IN	Data Raw: 92 96 ea da 64 06 ce 6a ea 4a 50 14 a1 a2 e9 4c f9 ed 0d 66 07 6a 93 d0 b7 ca 5b 54 e9 93 aa 06 66 90 1b 01 b4 c4 e3 0e 1b d7 94 e1 cf 9f 14 71 7a 99 07 88 3e 6b 68 35 cd a5 e4 bd b4 df d2 1a bd 6a b4 a9 93 28 97 2c 78 88 43 4d cc ef d2 d3 20 97 Data Ascii: djJPLfj[Tfqz>kh5j(,xCM :WgN"+MO2cD'?6=W@NObFK)dZ\LXm%Gpt}kJSfMi0&]Qdse9nhyQORCJ,j=m
Dec 12, 2023 21:50:28.415677071 CET	1286	IN	Data Raw: 47 10 b4 ab 8e 98 a8 fa 98 49 20 63 cd cd ff 00 76 6e 65 93 b7 de 30 b6 62 72 a2 ef 57 24 ab 69 b6 aa 12 23 14 f7 29 96 3d 28 0a 8d cd 50 5e 61 5d 3d 2a 43 21 24 7c e9 5a c0 39 a7 2c 34 ab 25 c0 30 6d 77 86 f4 45 a7 9a d9 33 1d 54 f1 16 c9 11 e2 Data Ascii: GI cvne0brW$i#)=(P^a]=C!$\|Z9,4%0mwE3T;Rmrv)tpNL3Ol/ g?u&22W-BoD"$\|1S%-ekTUJ4,eL8FzT~ EzcH#rS_$vrvR
Dec 12, 2023 21:50:28.415715933 CET	1286	IN	Data Raw: 5b 03 1a 00 dc a3 ea ea 5d 51 35 d3 1d b5 c6 3f 1c 16 7d 7f fd 21 ff 00 e7 bf fc c7 80 3f fb 7e 6a d9 ff 00 f3 cf e0 f9 ad 24 e0 fd 54 35 30 92 5f 2d 6e af 0e df a2 cc af 54 49 14 f8 2c 3b 31 f2 81 a9 41 b6 5b 2e 2b 21 f8 9c 86 11 2b 2d 6c 4c 10 Data Ascii: []Q5?}!?~j$T50_-nTI,;1A[.+!+-lLw_?wX\iJSYjMd-CNX9)RGRmCGo6S/'fDndks*H@$[{^Y40V#=]:]M(0`a hW
Dec 12, 2023 21:50:28.415752888 CET	402	IN	Data Raw: a0 67 77 a2 6e 63 44 21 42 5b b4 48 37 6b 75 54 b9 d8 58 4a 92 e3 91 9a d5 db 23 30 4e 9e b9 67 8e 78 f1 30 dc bd 58 1c b9 bb 95 c6 a5 75 23 74 49 a0 33 1b eb 99 44 42 23 cc 41 c3 b7 05 a2 9e 1b 79 76 f1 e7 e4 07 71 67 ed 2f 12 77 00 dd 7b 89 4c Data Ascii: gwncD!B[H7kuTXJ#0Ngx0Xu#tI3DB#Ayvqg/w{L9rOK,7/V eY=%J@TaJ5j6Ml0<D70S%@c3_s/5\|{O[gPWOKZ:={YhOLe<m?v^O~

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49723	104.156.51.181	80	8104	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2023 21:50:28.721520901 CET	275	OUT	GET /images/logo.jpg HTTP/1.1 Host: nssm.cc Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Dec 12, 2023 21:50:28.855480909 CET	1286	IN	HTTP/1.1 200 OK Date: Tue, 12 Dec 2023 20:50:28 GMT Server: Apache/2.4.25 (Fedora) OpenSSL/1.0.2o-fips mod_auth_kerb/5.4 PHP/5.6.31 Last-Modified: Sun, 09 Oct 2011 13:16:07 GMT ETag: "1e9d-4aedd7a2393c0" Accept-Ranges: bytes Content-Length: 7837 Content-Type: image/jpeg Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 02 00 00 64 00 64 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 55 00 00 ff ee 00 0e 41 64 6f 62 65 00 64 c0 00 00 00 01 ff db 00 84 00 02 01 01 01 01 01 02 01 01 02 03 02 01 02 03 03 02 02 02 02 03 03 03 03 03 03 03 03 05 03 04 04 04 04 03 05 05 05 06 06 06 05 05 07 07 08 08 07 07 0a 0a 0a 0a 0a 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 01 02 02 02 04 03 04 07 05 05 07 0a 08 07 08 0a 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 00 64 00 64 03 01 11 00 02 11 01 03 11 01 ff c4 00 b7 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 08 09 00 07 0a 05 06 04 03 01 00 01 04 03 01 01 00 00 00 00 00 00 00 00 00 00 06 00 04 05 08 01 03 07 02 09 10 00 01 03 02 05 03 02 04 04 02 06 06 0b 00 00 00 01 02 03 04 05 06 00 11 12 07 08 21 13 09 14 0a 31 22 15 16 41 61 32 23 51 17 71 91 62 75 b6 39 81 42 72 73 24 c6 34 44 b4 37 57 87 18 28 78 19 4a 11 00 01 02 04 03 04 08 03 05 06 06 03 00 00 00 00 01 00 02 11 03 04 05 21 12 06 31 41 71 81 51 61 91 a1 b1 32 13 07 f0 c1 22 d1 42 72 33 14 e1 52 82 23 34 08 f1 62 63 24 25 45 73 27 47 ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 7f 98 49 20 d3 9b 5e 71 b8 a5 c0 6d da aa 6d 26 f8 5a b7 db f2 a9 08 82 e4 ab 82 81 6d 89 74 22 6a 11 91 29 a4 22 7b b2 59 6c ac 25 60 28 1c b2 57 4c 35 9d 56 d9 47 18 e0 a7 ad ba 76 7d 73 41 96 5b 17 6c 04 e3 d1 b1 79 0d 82 f7 24 78 da df ed d6 a1 6d 24 39 17 1d ad 54 b8 e4 b7 4d a6 55 6f 0a 4c 78 54 a3 2d ff 00 95 96 9e 95 1a 54 80 d7 71 79 21 2a 58 09 cc 8c c8 f8 e1 9c 8b dd 34 e7 e4 6b b1 44 77 5f 6b ef 56 fa 73 51 36 4f f2 c0 8c 41 8e 08 fa c4 b2 e7 ca 61 24 81 6d f0 f7 0b 70 3b 8d fb 99 70 ed 6e f6 52 af 9b 7e af 6f 56 6a 36 a9 a8 4d b4 a6 8a 6d 46 5d 32 4a e3 3c e5 3e 52 56 50 f3 45 4d 95 21 5d 35 27 22 06 47 0c a6 d7 cb 97 1c d1 10 44 b4 1a 4e ae b7 2f a3 95 c5 c0 18 03 8e 3d 2b b1 c5 bf 3b fc 26 e6 4e f3 50 76 53 60 a9 b7 9d 5a af 5d 93 22 9d f5 b7 2d 79 6c 51 69 ef c7 86 a9 da 27 4d 71 7a 1a 2b 42 72 4e 40 f5 23 3c b3 07 19 93 5d 2e 6c 32 c4 c5 79 b9 e9 6a bb 78 77 ae 1a d2 dd d1 c7 90 46 8e 1e 21 c4 0d 6f 17 9f de 1c da 1b a9 54 d8 9e 38 db 97 b7 20 77 92 8a b7 23 d5 a9 1b 21 6d bf 70 b5 0d d6 b5 05 87 65 6b 69 a5 a5 25 04 15 31 dd 00 f4 fc 0e 4d 5d 58 d0 60 22 4f 52 9f 91 a7 27 b9 81 f3 0b 65 b4 ef 79 87 c7 38 2f 27 4c f7 25 f1 32 cb bc 61 58 bc c3 db 2d d1 d8 5a bd 40 9f 47 2b 73 ac e9 51 61 b8 8c 81 d4 91 11 6f 4b 39 67 d7 28 e4 01 91 cf f8 6b 35 ec 6f 98 16 f1 09 cb 34 9d 44 ef c8 73 26 9e 86 98 9f b3 bd 16 5c 33 e7 37 1e 39 f3 63 5c 7b 99 c6 7a 9b d5 9b 02 db b8 67 59 12 2a af 47 54 66 a5 4e 81 16 34 c7 1d 8c 97 0f 71 4c a9 b9 4d 94 29 69 49 57 c4 0c b2 25 cc 99 cd 9a 22 dc 42 86 b8 db 67 50 bc 32 70 ca e2 23 0d e3 8f 5e 0a df c6 d4 c1 4c 24 94 c2 49 7c b5 aa 25 1a e4 a3 ca b7 ae 28 8c cf a0 4e 69 c8 93 60 cd 69 0f c7 90 c3 a9 28 71 b7 5a 74 14 2d 0a 49 20 85 02 08 c6 08 8a f4 d7 16 90 41 81 0b 2d 3c 80 e1 3d c3 6a d1 77 d7 73 36 fa 9d eb 78 e1 b5 Data Ascii: JFIFddDuckyUAdobeddd!1"Aa2#Qqbu9Brs$4D7W(xJ!1AqQa2"Br3R#4bc$%Es'G?I ^qmm&Zmt"j)"{Yl%`(WL5VGv}sA[ly$xm$9TMUoLxT-Tqy!X4kDw_kVsQ6OAa$mp;pnR~oVj6MmF]2J<>RVPEM!]5'"GDN/=+;&NPvS`Z]"-ylQi'Mqz+BrN@#<].l2yjxwF!oT8 w#!mpeki%1M]X`"OR'ey8/'L%2aX-Z@G+sQaoK9g(k5o4Ds&\379c\{zgYGTfN4qLM)iIW%"BgP2p#^L$I\|%(Ni`i(qZt-I A-<=jws6x
Dec 12, 2023 21:50:28.855530024 CET	1286	IN	Data Raw: 9b af 75 ec ed 41 28 0b 72 45 21 8a 7d 44 b3 4d 93 23 3d 44 b2 ea 56 19 2b 27 e5 58 48 27 35 8c 72 8b c5 8a 6c 99 8e 9f 2b ca 1c 79 2f a0 7e db fb af 41 70 a3 93 6a b8 43 d5 99 25 a4 13 08 38 ec 23 8e fe b1 1e 84 da fd be fe 5a 25 72 7e c5 6b 86 Data Ascii: uA(rE!}DM#=DV+'XH'5rl+y/~ApjC%8#Z%r~k!h+s\AYS]'q8u(8Ay]nY=j#M4sI3\.*/[Won]kTe)Rj:kx4PNiSznuf`{U7muZ
Dec 12, 2023 21:50:28.855567932 CET	1286	IN	Data Raw: 69 37 c5 a1 25 e2 50 f3 7a b5 0d 2e 04 12 85 75 53 0f a0 a4 e6 50 a4 9e 70 c7 4d b2 55 40 e2 c3 e0 ae 85 44 9a 1f 74 6c 79 db 06 d5 4b 1c c3 80 d9 c0 f7 84 ff 00 60 f2 7f 68 39 8f e3 ea e2 e4 36 c7 54 45 46 c2 af da 75 c7 9b 0b d2 99 30 e4 26 96 Data Ascii: i7%Pz.uSPpMU@DtlyK`h96TEFu0&dBJohq90JH'2{gKBVikwMR()ng"<yqZWRi!hPIROBA7krT7GmM=nKn'e>bmDR:7s2
Dec 12, 2023 21:50:28.855606079 CET	1286	IN	Data Raw: 92 96 ea da 64 06 ce 6a ea 4a 50 14 a1 a2 e9 4c f9 ed 0d 66 07 6a 93 d0 b7 ca 5b 54 e9 93 aa 06 66 90 1b 01 b4 c4 e3 0e 1b d7 94 e1 cf 9f 14 71 7a 99 07 88 3e 6b 68 35 cd a5 e4 bd b4 df d2 1a bd 6a b4 a9 93 28 97 2c 78 88 43 4d cc ef d2 d3 20 97 Data Ascii: djJPLfj[Tfqz>kh5j(,xCM :WgN"+MO2cD'?6=W@NObFK)dZ\LXm%Gpt}kJSfMi0&]Qdse9nhyQORCJ,j=m
Dec 12, 2023 21:50:28.855669022 CET	1286	IN	Data Raw: 47 10 b4 ab 8e 98 a8 fa 98 49 20 63 cd cd ff 00 76 6e 65 93 b7 de 30 b6 62 72 a2 ef 57 24 ab 69 b6 aa 12 23 14 f7 29 96 3d 28 0a 8d cd 50 5e 61 5d 3d 2a 43 21 24 7c e9 5a c0 39 a7 2c 34 ab 25 c0 30 6d 77 86 f4 45 a7 9a d9 33 1d 54 f1 16 c9 11 e2 Data Ascii: GI cvne0brW$i#)=(P^a]=C!$\|Z9,4%0mwE3T;Rmrv)tpNL3Ol/ g?u&22W-BoD"$\|1S%-ekTUJ4,eL8FzT~ EzcH#rS_$vrvR
Dec 12, 2023 21:50:28.855706930 CET	1286	IN	Data Raw: 5b 03 1a 00 dc a3 ea ea 5d 51 35 d3 1d b5 c6 3f 1c 16 7d 7f fd 21 ff 00 e7 bf fc c7 80 3f fb 7e 6a d9 ff 00 f3 cf e0 f9 ad 24 e0 fd 54 35 30 92 5f 2d 6e af 0e df a2 cc af 54 49 14 f8 2c 3b 31 f2 81 a9 41 b6 5b 2e 2b 21 f8 9c 86 11 2b 2d 6c 4c 10 Data Ascii: []Q5?}!?~j$T50_-nTI,;1A[.+!+-lLw_?wX\iJSYjMd-CNX9)RGRmCGo6S/'fDndks*H@$[{^Y40V#=]:]M(0`a hW
Dec 12, 2023 21:50:28.855798960 CET	402	IN	Data Raw: a0 67 77 a2 6e 63 44 21 42 5b b4 48 37 6b 75 54 b9 d8 58 4a 92 e3 91 9a d5 db 23 30 4e 9e b9 67 8e 78 f1 30 dc bd 58 1c b9 bb 95 c6 a5 75 23 74 49 a0 33 1b eb 99 44 42 23 cc 41 c3 b7 05 a2 9e 1b 79 76 f1 e7 e4 07 71 67 ed 2f 12 77 00 dd 7b 89 4c Data Ascii: gwncD!B[H7kuTXJ#0Ngx0Xu#tI3DB#Ayvqg/w{L9rOK,7/V eY=%J@TaJ5j6Ml0<D70S%@c3_s/5\|{O[gPWOKZ:={YhOLe<m?v^O~
Dec 12, 2023 21:50:48.778109074 CET	271	OUT	GET /favicon.ico HTTP/1.1 Host: nssm.cc Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49724	104.156.51.181	80	8104	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2023 21:50:38.951471090 CET	212	IN	HTTP/1.0 408 Request Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 38 20 52 65 71 75 65 73 74 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 64 69 64 6e 27 74 20 73 65 6e 64 20 61 20 63 6f 6d 70 6c 65 74 65 20 72 65 71 75 65 73 74 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>408 Request Time-out</h1>Your browser didn't send a complete request in time.</body></html>
Dec 12, 2023 21:50:48.856992960 CET	271	OUT	GET /favicon.ico HTTP/1.1 Host: nssm.cc Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49725	104.156.51.181	80	8104	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2023 21:50:48.989331961 CET	271	OUT	GET /favicon.ico HTTP/1.1 Host: nssm.cc Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Dec 12, 2023 21:50:49.124691963 CET	1286	IN	HTTP/1.1 200 OK Date: Tue, 12 Dec 2023 20:50:49 GMT Server: Apache/2.4.25 (Fedora) OpenSSL/1.0.2o-fips mod_auth_kerb/5.4 PHP/5.6.31 Last-Modified: Sat, 15 Oct 2011 07:50:28 GMT ETag: "1326e-4af51a0925900" Accept-Ranges: bytes Content-Length: 78446 Content-Type: image/vnd.microsoft.icon Data Raw: 00 00 01 00 03 00 10 10 00 00 01 00 20 00 68 04 00 00 36 00 00 00 30 30 00 00 01 00 20 00 a8 25 00 00 9e 04 00 00 80 80 00 00 01 00 20 00 28 08 01 00 46 2a 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 11 00 00 00 25 00 00 00 2e 00 00 00 22 00 00 00 0d 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 0a 00 00 00 12 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 24 00 00 00 58 00 00 00 73 00 00 00 50 00 00 00 1b 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 00 31 00 00 00 42 00 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 46 00 00 71 ef 00 00 94 ff 00 00 59 ed 00 00 07 5f 00 00 00 0d 00 00 00 01 00 00 00 00 00 00 00 07 00 00 07 39 00 00 39 d7 00 00 00 6e 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 12 00 00 97 ff 00 00 00 5d 00 00 00 2e 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 22 00 00 4b d5 00 00 6a f1 00 00 00 7e 00 00 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 82 ff 00 00 00 56 00 00 00 2b 00 00 00 00 00 00 00 02 00 00 00 19 00 00 1f b0 00 00 b3 ff 00 00 74 f1 00 00 00 76 00 00 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 e2 00 00 00 53 00 00 00 29 00 00 00 01 00 00 00 10 00 00 16 8f 00 00 a8 ff 00 00 85 ef 00 00 71 ec 00 00 00 62 00 00 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5f e2 00 00 00 53 00 00 00 29 00 00 00 0a 00 00 0f 5d 00 00 8c f6 00 00 8d f7 00 00 0f 78 00 00 67 e6 00 00 00 55 00 00 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5f e2 00 00 00 53 00 00 00 2f 00 00 08 36 00 00 60 e1 00 00 a8 ff 00 00 14 a2 00 00 00 24 00 00 60 e3 00 00 00 53 00 00 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5f e2 00 00 00 55 00 00 00 45 00 00 3c c8 00 00 aa ff 00 00 2a c7 00 00 00 2f 00 00 00 07 00 00 5f e2 00 00 00 53 00 00 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 e3 00 00 00 64 00 00 15 b4 00 00 aa ff 00 00 5c e6 00 00 00 40 00 00 00 0d 00 00 00 01 00 00 5e e3 00 00 00 55 00 00 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 6a e3 00 00 0c 98 00 00 a5 ff 00 00 8c f7 00 00 09 69 00 00 00 16 00 00 00 01 00 00 00 05 00 00 60 e4 00 00 00 5a 00 00 00 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 1c 00 00 8b f4 00 00 86 f1 00 00 a8 ff 00 00 11 96 00 00 00 21 00 00 00 04 00 00 00 07 00 00 0e 3c 00 00 61 e8 00 00 00 75 00 00 00 42 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 0d 4f 00 00 b2 ff 00 00 b7 ff 00 00 1e b7 00 00 00 2a 00 00 00 07 00 00 00 00 00 00 00 0d 00 00 11 5b 00 00 84 f4 00 00 00 73 00 00 00 4e 00 00 00 18 00 00 00 00 00 00 00 00 00 00 26 9c 00 00 78 f0 00 00 9c ff 00 00 4d c6 00 00 00 1d 00 00 00 09 00 00 00 00 00 00 00 00 00 00 1c 8b 00 00 77 f0 00 00 94 ff 00 00 5b e3 00 00 06 31 00 00 00 Data Ascii: h600 % (F( %."$XsP1BFqY_99n(]."Kj~)V+tv)aS)qb)_S)]xgU)_S/6`$`S)_UE</_S)`d\@^U)ji`Z!<auBO[sN&xMw[1
Dec 12, 2023 21:50:49.124716043 CET	1286	IN	Data Raw: 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 7w(0`
Dec 12, 2023 21:50:49.124737978 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 07 00 00 00 1a 00 00 00 3f 00 00 00 62 00 00 00 6b 00 00 00 4f 00 00 00 25 00 00 00 09 00 00 00 00 00 00 00 Data Ascii: ?bkO%6MG%=aF 7
Dec 12, 2023 21:50:49.124857903 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 19 9d 00 00 42 ff 00 00 21 c5 00 00 00 67 00 00 00 52 00 00 00 29 00 00 00 0a 00 00 17 00 00 00 14 00 00 00 11 00 00 00 10 00 00 00 10 00 00 00 10 00 00 00 10 00 00 00 10 00 00 00 11 00 00 00 00 01 00 00 00 05 00 Data Ascii: B!gR)4bW)\|:gQ(
Dec 12, 2023 21:50:49.124872923 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 7c 00 00 31 ff 00 00 0e 7d 00 00 00 Data Ascii: \|1}_F "K/uI3_N)
Dec 12, 2023 21:50:49.124885082 CET	1286	IN	Data Raw: a0 00 00 00 24 00 00 00 0b 00 00 00 02 00 00 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 48 00 00 2f ff 00 00 14 9c 00 00 00 60 00 00 00 4f 00 00 00 29 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: $H/`O)\|0}_F!:{0+I0aO
Dec 12, 2023 21:50:49.124897003 CET	1286	IN	Data Raw: 00 12 87 00 00 00 84 00 00 0a a4 00 00 72 f9 00 00 ca ff 00 00 dd ff 00 00 d3 ff 00 00 b0 ff 00 00 5a f5 00 00 09 47 00 00 00 17 00 00 00 06 00 00 00 01 00 00 12 00 00 00 11 00 00 00 10 00 00 00 10 00 00 00 10 00 00 00 11 00 00 00 00 00 00 00 00 Data Ascii: rZG~Fu^.DLtv
Dec 12, 2023 21:50:49.124910116 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 79 00 00 11 7c 00 00 14 82 00 00 29 e1 00 00 43 ff 00 00 53 ff 00 00 5a ff 00 00 5c ff 00 00 5a ff 00 00 48 ff 00 00 1a a3 00 00 00 10 00 00 00 07 00 Data Ascii: y\|)CSZ\ZH4{~:MSI,(#&.4
Dec 12, 2023 21:50:49.124923944 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Dec 12, 2023 21:50:49.124939919 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Dec 12, 2023 21:50:49.255556107 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49707	172.217.2.206	443	8104	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2023-12-12 20:50:08 UTC	752	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.134&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-117.0.5938.134 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-12-12 20:50:08 UTC	732	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-3wPFe1VdUEVu4kQDmVUalg' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 12 Dec 2023 20:50:08 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6189 X-Daystart: 46208 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-12-12 20:50:08 UTC	520	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 31 38 39 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 34 36 32 30 38 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6189" elapsed_seconds="46208"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-12-12 20:50:08 UTC	200	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-12-12 20:50:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49708	172.217.3.77	443	8104	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2023-12-12 20:50:08 UTC	680	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=k9tT3q7Yfh1nx_FSl06F5UE_vdaFQreiGKe1aDN83MeveD7PL1RZXva4s-nFc9waQi9LtKavuTIba8MUkoGu58E8E81gwB_TWJ4Ng-LfCvzhem7rNrhZQ2aGvJZ9g2TYhqx2W2O4E7uHQzPk3vuLvMLxFXZsqE6NdAViQDECGpo
2023-12-12 20:50:08 UTC	1	OUT	Data Raw: 20 Data Ascii:
2023-12-12 20:50:08 UTC	1627	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 12 Dec 2023 20:50:08 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Security-Policy: script-src 'report-sample' 'nonce-F8Lm0kgzA87NV9AWXiOkZQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-12-12 20:50:08 UTC	23	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-12-12 20:50:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49717	23.204.76.112	443

Timestamp	Bytes transferred	Direction	Data
2023-12-12 20:50:12 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2023-12-12 20:50:12 UTC	494	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/073D) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=71358 Date: Tue, 12 Dec 2023 20:50:12 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49718	23.204.76.112	443

Timestamp	Bytes transferred	Direction	Data
2023-12-12 20:50:13 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2023-12-12 20:50:13 UTC	530	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0DZ+oYgAAAABSxwJpMgMuSLkfS640ajfFQVRBRURHRTEyMTkAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=71286 Date: Tue, 12 Dec 2023 20:50:13 GMT Content-Length: 55 Connection: close X-CID: 2
2023-12-12 20:50:13 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49720	52.165.165.26	443

Timestamp	Bytes transferred	Direction	Data
2023-12-12 20:50:23 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3bOwNRptUzKeezn&MD=UWZXDZnY HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2023-12-12 20:50:24 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 2e330aed-8cab-4465-9610-2be585b5809a MS-RequestId: afc00c26-c63f-4c64-8bea-d51c465ed4ba MS-CV: jyTkrqJ+FUOKRAAF.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 12 Dec 2023 20:50:23 GMT Connection: close Content-Length: 24490
2023-12-12 20:50:24 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2023-12-12 20:50:24 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.9	49722	23.206.229.209	443

Timestamp	Bytes transferred	Direction	Data
2023-12-12 20:50:24 UTC	2223	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A4109008071 X-BM-CBT: 1696497265 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 60 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: 3967AB70E8E74431908B580AED7E67B3 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A4109008071 X-MSEdge-ExternalExp: bfbwsbghf928t,bfbwsbrs0830tf,d-thshldspcl40,fliptrac6,optfsc,spofglclickserpf2,wsbqfasmsall_t,wsbqfminiserp600,wsbref-c X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=0; DaylightBias=-60; TimeZoneKeyName=GMT Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 516 Connection: Keep-Alive Cache-Control: no-cache Cookie: SRCHUID=V=2&GUID=507B984BF29F418EA13B8912FCE289B0&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231005; SRCHHPGUSR=SRCHLANG=en&LUT=1696497029183&IPMH=5c67ba25&IPMID=1696497265539&HV=1696497179; CortanaAppUID=D36DDDF07E1B512856780840298B626F; MUID=531305E83CE64DE088676FE94B9682C4; _SS=SID=3314E043C3866D730FEDF3E2C2436C30&CPID=1696497266478&AC=1&CPH=c11e7441; _EDGE_S=SID=3314E043C3866D730FEDF3E2C2436C30; MUIDB=531305E83CE64DE088676FE94B9682C4
2023-12-12 20:50:24 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2023-12-12 20:50:24 UTC	515	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 35 33 31 33 30 35 45 38 33 43 45 36 34 44 45 30 38 38 36 37 36 46 45 39 34 42 39 36 38 32 43 34 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 38 32 39 46 43 45 45 38 38 41 35 32 34 46 34 31 39 34 33 46 33 33 35 42 38 33 32 44 31 41 34 37 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>531305E83CE64DE088676FE94B9682C4</CID><Events><E><T>Event.ClientInst</T><IG>829FCEE88A524F41943F335B832D1A47</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2023-12-12 20:50:24 UTC	476	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 445BFEC7ECD74EDE8E131587D3F819C3 Ref B: BY3EDGE0518 Ref C: 2023-12-12T20:50:24Z Date: Tue, 12 Dec 2023 20:50:24 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.d1d7ce17.1702414224.841544c6

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49726	52.165.165.26	443

Timestamp	Bytes transferred	Direction	Data
2023-12-12 20:51:01 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3bOwNRptUzKeezn&MD=UWZXDZnY HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2023-12-12 20:51:01 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 60b3a3f8-e4ee-4ddf-977e-d3b01eb1e9b5 MS-RequestId: 6e419772-c617-4992-a630-2d47d4029b00 MS-CV: E1jx83VQckKyuF7g.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 12 Dec 2023 20:51:01 GMT Connection: close Content-Length: 25457
2023-12-12 20:51:01 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2023-12-12 20:51:01 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49729	142.250.217.174	443	8104	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2023-12-12 20:51:37 UTC	449	OUT	GET /tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=00000000000000000000000000000000000000009A8E8335BA HTTP/1.1 Host: clients1.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br
2023-12-12 20:51:37 UTC	817	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-1s63WAqJOronWjzvPmg6Eg' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/download-dt/1 Content-Security-Policy: script-src 'report-sample' 'nonce-XmcPyitJWxJhUYkJ3-qJqw' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/download-dt/1 Content-Type: text/plain; charset=utf-8 Content-Length: 220 Date: Tue, 12 Dec 2023 20:51:37 GMT Expires: Tue, 12 Dec 2023 20:51:37 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2023-12-12 20:51:37 UTC	220	IN	Data Raw: 72 6c 7a 43 31 3a 20 31 43 31 4f 4e 47 52 5f 65 6e 55 53 31 30 38 38 0a 72 6c 7a 43 32 3a 20 31 43 32 4f 4e 47 52 5f 65 6e 55 53 31 30 38 38 0a 72 6c 7a 43 37 3a 20 31 43 37 4f 4e 47 52 5f 65 6e 55 53 31 30 38 38 0a 64 63 63 3a 20 0a 73 65 74 5f 64 63 63 3a 20 43 31 3a 31 43 31 4f 4e 47 52 5f 65 6e 55 53 31 30 38 38 2c 43 32 3a 31 43 32 4f 4e 47 52 5f 65 6e 55 53 31 30 38 38 2c 43 37 3a 31 43 37 4f 4e 47 52 5f 65 6e 55 53 31 30 38 38 0a 65 76 65 6e 74 73 3a 20 43 31 49 2c 43 32 49 2c 43 37 49 2c 43 31 53 2c 43 37 53 0a 73 74 61 74 65 66 75 6c 2d 65 76 65 6e 74 73 3a 20 43 31 49 2c 43 32 49 2c 43 37 49 0a 63 72 63 33 32 3a 20 66 62 64 37 30 39 64 62 0a Data Ascii: rlzC1: 1C1ONGR_enUS1088rlzC2: 1C2ONGR_enUS1088rlzC7: 1C7ONGR_enUS1088dcc: set_dcc: C1:1C1ONGR_enUS1088,C2:1C2ONGR_enUS1088,C7:1C7ONGR_enUS1088events: C1I,C2I,C7I,C1S,C7Sstateful-events: C1I,C2I,C7Icrc32: fbd709db

Target ID:	0
Start time:	21:50:03
Start date:	12/12/2023
Path:	C:\Users\user\Desktop\KsJBQmWmRc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\KsJBQmWmRc.exe
Imagebase:	0x400000
File size:	294'912 bytes
MD5 hash:	D9EC6F3A3B2AC7CD5EEF07BD86E3EFBC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:50:03
Start date:	12/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:50:05
Start date:	12/12/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://nssm.cc/
Imagebase:	0x7ff6b2cb0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	21:50:06
Start date:	12/12/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1984,i,3565637498364066981,7971420518312829886,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff6b2cb0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	58

Executed Functions

Function 00409B70 Relevance: 40.6, APIs: 8, Strings: 15, Instructions: 334
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401A00: GetConsoleWindow.KERNELBASE ref: 00401A01
Part of subcall function 00401A00: GetWindowThreadProcessId.USER32(00000000), ref: 00401A10
Part of subcall function 00401A00: GetCurrentProcessId.KERNEL32 ref: 00401A1A
Part of subcall function 00401A00: FreeConsole.KERNELBASE ref: 00401A25

__fileno.LIBCMT ref: 00409B86
__setmode.LIBCMT ref: 00409B8F
__fileno.LIBCMT ref: 00409BA5
__setmode.LIBCMT ref: 00409BAE

Part of subcall function 00413A6D: ___lock_fhandle.LIBCMT ref: 00413B12
Part of subcall function 00413A6D: __setmode_nolock.LIBCMT ref: 00413B2A

Part of subcall function 00409920: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00409969
Part of subcall function 00409920: CheckTokenMembership.ADVAPI32(00000000,?,0042340D,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040997E
Part of subcall function 00409920: FreeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00409989

Part of subcall function 00413919: _doexit.LIBCMT ref: 00413925

TlsAlloc.KERNEL32(00000000), ref: 00409EB0
GetStdHandle.KERNEL32(000000F6), ref: 00409ECB
StartServiceCtrlDispatcherW.ADVAPI32 ref: 00409EF4
GetLastError.KERNEL32 ref: 00409EFE

Part of subcall function 004099A0: _memset.LIBCMT ref: 004099BD
Part of subcall function 004099A0: GetProcessHeap.KERNEL32 ref: 004099E2
Part of subcall function 004099A0: HeapAlloc.KERNEL32(00000000), ref: 004099EB

Strings

stop, xrefs: 00409C12
start, xrefs: 00409BE6
get, xrefs: 00409D92
install, xrefs: 00409D33
restart, xrefs: 00409C3E
continue, xrefs: 00409CAC
set, xrefs: 00409DAA
status, xrefs: 00409CD8
reset, xrefs: 00409DBE
remove, xrefs: 00409DE6
pause, xrefs: 00409C80
NSSM, xrefs: 00409EDC
edit, xrefs: 00409D7A
rotate, xrefs: 00409D04
unset, xrefs: 00409DD2

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Process$AllocConsoleFreeHeapWindow__fileno__setmode$AllocateCheckCtrlCurrentDispatcherErrorHandleInitializeLastMembershipServiceStartThreadToken___lock_fhandle__setmode_nolock_doexit_memset
String ID: NSSM$continue$edit$get$install$pause$remove$reset$restart$rotate$set$start$status$stop$unset
API String ID: 4221750250-1322290842
Opcode ID: 185ff8e273914152f489ed86a642b69f32b9ea0c6012e47610038ecc76eefd94
Instruction ID: 8d0ce95e1571a4db95220a4f6881cac6d3a3a374ab3f9564aeafd07009bbe4f6
Opcode Fuzzy Hash: 185ff8e273914152f489ed86a642b69f32b9ea0c6012e47610038ecc76eefd94
Instruction Fuzzy Hash: D691A1F1E5030166DA10BA72AC46B5B325D4F6031EF14093FB845B22C7FA7DEE9485AE

Uniqueness

Uniqueness Score: -1.00%

Function 00405370 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultLangID.KERNEL32(00401059,0000FFFF,00000000,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040537F
FormatMessageW.KERNELBASE(00000B00,00000000,0040547B,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040539B
FormatMessageW.KERNEL32(00000B00,00000000,0040547B,00000000,00401059,0000FFFF,00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040), ref: 004053B4
GetProcessHeap.KERNEL32(00000000,00000040,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053BD
HeapAlloc.KERNEL32(00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053C4
__snwprintf_s.LIBCMT ref: 004053DC

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

Strings

system error %lu, xrefs: 004053CB

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: FormatHeapMessage$AllocDefaultLangProcessUser__snwprintf_s__vsnwprintf_s_l
String ID: system error %lu
API String ID: 3208699588-1824642319
Opcode ID: af2739f03ea27dcb77735334c53fbd1a84ab6c27a147f2b738a7d16c807b2f59
Instruction ID: accda3c8b7d2623306d44ba6687032fe0a4120849f219a87f72b30063895a064
Opcode Fuzzy Hash: af2739f03ea27dcb77735334c53fbd1a84ab6c27a147f2b738a7d16c807b2f59
Instruction Fuzzy Hash: 5A01A7F16043127BE610A7659C09FBB7B9CDF807A1F10453AFA10D61C0E7B4D4059A78

Uniqueness

Uniqueness Score: -1.00%

Function 0040A860 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 101
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__snwprintf_s.LIBCMT ref: 0040A88E

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,00020006,00000000,00000000,00000000,00409EC9), ref: 0040A8EB
GetLastError.KERNEL32(00000000), ref: 0040A8F7

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

eventlog registry, xrefs: 0040A8A1
NSSM, xrefs: 0040A878
SYSTEM\CurrentControlSet\Services\EventLog\Application\%s, xrefs: 0040A87D
TypesSupported, xrefs: 0040A995
EventMessageFile, xrefs: 0040A97E
create_messages(), xrefs: 0040A89C

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Event$Source$CreateDeregisterErrorLastRegisterReport__snwprintf_s__vsnwprintf_s_l
String ID: EventMessageFile$NSSM$SYSTEM\CurrentControlSet\Services\EventLog\Application\%s$TypesSupported$create_messages()$eventlog registry
API String ID: 508490100-129066941
Opcode ID: 38dc869d80ae876ed19f88e43e9c7c4997b2ce9d1b33560f508c1b5226a0dd81
Instruction ID: 189017753002612d24ec776b8254467aa4e8da1510a31d32c64f91d8f6ef9f68
Opcode Fuzzy Hash: 38dc869d80ae876ed19f88e43e9c7c4997b2ce9d1b33560f508c1b5226a0dd81
Instruction Fuzzy Hash: 0A31CAF1A443006BE210E754CC47FEB7394EB88B08F50452EB659971C2F6F8A5848796

Uniqueness

Uniqueness Score: -1.00%

Function 004054A0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 91
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405370: GetUserDefaultLangID.KERNEL32(00401059,0000FFFF,00000000,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040537F
Part of subcall function 00405370: FormatMessageW.KERNELBASE(00000B00,00000000,0040547B,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040539B
Part of subcall function 00405370: FormatMessageW.KERNEL32(00000B00,00000000,0040547B,00000000,00401059,0000FFFF,00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040), ref: 004053B4
Part of subcall function 00405370: GetProcessHeap.KERNEL32(00000000,00000040,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053BD
Part of subcall function 00405370: HeapAlloc.KERNEL32(00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053C4
Part of subcall function 00405370: __snwprintf_s.LIBCMT ref: 004053DC

MessageBoxW.USER32(00000000,The message which was supposed to go here is missing!,NSSM,00000030), ref: 004054E4
__strftime_l.LIBCMT ref: 00405516
LocalFree.KERNEL32(00000000), ref: 00405523
MessageBoxW.USER32(00000000,The message which was supposed to go here is too big!,NSSM,00000030), ref: 00405537

Strings

NSSM, xrefs: 004054D9, 0040552B, 004055A4
The message which was supposed to go here is too big!, xrefs: 00405530
e, xrefs: 004055BC
The message which was supposed to go here is missing!, xrefs: 004054DE
(, xrefs: 0040557F

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Message$FormatHeap$AllocDefaultFreeLangLocalProcessUser__snwprintf_s__strftime_l
String ID: ($NSSM$The message which was supposed to go here is missing!$The message which was supposed to go here is too big!$e
API String ID: 3053442334-353540380
Opcode ID: eef27968d068f8b1e99ffeeeb08f58d77e7ebdd7b0cc62038cf6a803b3575ee0
Instruction ID: 9a0a8de4c5d0dfbf6e97c11b6962cbdff5b354b3c8bec1d6dae1fd1358dc6512
Opcode Fuzzy Hash: eef27968d068f8b1e99ffeeeb08f58d77e7ebdd7b0cc62038cf6a803b3575ee0
Instruction Fuzzy Hash: EB315EB1905301AFD350DF29D845B9FBBE4EF88354F40493EF959D2241E7788648CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00401A00 Relevance: 6.0, APIs: 4, Instructions: 16
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00401A01
GetWindowThreadProcessId.USER32(00000000), ref: 00401A10
GetCurrentProcessId.KERNEL32 ref: 00401A1A
FreeConsole.KERNELBASE ref: 00401A25

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: ConsoleProcessWindow$CurrentFreeThread
String ID:
API String ID: 3525601419-0
Opcode ID: 5629e28a465c767bbbe1bbf1bc2c58c11f9f367261ce32223375feb305a5a444
Instruction ID: 2f1dd8984dbdf2ce013bee9d2ff09af7205948615cb30f205b3daea2ec8f1f74
Opcode Fuzzy Hash: 5629e28a465c767bbbe1bbf1bc2c58c11f9f367261ce32223375feb305a5a444
Instruction Fuzzy Hash: 13D09EB0B211019BD7147B75DD4C59A77B8EE44312750C579E852D11A0DB78D440CE39

Uniqueness

Uniqueness Score: -1.00%

Function 00418AAF Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32(?,00413DA6,?,?,?,?,?,?,004202F0,00000014), ref: 00418AB2
__malloc_crt.LIBCMT ref: 00418AE0
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00418AED

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 51c203dfcb76a3fbb68ee2db3a8eea800a859d582191b57c31fc7062acfb2da0
Instruction ID: ac40efc095efe1ce51b1b59133fc36c5ae3cc3e8b4832ef3638618308f324625
Opcode Fuzzy Hash: 51c203dfcb76a3fbb68ee2db3a8eea800a859d582191b57c31fc7062acfb2da0
Instruction Fuzzy Hash: DBF0E27AA000206B8A2076753C444FB1669DFDA3A9319882FF862C3201FE284DC382AC

Uniqueness

Uniqueness Score: -1.00%

Function 004136FD Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 00413705

Part of subcall function 004136D2: GetModuleHandleW.KERNEL32(mscoree.dll,?,0041370A,?,?,00418C5A,000000FF,0000001E,?,004140C2,?,00000001,?,?,00414556,00000018), ref: 004136DC
Part of subcall function 004136D2: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004136EC

ExitProcess.KERNEL32 ref: 0041370E

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 6cf1626b48435327ff5cf8a7c1fce1047595b6b51481a4f821607c6479e48e72
Instruction ID: c773c40137fd1d48a63a92fcfe9ea896ee907ee475da7e957b21ec7d4b05a1b8
Opcode Fuzzy Hash: 6cf1626b48435327ff5cf8a7c1fce1047595b6b51481a4f821607c6479e48e72
Instruction Fuzzy Hash: 9AB09271000108BBCF212F26DC0A8893F2AEB803A1B108025F81809131DF76EEA29A8C

Uniqueness

Uniqueness Score: -1.00%

Function 00418B0C Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00418B21

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: d1f5c1f7ff6ca3e210c9ff08d4e84c7b89227a1fab85292e36c71b5e85367a71
Instruction ID: 6fb3f13a5da9b15824ab22e1f0bcca622450086d227712405257e67a9503346b
Opcode Fuzzy Hash: d1f5c1f7ff6ca3e210c9ff08d4e84c7b89227a1fab85292e36c71b5e85367a71
Instruction Fuzzy Hash: 09D05E72B94304AADB109F75BD08B623BECD784396F00843AB90CC6150E678DA81DA08

Uniqueness

Uniqueness Score: -1.00%

Function 00413919 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 00413925

Part of subcall function 004137ED: __lock.LIBCMT ref: 004137FB
Part of subcall function 004137ED: __decode_pointer.LIBCMT ref: 00413832
Part of subcall function 004137ED: __decode_pointer.LIBCMT ref: 00413847
Part of subcall function 004137ED: __decode_pointer.LIBCMT ref: 00413871
Part of subcall function 004137ED: __decode_pointer.LIBCMT ref: 00413887
Part of subcall function 004137ED: __decode_pointer.LIBCMT ref: 00413894
Part of subcall function 004137ED: __initterm.LIBCMT ref: 004138C3
Part of subcall function 004137ED: __initterm.LIBCMT ref: 004138D3

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: cd6012783e630caf1846ed7f46355f70d13e96bf156bd8dd16ed885f7af1e038
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: ABB012B268030C37EA202947EC03F467F4D87C0B64F244071FA1C1D1E1A9A3BAA180CD

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040CAB0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 203memoryserviceCOMMON

Download Yara Rule

APIs

OpenServiceW.ADVAPI32(?,?,?,?,00000000,00000000,77515E70), ref: 0040CAEF
GetServiceDisplayNameW.ADVAPI32 ref: 0040CB17
GetServiceKeyNameW.ADVAPI32(?,?,?,?), ref: 0040CB34
GetLastError.KERNEL32 ref: 0040CB47
GetLastError.KERNEL32 ref: 0040CB50
EnumServicesStatusW.ADVAPI32 ref: 0040CB9D
GetLastError.KERNEL32 ref: 0040CBA3
GetProcessHeap.KERNEL32(00000000,0000003B), ref: 0040CBB7
HeapAlloc.KERNEL32(00000000), ref: 0040CBBE
EnumServicesStatusW.ADVAPI32(?,0000003B,00000003,00000000,00000003,?,0000003B,?), ref: 0040CC1A
GetLastError.KERNEL32 ref: 0040CC2A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040CC75
HeapFree.KERNEL32(00000000), ref: 0040CC7C
GetLastError.KERNEL32 ref: 0040CC82
__snwprintf_s.LIBCMT ref: 0040CCB4
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?), ref: 0040CCC3
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 0040CCCA
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?), ref: 0040CCDF
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 0040CCE6

Strings

ENUM_SERVICE_STATUS, xrefs: 0040CBCF
canonical_name, xrefs: 0040CCD5
open_service(), xrefs: 0040CBCA, 0040CCD0

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$ErrorLast$Process$FreeService$EnumNameServicesStatus$AllocDisplayOpen__snwprintf_s
String ID: ENUM_SERVICE_STATUS$canonical_name$open_service()
API String ID: 2597093351-3687008758
Opcode ID: a873ba07c5b4005c15c99fbe001417df42881820b5864b2ce8b4ed45134739af
Instruction ID: f503188999ee140625c6406a49f341195e14fe3366045b110030180a16826972
Opcode Fuzzy Hash: a873ba07c5b4005c15c99fbe001417df42881820b5864b2ce8b4ed45134739af
Instruction Fuzzy Hash: 51618AB1904301EBD710DB55DC85FAFB7E8EBD8704F104A2EF959A3280D778E9058B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1E0 Relevance: 18.1, APIs: 12, Instructions: 125processthreadCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0040A1EA
GetLastError.KERNEL32(00000000), ref: 0040A1F6

Part of subcall function 004052C0: TlsGetValue.KERNEL32(00000014,?,00401042,00000000,00000000), ref: 004052C7
Part of subcall function 004052C0: LocalAlloc.KERNEL32(00000040,0000FFFF,?,00401042,00000000,00000000), ref: 004052DA

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Thread32First.KERNEL32 ref: 0040A24E
GetLastError.KERNEL32(00000000), ref: 0040A258
CloseHandle.KERNEL32(00000000), ref: 0040A27D

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Event$ErrorLastSource$AllocCloseCreateDeregisterFirstHandleLocalRegisterReportSnapshotThread32Toolhelp32Value
String ID:
API String ID: 414364297-0
Opcode ID: 4638767dc103a9e6a31185ccdf1f383c447c27e4fd120cc99bc6f3ea7aaed1db
Instruction ID: 89f48a4cf6a9a6b2169b356681f18064eeb06023b63748c5040493b97caa791b
Opcode Fuzzy Hash: 4638767dc103a9e6a31185ccdf1f383c447c27e4fd120cc99bc6f3ea7aaed1db
Instruction Fuzzy Hash: 9131B6B1504300AFD300EF659D45FAB77E8EF84318F84487EF549E3282E634E9158BAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA10 Relevance: 10.6, APIs: 7, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90058403c9df6f6ed3b87d35343112d852bc14fd61586e00f88080c2bcc3e524
Instruction ID: f9580fb1e3cb4435e98f8377f0ae24c04a26ce3602f05662924e3990e25ac85f
Opcode Fuzzy Hash: 90058403c9df6f6ed3b87d35343112d852bc14fd61586e00f88080c2bcc3e524
Instruction Fuzzy Hash: 6F21F7F2A406087BE6207765BC4AFDB375CDB88319F00403AF609E5182E779E8454A68

Uniqueness

Uniqueness Score: -1.00%

Function 004088E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00408909
PathFindExtensionW.SHLWAPI(?), ref: 00408927
__snwprintf_s.LIBCMT ref: 00408966
__snwprintf_s.LIBCMT ref: 0040898D

Strings

-%04u%02u%02uT%02u%02u%02u.%03u%s, xrefs: 00408952
%s%s, xrefs: 0040897A

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: __snwprintf_s$ExtensionFindPathSystemTime
String ID: %s%s$-%04u%02u%02uT%02u%02u%02u.%03u%s
API String ID: 104670371-3937541175
Opcode ID: b111bf3271d38600ad9c55f70640b5fcacb5e3e09fac70907e172ba85b97e1c1
Instruction ID: b79bb978c2d6968e54da41b461fb302b9f59bf9436526885e0c642140c4c9fbb
Opcode Fuzzy Hash: b111bf3271d38600ad9c55f70640b5fcacb5e3e09fac70907e172ba85b97e1c1
Instruction Fuzzy Hash: 6111B4B15143116ED334DB55DC41DBBB3E8EFC8B10F40892EB9A9C22D1EABC9580D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00405600 Relevance: 9.0, APIs: 6, Instructions: 40COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32 ref: 00405601
FindResourceExW.KERNEL32(00000000,00000005,?,?), ref: 00405616
GetLastError.KERNEL32(?,?), ref: 0040561C
FindResourceExW.KERNEL32(00000000,00000005,?,00000000,?,?), ref: 00405634
LoadResource.KERNEL32(00000000,00000000,?,?), ref: 0040563D
CreateDialogIndirectParamW.USER32(00000000,00000000,?,?,?), ref: 00405659

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Resource$Find$CreateDefaultDialogErrorIndirectLangLastLoadParamUser
String ID:
API String ID: 940021595-0
Opcode ID: 72ef7efeecf6b696462b6b58e3e31324a3b31a326ada6146fcfc12930be8b8d8
Instruction ID: e476e4ad9c0365e054dca9b840df72f2dc216dd3d76c2c72e3c00f538e0b4bad
Opcode Fuzzy Hash: 72ef7efeecf6b696462b6b58e3e31324a3b31a326ada6146fcfc12930be8b8d8
Instruction Fuzzy Hash: 24F09AB0708600BAE2505B64BC09FBB2768DBC4B12F408525F958D61C0EA78D8018E79

Uniqueness

Uniqueness Score: -1.00%

Function 00412CDC Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00416877
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041688C
UnhandledExceptionFilter.KERNEL32(0041F0D8), ref: 00416897
GetCurrentProcess.KERNEL32(C0000409), ref: 004168B3
TerminateProcess.KERNEL32(00000000), ref: 004168BA

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f01314061c3818e20305920116d866878eb5042cc5ccecfbecbbfc2216c79b6f
Instruction ID: 714c231b98a53905c4c0fced0f636a606c023e921e8ea544abea05735bda33fc
Opcode Fuzzy Hash: f01314061c3818e20305920116d866878eb5042cc5ccecfbecbbfc2216c79b6f
Instruction Fuzzy Hash: B921C5F5A01304AFCB31DF54E9456847BB8FB98302F90817AE51987360E7B89A868F4D

Uniqueness

Uniqueness Score: -1.00%

Function 00409920 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00409969
CheckTokenMembership.ADVAPI32(00000000,?,0042340D,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040997E
FreeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00409989

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 628fba0404b7c400409226c91e7c1594c4cf8dc2a312d52cc7af963d2352c708
Instruction ID: 72e0c7922e14d595f5e3848571bc75bc3c4e4abfa34b06bfca4019b358322d7e
Opcode Fuzzy Hash: 628fba0404b7c400409226c91e7c1594c4cf8dc2a312d52cc7af963d2352c708
Instruction Fuzzy Hash: 4501A77134C380BFD301DB649985A6BBFD8AB99700FC4985EF58583242D174D408C76B

Uniqueness

Uniqueness Score: -1.00%

Function 004187C4 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00018782), ref: 004187C9

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 624e0e8958a909d57d43e6008fd8f935a3374ea6b4589aed2a93584222944a76
Instruction ID: 8302c0f1e511177d3ced9d6a8d8359a6898a9a2e0713b9eeb8525c1dac9086eb
Opcode Fuzzy Hash: 624e0e8958a909d57d43e6008fd8f935a3374ea6b4589aed2a93584222944a76
Instruction Fuzzy Hash: 259002B06E110557864017B05E0968527D55B59603B6544BD6021C4094DE6491455519

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE10 Relevance: 80.9, APIs: 39, Strings: 7, Instructions: 394memoryregistryserviceCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\ServiceGroupOrder,00000000,00020019,?), ref: 0040CEED
GetLastError.KERNEL32 ref: 0040CEF7
_fwprintf.LIBCMT ref: 0040CF1A

Part of subcall function 00405470: _vfwprintf.LIBCMT ref: 0040548F
Part of subcall function 00405470: LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 00405498

ChangeServiceConfigW.ADVAPI32(?,000000FF,000000FF,000000FF,00000000,00000000,00000000,0041E5D8,00000000,00000000,00000000,00000000,?,00000000,?), ref: 0040D225
GetProcessHeap.KERNEL32(00000000,0041E5D8), ref: 0040D239
HeapFree.KERNEL32(00000000), ref: 0040D240
GetLastError.KERNEL32 ref: 0040D246
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040D27A
HeapFree.KERNEL32(00000000), ref: 0040D283
GetProcessHeap.KERNEL32(00000000,?), ref: 0040D290
HeapFree.KERNEL32(00000000), ref: 0040D293
CloseServiceHandle.ADVAPI32(?), ref: 0040D29A
_fwprintf.LIBCMT ref: 0040D2BD

Part of subcall function 0040CA70: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,?,00401B82,?,?,?,00000001), ref: 0040CA7C

Strings

set_service_dependencies(), xrefs: 0040CF6D
List, xrefs: 0040CF44, 0040CFA6, 0040CFC6, 0040D020
%s: %s, xrefs: 0040CF0C
groups, xrefs: 0040CF72
%s: %s, xrefs: 0040D108, 0040D2AF
%s\%s: %s, xrefs: 0040CFD0, 0040D02A
SYSTEM\CurrentControlSet\Control\ServiceGroupOrder, xrefs: 0040CEE3, 0040CF07, 0040CFCB, 0040D025

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$Free$Process$ErrorLastOpenService_fwprintf$ChangeCloseConfigHandleLocalManager_vfwprintf
String ID: %s: %s$%s: %s$%s\%s: %s$List$SYSTEM\CurrentControlSet\Control\ServiceGroupOrder$groups$set_service_dependencies()
API String ID: 1051873479-3133791794
Opcode ID: 1472673ddb642fb760451205b66f8a7f14b720a8d27ed31555cebdbe2feeab61
Instruction ID: 9c0a7fc0b1366e98588ba43337f49fd2028f4eb401c9540c82854c5db0497d9e
Opcode Fuzzy Hash: 1472673ddb642fb760451205b66f8a7f14b720a8d27ed31555cebdbe2feeab61
Instruction Fuzzy Hash: 41C1D8F1D04301ABD710ABA1DC4AFAB77A8EF44708F14452AF945A72C1F778E94487AE

Uniqueness

Uniqueness Score: -1.00%

Function 00409270 Relevance: 72.2, APIs: 33, Strings: 8, Instructions: 427fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000001,?,00000000,?,?,00000000), ref: 004092B5
GetLastError.KERNEL32(00000000), ref: 004092C3

Strings

AppStdout, xrefs: 0040943A, 004094F8
STD_OUTPUT_HANDLE, xrefs: 00409727
stderr, xrefs: 004094F3, 00409648, 00409777
STD_INPUT_HANDLE, xrefs: 004096D2
AppStderr, xrefs: 0040964D
stdin, xrefs: 004096CD
stdout, xrefs: 00409435, 00409722
STD_ERROR_HANDLE, xrefs: 0040977C

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: AppStderr$AppStdout$STD_ERROR_HANDLE$STD_INPUT_HANDLE$STD_OUTPUT_HANDLE$stderr$stdin$stdout
API String ID: 1214770103-1833172568
Opcode ID: 616819472e838b286589a2bbe120a1ed2100ae1f041291cb188454517c6769bf
Instruction ID: 6ae8fdd2871f227cf13b581f7b9c8d83ca64bc36ba86afe41948fee67ebde81e
Opcode Fuzzy Hash: 616819472e838b286589a2bbe120a1ed2100ae1f041291cb188454517c6769bf
Instruction Fuzzy Hash: 82E184F1940704ABD724DB75DC45FE773ACEB84308F40492EF65E93182E679A844CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004010C0 Relevance: 72.2, APIs: 37, Strings: 4, Instructions: 404memoryCOMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0040111B
GetProcessHeap.KERNEL32(00000000,?), ref: 00401150
HeapAlloc.KERNEL32(00000000), ref: 00401153
GetComputerNameW.KERNEL32 ref: 00401185
GetProcessHeap.KERNEL32(00000000,?), ref: 004011B4
HeapAlloc.KERNEL32(00000000), ref: 004011B7
LsaClose.ADVAPI32(?), ref: 004011F0
LsaLookupNames.ADVAPI32(?,00000001,?,?,?), ref: 0040126B
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 00401275
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00401278
LsaClose.ADVAPI32(?), ref: 0040128B
LsaFreeMemory.ADVAPI32(?), ref: 00401299
LsaFreeMemory.ADVAPI32(?), ref: 004012A3
LsaNtStatusToWinError.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 004012A9

Part of subcall function 00401000: LsaOpenPolicy.ADVAPI32(00000000,000F0FFF,000F0FFF,?), ref: 0040102D
Part of subcall function 00401000: LsaNtStatusToWinError.ADVAPI32(00000000), ref: 00401037

Strings

SID, xrefs: 004013A9
%s\%s, xrefs: 0040121A
expanded, xrefs: 004011C8
username_sid, xrefs: 004011C3, 004013A4

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$FreeProcess$AllocCloseErrorMemoryStatus$ComputerLookupNameNamesOpenPolicy__wcsnicmp
String ID: %s\%s$SID$expanded$username_sid
API String ID: 1950436716-179756375
Opcode ID: 0f01d14120d1ec3f52388d2865ee54dcbcf4cc9dc7fddb09f4af5f8e8ba633f5
Instruction ID: 8923221f29891c7587102ab13130cbc3c72cae1e0e7c2496b089627ed1adcca3
Opcode Fuzzy Hash: 0f01d14120d1ec3f52388d2865ee54dcbcf4cc9dc7fddb09f4af5f8e8ba633f5
Instruction Fuzzy Hash: 06D1D3B1A043016FD300EB65CD85EAFB3E9EF88308F44492EF545D7351EA78E9458B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00411260 Relevance: 47.6, APIs: 24, Strings: 3, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008), ref: 0041135B
HeapAlloc.KERNEL32(00000000), ref: 0041135E
GetProcessHeap.KERNEL32(00000000,?), ref: 0041139B
HeapFree.KERNEL32(00000000), ref: 0041139E
GetProcessHeap.KERNEL32(00000000,?), ref: 004113AB
HeapFree.KERNEL32(00000000), ref: 004113AE
GetProcessHeap.KERNEL32(00000000,?), ref: 00411430
HeapAlloc.KERNEL32(00000000), ref: 00411433
GetProcessHeap.KERNEL32(00000000,?), ref: 00411470
HeapFree.KERNEL32(00000000), ref: 00411473
GetProcessHeap.KERNEL32(00000000,?,?), ref: 004114E9
HeapFree.KERNEL32(00000000), ref: 004114EC
GetProcessHeap.KERNEL32(00000000,?,?), ref: 004114F9
HeapFree.KERNEL32(00000000), ref: 004114FC
GetProcessHeap.KERNEL32(00000000,?,?), ref: 00411509
HeapFree.KERNEL32(00000000), ref: 0041150C
GetProcessHeap.KERNEL32(00000000,?,?), ref: 00411519
HeapFree.KERNEL32(00000000), ref: 0041151C
ChangeServiceConfigW.ADVAPI32(?,000000FF,000000FF,000000FF,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041153C
GetLastError.KERNEL32 ref: 00411546
GetProcessHeap.KERNEL32(00000000,?), ref: 00411576
HeapFree.KERNEL32(00000000), ref: 0041157D
GetProcessHeap.KERNEL32(00000000,?), ref: 00411596
HeapFree.KERNEL32(00000000), ref: 0041159D

Strings

canon, xrefs: 0041136F
dependencies, xrefs: 00411444
native_set_dependongroup, xrefs: 0041136A, 0041143F

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$Process$Free$Alloc$ChangeConfigErrorLastService
String ID: canon$dependencies$native_set_dependongroup
API String ID: 1452945198-1240925597
Opcode ID: 2bfb86973befa482fabe00d42bb3fe4171c406064511875981c350d78f657692
Instruction ID: b18a58e69c4f32cef05835414142f752b3cd4a08407a03f402dfde9a93b034f2
Opcode Fuzzy Hash: 2bfb86973befa482fabe00d42bb3fe4171c406064511875981c350d78f657692
Instruction Fuzzy Hash: 829129B19043066BD710AF65CC84EEB73D8EF84354F444A2AFA55D3290E778ED84C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00408D50 Relevance: 44.1, APIs: 24, Strings: 1, Instructions: 325fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 00408D89
IsTextUnicode.ADVAPI32(?,?,00000000), ref: 00408E39
CloseHandle.KERNEL32(?), ref: 00408EA4
MoveFileW.KERNEL32(?,?), ref: 00408EB2

Strings

MoveFile(), xrefs: 00408F0F

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: FileHandle$CloseInformationMoveTextUnicode
String ID: MoveFile()
API String ID: 2866973295-3582319293
Opcode ID: 15708711689a8bb3d828d14e4bfab1ca7b6999520053ae95ba287ec52d9b1868
Instruction ID: d8a2b6048f09d48243753343ed7bb43d63bee3e823a3270b0cadf41497ef1fc2
Opcode Fuzzy Hash: 15708711689a8bb3d828d14e4bfab1ca7b6999520053ae95ba287ec52d9b1868
Instruction Fuzzy Hash: CEB185B1604301AFD320DF65CD85E6BB7E9EFC8308F00492EF58693291DA74E945CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F580 Relevance: 38.8, APIs: 16, Strings: 6, Instructions: 344COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F5D8

Strings

%lu, xrefs: 0040F913, 0040F92E
NSSM, xrefs: 0040F94E
D, xrefs: 0040F5E5
command line, xrefs: 0040F676
"%s" %s, xrefs: 0040F64F
start_service, xrefs: 0040F671

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: _memset
String ID: "%s" %s$%lu$D$NSSM$command line$start_service
API String ID: 2102423945-3686305457
Opcode ID: 15bd790cc5130b0d5c2ab7dfe92f44a3908f88334305f7af3615e792483eadc3
Instruction ID: 8d8a3d24360daf10ba7eb9db1eca87cf74f697693d6f1518d53dda03d5ccb93b
Opcode Fuzzy Hash: 15bd790cc5130b0d5c2ab7dfe92f44a3908f88334305f7af3615e792483eadc3
Instruction Fuzzy Hash: BFC179F1A10700ABD720DB65DC46FDB73D8AB84308F40493EF69DA61C1E6BDA544CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF10 Relevance: 38.8, APIs: 19, Strings: 3, Instructions: 272COMMON

Download Yara Rule

Strings

%s, xrefs: 0040F137
%s: %s, xrefs: 0040F15A
%s: %s: %s, xrefs: 0040F0CC, 0040F0FA, 0040F207, 0040F237

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: ConsoleWindow
String ID: %s$%s: %s$%s: %s: %s
API String ID: 2863861424-3854535108
Opcode ID: 62dbc4f8497a765d2b6207e4a47a89f7e005d1b09c3d01c80ec779e24176e9d2
Instruction ID: 763075a4a37bd2d8825689e23daf19d261bde39fceb0a92dd0ece0a9df8372dc
Opcode Fuzzy Hash: 62dbc4f8497a765d2b6207e4a47a89f7e005d1b09c3d01c80ec779e24176e9d2
Instruction Fuzzy Hash: A981DBF6D04200BBE22077719C46BAF725C9B9431DF44093FF906A62C2FA7CD95946AB

Uniqueness

Uniqueness Score: -1.00%

Function 0040A580 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 229processCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040A5C0

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

__snwprintf_s.LIBCMT ref: 0040A5DE

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

OpenProcess.KERNEL32(00100411,00000000,?), ref: 0040A610
__snwprintf_s.LIBCMT ref: 0040A639
GetExitCodeProcess.KERNEL32(00000000,?), ref: 0040A67A
GetLastError.KERNEL32(00000000), ref: 0040A699
CloseHandle.KERNEL32(00000000), ref: 0040A6C2
CloseHandle.KERNEL32(00000000), ref: 0040A6ED
GetLastError.KERNEL32(00000000), ref: 0040A6F7
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040A723
GetLastError.KERNEL32(00000000,00000002,00000000), ref: 0040A72F
_memset.LIBCMT ref: 0040A760
Process32FirstW.KERNEL32 ref: 0040A776
GetLastError.KERNEL32(00000000), ref: 0040A780
Process32NextW.KERNEL32(00000000,?), ref: 0040A7C2
Process32NextW.KERNEL32(00000000,?), ref: 0040A807
GetLastError.KERNEL32(?,00000000,?,?,00000002,00000000), ref: 0040A816
GetLastError.KERNEL32(00000000,?,00000000,?,?,00000002,00000000), ref: 0040A81F
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000002,00000000), ref: 0040A83C

Strings

AppStopMethodSkip, xrefs: 0040A6CA
%lu, xrefs: 0040A5AF, 0040A5CD, 0040A628
NSSM, xrefs: 0040A6CF

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: ErrorLast$CloseEventHandleProcess32__snwprintf_s$NextProcessSource$CodeCreateDeregisterExitFirstOpenRegisterReportSnapshotToolhelp32__vsnwprintf_s_l_memset
String ID: %lu$AppStopMethodSkip$NSSM
API String ID: 876000941-153837258
Opcode ID: 87d6cd8ad363924e11445b902c5b866b416526b6275c1319dbaef4f3e386f7b6
Instruction ID: 9356f86b261df9c84ccaf74e0b1af484dc6ccdd0321f5befb0d5a42ea0511750
Opcode Fuzzy Hash: 87d6cd8ad363924e11445b902c5b866b416526b6275c1319dbaef4f3e386f7b6
Instruction Fuzzy Hash: A061C8F15043007BE220A7519D8AFFB736CDF94708F50892EFA49A21C3F6B89515867B

Uniqueness

Uniqueness Score: -1.00%

Function 00411680 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 219memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?), ref: 0041171B
HeapFree.KERNEL32(00000000,?,?,?), ref: 00411722
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?), ref: 00411750
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00411790
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00411793
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 004117A0
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 004117A3
HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 00411753

Part of subcall function 00405470: _vfwprintf.LIBCMT ref: 0040548F
Part of subcall function 00405470: LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 00405498

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00411813
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00411816
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00411823
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00411826
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00411833
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00411836
ChangeServiceConfigW.ADVAPI32(?,000000FF,000000FF,000000FF,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041185A
GetLastError.KERNEL32 ref: 00411864
GetProcessHeap.KERNEL32(00000000,?), ref: 00411895
HeapFree.KERNEL32(00000000), ref: 0041189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004118B5
HeapFree.KERNEL32(00000000), ref: 004118BC

Strings

native_set_dependonservice, xrefs: 0041175F
dependencies, xrefs: 00411764

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$FreeProcess$AllocChangeConfigErrorLastLocalService_vfwprintf
String ID: dependencies$native_set_dependonservice
API String ID: 2900453341-2849880886
Opcode ID: eacf11b33cb2cc2d23edf79ce080d1b0cbbaad9b579bfd244ff4f5032ff0d319
Instruction ID: c8f04e43e909d1bf12b9aa294be1e3cdf98767991595af7166a1449a2d8a3fce
Opcode Fuzzy Hash: eacf11b33cb2cc2d23edf79ce080d1b0cbbaad9b579bfd244ff4f5032ff0d319
Instruction Fuzzy Hash: 0E51D5B1A043016BE610EB65DC45FAB73DCEF84714F048629FA68D72E1EB78DC44C66A

Uniqueness

Uniqueness Score: -1.00%

Function 00406A20 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 169memorywindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00406A39
GetProcessHeap.KERNEL32 ref: 00406A56
HeapAlloc.KERNEL32(00000000), ref: 00406A59
_memset.LIBCMT ref: 00406A74
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000200), ref: 00406AD9
__snwprintf_s.LIBCMT ref: 00406AFC
__snwprintf_s.LIBCMT ref: 00406AB8

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

GetProcessHeap.KERNEL32(00000000,0000FFFE), ref: 00406B48
HeapAlloc.KERNEL32(00000000), ref: 00406B4B
__snwprintf_s.LIBCMT ref: 00406B81
__snwprintf_s.LIBCMT ref: 00406BA5

Part of subcall function 00405370: GetUserDefaultLangID.KERNEL32(00401059,0000FFFF,00000000,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040537F
Part of subcall function 00405370: FormatMessageW.KERNELBASE(00000B00,00000000,0040547B,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040539B
Part of subcall function 00405370: FormatMessageW.KERNEL32(00000B00,00000000,0040547B,00000000,00401059,0000FFFF,00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040), ref: 004053B4
Part of subcall function 00405370: GetProcessHeap.KERNEL32(00000000,00000040,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053BD
Part of subcall function 00405370: HeapAlloc.KERNEL32(00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053C4
Part of subcall function 00405370: __snwprintf_s.LIBCMT ref: 004053DC

GetOpenFileNameW.COMDLG32(?,00000200), ref: 00406BD6
SendMessageW.USER32(?,0000000C,00000000,?), ref: 00406C03
GetProcessHeap.KERNEL32(00000000,?), ref: 00406C1A
HeapFree.KERNEL32(00000000), ref: 00406C1D
GetProcessHeap.KERNEL32(00000000,?), ref: 00406C2A
HeapFree.KERNEL32(00000000), ref: 00406C2D

Strings

:%s:, xrefs: 00406B74
X, xrefs: 00406A4E

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$Process__snwprintf_s$AllocFreeMessage$Format_memset$DefaultFileLangLocalNameOpenSendUser__vsnwprintf_s_l
String ID: :%s:$X
API String ID: 4223584720-3643568712
Opcode ID: 6f6cb0b89cacafe10d1f1f8fd1946d6e639445887778fbb56b134f867ee11a65
Instruction ID: 2fb1f1ec6dd78cf9b56019ed523e1d5e6dfd49e8e4e2ad70138c12666923ebb1
Opcode Fuzzy Hash: 6f6cb0b89cacafe10d1f1f8fd1946d6e639445887778fbb56b134f867ee11a65
Instruction Fuzzy Hash: 725103B1A043016BE610EB24CC45FAB77A8EF84754F140A3DFD55A73C1DB78E914CA9A

Uniqueness

Uniqueness Score: -1.00%

Function 004099A0 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405470: _vfwprintf.LIBCMT ref: 0040548F
Part of subcall function 00405470: LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 00405498

_memset.LIBCMT ref: 004099BD
GetProcessHeap.KERNEL32 ref: 004099E2
HeapAlloc.KERNEL32(00000000), ref: 004099EB
GetModuleFileNameW.KERNEL32(00000000,00000000,00007FFF), ref: 00409A28
GetProcessHeap.KERNEL32(00000008,0000FFFE), ref: 00409A35
HeapAlloc.KERNEL32(00000000), ref: 00409A38
GetProcessHeap.KERNEL32(00000000,?), ref: 00409A46
HeapFree.KERNEL32(00000000), ref: 00409A49
GetCommandLineW.KERNEL32 ref: 00409A5B
__snwprintf_s.LIBCMT ref: 00409A6F

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

ShellExecuteExW.SHELL32 ref: 00409AD9
GetProcessHeap.KERNEL32(00000000,?), ref: 00409AED
HeapFree.KERNEL32(00000000), ref: 00409AF6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00409AFB
HeapFree.KERNEL32(00000000), ref: 00409AFE

Strings

GetModuleFileName(), xrefs: 004099FA
elevate(), xrefs: 004099F5, 00409A4F
GetCommandLine(), xrefs: 00409A54
<, xrefs: 004099D2

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$Process$Free$Alloc$CommandExecuteFileLineLocalModuleNameShell__snwprintf_s__vsnwprintf_s_l_memset_vfwprintf
String ID: <$GetCommandLine()$GetModuleFileName()$elevate()
API String ID: 973368859-4193039769
Opcode ID: 900e8c87ca2aa9aec742fd558df0281ba4947d5c9c9fdbed743180e08cd3c412
Instruction ID: 7ae2c759de92c54c39a002a946b74eb1e22cb2beefd2f70ccc6c30d9fe699ef8
Opcode Fuzzy Hash: 900e8c87ca2aa9aec742fd558df0281ba4947d5c9c9fdbed743180e08cd3c412
Instruction Fuzzy Hash: 673128F1E043027AD310ABA5CC46FA77798EF84704F00452AF945E72C1DBBCE9448BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004017F0 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

SeServiceLogonRight, xrefs: 00401870

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID:
String ID: SeServiceLogonRight
API String ID: 0-347471591
Opcode ID: d1ec01c29beff1dc2b7cf4a31634801e6b38091671ebd8c69d5d4f8db8eefe16
Instruction ID: 1588cd9aa28459d6f698114f179f5034525e64d227a869bba66d549dab2bd090
Opcode Fuzzy Hash: d1ec01c29beff1dc2b7cf4a31634801e6b38091671ebd8c69d5d4f8db8eefe16
Instruction Fuzzy Hash: D751D9F29003016BC210FB659C82A9F73A9EFC4758F44493EF845D3262E63CDA55C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00410BE0 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 175registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 00410C19

Strings

affinity, xrefs: 00410C79
setting_get_affinity, xrefs: 00410C74
All, xrefs: 00410C24

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: QueryValue
String ID: All$affinity$setting_get_affinity
API String ID: 3660427363-3501811323
Opcode ID: aadf3678ba3ec564ff7923484b1f3c659c44b9ba2d0e62d742e643e475440171
Instruction ID: 39c13d5f00e9b419edd27a44e9b0f75dfecbdf5c9278ee4873767282b9cc75a7
Opcode Fuzzy Hash: aadf3678ba3ec564ff7923484b1f3c659c44b9ba2d0e62d742e643e475440171
Instruction Fuzzy Hash: 7041C9B1B042007BE600A779DC45FAF77DCEFC4729F840A5AF558D22D1D6B8DC848A66

Uniqueness

Uniqueness Score: -1.00%

Function 00406C40 Relevance: 27.2, APIs: 18, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b78011fbee3aa40aefb94b04e9307e1ddbd925d910803d0c7f55a23a13cb692
Instruction ID: 4a1410ef1443eea10fe89477afcc143de1e533fa6ee3b316fa2d910530bd4db7
Opcode Fuzzy Hash: 1b78011fbee3aa40aefb94b04e9307e1ddbd925d910803d0c7f55a23a13cb692
Instruction Fuzzy Hash: 4661DCB1A84302BBE101A7509C06FFB7398EB94B44F01443AF7527A0C2DBBC56558BAF

Uniqueness

Uniqueness Score: -1.00%

Function 0040D990 Relevance: 27.1, APIs: 18, Instructions: 98memoryserviceCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,76F8F380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040D9B8
HeapFree.KERNEL32(00000000), ref: 0040D9BB
GetProcessHeap.KERNEL32(00000000,?,?,76F8F380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040D9E3
HeapFree.KERNEL32(00000000), ref: 0040D9E6
GetProcessHeap.KERNEL32(00000000,?,?,76F8F380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040D9F5
HeapFree.KERNEL32(00000000), ref: 0040D9F8
GetProcessHeap.KERNEL32(00000000,?,?,76F8F380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA07
HeapFree.KERNEL32(00000000), ref: 0040DA0A
GetProcessHeap.KERNEL32(00000000,?,?,76F8F380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA19
HeapFree.KERNEL32(00000000), ref: 0040DA1C
CloseServiceHandle.ADVAPI32(?,?,76F8F380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA29
CloseHandle.KERNEL32(?,00000000,?,76F8F380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA41
UnregisterWait.KERNEL32(?), ref: 0040DA4E
DeleteCriticalSection.KERNEL32(?,00000000,?,76F8F380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA64
CloseHandle.KERNEL32(?,00000000,?,76F8F380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA75
FreeEnvironmentStringsW.KERNEL32(?,?,76F8F380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA83
GetProcessHeap.KERNEL32(00000000,?,?,76F8F380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA8C
HeapFree.KERNEL32(00000000), ref: 0040DA8F

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$Free$Process$CloseHandle$CriticalDeleteEnvironmentSectionServiceStringsUnregisterWait
String ID:
API String ID: 223489879-0
Opcode ID: 115bcf30406b6ff842ec37e1375dc7df3e087b6a23b02530f15371c741b9abf6
Instruction ID: 77dd6ce9f9945231fd51557c9ffd4fac1d491a87d3cf4fd6406c7136dc2c8fa9
Opcode Fuzzy Hash: 115bcf30406b6ff842ec37e1375dc7df3e087b6a23b02530f15371c741b9abf6
Instruction Fuzzy Hash: 5E3112F1F04701ABE7209BB6DC45FA7B7DCAF44745F054929BA59E3280CA78EC048A38

Uniqueness

Uniqueness Score: -1.00%

Function 0040D520 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

QueryServiceConfig2W.ADVAPI32(00000000,00000001,00000000,00000000,00003FFF,00000000,00008418,00000402), ref: 0040D547
GetLastError.KERNEL32 ref: 0040D549
GetProcessHeap.KERNEL32(00000000,00003FFF,00000000,00000000), ref: 0040D567
HeapAlloc.KERNEL32(00000000), ref: 0040D56A

Strings

SERVICE_CONFIG_DESCRIPTION, xrefs: 0040D57B, 0040D629, 0040D65E
get_service_description(), xrefs: 0040D576

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$AllocConfig2ErrorLastProcessQueryService
String ID: SERVICE_CONFIG_DESCRIPTION$get_service_description()
API String ID: 2527037045-119971955
Opcode ID: 9949ae250d6f60cbc6c2d3ad254c89fe22e4bd7663aaf79f323aa80c9ae87168
Instruction ID: 3e5ba4e39e1bc183658cdb8e0b0057f10ea9e025a726a76105c97a4cff3da096
Opcode Fuzzy Hash: 9949ae250d6f60cbc6c2d3ad254c89fe22e4bd7663aaf79f323aa80c9ae87168
Instruction Fuzzy Hash: 103137F2A413017BE200A7A6EC46FEBB35CDF95729F10052AF509E61C1DAB9D840866A

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 139memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,00000001,00000000), ref: 0040ACEC
HeapAlloc.KERNEL32(00000000), ref: 0040ACF3
_memset.LIBCMT ref: 0040AD2C
RegQueryValueExW.ADVAPI32 ref: 0040AD57
GetLastError.KERNEL32 ref: 0040AD63
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AD6E
HeapFree.KERNEL32(00000000), ref: 0040AD75

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

get_string(), xrefs: 0040AD04

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$Event$ProcessSource$AllocDeregisterErrorFreeLastQueryRegisterReportValue_memset
String ID: get_string()
API String ID: 2603871056-896229945
Opcode ID: 56f8c6b17a97cf912f3af75bb16579b71339ad1f642ff53764c85366f89547bd
Instruction ID: 72e98944cf36b2bbc6af698ef9dc07420c8870f262d0e465f671d630dce17b03
Opcode Fuzzy Hash: 56f8c6b17a97cf912f3af75bb16579b71339ad1f642ff53764c85366f89547bd
Instruction Fuzzy Hash: 154115B19043006BE310AB58EC09FEB7B9CEF8471AF44457AF549A2182D7B9C954C6AB

Uniqueness

Uniqueness Score: -1.00%

Function 00410940 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00410980
GetProcessAffinityMask.KERNEL32(00000000), ref: 00410987

Strings

All, xrefs: 004109A9

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID: All
API String ID: 1231390398-55916349
Opcode ID: 3cc79894fb783cbacc77b87bc96894dd0151df03ecdf7f3147d36d3e41e83904
Instruction ID: 4f50b5df6772471c36ec06a59c3137138f5c5bb65052f92276dbeda9fd140f86
Opcode Fuzzy Hash: 3cc79894fb783cbacc77b87bc96894dd0151df03ecdf7f3147d36d3e41e83904
Instruction Fuzzy Hash: 0371E5B29043016BD710DF69DC85AAB77E8EFC4358F444A2EF944D3341E678ED848B6A

Uniqueness

Uniqueness Score: -1.00%

Function 004089B0 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 160timefileCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004089E3
CreateFileW.KERNEL32(?,00000000,00000007,00000000,00000003,00000080,00000000), ref: 004089F8
GetFileInformationByHandle.KERNEL32(00000000,?), ref: 00408A0E
SystemTimeToFileTime.KERNEL32(?,?), ref: 00408A32
CloseHandle.KERNEL32(00000000), ref: 00408A49
SystemTimeToFileTime.KERNEL32(?,?), ref: 00408A5D
CompareFileTime.KERNEL32(?,?,?,00000000,FF676980,000000FF), ref: 00408A90
FileTimeToSystemTime.KERNEL32(?,?), ref: 00408AD6
MoveFileW.KERNEL32(?,?), ref: 00408AF7
GetLastError.KERNEL32 ref: 00408B1D
SystemTimeToFileTime.KERNEL32(?,?), ref: 00408B54
GetLastError.KERNEL32 ref: 00408B5F

Strings

CreateFile(), xrefs: 00408B34
MoveFile(), xrefs: 00408B7F

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Time$File$System$ErrorHandleLast$CloseCompareCreateInformationMove
String ID: CreateFile()$MoveFile()
API String ID: 1279283993-2404744241
Opcode ID: 25552cb11b5ace56ecd3b2e5a937ca093c4a3363743169b4a7c3585eb8c3d0c6
Instruction ID: dbd175fc6890c416a4f9d1aeb2e25f209b5034f3b8b6a35462ec3c9fcbbef7c3
Opcode Fuzzy Hash: 25552cb11b5ace56ecd3b2e5a937ca093c4a3363743169b4a7c3585eb8c3d0c6
Instruction Fuzzy Hash: 7951B2B1604300AFD321DF50DD85EEF77A8FF88704F44492EF6C992181DB78A9448B6A

Uniqueness

Uniqueness Score: -1.00%

Function 004105B0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 223registryCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 00410665
RegDeleteValueW.ADVAPI32(00000000,?), ref: 00410678
RegCloseKey.ADVAPI32(00000000), ref: 00410681
__snwprintf_s.LIBCMT ref: 004106E3
__wcsnicmp.LIBCMT ref: 0041070C
_fwprintf.LIBCMT ref: 0041075F
RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,?,?), ref: 004107D2
GetLastError.KERNEL32(?,?), ref: 004107DC
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00410809
RegCloseKey.ADVAPI32(00000000,?,?), ref: 00410815

Strings

%s, xrefs: 00410751
default, xrefs: 004105DE

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Close$Value__snwprintf_s$DeleteErrorLast__wcsnicmp_fwprintf
String ID: %s$default
API String ID: 3151773479-387093873
Opcode ID: a3eb8f7cbf097436222cf15ca32937873149e64d54cf7f047a34555ee42af66f
Instruction ID: 30a3df3cfbea9975472b600d8026b2d659796aa5a5751022936202a7496980d0
Opcode Fuzzy Hash: a3eb8f7cbf097436222cf15ca32937873149e64d54cf7f047a34555ee42af66f
Instruction Fuzzy Hash: 5F613BB1A043006BD210AB65DD46FEB73989F84308F44452AF95592282F7FCE9D5CAAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040EC60 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 220memoryCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040ECD9
ChangeServiceConfigW.ADVAPI32(?,?,?,000000FF,00000000,00000000,00000000,0041E5D8,?,00000000,?,?,?,00000000), ref: 0040ED79
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000), ref: 0040ED8E
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0040ED95
GetLastError.KERNEL32(?,?,00000000), ref: 0040ED9B

Strings

LocalSystem, xrefs: 0040ED23

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$ChangeConfigErrorFreeLastProcessService__snwprintf_s
String ID: LocalSystem
API String ID: 3404593348-3718507506
Opcode ID: 41f063981e1366348621d5f49daee988617f9f6c866f27ec98b904e9930f1709
Instruction ID: 6c351189403f5eb6c5fe8513cea9cc0aa6b3904080e0031a5e5be75d4344df1b
Opcode Fuzzy Hash: 41f063981e1366348621d5f49daee988617f9f6c866f27ec98b904e9930f1709
Instruction Fuzzy Hash: 9071ECF1904701ABE720DB65DC49FA773A8EF84308F048D3EF559A22C1E778E8558769

Uniqueness

Uniqueness Score: -1.00%

Function 00410090 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 149registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D950: GetProcessHeap.KERNEL32(00000008,00070510,?,00406684), ref: 0040D958
Part of subcall function 0040D950: HeapAlloc.KERNEL32(00000000,?,00406684), ref: 0040D95F

__snwprintf_s.LIBCMT ref: 004100BB

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

RegisterServiceCtrlHandlerExW.ADVAPI32(NSSM,0040F310,00000000), ref: 0041016B
GetLastError.KERNEL32(00000000), ref: 0041017C

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

NSSM, xrefs: 0041012E
service_main(), xrefs: 004100C8
service->name, xrefs: 004100CD

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Event$HeapRegisterSource$AllocCtrlDeregisterErrorHandlerLastProcessReportService__snwprintf_s__vsnwprintf_s_l
String ID: NSSM$service->name$service_main()
API String ID: 4131733493-2082882489
Opcode ID: 6ac95fc9643b6a64bb1cb5c6de92dade781988db5d66d8b08e3ebf056326ab07
Instruction ID: 09d4c8929dcbfacbdd4c1d483c8683e469f37797597802ee5f3465e219f8d35a
Opcode Fuzzy Hash: 6ac95fc9643b6a64bb1cb5c6de92dade781988db5d66d8b08e3ebf056326ab07
Instruction Fuzzy Hash: 3851A8F1E40700EFD320AF759C46BD77BA8AB44319F40853FF65E96242D2BD68848B69

Uniqueness

Uniqueness Score: -1.00%

Function 00412120 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 149memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0041219F
HeapFree.KERNEL32(00000000), ref: 004121A6

Strings

%s, xrefs: 00412209, 00412224
SERVICE_WIN32_OWN_PROCESS, xrefs: 004121D5, 00412204
LocalSystem, xrefs: 00412186, 004121AE
SERVICE_INTERACTIVE_PROCESS, xrefs: 00412146, 0041221F

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: %s$LocalSystem$SERVICE_INTERACTIVE_PROCESS$SERVICE_WIN32_OWN_PROCESS
API String ID: 3859560861-1492594695
Opcode ID: 33fa03d751a25fb42394721696a2fbae633dc317f90b51ed7800875141e1fc40
Instruction ID: ce946582b93cb946955dea2ec205cb75b91bbb2897729394130ecaaa05bb3734
Opcode Fuzzy Hash: 33fa03d751a25fb42394721696a2fbae633dc317f90b51ed7800875141e1fc40
Instruction Fuzzy Hash: E231C3B3D4420137E6006676BC4AFDB73089F51339F140627F924E62C2FAB9DCD186A9

Uniqueness

Uniqueness Score: -1.00%

Function 00401580 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

username_sid, xrefs: 00401689
lsa_canon, xrefs: 0040168E

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: ErrorOpenPolicyStatus
String ID: lsa_canon$username_sid
API String ID: 3835286460-3440772048
Opcode ID: 4be24f8c859b4fd8f73fde33ddbbb5feb2b1e283fdf2ddda045c7394c8cdc431
Instruction ID: c21e6304ed427eea8d7a4b8d0c36af05136f334d03c0e194f28452d20308fd16
Opcode Fuzzy Hash: 4be24f8c859b4fd8f73fde33ddbbb5feb2b1e283fdf2ddda045c7394c8cdc431
Instruction Fuzzy Hash: C641E3B59042017BD300FB69CC96DAB73E9FFC4708F44881EF58897252E678D99487A6

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA00 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 133memorysynchronizationCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,76F8E010,?), ref: 0040EA3B
HeapAlloc.KERNEL32(00000000), ref: 0040EA42
__snwprintf_s.LIBCMT ref: 0040EA5C
__snwprintf_s.LIBCMT ref: 0040EA83
SetServiceStatus.ADVAPI32(?,?), ref: 0040EADA
__snwprintf_s.LIBCMT ref: 0040EAF3
__snwprintf_s.LIBCMT ref: 0040EB07
WaitForSingleObject.KERNEL32(?,?), ref: 0040EB40

Strings

%lu, xrefs: 0040EA75, 0040EAE5, 0040EAF9
%s(), xrefs: 0040EA53

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: __snwprintf_s$Heap$AllocObjectProcessServiceSingleStatusWait
String ID: %lu$%s()
API String ID: 3479796768-699940799
Opcode ID: e71cb8d17e41331fe53131b87f854323c29ecb78752b37c52de2a023a38e2165
Instruction ID: 89c68062588a5b6a5dcd3b42c23b9f1343587bb4bcf2e221744147efb473305d
Opcode Fuzzy Hash: e71cb8d17e41331fe53131b87f854323c29ecb78752b37c52de2a023a38e2165
Instruction Fuzzy Hash: 6B41B7B1A04300EBD620DF65DD85F9B73A8FB84714F104A2EB669932C0E778E954CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB70 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 147registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,?,?,?,0040C1D6,?,00000000,AppEnvironment,?,?), ref: 0040AB95
GetLastError.KERNEL32(00000000,?,0040C1D6,?,00000000,AppEnvironment,?,?), ref: 0040ABBD

Strings

get_environment(), xrefs: 0040AC55

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: ErrorLastQueryValue
String ID: get_environment()
API String ID: 1349404517-3013924771
Opcode ID: 5fe43cc991a531061349832457c459933e1ba32819d714f4fa0c8be67a97d6b9
Instruction ID: 1d8989cfc65caa848716c5f45015e9ce7db8ed1eb8c61d39c0da8540bf3f80e9
Opcode Fuzzy Hash: 5fe43cc991a531061349832457c459933e1ba32819d714f4fa0c8be67a97d6b9
Instruction Fuzzy Hash: 2541A1F26043006BE3109B55EC45FA777ACEB8471AF20457EF645E72C1D6B9D440CA66

Uniqueness

Uniqueness Score: -1.00%

Function 0040A9C0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 124registryCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040A9FA

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,00020006,00000000,?,?,?,?,?,?,?,00000000), ref: 0040AA5D
GetLastError.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0040AA69

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

SYSTEM\CurrentControlSet\Services\%s\Parameters\%s, xrefs: 0040A9E9
NSSM_REG_EXIT, xrefs: 0040AA0D
create_exit_action(), xrefs: 0040AA08
AppExit, xrefs: 0040A9E3, 0040AB0C

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Event$Source$CreateDeregisterErrorLastRegisterReport__snwprintf_s__vsnwprintf_s_l
String ID: AppExit$NSSM_REG_EXIT$SYSTEM\CurrentControlSet\Services\%s\Parameters\%s$create_exit_action()
API String ID: 508490100-4149098550
Opcode ID: 4fcb7e5af628b31a412a967c9f9c41a1b2acc9b1253a557f1fea2d54328a6c8b
Instruction ID: c54e0a44a042602298dc2c5b83e2bd5604e14107d9abb35974e2f0600bad2026
Opcode Fuzzy Hash: 4fcb7e5af628b31a412a967c9f9c41a1b2acc9b1253a557f1fea2d54328a6c8b
Instruction Fuzzy Hash: FB4109F1B443006BE6209754CD4BFEB7398DB98704F50452EF64AAA1C2EAB8D544CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040D690 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

QueryServiceConfig2W.ADVAPI32(00000002,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00000002,0040DDED,00000002,?,00000000,00008400), ref: 0040D6D3
GetLastError.KERNEL32 ref: 0040D6DB
GetProcessHeap.KERNEL32(00000000,?), ref: 0040D6ED
HeapAlloc.KERNEL32(00000000), ref: 0040D6F4

Strings

get_service_startup(), xrefs: 0040D700
SERVICE_CONFIG_DELAYED_AUTO_START_INFO, xrefs: 0040D791
SERVICE_DELAYED_AUTO_START_INFO, xrefs: 0040D705, 0040D7AC

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$AllocConfig2ErrorLastProcessQueryService
String ID: SERVICE_CONFIG_DELAYED_AUTO_START_INFO$SERVICE_DELAYED_AUTO_START_INFO$get_service_startup()
API String ID: 2527037045-1869567720
Opcode ID: bf1bcd56317e02efd2dd7698e4ba2d83c3c3b2c1e479c8237d6ba54ce11f5d08
Instruction ID: 097b29a2a90f646509759188dcc962e1ab6821ba756d97a4ddf6cf1ac72e26d1
Opcode Fuzzy Hash: bf1bcd56317e02efd2dd7698e4ba2d83c3c3b2c1e479c8237d6ba54ce11f5d08
Instruction Fuzzy Hash: B531D4F6A403016BE310DFA9DC89FAB7798EB84315F54487AF504E7281E778E8448A69

Uniqueness

Uniqueness Score: -1.00%

Function 00409130 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 114memorypipethreadCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,00000000,00000000), ref: 0040915B
SetHandleInformation.KERNEL32(00000000,00000001,00000001,?,?,00000000,00000000), ref: 0040916C
GetProcessHeap.KERNEL32(00000008,00000030), ref: 00409176
HeapAlloc.KERNEL32(00000000), ref: 0040917D
GetLastError.KERNEL32(?,?,00000000,00000000), ref: 004091A9
CreateThread.KERNEL32(00000000,00000000,Function_00008D50,00000000,00000000,?), ref: 00409222
GetLastError.KERNEL32(00000000), ref: 0040922F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00409250
HeapFree.KERNEL32(00000000), ref: 00409257

Strings

logger, xrefs: 0040918F
create_logging_thread(), xrefs: 0040918A

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$CreateErrorLastProcess$AllocFreeHandleInformationPipeThread
String ID: create_logging_thread()$logger
API String ID: 3682172063-2332508298
Opcode ID: 5364c44dd14288a0f0078d0c2a26264fb7274c226d6cf196836e5ebcf69bdcaf
Instruction ID: 7a5f417da971cce8bdb4d489e7d561c2bea4d1d3adffcb45d960dbf457daacd4
Opcode Fuzzy Hash: 5364c44dd14288a0f0078d0c2a26264fb7274c226d6cf196836e5ebcf69bdcaf
Instruction Fuzzy Hash: 5731A0B1A00701AFD3209F65DC49F9BB7E8EF88714F10892EF649E7291D674E8408B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E830 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 144sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040E8A3
__snwprintf_s.LIBCMT ref: 0040E8ED
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E921
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 0040E95C
SetServiceStatus.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E97A
SleepConditionVariableCS.KERNELBASE(?,?,?), ref: 0040E998
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E99F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E9C4
Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E9DD

Strings

%lu, xrefs: 0040E895, 0040E8DF

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: CriticalSectionSleep__snwprintf_s$ConditionEnterLeaveObjectServiceSingleStatusTimerVariableWaitWaitable
String ID: %lu
API String ID: 418212672-685833217
Opcode ID: d4d9859d66ea56a1125a05eea6eb692c0986071de63174207467bd870c1a4a4e
Instruction ID: 0bcbe74f60e49559a2a01a7623a54cf792aad81448e6a6f2708ebc24a96566d6
Opcode Fuzzy Hash: d4d9859d66ea56a1125a05eea6eb692c0986071de63174207467bd870c1a4a4e
Instruction Fuzzy Hash: 5141DCF1A04700EBD7249B25CC46BDB73D4BB88314F508B2EF25EA61C0E67CA945C759

Uniqueness

Uniqueness Score: -1.00%

Function 00410DA0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 00410E22
HeapFree.KERNEL32(00000000), ref: 00410E29

Strings

AppEnvironment, xrefs: 00410E96

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: AppEnvironment
API String ID: 3859560861-948859433
Opcode ID: 04cadfac52257cf83fd6566f2c35dc0dcf809a10a3b222f8c10f06632aaf1ac7
Instruction ID: d0ab22901641b4708907b5ad450eb196165ffe8a0ecf88f64d9a13dda8279097
Opcode Fuzzy Hash: 04cadfac52257cf83fd6566f2c35dc0dcf809a10a3b222f8c10f06632aaf1ac7
Instruction Fuzzy Hash: 724106B2A042016BE2009B69EC09FEB37A8DFC4725F14492EF515D62D1DBB8D8C5C76A

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD30 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,0040DD63,00000003,00000000,00000002,?,0040DD63,00000002,00000000), ref: 0040CD48
GetLastError.KERNEL32(?,0040DD63,00000002,00000000), ref: 0040CD50
GetProcessHeap.KERNEL32(00000008,0040DD63,00000000,?,0040DD63,00000002,00000000), ref: 0040CD63
HeapAlloc.KERNEL32(00000000,?,0040DD63,00000002,00000000), ref: 0040CD6A
QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,0040DD63,00000002,00000000), ref: 0040CD94
GetProcessHeap.KERNEL32(00000000,00000000,?,0040DD63,00000002,00000000), ref: 0040CD9C
HeapFree.KERNEL32(00000000,?,0040DD63,00000002,00000000), ref: 0040CDA3
GetLastError.KERNEL32(00000000,?,0040DD63,00000002,00000000), ref: 0040CDAB

Strings

query_service_config(), xrefs: 0040CD77
QUERY_SERVICE_CONFIG, xrefs: 0040CD7C

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$ConfigErrorLastProcessQueryService$AllocFree
String ID: QUERY_SERVICE_CONFIG$query_service_config()
API String ID: 2921672788-976127789
Opcode ID: f0828055e39d8f9797993dd67b379e2a0b7a4cee187890433159a102a33d25e2
Instruction ID: ec6184287c6e1aa3659987899a8ea3cdc59ea47e861b503f6ba41a7943c46725
Opcode Fuzzy Hash: f0828055e39d8f9797993dd67b379e2a0b7a4cee187890433159a102a33d25e2
Instruction Fuzzy Hash: 3F21D5F2A452017BE600A7A5EC8AFBF775CEFC5329F10893AF605D3181DA78D8049679

Uniqueness

Uniqueness Score: -1.00%

Function 00404FB0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000), ref: 00404FBB
GetLastError.KERNEL32(00000000), ref: 00404FC8

Part of subcall function 004052C0: TlsGetValue.KERNEL32(00000014,?,00401042,00000000,00000000), ref: 004052C7
Part of subcall function 004052C0: LocalAlloc.KERNEL32(00000040,0000FFFF,?,00401042,00000000,00000000), ref: 004052DA

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404FFB
HeapAlloc.KERNEL32(00000000), ref: 00404FFE

Strings

ExpandEnvironmentStrings(), xrefs: 00405010
expand_environment_string, xrefs: 0040500B

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Event$AllocHeapSource$DeregisterEnvironmentErrorExpandLastLocalProcessRegisterReportStringsValue
String ID: ExpandEnvironmentStrings()$expand_environment_string
API String ID: 834161584-2090451141
Opcode ID: f59b1bc273204f5623afe584567ecfba35516a339bb065064b188413960d3f6b
Instruction ID: 1c240b0065301ebdc15cfa0ece81b4dfea20bbf87cc1a9778ddf823e08b6aba0
Opcode Fuzzy Hash: f59b1bc273204f5623afe584567ecfba35516a339bb065064b188413960d3f6b
Instruction Fuzzy Hash: AF11B2F2A416017BE21026B5BC4AFEB771CDB8076AF114472FA05E2182EA79C54045B9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E600 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000016), ref: 0040E620
HeapAlloc.KERNEL32(00000000), ref: 0040E623
__snwprintf_s.LIBCMT ref: 0040E658
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E682
HeapFree.KERNEL32(00000000), ref: 0040E685

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E6C4
HeapFree.KERNEL32(00000000), ref: 0040E6C7

Strings

0x%08x, xrefs: 0040E64E
control code, xrefs: 0040E635, 0040E66B
log_service_control(), xrefs: 0040E630, 0040E666

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$EventProcess$FreeSource$AllocDeregisterRegisterReport__snwprintf_s
String ID: 0x%08x$control code$log_service_control()
API String ID: 844069407-2089045330
Opcode ID: 9ef0c78e7c00f931eee4f5ffaa9126fd3d2030249d315e71256b6d1e8744bc2b
Instruction ID: 612ea0ede9ba1e7cb3a868644965a314014b177a7dd95aa26f1d9d3cb81d428a
Opcode Fuzzy Hash: 9ef0c78e7c00f931eee4f5ffaa9126fd3d2030249d315e71256b6d1e8744bc2b
Instruction Fuzzy Hash: 6211CBF2B4031037E62062676C46FDF2648CB90BAAF550976FA09B61C2D5BD8C5141BD

Uniqueness

Uniqueness Score: -1.00%

Function 004084D0 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 227COMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 00408511

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

ShareMode, xrefs: 00408588, 004085AF
CreationDisposition, xrefs: 004085FE, 00408625
%s%s, xrefs: 0040858E, 00408604, 0040867D
get_createfile_parameters(), xrefs: 0040851F, 004085AA, 00408620, 00408699
FlagsAndAttributes, xrefs: 00408677, 0040869E

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Event$Source$DeregisterRegisterReport__snwprintf_s__vsnwprintf_s_l
String ID: %s%s$CreationDisposition$FlagsAndAttributes$ShareMode$get_createfile_parameters()
API String ID: 2445375048-825329064
Opcode ID: b56b3a038a3fb234e7910174b92c3cda99c27529ad80f9ad3da27b13678a7099
Instruction ID: d5bcaed63e337bfabc806c2c34b187c565ea729d6d27f924a01f1bb630a1831b
Opcode Fuzzy Hash: b56b3a038a3fb234e7910174b92c3cda99c27529ad80f9ad3da27b13678a7099
Instruction Fuzzy Hash: D0511AB27443001BD200A61A9D43FEFB3D4AB98779FD4052FF649E62C1FA7DD580869A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C610 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

%c%u, xrefs: 0040C779

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID:
String ID: %c%u
API String ID: 0-883269693
Opcode ID: a6a9a78c627fcc7f84f026c182eb2424cb4b7fe8dcf98c1fa97da1e8e50362f1
Instruction ID: fcb05bf5aa25034c6b283f3d3c8d8d5dbfc9814c65828dd12b5a4fa76bd1d4d2
Opcode Fuzzy Hash: a6a9a78c627fcc7f84f026c182eb2424cb4b7fe8dcf98c1fa97da1e8e50362f1
Instruction Fuzzy Hash: 5A51BE729443058BD324DF68E8C57ABB3E5FB84310F544A3EE854D33A0E77A98458A9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B310 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 90registryCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040B349

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

__snwprintf_s.LIBCMT ref: 0040B365
RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 0040B3CA
GetLastError.KERNEL32(00000000), ref: 0040B3D6
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,?), ref: 0040B41F

Strings

open_registry(), xrefs: 0040B373
SYSTEM\CurrentControlSet\Services\%s\Parameters, xrefs: 0040B354
SYSTEM\CurrentControlSet\Services\%s\Parameters\%s, xrefs: 0040B338
NSSM_REGISTRY, xrefs: 0040B378

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: __snwprintf_s$CreateErrorLastOpen__vsnwprintf_s_l
String ID: NSSM_REGISTRY$SYSTEM\CurrentControlSet\Services\%s\Parameters$SYSTEM\CurrentControlSet\Services\%s\Parameters\%s$open_registry()
API String ID: 3162672713-2180615361
Opcode ID: 694e5b5481d173b3ab35a74997d032020c8674ed162b4220796c0d16fe997546
Instruction ID: 51ad032d09eab74b91555c8713cdb19e4fcc5e6d9908cd399ce7877185dd2446
Opcode Fuzzy Hash: 694e5b5481d173b3ab35a74997d032020c8674ed162b4220796c0d16fe997546
Instruction Fuzzy Hash: 3221E6F0A443016FE220F760CD47FBB3398EB54704F90452E7659E61C2FAB8954086AA

Uniqueness

Uniqueness Score: -1.00%

Function 004052C0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 65windowmemoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000014,?,00401042,00000000,00000000), ref: 004052C7
LocalAlloc.KERNEL32(00000040,0000FFFF,?,00401042,00000000,00000000), ref: 004052DA
TlsSetValue.KERNEL32(00000014,00000000,?,00401042,00000000,00000000), ref: 004052F5
GetUserDefaultLangID.KERNEL32(00000000,0000FFFF,00000000,?,?,?,00401042,00000000,00000000), ref: 00405305
FormatMessageW.KERNEL32(00001200,00000000,?,?,?,?,?,00401042,00000000,00000000), ref: 00405321
FormatMessageW.KERNEL32(00001200,00000000,?,00000000,00000000,0000FFFF,00000000,?,?,?,?,00401042,00000000,00000000), ref: 00405336
__snwprintf_s.LIBCMT ref: 0040534A

Strings

<out of memory for error message>, xrefs: 004052E6
system error %lu, xrefs: 0040533D

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: FormatMessageValue$AllocDefaultLangLocalUser__snwprintf_s
String ID: <out of memory for error message>$system error %lu
API String ID: 1317610408-3923297632
Opcode ID: b5758bec216b926b4d62f608ffe3328bbd5e3024216705962de944ccca3494a7
Instruction ID: f23edb150031ebe2e0488c34495c660aa377f69acf961f8f06e15d9152bb88fb
Opcode Fuzzy Hash: b5758bec216b926b4d62f608ffe3328bbd5e3024216705962de944ccca3494a7
Instruction Fuzzy Hash: 630180B2B4472377E23066657C05EBB2B58DF86BA5F144276FE20E62D0D978CC0195AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040A040 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?), ref: 0040A083
__snwprintf_s.LIBCMT ref: 0040A0A1
GetLastError.KERNEL32(00000000), ref: 0040A0AA

Strings

%lu, xrefs: 0040A093

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: ErrorLastOpenProcess__snwprintf_s
String ID: %lu
API String ID: 1619034979-685833217
Opcode ID: fd9c7b49e71a33996ba9c2a805d512b294e08a555ec79916aaafb0d51c83362a
Instruction ID: 8f5ceacfd598cb2394abf54756f4a9d9aecdfdb9d28b481e073514ca66ad884b
Opcode Fuzzy Hash: fd9c7b49e71a33996ba9c2a805d512b294e08a555ec79916aaafb0d51c83362a
Instruction Fuzzy Hash: 6C31ADB66002006BD2049765DC82EEFB3A4EF8C324F84452FF509D7291F678E69587DA

Uniqueness

Uniqueness Score: -1.00%

Function 0040A330 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

kill_console, xrefs: 0040A437

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID:
String ID: kill_console
API String ID: 0-1600766264
Opcode ID: b512eac6a5c75acfedc64106a28a87c7925d39300a97012badd4a903b776b279
Instruction ID: 6b8feeb58a831c22132309c7bed50a8a77aa2e1ca0f50238c9c6c98eb8e5a449
Opcode Fuzzy Hash: b512eac6a5c75acfedc64106a28a87c7925d39300a97012badd4a903b776b279
Instruction Fuzzy Hash: 202106F6A0030067F6206665BC4AFEB325CCB8035CF45843AFA09E72C2F97DDC9145AA

Uniqueness

Uniqueness Score: -1.00%

Function 00410F20 Relevance: 13.6, APIs: 9, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f38156d83b47b1d3b9d2af6ee629cc77d86bd27f8c3302232bc967707eea2e8
Instruction ID: 426f323d08f1782c1e6f60194951a9d10300faf2c5e3bd40731d4607ec8a1430
Opcode Fuzzy Hash: 6f38156d83b47b1d3b9d2af6ee629cc77d86bd27f8c3302232bc967707eea2e8
Instruction Fuzzy Hash: 0041B772A042015FC720DB55DC45BEBB3E8EBC8754F04492AF95483240E7B8E9C5C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0040B5D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 113registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B310: __snwprintf_s.LIBCMT ref: 0040B349

RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,?,?), ref: 0040B65F
RegCloseKey.ADVAPI32(00000000), ref: 0040B66A

Strings

%lu, xrefs: 0040B69B
AppExit, xrefs: 0040B5FC

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: CloseQueryValue__snwprintf_s
String ID: %lu$AppExit
API String ID: 2736435911-2506947422
Opcode ID: 360aecef11bcee73e09b5d0cd0e78933fc472dd2aa08b67d38fa45625f26d4c0
Instruction ID: c411b45a6930565bb1268b54e23c5314efaf1e743d4ddd058092e23d946cddcd
Opcode Fuzzy Hash: 360aecef11bcee73e09b5d0cd0e78933fc472dd2aa08b67d38fa45625f26d4c0
Instruction Fuzzy Hash: 4E31B2726043046BD300DB25DC41AAFB7E8EFC8314F84492EFA5992281FB7AD5458BDA

Uniqueness

Uniqueness Score: -1.00%

Function 004122D0 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 004122FA
HeapFree.KERNEL32(00000000), ref: 00412301

Strings

SERVICE_WIN32_SHARE_PROCESS, xrefs: 00412362, 00412367
SERVICE_WIN32_OWN_PROCESS, xrefs: 00412323, 00412328
SERVICE_KERNEL_DRIVER, xrefs: 0041234D, 00412352
SERVICE_INTERACTIVE_PROCESS, xrefs: 004123AD, 004123B2
SERVICE_FILE_SYSTEM_DRIVER, xrefs: 00412338, 0041233D
SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS, xrefs: 00412398, 0041239D

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: SERVICE_FILE_SYSTEM_DRIVER$SERVICE_INTERACTIVE_PROCESS$SERVICE_KERNEL_DRIVER$SERVICE_WIN32_OWN_PROCESS$SERVICE_WIN32_SHARE_PROCESS$SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS
API String ID: 3859560861-2402770260
Opcode ID: c4bcd49acf320aad884df7014bda7e7aedb362f20f7b40cc470d6da00f593dac
Instruction ID: 3fa550764ded5b60e080b7974a66712a4ad7996e9d168e8143a02efed0acfda5
Opcode Fuzzy Hash: c4bcd49acf320aad884df7014bda7e7aedb362f20f7b40cc470d6da00f593dac
Instruction Fuzzy Hash: BC21AFFE6003051BD600DB79AEC99AB335CEB85309F18896AFC14C2341E37DECD49269

Uniqueness

Uniqueness Score: -1.00%

Function 00408250 Relevance: 12.1, APIs: 8, Instructions: 73memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 00408267
GetLastError.KERNEL32 ref: 0040827B
__cftoe.LIBCMT ref: 0040828F

Part of subcall function 00413380: __mbstowcs_s_l.LIBCMT ref: 00413396

GetProcessHeap.KERNEL32(00000000,00000000), ref: 004082A7
HeapAlloc.KERNEL32(00000000), ref: 004082AA
__cftoe.LIBCMT ref: 004082C7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004082F9
HeapFree.KERNEL32(00000000), ref: 004082FC

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$Process__cftoe$AddressAllocErrorFreeLastProc__mbstowcs_s_l
String ID:
API String ID: 323180873-0
Opcode ID: b05e2564cea1b0aa3f2908587e94aa4160ead8b2f5666b2d7813d052930b67d1
Instruction ID: 2e5e402e2c2626b49358907e613a0df75488633df38e2a23a78af6a6010d2103
Opcode Fuzzy Hash: b05e2564cea1b0aa3f2908587e94aa4160ead8b2f5666b2d7813d052930b67d1
Instruction Fuzzy Hash: C911D2B1505310BBC3109B55DC49F9BB7ACEF89718F10466DF915A7282DA34D800CB7A

Uniqueness

Uniqueness Score: -1.00%

Function 00405790 Relevance: 12.0, APIs: 8, Instructions: 42COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000000,0000040D), ref: 004057AF
EnableWindow.USER32(00000000), ref: 004057B8
GetDlgItem.USER32(00000000,0000040F), ref: 004057CA
EnableWindow.USER32(00000000), ref: 004057CD
GetDlgItem.USER32(00000000,00000410), ref: 004057DB
EnableWindow.USER32(00000000), ref: 004057DE
GetDlgItem.USER32(00000000,00000411), ref: 004057ED
EnableWindow.USER32(00000000), ref: 004057F0

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: EnableItemWindow
String ID:
API String ID: 3833022359-0
Opcode ID: 31b3fd158049fa77296440bbcea545347585c868fa80e3e4f9f83df952b283d7
Instruction ID: e2f7c1c09c8d93b2009dc5b4c4f002420ea12ae4a46ab4e20d95bb4881afef45
Opcode Fuzzy Hash: 31b3fd158049fa77296440bbcea545347585c868fa80e3e4f9f83df952b283d7
Instruction Fuzzy Hash: 37F0AEF1F4031C36D610E7B57C84D676B6CEBC4591B058436B700D3190CDF8EA058A74

Uniqueness

Uniqueness Score: -1.00%

Function 00411F00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_fwprintf.LIBCMT ref: 00411F91

Strings

%s, xrefs: 00411F83

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: _fwprintf
String ID: %s
API String ID: 394020290-620797490
Opcode ID: 2c1e00e8f750eab5735f62461effd94720a9cb9abffd7c14ceba235e15ae4272
Instruction ID: 75f6ff0ad44b13ca8f97eaa8f5d04c03990c627219346353a10bb8e85013ff75
Opcode Fuzzy Hash: 2c1e00e8f750eab5735f62461effd94720a9cb9abffd7c14ceba235e15ae4272
Instruction Fuzzy Hash: EC4135B1A0020067E6105B79AD49BAB73489B44329F14023AF715E72E2E778CC92D6AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040B460 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 004084D0: __snwprintf_s.LIBCMT ref: 00408511

_memset.LIBCMT ref: 0040B4CF
_memset.LIBCMT ref: 0040B544

Strings

AppStdout, xrefs: 0040B507
AppStderr, xrefs: 0040B57C
AppStdin, xrefs: 0040B492

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: _memset$__snwprintf_s
String ID: AppStderr$AppStdin$AppStdout
API String ID: 2562117923-491939989
Opcode ID: 4e0be652339b1084abb8e3e740910de37694cbfcd9fe9fd7c93284c9240b7e06
Instruction ID: 1b06f4d84a2b42bb779b35d5d98be90b00d199c4a4a766b1a98f55c8d30fc170
Opcode Fuzzy Hash: 4e0be652339b1084abb8e3e740910de37694cbfcd9fe9fd7c93284c9240b7e06
Instruction Fuzzy Hash: B24180F2644305BBE320DE55EC42F97B3ECEF84755F10042EF2598A2C1EBB5A5488BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004102C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000), ref: 004102F8
HeapAlloc.KERNEL32(00000000), ref: 004102FB
__snwprintf_s.LIBCMT ref: 0041031D
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0041032E
HeapFree.KERNEL32(00000000), ref: 00410331

Strings

value_from_string(), xrefs: 0041030B, 0041033B

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$Process$AllocFree__snwprintf_s
String ID: value_from_string()
API String ID: 2465375985-962593079
Opcode ID: 32f829b42f32a28a4e5a4ac7d68f27ece40f46b8ce26e11d520957f2533d3fbb
Instruction ID: bb1032cf64baaab7dc3efed814e35f34ffcfd1963eead0c03da6be78f6f1ad05
Opcode Fuzzy Hash: 32f829b42f32a28a4e5a4ac7d68f27ece40f46b8ce26e11d520957f2533d3fbb
Instruction Fuzzy Hash: 271129B26042156BD71067AADC45FE7339CDF91369F004666FC29C72C0E6F8E8C08669

Uniqueness

Uniqueness Score: -1.00%

Function 004051B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00007FFF), ref: 004051DC
_memset.LIBCMT ref: 004051EB
CreateProcessW.KERNEL32 ref: 0040522C
TerminateProcess.KERNEL32(?,00000000), ref: 0040523D
GetLastError.KERNEL32 ref: 0040525A

Strings

D, xrefs: 00405224

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Process$CreateErrorFileLastModuleNameTerminate_memset
String ID: D
API String ID: 3492820992-2746444292
Opcode ID: 9dd1c94f525b39c6e15edc8379d8a417f697b7542ed4c4ee5f829fe84b09a39f
Instruction ID: ec264b7909b663423e436220cfe4819a88d4f1dffac62785d33a99ea7066e5a1
Opcode Fuzzy Hash: 9dd1c94f525b39c6e15edc8379d8a417f697b7542ed4c4ee5f829fe84b09a39f
Instruction Fuzzy Hash: B11154B1654300AFD320DB64DD46BEB77E4AF8C704F40482DB699D61D0EBB895488F96

Uniqueness

Uniqueness Score: -1.00%

Function 00415988 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00415994

Part of subcall function 00416431: __getptd_noexit.LIBCMT ref: 00416434
Part of subcall function 00416431: __amsg_exit.LIBCMT ref: 00416441

__amsg_exit.LIBCMT ref: 004159B4
__lock.LIBCMT ref: 004159C4
InterlockedDecrement.KERNEL32(?), ref: 004159E1
InterlockedIncrement.KERNEL32(009F2C30), ref: 00415A0C

Strings

H*B, xrefs: 004159EB

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID: H*B
API String ID: 4271482742-1987176958
Opcode ID: ae82dc6bd3ee7ef20407319b7cb59c0de88f678f5595f3ffd61352e31e938958
Instruction ID: 0f1790ebc6eee61fc3f291717e61b7ca4878fd8235e58e257555a432dd93126f
Opcode Fuzzy Hash: ae82dc6bd3ee7ef20407319b7cb59c0de88f678f5595f3ffd61352e31e938958
Instruction Fuzzy Hash: F2012B71A10B21EBC720AB25A4053DE77B0BF80724F01015BE804A3380C7BC99C2CBCE

Uniqueness

Uniqueness Score: -1.00%

Function 0040D300 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

get_service_dependencies(), xrefs: 0040D3BA
lpDependencies, xrefs: 0040D3BF

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID:
String ID: get_service_dependencies()$lpDependencies
API String ID: 0-219018013
Opcode ID: bf4c0c836f5ec2d75db8984220f7ba768897816f801aee747be6389641c48457
Instruction ID: 3e3e4e8d9a81c198e56250067319da3111a355b174864df4f52def3845c595e2
Opcode Fuzzy Hash: bf4c0c836f5ec2d75db8984220f7ba768897816f801aee747be6389641c48457
Instruction Fuzzy Hash: 3F51C1B19002019FD724DF99D880AA7B3F5FF94315F24492EE885972C1EB78E898CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040E350 Relevance: 9.1, APIs: 6, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6db5205aaf5c7a69da1a2ed089abba3dd97014ecf3ecdbfc37bc27497026141
Instruction ID: 41e637edb1b435abd6f35276a328e9c15e151e7885b7bbb8ba59d22f3675d668
Opcode Fuzzy Hash: f6db5205aaf5c7a69da1a2ed089abba3dd97014ecf3ecdbfc37bc27497026141
Instruction Fuzzy Hash: 9F21F4F2900200B7D710ABA6FC89FDB7B6CDF9935AF00403AFA48D6142E779D4558A79

Uniqueness

Uniqueness Score: -1.00%

Function 00405820 Relevance: 9.0, APIs: 6, Instructions: 31COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000000,00000406), ref: 0040583A
EnableWindow.USER32(00000000), ref: 00405843
GetDlgItem.USER32(00000000,00000407), ref: 00405852
EnableWindow.USER32(00000000), ref: 00405855
GetDlgItem.USER32(00000000,00000408), ref: 00405864
EnableWindow.USER32(00000000), ref: 00405867

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: EnableItemWindow
String ID:
API String ID: 3833022359-0
Opcode ID: afe6c0985e8651cac2700cf40326becd62c8317a26ee51371698d98f401e2890
Instruction ID: 2ec9d1a14a3b6aefc49800d07f008e7303e744d1587428ffcda7d95d197ea67b
Opcode Fuzzy Hash: afe6c0985e8651cac2700cf40326becd62c8317a26ee51371698d98f401e2890
Instruction Fuzzy Hash: A8E012F2B0131476D520EBFA9CD8C97ABACEFC9A51B418815B74497050C979D502C778

Uniqueness

Uniqueness Score: -1.00%

Function 00411CB0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

LocalSystem, xrefs: 00411CCE, 00411CFD, 00411D12, 00411DD3, 00411DEF, 00411E18

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID:
String ID: LocalSystem
API String ID: 0-3718507506
Opcode ID: 004bf6b67739aa68ca3577fdd567ccf4bb5dc038922f0632643093c5b059ae31
Instruction ID: c55ad329f1ab7e7a319801d33323cd4f3fc7c6193fc44e9fe0b0950f6bea607c
Opcode Fuzzy Hash: 004bf6b67739aa68ca3577fdd567ccf4bb5dc038922f0632643093c5b059ae31
Instruction Fuzzy Hash: 1C512A72E043405BD6205779BC45BD737989B81738F08063AFE65D73E1E72CEC8882AA

Uniqueness

Uniqueness Score: -1.00%

Function 0040FEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 0040D950: GetProcessHeap.KERNEL32(00000008,00070510,?,00406684), ref: 0040D958
Part of subcall function 0040D950: HeapAlloc.KERNEL32(00000000,?,00406684), ref: 0040D95F

__snwprintf_s.LIBCMT ref: 0040FF11

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

__snwprintf_s.LIBCMT ref: 0040FF73

Part of subcall function 00405470: _vfwprintf.LIBCMT ref: 0040548F
Part of subcall function 00405470: LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 00405498

Strings

service, xrefs: 0040FF35
pre_install_service(), xrefs: 0040FF30

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap__snwprintf_s$AllocFreeLocalProcess__vsnwprintf_s_l_vfwprintf
String ID: pre_install_service()$service
API String ID: 792397322-3337766052
Opcode ID: 0711bef75259c87616e8d0ee0a386299807506027fbb92d94be555ef7681361a
Instruction ID: 26704b136dc3d9749b1074aa21864745be87e0fb96ff5d59f0470137026c55c2
Opcode Fuzzy Hash: 0711bef75259c87616e8d0ee0a386299807506027fbb92d94be555ef7681361a
Instruction Fuzzy Hash: 614170B29003026BC710EA54DC82EA77354EF91318F14413FF914A72C2E63DF9598799

Uniqueness

Uniqueness Score: -1.00%

Function 00411090 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

_fwprintf.LIBCMT ref: 00411123

Strings

%s, xrefs: 00411115
( B, xrefs: 004110C7

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: _fwprintf
String ID: %s$( B
API String ID: 394020290-3552019876
Opcode ID: fb6fc9bafc8bb4bc176331903f766b2f4ebe819c5f0e0d4e4c6cfed62a37235d
Instruction ID: 76538ebeed6a30712826624a3ba4fa343d335bada35abf236fb5f47343afded2
Opcode Fuzzy Hash: fb6fc9bafc8bb4bc176331903f766b2f4ebe819c5f0e0d4e4c6cfed62a37235d
Instruction Fuzzy Hash: 8F313EB2A001007BD6109B766C45FAB775CDE85379F44053BFB58C3252EA28D885C67E

Uniqueness

Uniqueness Score: -1.00%

Function 00412582 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004125A4
__calloc_crt.LIBCMT ref: 004125BD

Strings

P%B, xrefs: 00412626
`'B, xrefs: 004125E9
$B, xrefs: 004125D4

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: __calloc_crt
String ID: P%B$`'B$$B
API String ID: 3494438863-3853432223
Opcode ID: 1a830ccda2a6a0be023cdae83b6b4cd5bad9d16e3f96b526fcb571bdeb465da0
Instruction ID: 1080d359621281dac9eb6ef5654e348f9a9ff66b954d09d266db2da5be3808d7
Opcode Fuzzy Hash: 1a830ccda2a6a0be023cdae83b6b4cd5bad9d16e3f96b526fcb571bdeb465da0
Instruction Fuzzy Hash: 3A11E73130461167E7348A2E7EA07E62393FB98324B94813FE601C73D0EAB8D8D3864C

Uniqueness

Uniqueness Score: -1.00%

Function 004160F4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00416100

Part of subcall function 00416431: __getptd_noexit.LIBCMT ref: 00416434
Part of subcall function 00416431: __amsg_exit.LIBCMT ref: 00416441

__getptd.LIBCMT ref: 00416117
__amsg_exit.LIBCMT ref: 00416125
__lock.LIBCMT ref: 00416135

Strings

x/B, xrefs: 00416142

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: x/B
API String ID: 3521780317-795736107
Opcode ID: 03e2c8ac26ea6515eeabbe517bac99320c8abe5d28215d78f32520cca3b08236
Instruction ID: d97fba921eb6448607c153e5393f7921dba5c81f8b41dce901700528dcdb7151
Opcode Fuzzy Hash: 03e2c8ac26ea6515eeabbe517bac99320c8abe5d28215d78f32520cca3b08236
Instruction Fuzzy Hash: DDF06231900210ABD620BB6995027CD73E0AF44729F52811FA58097393CB2CD9818A5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040F286 Relevance: 7.7, APIs: 5, Instructions: 214threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0000EBA0,?,00000000,00000000), ref: 0040F356
GetLastError.KERNEL32(00000000), ref: 0040F361
RtlWakeConditionVariable.NTDLL(?), ref: 0040F3D7
SetServiceStatus.ADVAPI32(?,?), ref: 0040F45A

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: ConditionCreateErrorLastServiceStatusThreadVariableWake
String ID:
API String ID: 1631654564-0
Opcode ID: a830473311122d4f58078e63b060d65950c81e0407da7c18076417680fa3d974
Instruction ID: bb6d87cbd09c4234cba0dee68d7b7d15a758b73580d713f38b937c70a6fac446
Opcode Fuzzy Hash: a830473311122d4f58078e63b060d65950c81e0407da7c18076417680fa3d974
Instruction Fuzzy Hash: 544196F2904700EAE774DB64EC4AB9777A89B54304F004D3EF24EA71C2D67DB8558B68

Uniqueness

Uniqueness Score: -1.00%

Function 004118D0 Relevance: 7.6, APIs: 6, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 0041192C
HeapFree.KERNEL32(00000000), ref: 00411933

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 5f40a348833435727a258736f11675b437c072e383ba136c01367595f6cefcd7
Instruction ID: 95e30e043aeee65d45f2ad13466b3714bbfccf5d3bd7e18b30c1f789b8d743ce
Opcode Fuzzy Hash: 5f40a348833435727a258736f11675b437c072e383ba136c01367595f6cefcd7
Instruction Fuzzy Hash: 802156B5A043006FD700DBA9DC85F9B77E8EBC8714F444A69F958C7290D678ED48C762

Uniqueness

Uniqueness Score: -1.00%

Function 004115B0 Relevance: 7.6, APIs: 6, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 0041160C
HeapFree.KERNEL32(00000000), ref: 00411613

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 7a493bd9209aa930e9bc628240199728c948fb4e2bca7b9b2bb2fbd14f4429dc
Instruction ID: b959b81e1fe3a2bafc76a74eee7c013ba47a19e295bb6f17c30615ef93d79162
Opcode Fuzzy Hash: 7a493bd9209aa930e9bc628240199728c948fb4e2bca7b9b2bb2fbd14f4429dc
Instruction Fuzzy Hash: 7A2156B5A043006BD600DBA9DC85F9B77E8EBC8714F444A6DF958C7290D678ED08C766

Uniqueness

Uniqueness Score: -1.00%

Function 00414190 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 004141AE

Part of subcall function 004145CC: __mtinitlocknum.LIBCMT ref: 004145E2
Part of subcall function 004145CC: __amsg_exit.LIBCMT ref: 004145EE
Part of subcall function 004145CC: EnterCriticalSection.KERNEL32(?,?,?,0041267D,?), ref: 004145F6

___sbh_find_block.LIBCMT ref: 004141B9
___sbh_free_block.LIBCMT ref: 004141C8
HeapFree.KERNEL32(00000000,?,00420330,0000000C,00416422,00000000,?,004140C2,?,00000001,?,?,00414556,00000018,00420398,0000000C), ref: 004141F8
GetLastError.KERNEL32(?,004140C2,?,00000001,?,?,00414556,00000018,00420398,0000000C,004145E7,?,?,?,0041267D,?), ref: 00414209

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 8ca263cfe194db8b0666dc6fb4ab876aeebdc161e256fe39dabbc450974d78f4
Instruction ID: 78ddf74b6f23589f7df2c05dcf936a3b5e981393fab6882f78671dd489d308d8
Opcode Fuzzy Hash: 8ca263cfe194db8b0666dc6fb4ab876aeebdc161e256fe39dabbc450974d78f4
Instruction Fuzzy Hash: A8018F31E41201AADB306BA29C0ABCE7BA49F81769F51425FF404A6191CB7C8AC1CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A460 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

kill_process, xrefs: 0040A507, 0040A53E

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID:
String ID: kill_process
API String ID: 0-4017559064
Opcode ID: c85e92e42890c1b61c6ed8003c775d2debb2e2522625328e364df6d926ae03a5
Instruction ID: 00686baf9cae64c418d2207327e1e792f3237e2728e58617ed409f1897315a47
Opcode Fuzzy Hash: c85e92e42890c1b61c6ed8003c775d2debb2e2522625328e364df6d926ae03a5
Instruction Fuzzy Hash: 53317675504300AED711DA29AC45BE7B7D8BF84718F44893EED98622C1E3BCEA18C697

Uniqueness

Uniqueness Score: -1.00%

Function 0040B240 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 0040B280
__snwprintf_s.LIBCMT ref: 0040B2A9

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

GetLastError.KERNEL32(00000000), ref: 0040B2CA

Strings

%lu, xrefs: 0040B29B

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Event$Source$DeregisterErrorLastQueryRegisterReportValue__snwprintf_s__vsnwprintf_s_l
String ID: %lu
API String ID: 2741730872-685833217
Opcode ID: a4297ff40bdac13b64ecd610264a5552e878824a3cab828616055258fe2716c0
Instruction ID: 9b57c4e92f1354976d5d0f2d51147bf8e68e588caea2cac463da8bdf8903c173
Opcode Fuzzy Hash: a4297ff40bdac13b64ecd610264a5552e878824a3cab828616055258fe2716c0
Instruction Fuzzy Hash: 911190B1504300AFD210DB55DC4AFAFB7E8EB8D718F40492DF649A6281D674E944CBAB

Uniqueness

Uniqueness Score: -1.00%

Function 004087E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040880C

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

RegDeleteValueW.ADVAPI32(?,?,?,?,?,?,?,00000000), ref: 0040884B

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

delete_createfile_parameter(), xrefs: 0040881A
%s%s, xrefs: 004087FE

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Event$Source$DeleteDeregisterRegisterReportValue__snwprintf_s__vsnwprintf_s_l
String ID: %s%s$delete_createfile_parameter()
API String ID: 1707313777-3045456684
Opcode ID: 7e0672d7530e772f14729283f7dc31a498a76e7525d1e09c63b7890c8cbcece8
Instruction ID: d1234627bce7d3409ed959c761f7b8d746fd5414b944bb09aaf7c4e8fca72bae
Opcode Fuzzy Hash: 7e0672d7530e772f14729283f7dc31a498a76e7525d1e09c63b7890c8cbcece8
Instruction Fuzzy Hash: 6201DFB2A142006FE700A759CD02FEFB7E8AB99714F80051EF615D72D1F5B8A8818BD6

Uniqueness

Uniqueness Score: -1.00%

Function 00405400 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

nssm, xrefs: 00405404

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Event$Source$DeregisterRegisterReport
String ID: nssm
API String ID: 3235303502-2602286837
Opcode ID: 6fec7ebd8c18dbc7d464e686865d7787e4c472b10a666eaa8ba60e55d3e0cda1
Instruction ID: d3648bf1d166a2bd8de7c6c9c4a863b798114447eb191853c28b7c632e5ffc8e
Opcode Fuzzy Hash: 6fec7ebd8c18dbc7d464e686865d7787e4c472b10a666eaa8ba60e55d3e0cda1
Instruction Fuzzy Hash: D8F0A4B0505711ABE714DB04DC19BFBBBA5EF88705F40842CF542EA2C0D774D9418F9A

Uniqueness

Uniqueness Score: -1.00%

Function 00401070 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30COMMON

Download Yara Rule

Strings

NT Authority\LocalService, xrefs: 0040109C
LocalSystem, xrefs: 00401088

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID:
String ID: LocalSystem$NT Authority\LocalService
API String ID: 0-2498893882
Opcode ID: 4bd61c4bc6cb448a9bbe4fa92f22af8cd3c41b511943c0e539e243abe0924b40
Instruction ID: 5088a37f203b1a9eb05045d2fec1edf7ec2d004d2db4fae365a24f9b45aa7680
Opcode Fuzzy Hash: 4bd61c4bc6cb448a9bbe4fa92f22af8cd3c41b511943c0e539e243abe0924b40
Instruction Fuzzy Hash: 35E0483179452A62DB212B2CBC05FD727995B45742F448073B450DB1D2D75CCDC352ED

Uniqueness

Uniqueness Score: -1.00%

Function 004160B6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 004160C8

Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FA0
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FAD
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FBA
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FC7
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FD4
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FF0
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(00000000), ref: 00416000
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00416016

___removelocaleref.LIBCMT ref: 004160D3

Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(004178FE), ref: 00416037
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(83000001), ref: 00416044
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(B9C972C2), ref: 00416051
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(3B660AC2), ref: 0041605E
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(3B66D18B), ref: 0041606B
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(3B66D18B), ref: 00416087
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(83C0B70F), ref: 00416097
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(000009B2), ref: 004160AD

___freetlocinfo.LIBCMT ref: 004160E7

Part of subcall function 00415E45: ___free_lconv_mon.LIBCMT ref: 00415E8B
Part of subcall function 00415E45: ___free_lconv_num.LIBCMT ref: 00415EAC
Part of subcall function 00415E45: ___free_lc_time.LIBCMT ref: 00415F31

Strings

x/B, xrefs: 004160DE

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: x/B
API String ID: 467427115-795736107
Opcode ID: d1c564f02e998aee3c3fa80c54e1f8df227aa337fe82c91f75564be1846c7342
Instruction ID: b34a0f9879d2699f7ffcf6201956a3b00b8b15cae77dc86b8d387886a1ceb3e8
Opcode Fuzzy Hash: d1c564f02e998aee3c3fa80c54e1f8df227aa337fe82c91f75564be1846c7342
Instruction Fuzzy Hash: C7E04F33B019315B8A36AE1D64406EB9A948FCA715F1B41AFF844A7784DF2CCCC154AD

Uniqueness

Uniqueness Score: -1.00%

Function 004098D0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 004098D0

Part of subcall function 00405470: _vfwprintf.LIBCMT ref: 0040548F
Part of subcall function 00405470: LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 00405498

Strings

32-bit, xrefs: 004098DB
2.24, xrefs: 004098E0
2014-08-31, xrefs: 004098D6

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: ConsoleFreeLocalWindow_vfwprintf
String ID: 2.24$2014-08-31$32-bit
API String ID: 1334155653-2354707097
Opcode ID: 990dfce23d7a97a5039eabe4122512bd76cb627f2bc899cb7b24c49a62b2ecd3
Instruction ID: c76862b1d953f522f71d38d82470cec42d68d54e25fb047d8ef406d997cf9da4
Opcode Fuzzy Hash: 990dfce23d7a97a5039eabe4122512bd76cb627f2bc899cb7b24c49a62b2ecd3
Instruction Fuzzy Hash: 01D0C2F0A8460137E600AA598C07F8B22409B8470DFC4006AB606A52D2D67CF8944A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041A8B3 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0041A8E7
__isleadbyte_l.LIBCMT ref: 0041A91B
MultiByteToWideChar.KERNEL32(00000080,00000009,00412F07,?,00000000,00000000,?,?,?,?,00412F07), ref: 0041A94C
MultiByteToWideChar.KERNEL32(00000080,00000009,00412F07,00000001,00000000,00000000,?,?,?,?,00412F07), ref: 0041A9BA

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 7d0f7be5522bebe04898bb7a1b5b17ac1f2cd60f464c80a5787e493e5f5524ec
Instruction ID: 8e80b7d0e863ddd762db141ba23fd8d99fbbd19addded7427a642c387e288d34
Opcode Fuzzy Hash: 7d0f7be5522bebe04898bb7a1b5b17ac1f2cd60f464c80a5787e493e5f5524ec
Instruction Fuzzy Hash: 54311370A12245EFDB20EF64C884AFE3BA4BF01310F1589AAE4619B291D334DDE1DB56

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7E0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

username, xrefs: 0040D863
get_service_username(), xrefs: 0040D85E

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID:
String ID: get_service_username()$username
API String ID: 0-1118073074
Opcode ID: 784faa349208341f158178e86dc57be783a71b656f02ec290f582de94d1f2833
Instruction ID: 7d16268e7706c02599106e4441dc23a9752c8f6b5ec33a58098762b0a8250c8b
Opcode Fuzzy Hash: 784faa349208341f158178e86dc57be783a71b656f02ec290f582de94d1f2833
Instruction Fuzzy Hash: DE1106B6A003015BE710EFA9EC85B9773A8EF84304F048476F91CDB381E379E8588768

Uniqueness

Uniqueness Score: -1.00%

Function 00405080 Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(?,00000000), ref: 004050E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004050F1
HeapFree.KERNEL32(00000000), ref: 004050F8
SetEnvironmentVariableW.KERNEL32(?,00000000), ref: 00405106

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: EnvironmentHeapVariable$FreeProcess
String ID:
API String ID: 1651283563-0
Opcode ID: b44acf5573aec65a98221271f6012cacc703a2aca283ef703b0ef0abf04c4004
Instruction ID: 7ca8f0decbef4ebefa15ff84fd483d82a394ef1ad15d6eda22774f96b67548aa
Opcode Fuzzy Hash: b44acf5573aec65a98221271f6012cacc703a2aca283ef703b0ef0abf04c4004
Instruction Fuzzy Hash: 26117F71C047169AD730AF549C0575BB3F8EF94310F54883BE989A72C1F3B898D48B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00404EE0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000), ref: 00404F26
HeapAlloc.KERNEL32(00000000), ref: 00404F2D

Strings

environment, xrefs: 00404F3F
copy_environment_block(), xrefs: 00404F3A

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Heap$AllocProcess
String ID: copy_environment_block()$environment
API String ID: 1617791916-2686971372
Opcode ID: c3fd064e4f0a956d187f24e7c5e8a9bb3822476e50573aa05cb750d222029aa4
Instruction ID: 8deebacdc600d522f7aab138bb3d98dce45cd337f056f7d9729cf224169f9fdd
Opcode Fuzzy Hash: c3fd064e4f0a956d187f24e7c5e8a9bb3822476e50573aa05cb750d222029aa4
Instruction Fuzzy Hash: 1A01FCF66046221AD6212618BC50BF72298DFD0769B11443BFA82E71C5EA78CC8141A8

Uniqueness

Uniqueness Score: -1.00%

Function 00401469 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

GetSidSubAuthority.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 0040147C
GetSidSubAuthority.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 00401491
LsaFreeMemory.ADVAPI32(00000000), ref: 004014F1
LsaFreeMemory.ADVAPI32(00000000), ref: 004014FB

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: AuthorityFreeMemory
String ID:
API String ID: 1444650384-0
Opcode ID: b8e15b337b3f1d921b3dea5c82a8250e1428588c6ab68d38df7715d8a68ab994
Instruction ID: 83e81ec0094bd32f467672ea939adaeb78c7e9f3249d369c250e79b353d34dd7
Opcode Fuzzy Hash: b8e15b337b3f1d921b3dea5c82a8250e1428588c6ab68d38df7715d8a68ab994
Instruction Fuzzy Hash: 81110675A043406FC310EB61C88596BB7E5FF89318F40093DF98997361D638DD91CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00405680 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00405699
GetDesktopWindow.USER32 ref: 0040569F
GetWindowRect.USER32(00000000,?), ref: 004056AF
MoveWindow.USER32(?,?,?,00000000,?,00000000), ref: 004056E6

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Window$Rect$DesktopMove
String ID:
API String ID: 2894293738-0
Opcode ID: 3fd5e5817b5a9b80783906beb4d0b9204ab218456916bf9286cc18b0c0424074
Instruction ID: 4404551d088f54b3b346c67006461702cb67daa45ea7307cd0df8ea8ccbf729a
Opcode Fuzzy Hash: 3fd5e5817b5a9b80783906beb4d0b9204ab218456916bf9286cc18b0c0424074
Instruction Fuzzy Hash: D5014FB1604212ABD704CE7CDD44EAFBBEDEBC8640F48492DB854D3284DB34E8058BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00408870 Relevance: 6.0, APIs: 4, Instructions: 46fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000002,?,?,?,?,00000000), ref: 0040888F
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 004088A2
SetEndOfFile.KERNEL32(00000000), ref: 004088AE
GetLastError.KERNEL32(00000000), ref: 004088BB

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: File$CreateErrorLastPointer
String ID:
API String ID: 2723331319-0
Opcode ID: 4e0b794f19faba63de2e6a99d64c6716e3658fd301ade40050abe0956df1ca94
Instruction ID: 5390559d92aa947b9314eb53a18356e94adec141a5a2c230ab48a642764cfde5
Opcode Fuzzy Hash: 4e0b794f19faba63de2e6a99d64c6716e3658fd301ade40050abe0956df1ca94
Instruction Fuzzy Hash: DBF0C8B66046107FE2109758AC0AF9F7768DFC4B24F50C539FA05E62D1D774DC4186BA

Uniqueness

Uniqueness Score: -1.00%

Function 00405870 Relevance: 6.0, APIs: 4, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000000), ref: 0040587D
SendMessageW.USER32(00000000,?,0000000E,00000000), ref: 00405884
GetDlgItemTextW.USER32(00000000), ref: 00405898

Part of subcall function 004054A0: MessageBoxW.USER32(00000000,The message which was supposed to go here is missing!,NSSM,00000030), ref: 004054E4

_memset.LIBCMT ref: 004058BF

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: ItemMessage$SendText_memset
String ID:
API String ID: 106090685-0
Opcode ID: 6c1f17a3ed959549f23045dc7471758394cc86d8812c56315956d8aff6da2db9
Instruction ID: cb56df8b7445a31a75e8c4718e41db6c747a4df5fb1419ea8052b39527e82588
Opcode Fuzzy Hash: 6c1f17a3ed959549f23045dc7471758394cc86d8812c56315956d8aff6da2db9
Instruction Fuzzy Hash: A2F0A7B17003007BE120AB61DC8DF573B6CDF44B45F40441D7904D61D1D67CE900CE29

Uniqueness

Uniqueness Score: -1.00%

Function 0040D950 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00070510,?,00406684), ref: 0040D958
HeapAlloc.KERNEL32(00000000,?,00406684), ref: 0040D95F

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

alloc_nssm_service(), xrefs: 0040D96C
service, xrefs: 0040D971

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Event$HeapSource$AllocDeregisterProcessRegisterReport
String ID: alloc_nssm_service()$service
API String ID: 1868725766-2157636798
Opcode ID: 8ea0d5565f999da2896c2c36d03efb47440df890c0c9d5ffe8b582c93dbb814f
Instruction ID: 2c9525e28b5191ed34799dbcc002321da452954f880f3acf974e46df2d9dfe00
Opcode Fuzzy Hash: 8ea0d5565f999da2896c2c36d03efb47440df890c0c9d5ffe8b582c93dbb814f
Instruction Fuzzy Hash: FAD05EF5E8062027D61222A87C0AFDB25089750B56F528A71BE18F62C2D5A8884046AC

Uniqueness

Uniqueness Score: -1.00%

Function 004067C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

GetDlgItemTextW.USER32(?,000003ED,00000002,00000100), ref: 004067EA

Strings

service, xrefs: 0040683F
remove(), xrefs: 0040683A

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: ItemText
String ID: remove()$service
API String ID: 3367045223-1317115628
Opcode ID: cc42bf898366cd54f4183dcd42ca600010007e7b9bb62e5b1c9b9d6a06996358
Instruction ID: 8184d59d72f0fbf905fa053582e3628f82c79463e423cb7eee217312d63cbccc
Opcode Fuzzy Hash: cc42bf898366cd54f4183dcd42ca600010007e7b9bb62e5b1c9b9d6a06996358
Instruction Fuzzy Hash: B021DEB3A4451032E112319DBC82FEF9258CB9076DF84803BF208F91C6E73D5A91419E

Uniqueness

Uniqueness Score: -1.00%

Function 00408750 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040877C

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

set_createfile_parameter(), xrefs: 0040878A
%s%s, xrefs: 0040876E

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Event$Source$DeregisterRegisterReport__snwprintf_s__vsnwprintf_s_l
String ID: %s%s$set_createfile_parameter()
API String ID: 2445375048-102671490
Opcode ID: 28d182d9b054d50c6284244cab05a53826a641f1a040c1f726e585f693a11305
Instruction ID: 3394c9dda24fa343ec2156a0d0e2bb01f682d842124ecdf63034fec8dba4f21e
Opcode Fuzzy Hash: 28d182d9b054d50c6284244cab05a53826a641f1a040c1f726e585f693a11305
Instruction Fuzzy Hash: 9701B1B26142002BD300A7598C42FAFB3E8ABC4314F80041EF515972C1F5B8A59587D7

Uniqueness

Uniqueness Score: -1.00%

Function 00401720 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

LocalSystem, xrefs: 00401726

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID:
String ID: LocalSystem
API String ID: 0-3718507506
Opcode ID: 2781d35c690fc2a676cfbd0f3a4b98b4639caa1f8c1be83308235997636d1291
Instruction ID: 9109e31f7caa357bacc1ff475e9021cac7f2486fa8cfe9e055bed6058de38d4d
Opcode Fuzzy Hash: 2781d35c690fc2a676cfbd0f3a4b98b4639caa1f8c1be83308235997636d1291
Instruction Fuzzy Hash: BFF0B477B001206BDA105A55AC00BDBA3AC9B847A7F14003FF901E31E1E77C994282E9

Uniqueness

Uniqueness Score: -1.00%

Function 00409B10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,?,004074D4), ref: 00409B1C
GetProcessAffinityMask.KERNEL32(00000000,?,004074D4), ref: 00409B23

Strings

@U=u, xrefs: 00409B39

Memory Dump Source

Source File: 00000000.00000002.1354580292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1354566769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354599164.000000000041D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354612822.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354625330.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KsJBQmWmRc.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID: @U=u
API String ID: 1231390398-2594219639
Opcode ID: 97b933b9551aa121181f1b4fb1055b6f2d239aa3189452af06c08f605222db2f
Instruction ID: 11c4c9ab6e9aea9219352815a8c1528424eef86741b3d7c0d31ae367e2f91a5e
Opcode Fuzzy Hash: 97b933b9551aa121181f1b4fb1055b6f2d239aa3189452af06c08f605222db2f
Instruction Fuzzy Hash: EFF0E972B0010027CB18EA69AC45ACBB3A9EBD4321F48843EF945C2241EA3CE9098299

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KsJBQmWmRc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 58

Chrome Cache Entry: 59

Chrome Cache Entry: 60

Chrome Cache Entry: 61

Chrome Cache Entry: 62

Chrome Cache Entry: 63

Chrome Cache Entry: 64

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
KsJBQmWmRc.exe

Function 00409B70 Relevance: 40.6, APIs: 8, Strings: 15, Instructions: 334
memoryCOMMON

Function 00405370 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54
memorywindowCOMMON

Function 0040A860 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 101
registryCOMMON

Function 004054A0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 91
windowCOMMON

Function 00401A00 Relevance: 6.0, APIs: 4, Instructions: 16
threadCOMMON

Function 00418AAF Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Function 004136FD Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 00418B0C Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Function 00413919 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON